f7f30c68408ac6bfda57da6d497cd5c32672a7697d91f25593f1093a284db925

Analysis

max time kernel
135s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2222a277faf23099daa91a28ba8b64c0_JaffaCakes118.exe
Size

2.0MB
MD5

2222a277faf23099daa91a28ba8b64c0
SHA1

c6d5f252002d603395d9289e7df7c585677a3312
SHA256

f7f30c68408ac6bfda57da6d497cd5c32672a7697d91f25593f1093a284db925
SHA512

4d400ba7e5eadc08b87e64cf5a6f7a8e3640a1207a72d64178ac7c11e9f57fa4cb1fb31d925ca5c134a7e875c526bb4bfff4da73d29a597a7fca52656b890c66
SSDEEP

49152:vjVK3/r5oGb5x1FNykH23GBULB+WZSuRMcFA975ENBYXIl:vjU3m+HFNy62TLB+lGA9+ree

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	YontooSetup-Silent-0C48.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	YontooSetup-Silent.exe

Executes dropped EXE 4 IoCs

pid	Process
2492	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
3144	YontooSetup-Silent.exe
3812	YontooSetup-Silent-0C48.exe
1356	7za.exe

Loads dropped DLL 5 IoCs

pid	Process
2492	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
2492	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
3812	YontooSetup-Silent-0C48.exe
3812	YontooSetup-Silent-0C48.exe
3812	YontooSetup-Silent-0C48.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\N:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\U:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\W:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\I:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\W:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\I:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\L:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\T:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\U:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\X:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\E:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\K:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\S:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\H:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\M:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\V:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\Q:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\R:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\Z:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\J:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\Q:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\J:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\P:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\X:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\E:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\K:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\Y:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\G:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\O:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\P:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\Z:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\H:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\V:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\Y:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\G:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\N:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\S:	YontooSetup-Silent-0C48.exe
File opened (read-only)	\??\M:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\O:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\T:	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
File opened (read-only)	\??\R:	YontooSetup-Silent-0C48.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ = "Yontoo Layers"	YontooSetup-Silent-0C48.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\NoExplorer = "1"	YontooSetup-Silent-0C48.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Yontoo\YontooIEClient.dll	YontooSetup-Silent-0C48.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Recovery\Active	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\VersionIndependentProgID	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\0	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Yontoo"	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ProxyStubClsid32	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}\defaultEnableAppsList\ = "PageRage,PageRageGlobal,PageRageTeases,Buzzdock,BuzzdockTease,PageRage,PageRageGlobal,"	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1\CLSID	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\InprocServer32	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99066096-8989-4612-841F-621A01D54AD7}\ = "c885d779-5d6b-4f66-8a81-a56ff1ec341a"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\VersionIndependentProgID\ = "YontooIEClient.Api"	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\FLAGS	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\TypeLib\Version = "1.0"	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\WOW6432Node\CLSID	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\HELPDIR	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ = "Yontoo"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\ = "YontooIEClient 1.0 Type Library"	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}\defaultEnableAppsList	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1\CLSID	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\CLSID	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ProxyStubClsid32	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\InProcServer32\ = "C:\\Program Files (x86)\\Yontoo\\YontooIEClient.dll"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\CLSID\ = "{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\InprocServer32\ = "C:\\Program Files (x86)\\Yontoo\\YontooIEClient.dll"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api\ = "Yontoo Api"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ = "IApi"	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib\Version = "1.0"	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\TypeLib	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\NumMethods	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api\CLSID	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ProgID\ = "YontooIEClient.Api.1"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\TypeLib\ = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\FLAGS\ = "0"	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\InProcServer32	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1\CLSID\ = "{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\NumMethods\ = "17"	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1\ = "Yontoo"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\TypeLib\ = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1\ = "Yontoo Api"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\CurVer\ = "YontooIEClient.Layers.1"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\InprocServer32\ThreadingModel = "Apartment"	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\NumMethods	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\InprocServer32	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\InprocServer32\ThreadingModel = "Apartment"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}\ = "2374897c-34c7-4819-ab45-904e190c8fc5"	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api\CurVer	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api\CLSID\ = "{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api\CurVer\ = "YontooIEClient.Api.1"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib\ = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"	YontooSetup-Silent-0C48.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\InProcServer32\ThreadingModel = "Both"	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ProgID	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\Programmable	YontooSetup-Silent-0C48.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\CurVer	YontooSetup-Silent-0C48.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2492	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
3144	YontooSetup-Silent.exe
3812	YontooSetup-Silent-0C48.exe
1356	7za.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 2492	32	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118.exe	83
PID 32 wrote to memory of 2492	32	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118.exe	83
PID 32 wrote to memory of 2492	32	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118.exe	83
PID 2492 wrote to memory of 3144	2492	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe	85
PID 2492 wrote to memory of 3144	2492	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe	85
PID 2492 wrote to memory of 3144	2492	2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe	85
PID 3144 wrote to memory of 3812	3144	YontooSetup-Silent.exe	86
PID 3144 wrote to memory of 3812	3144	YontooSetup-Silent.exe	86
PID 3144 wrote to memory of 3812	3144	YontooSetup-Silent.exe	86
PID 3812 wrote to memory of 1356	3812	YontooSetup-Silent-0C48.exe	89
PID 3812 wrote to memory of 1356	3812	YontooSetup-Silent-0C48.exe	89
PID 3812 wrote to memory of 1356	3812	YontooSetup-Silent-0C48.exe	89
PID 3812 wrote to memory of 3504	3812	YontooSetup-Silent-0C48.exe	92
PID 3812 wrote to memory of 3504	3812	YontooSetup-Silent-0C48.exe	92
PID 3504 wrote to memory of 4004	3504	chrome.exe	93
PID 3504 wrote to memory of 4004	3504	chrome.exe	93

