22bab8dd221a2884e1ceed9d147b7d3bc7c6c990598b8ad2d988d38368310416

Analysis

max time kernel
137s
max time network
135s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe
Size

168KB
MD5

216eed107f28c9b994c12ce02cff2c03
SHA1

4d60e3d161698c44848c332007e8eea9c9ac2f8e
SHA256

22bab8dd221a2884e1ceed9d147b7d3bc7c6c990598b8ad2d988d38368310416
SHA512

5cd881e169de12726a81642cfaa52d4db04f073d5d4eb20fac7ffc4e5069842c9c397513210e8eb4b3732e767ff5e518523b35343d0f1ada6489f18f10b021cd
SSDEEP

3072:HNM3HkPIrvRapjrXR7ddaIF/f9KBNvy5s6iChH0netat4:t6HkPIvQtXRhFYBNqst6Fat4

Score

7^/10

adware stealer upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2564	a.exe

Loads dropped DLL 3 IoCs

pid	Process
3044	regsvr32.exe
1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe
1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1916-0-0x0000000000400000-0x0000000000493000-memory.dmp	upx
behavioral1/memory/1916-13-0x0000000000400000-0x0000000000493000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D83E84DA-D187-4300-B5D7-727727352096}	regsvr32.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\piktbl.dll	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\a.exe	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\a.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 201eced014cdda01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F8CE0BB1-3907-11EF-BE23-DE271FC37611} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a80760000000002000000000010660000000100002000000071d8d48d893881005a1fa5c34cdb70bb935ea812bca7a44d958bdac925284a39000000000e80000000020000200000003723c90d8dcdf095eff7a5fd0f7313f24fa87e3f26fea460ad5bb4ec6478556d20000000077c64e2c2459ab3e9c840eab113c82ec25359ed057e7ec9db17b0f3add1517740000000fb06c5acdb87071e0356af450cc1f7077da64f140e07b3b0f3de1c610f3f16ce61b08a0cd9c30eef9f20fe267068d70c906d20f98ac60bb6b9fd29477d38bd44	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426151057"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005ec80cf279b2564c91633e21940a807600000000020000000000106600000001000020000000ad55f65402fcd6366f9c65fc4bf0ebcdcafdc01ccccf0758e0561294689b5ccd000000000e8000000002000020000000e883d004336f711f30012ad13ad27651d690aab23fe8483a2a2bfa5113f20f4990000000c651a48dd59434b6a436e55f56652b82b55e3f2949adbe2226b10b9da2fa7b81d56c97dfbfb6c282d5f159fcc71fef00b2a1d6869e4adaa7b13672762cde65d2abf114355fc100a9a06741f4f9fb888aee8b3933f314011e9587965d7648a0d282864ab2421a8b7f8898268ce7060983d221aabcd750da129723651b5b1703cdd8aeaddcd3bf6256ab879de6dac7a1bd40000000af75eca431e0a840e5e89797e93e807919062defd1d22250ed4c2976f375bc005c4db0c885b880524b7beafde91b1e1469ef4a6889bd3004bc7fe09c903b359d	iexplore.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\ = "_IBhoEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ucjs0l.Bho\CurVer\ = "ZoooGoo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ucjs0l.Bho	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ucjs0l.Bho\CLSID\ = "{D83E84DA-D187-4300-B5D7-727727352096}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\ = "_IBhoEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\ = "IBho"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\VersionIndependentProgID\ = "ucjs0l.Bho"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\piktbl.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\ = "Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\InprocServer32\ = "C:\\Windows\\SysWow64\\piktbl.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ucjs0l.Bho\ = "HACK.SPY"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoooGoo\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoooGoo\CLSID\ = "{D83E84DA-D187-4300-B5D7-727727352096}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\ProgID\ = "ZoooGoo"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\ = "IBho"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoooGoo	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ucjs0l.Bho\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ucjs0l.Bho\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D83E84DA-D187-4300-B5D7-727727352096}\ = "HACK.SPY"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B038F224-F9F5-4B83-A0D0-43D68D8E3CFE}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ZoooGoo\ = "HACK.SPY"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E062203C-7759-4B2F-8EE7-DF725EED1DB7}	regsvr32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2516	PING.EXE

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3064	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3064	iexplore.exe
3064	iexplore.exe
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE
2652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 3044	1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe	28
PID 1916 wrote to memory of 3044	1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe	28
PID 1916 wrote to memory of 3044	1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe	28
PID 1916 wrote to memory of 3044	1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe	28
PID 1916 wrote to memory of 3044	1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe	28
PID 1916 wrote to memory of 3044	1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe	28
PID 1916 wrote to memory of 3044	1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe	28
PID 1916 wrote to memory of 3064	1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe	29
PID 1916 wrote to memory of 3064	1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe	29
PID 1916 wrote to memory of 3064	1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe	29
PID 1916 wrote to memory of 3064	1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe	29
PID 3064 wrote to memory of 2652	3064	iexplore.exe	30
PID 3064 wrote to memory of 2652	3064	iexplore.exe	30
PID 3064 wrote to memory of 2652	3064	iexplore.exe	30
PID 3064 wrote to memory of 2652	3064	iexplore.exe	30
PID 1916 wrote to memory of 2564	1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe	31
PID 1916 wrote to memory of 2564	1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe	31
PID 1916 wrote to memory of 2564	1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe	31
PID 1916 wrote to memory of 2564	1916	216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe	31
PID 2564 wrote to memory of 2684	2564	a.exe	32
PID 2564 wrote to memory of 2684	2564	a.exe	32
PID 2564 wrote to memory of 2684	2564	a.exe	32
PID 2564 wrote to memory of 2684	2564	a.exe	32
PID 2684 wrote to memory of 2488	2684	cmd.exe	34
PID 2684 wrote to memory of 2488	2684	cmd.exe	34
PID 2684 wrote to memory of 2488	2684	cmd.exe	34
PID 2684 wrote to memory of 2488	2684	cmd.exe	34
PID 2684 wrote to memory of 2516	2684	cmd.exe	35
PID 2684 wrote to memory of 2516	2684	cmd.exe	35
PID 2684 wrote to memory of 2516	2684	cmd.exe	35
PID 2684 wrote to memory of 2516	2684	cmd.exe	35

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2488	attrib.exe

C:\Users\Admin\AppData\Local\Temp\216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\216eed107f28c9b994c12ce02cff2c03_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\piktbl.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:3044
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://thevid11.com/bind2.php?id=1xxx3912941
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3064 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2652
- C:\Windows\SysWOW64\a.exe
  "C:\Windows\system32\a.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\del.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -R -A -S -H "C:\Windows\SysWOW64\a.exe"
      4⤵
      Drops file in System32 directory
      Views/modifies file attributes
      PID:2488
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 1
      4⤵
      Runs ping.exe
      PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7aafaa14980b4485e9f7338267e9f6c2

SHA1
1e5f5cc1d6cc83f746ce011db61f7867086a78e9

SHA256
8a42651d632769499ae1e06d8cc9a99e2c61fba222ab0a351f3fbcc5784581f4

SHA512
76f7b7341a474d8a5d805e26b75b1d8470dddad8cc62a35c4667b0f7c85c6ad047a57302c07641a5c85dd326aff39ecee6a558552fd3c3ce6b0a0a291c6f0c33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32f4d5e60cae294df98eb3944603e5ce

SHA1
c8668b0a2bff4dcebce791be66b33c8be383e4fe

SHA256
bcfb6d39b4cc2fe246691e8d60ae213dd6da0395251e7f7ce7b9948f37a90a90

SHA512
5960020271bddb7e66247091d1cda71dae7d844b7b4c0f6ba1c8c786a5a5ed3ea591a6b148baeb8b414c38e106fae0421a0e704118ce97caf3ccf16a673aa0af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3894cd9f3d0f88d3669ca855ad4b0134

SHA1
c736909d7cd7df1875ec0ab45be88b2d4ad809fd

SHA256
bb9d5f8ae04960741fc97d60178eed39230138e696e80ef410f54939b46e9f2e

SHA512
b6ef6f823fbc54183a3b2fc053e1d94a8a81fc3965c2127c516eb51110cb0aa9abc89f134b70937f8e454f5126a351c643e9cbd02e2a53d05c9f0f0a2bfea8f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d231146d5adc41ce2385db603d86b197

SHA1
dd8f319da74f00ec03c8c894252633edc7ccea04

SHA256
be8030ce724f0bd82ee2c19dcf7ddb346414415dbafe20debaf182b81ade0951

SHA512
b8285d8345055fdccb95dcbd8aae933f07037db72cd9618319a757a9fe50c8a9e34dbf3f034d49855604ec832e0c4d990c1caeb2a3a884db79007f7c4ad7e20f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7abaf8a5b0dcf6d38bae12b5a06d5e3

SHA1
7fa0c238ae250491947981dc1f1cf4831593e773

SHA256
32d820a8645d420dde59f0fd6eb2d54938c9bd25869c25de6c20d054eda8133a

SHA512
c7e77a2d2743cb839dbc31bdd457a6e9a9eb321280acf27b3109114128ed6f71cf15d307e0311a2693f7462478ebc609e638ecfb34622af34b7ad7df91fd8e0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0aded9966e52e31a82abbb3f550a2e3f

SHA1
531810b2d910a39c2e37e8f8664ea7dbb48ca25b

SHA256
4567ce94b72d2399e042899e8169c71ac90a5d71a406e1a820251e1c72981ede

SHA512
fee64745c9e9220592ebabff1215dae2837d7ab1e9dfab1448045757020aa5bf848916c6862744c0eb0a54c15765ee57d1cda86f56e6221a7f06a786ba661f8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4017f9059b2efcb14526b404d65b6ad

SHA1
60cc6b58ab5f4bcb9cd7bceff0e2aed25399740b

SHA256
959079fd3414c9dad1f34238529e928bcbe9cd1aa3bee6678d665bc053c83b46

SHA512
d7aba4d804bebd70850fec0e89f4da9458f86a6b5faa1987b1756728fae1710372e1ed7dabab3955a80e4eb08b9f9917ee1273945edf7a209744fef09834d390

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44e632369889ef3acc1a47dc4eea786a

SHA1
323da7f2a8270c851d4643ee573d298dea9c1bd0

SHA256
56391978e48f44cc5c4761d70a3cae772cbcb11674049c1a5147f8fa2d23d622

SHA512
0096043f707c88879d23be4f70db6334f7df4e66802c62c0b2762a03be1d33189aed51c6722c43a6a7589a9b60f50324a61c105b54f34e2c407befdd38113d5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbfa5daf94fb9d8302a0c1bf2eb57692

SHA1
1f218d4a3db0876356548bd022ecc633fdaadeed

SHA256
d34634b7c8da363ba4cccaeea2540f50dad31c09f8d38f9825c776b296c7b430

SHA512
7e9e5a0c703b2ac1dc0b3f3f9331adff1c707c2b0793b1f6e8b4949b6aa20f239ca33f153cc4682f894b9c0ef139cf4c309486b353f1c9b6b4793c1e4b780995

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a42d978e79ab9d73c70231f9c03ab32

SHA1
0239ca1ba01aaf3112db536163db3a6b5f686bf8

SHA256
eca994db57bedac068785cf5170fdb817d98d7b6ec999b28cf6a70b89db6d80a

SHA512
44fab14d9fa5e1a9303b98e927de4bc04e32d548416277d793062beef6038fb3bf31fdb36e3d3eaf931b3a35dce6eac92b1e58887201dfb47c6b7ba67bc2e542

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3f7a9fb8a85e09a6140992eb38f60fd

SHA1
39d37438aa06689ff8b29245da43ab144752d84f

SHA256
81512d81d490e03f6a101242104007b50c7250ae6a1ad4be4a3fafc4bd4293ce

SHA512
2c1a53fec0172af37d6d09d243fde70c2163cd6b2ff7f95b3daef70ca0a1bfd360d2efb425335a41ede7054aef17f002b7bbff5a873182e9132eff5f873095c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4be60bd6ee8fe3ecde6bcd1cd051b6dd

SHA1
9975d946732a45ff2fce3355e5349327f60caa55

SHA256
371aa4586775be7b33c033c81a97fb156a21771faf39d5992398b0a20f19a76a

SHA512
3c168a633ce0f656bc445dd089190e307fb3655541741668484730fe9517f2aa0b23d73f94ef4459d584de006cd5b0e178873913aed94139c335870019e6735b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d94d8e2d8709c4f04354b96facec3948

SHA1
bdee182b0d08402649f0db7596ebf19072e4b8ed

SHA256
6792b6cb39c844620d2cfec094eb8e725bf022e3dc643e5613e574a8361552ed

SHA512
2f7559ab63aafb6ab4fabc17cd50776a09640a721755798482b8eb2e311a41770ea71ebe31cbabd0a1c51a155d517ff87854edafee8cbe74eb7b986c0e9926a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6d1e3ba455c27719b197d589e7f5255

SHA1
72e73dae45d9c3daa33bb211f9dfa0e305b93854

SHA256
a3589c2c26b82230865fc0a5b1410496a520f7a852eb75a9242b7a0eb5f00e78

SHA512
8f9c0dba28b4026ae87de7697fe6c9b2b4c3494d4a081ba33947d8eb9ad3cf6716a07c2d16837f87d6564fe94cd1f042824b90a43494c6839c2250f79b93e286

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4a5b791a80e541b3a65fe361cc47ede

SHA1
c2897eed5d0475dde97cd35958cf442842feef3a

SHA256
c3b897fb5dd1f8a8b9372b2778e39072a7d1fc3bf94a60fa4273dc60f8cec5b6

SHA512
efd87206589da80194e8ce22c69fb12fc352e08d7846217aa165752b032088e4d6e6bff3c95eef0e3c9be6bd19e7f6aea6a1e03f1491733326e90d24ebb8da3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
662ee8a268d648da1adfda76b457ee22

SHA1
1380286345acc27ee0d92b3016cae755cb5bd160

SHA256
2e48bad5028346006b660a187a3ce0c52cb764b5739d394d55af1474a3e36744

SHA512
51b13554bc37f776b70d0b4a15f751e2f21a5bbbd26aa046ecfef62811416eaffa6c3cbaef3a39019d009aea1535293828674dad313b021751ed9171147ad0a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAB6D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAC2D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\del.bat

Filesize
135B

MD5
46e4e0e0ca92f5244ba4fa1b863f24fc

SHA1
0c80a83e08dbc31bb03744b34bea5017e63bc052

SHA256
3cffd8303b11d87a738391a5c76406fda416ba4e9d4a799a69d7ca4eb94756ce

SHA512
3e520fdc86fcb755293dc83113f811dfb1bba3a23615144d5bf805fe716cc8bbdda6390a53de90061c5b9e06e05d5526d976c2f925dc47548071bc4756e65e69

Download Submit
C:\Windows\SysWOW64\piktbl.dll

Filesize
400KB

MD5
7f961adc5c09b08b668a753a4d21cd12

SHA1
f5f37a3767ab79b58de643cffd9949fa2e4d5f98

SHA256
26c9b73cec00efd4afebe4a24a4a35dc74a5a1f77be9ef2c17f19fcea0179f23

SHA512
f66aae3ad91cdcc8a9c37dbf3c561052fa603aea9200455e4a409bc6531efdfbf41079e5f159f1a503c29bccf5c7a52aec4a902f1fc7210a33dc94d042ccc12c

Download Submit
\Windows\SysWOW64\a.exe

Filesize
112KB

MD5
d27332c61dff6b277ed57ee066be0f28

SHA1
46c2a4e9dea734d5add02b5b76305dbbaa8224b8

SHA256
37b71727ad33484095b3913de579c5128e25236e2d04b1a343831323be07ccd3

SHA512
342e76352b3631e91e697c2a39ab794fd07cfffa1d890b154b8f8384696cb727eb667afcb803801991695dcdd7fadba0b919bb1bc3ff2a0341310c7eaceaf714

Download Submit
memory/1916-0-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/1916-13-0x0000000000400000-0x0000000000493000-memory.dmp

Filesize
588KB

Download
memory/2564-24-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads