26644836f08a3c73e88061fc3c56049a2124579640f0f2b75a396adc1075f1ed

Analysis

max time kernel
120s
max time network
130s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe
Size

554KB
MD5

267da3bb4970edfd8a1859f4b97c79e7
SHA1

ad3d3c98c5af21023573ef7556ccdab97a285c53
SHA256

26644836f08a3c73e88061fc3c56049a2124579640f0f2b75a396adc1075f1ed
SHA512

5daa6592a427f0f0d49954692e53d6f5a0b99c13df146d04853120b954f07798fcad1270018a600a2f143637469ca48761337ad3ca9c29e8fc09c4f750dd83bf
SSDEEP

12288:AjD+ijx7f2PCOPwncag6jBhxfDKbHLKbocZlweVsEZopDs:Rijx7f2P9PZag6ZaOEcZf5opDs

Score

7^/10

adware spyware stealer

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2052	InstValid.exe

Loads dropped DLL 8 IoCs

pid	Process
756	267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe
756	267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe
2052	InstValid.exe
2052	InstValid.exe
2052	InstValid.exe
2052	InstValid.exe
2600	regsvr32.exe
2600	regsvr32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{815829A6-F768-41DE-B765-FED22D3DA34B}	regsvr32.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\extensions\[email protected]	InstValid.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426295303"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D3678F81-3A57-11EF-B1D1-D2EFD46A7D0E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0b1b2aa64ceda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000681bcc4b22710f43ab8785dac0959438000000000200000000001066000000010000200000002f652687880597de78086957c94cd6a267681be08e1434ae73de72720b7905b1000000000e800000000200002000000058e2a197b7305e8961db4d2a6735313164cd7bda797b0a04824df10c74f94bb82000000008a4d7eecd11f3029a5dc132f213f09570d2fecc33966ba2e87fbf558c5927e0400000001135925b2d961b760dd624d2c579e6e3e38992a94ac609a3c768232b5a3b37b5aa0ef5193180438af3d80826fde7c4a4c11526b2587e5e20c2e31be4e65bffb6	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000681bcc4b22710f43ab8785dac095943800000000020000000000106600000001000020000000f1830a7bde6c8365866addaac45898664b0913c5cc959792a0aafca34bb7e8c1000000000e800000000200002000000088a8d47c51b6ec4b8defdf38bf33efa9664701f55b1eb180b11a09680b7ea3e4900000004e38962e1d0e8677c7851ddfd80f9d9454e46a3cab32db7cbbb8f4c402a117aa5e09ff444ba193a392ab74c3a12504c668664e9618fdd207f558a1367d23214ed6589e9c40c77fd287a66808a7e9804731a27ffb43c7ba4816b4e416d84141b0112120ac27b26cd6cf3ee1b30d61c4daab1f8fc5d1c8d876baddadfda67ae0e756e119ed5e08566329adc78141a4551e40000000acb763ebf1806e60c1609e1dca30ec25625e15c647219bf24f3bd5da6618ee457caeb920e41392ba71bbf525e8170c47f8af7f4a3cda85b4b4bf2c11e7ff870d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMIE	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleNMore\\3.GoogleNMore.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0\ = "GoogleNMore 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\TypeLib\ = "{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMIE\CurVer\ = "GoogleNMore.GNMIE.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMFF\ = "