C:\Users\Admin\AppData\Local\Temp\2222a277faf23099daa91a28ba8b64c0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2222a277faf23099daa91a28ba8b64c0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:32
- C:\Users\Admin\AppData\Local\Temp\2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe
  "C:\Users\Admin\AppData\Local\Temp\2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe" /q2 "C:\Users\Admin\AppData\Local\Temp\2222a277faf23099daa91a28ba8b64c0_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Users\Admin\AppData\Local\Temp\YontooSetup-Silent.exe
    "C:\Users\Admin\AppData\Local\Temp\YontooSetup-Silent.exe" "YontooApp=PageRage" "InstallSource=PR-EMPTY" "EnableMoreAppsList=PageRage,PageRageGlobal,PageRageTeases,Buzzdock,BuzzdockTease," "OptimizeForIE9=1" "SkipIE=0" "SkipFF=0" "SkipGC=0"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\YontooSetup-Silent-0C48.exe
      "C:\Users\Admin\AppData\Local\Temp\YontooSetup-Silent-0C48.exe" /q2 "YontooApp=PageRage" "InstallSource=PR-EMPTY" "EnableMoreAppsList=PageRage,PageRageGlobal,PageRageTeases,Buzzdock,BuzzdockTease," "OptimizeForIE9=1" "SkipIE=0" "SkipFF=0" "SkipGC=0" "C:\Users\Admin\AppData\Local\Temp\YontooSetup-Silent.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Installs/modifies Browser Helper Object
      Drops file in Program Files directory
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3812
    - - C:\Users\Admin\AppData\Local\Temp\7za.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\YontooLayers.crx" -o"C:\Users\Admin\AppData\Local\Temp\YontooLayers" * -r -y -aoa
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1356
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --pack-extension="C:\Users\Admin\AppData\Local\Temp\YontooLayers" --pack-extension-key="C:\Users\Admin\AppData\Local\Temp\YontooLayers.pem" --no-message-box
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3504
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffc71e7ab58,0x7ffc71e7ab68,0x7ffc71e7ab78
        6⤵
        
        PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\13E59F66\Setup.ico

Filesize
4KB

MD5
60e3ef9326e8c3f574a2c7b5a31fd895

SHA1
d3aa40f8de5c549e6abb189421d6cdcd75ac64f6

SHA256
5e8c38cabd089ecd573d953cf2ade243459d7c06aab7b9698975e10dd7f34689

SHA512
9a9be32fb1b4355f37766c5296139012d2fd931fb0db871307059cd0afc063a334165f34069a27ed8850889175e2f5f00be65ac2e8b9d22903754a043ae04906

Download Submit
C:\Users\Admin\AppData\Local\Temp\13E59F66\_Setup.dll

Filesize
2.3MB

MD5
0ba96504bbe714ef1e40b43fe8325326

SHA1
32bdbfca85d4980057c08a6b1500287f52652471

SHA256
145d6148726fbde5305c1ca684d58b64dd0e80c26d62f1df6ad423a347ac3e6b

SHA512
f9b29e0024d208f4784152c4d71ef830f8db15a7fcdcbed27a1848044e88155a630e4190037705c51345bf55f0e5dcd8ce0ea7f1e72a02a1101ed3cd81cb8e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\13E59F66\_Setupx.dll

Filesize
465KB

MD5
cf61335caf33d13ba378cfb1fccb1274

SHA1
48ef8b4e06e0f1d3c06c4d6e1ea2b6ce48aa5231

SHA256
be3a36c9758fa8c45988aebd7f96e42381cad303c72e79158cfd86d83414ee87

SHA512
e28b73e46c7cc6ea0b61eab80c4f8ef0cb657772f52710ba80746c40656d8f29c1b5008219a35a080d28ff869cb3b7f22ac53fe597e0c4fac876a2eb8b36b37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2222a277faf23099daa91a28ba8b64c0_JaffaCakes118-0020.exe

Filesize
223KB

MD5
173ec2796abc3d74f58a86abd7516a2e

SHA1
b2056bf94f0a4d4b9b7e524da425cb2abb499a80

SHA256
1e03b1b06bbffabba51d1981f6361a8bdac9902ef2f99bca832674a20163e684

SHA512
ca8033a09f8269c37bb301077990fd177b811dde06c7a85aac63ac1805ecf88b39857d5090a844af1f9d14c38b7598807b9a42768ecd6330695d530e69f19153

Download Submit
C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
523KB

MD5
e92604e043f51c604b6d1ac3bcd3a202

SHA1
4154dda4a1e2a5ed14303dc3d36f448953ff6d33

SHA256
fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3

SHA512
ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\C54DEBC9\_Setup.dll

Filesize
605KB

MD5
09d11a55ad41ca4293a1341c8e7464af

SHA1
42831431c139510335bd595d6440e7b5901e261d

SHA256
2de30d4d4ea5ced65e014bb2ba7920a6ce20827291308d9fadf6282dc4c8f27f

SHA512
6068203d2f5baad8cf54fddd938a292ccc1096b014c62ce04c4e89bfab764e7d21c1c869d286ec3c94c1574be4d73a149f2b8541d17d2e95f748da4b2f1eaddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\C54DEBC9\_Setupx.dll

Filesize
374KB

MD5
df8efffcdc499957c8709e91473d5472

SHA1
4d5e286e068924709b628a3b8e6118c7c1326ffc

SHA256
78314a34eb485908d179ac3ce8cd1515f07b5bc0682bc777c718283feabd13bf

SHA512
cefd8747d6696752962b6f9ca9e4a193b15a81d67cb51f0fc8144654838281cc97f88aee2d8dbe9047488fac17eaf264040d15e7aa8a045e8c63fdb8d0790477

Download Submit
C:\Users\Admin\AppData\Local\Temp\YontooIEClient.dll

Filesize
190KB

MD5
056453b9ca34a013877da3aa2ea7415a

SHA1
2365e9f0f2f281139672fbef8ba909763b8901b6

SHA256
f8ac59e8adfd2fd1af3320ce94fe38caa49336f3bdef20a80d633ffefdea3a99

SHA512
0667ad4bb9de91be2b135d17ba1f3694b31648cb8091636cde5d45eccd1506648e6bff4c0c47892a0a0d0236ce9ad7476031a941ea9edf9e8cc1d41535ec1b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YontooLayers.crx

Filesize
1KB

MD5
6fb431a075b218a76ad84785d2a9e978

SHA1
f1946e5b839325e4190e6f0147ab660ffbba2dc2

SHA256
769debcfc33b89430eb7c78ddc061b4298c35042d8b1aaa35015429927bbbbc5

SHA512
0b15ccc20d26c9be44f8c52946654c6cf725c156ba534d69b0602562b340fc198b4e2097911a4856d29efbab1dc6eef222eb4d9ac1a68e622c9d74eac0341626

Download Submit
C:\Users\Admin\AppData\Local\Temp\YontooLayers.pem

Filesize
916B

MD5
d81582a081ecd8458a4282df683c1158

SHA1
d65c9b43362e39d2a4331c042e1e921c49ee9e88

SHA256
eba04c5eac9f6a51c32c79ed5d15d179760e99a9c1dbd52e3e777b0e3a4ca92f

SHA512
5e899d2fdb57226e8840550476f558dcda7a9f36adbfce91accda1e54afd8102e5d976de817cfd0090746f346587be17719a07fabaed55dfcf6ab21f8bcd86af

Download Submit
C:\Users\Admin\AppData\Local\Temp\YontooLayers\manifest.json

Filesize
367B

MD5
7686b68c280ab37c51662b24f1217a4f

SHA1
a2cfb0c94cf949b91847eb1e0e6c8dfb7f889e84

SHA256
aed02d81cb477419683f551811c3199de31558be08214c545988634ab85bdb39

SHA512
63e38267aea00c2262b641d2cf4ed82bbb27cf591215219063d95d575a9b39bdd4b62e1a391608296d790bf2b40be9fbf4f7b3c6d480e5d9a2a91b020f65a935

Download Submit
C:\Users\Admin\AppData\Local\Temp\YontooLayers\yl.js

Filesize
720B

MD5
988bda15dedbe5559ea10a314c6d274a

SHA1
b99d02ef555ecf9cacf5d938bcd55ab97393dd13

SHA256
b766dfebe40c1bb2c1fd672f40db9963a362608fc16aae9f067ccc63246bb600

SHA512
6e0e8c53dd444a0bae0c7f20d05b00bf61d92c6a47223987b0ca5ce7a54725ee7d433dff6f5ca3d53491af49094e9d6fd33a5c035d2a85888624a97564208344

Download Submit
C:\Users\Admin\AppData\Local\Temp\YontooSetup-Silent-0C48.exe

Filesize
222KB

MD5
5a8222c703b4a34f2227a652a49a2827

SHA1
ba8b1c8f341219d608a0a5a2a2c8d63c19697d05

SHA256
17936188efac05a0ef9fd87a79b268445ce307dd37a6f9206d116f195ab049c9

SHA512
7b1c200cf96ebb5b660fb11a85e3daf908a6e4d984c90207b5afa2444703fc784897160cf05a4bc592ecd908bf09f8dbd9195a4c0c07f1caef04bbd7c6624d9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YontooSetup-Silent.exe

Filesize
762KB

MD5
2ed047ddb898ac3113f5c9d825a1de5c

SHA1
819f0acd1e17e07ee5935401899bffbbb5457152

SHA256
2147241c066c9e9192a98ea2b83646429fe75882a1067b60e5c35beba1a1087d

SHA512
9171b7b0b9a249650325c90744113d0d17198189b89cdf8d6d706d29eb72ca89827750c60257f9416ddc05988cb3af4640b32ceab5db9fd7164fa699e5d5741b

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads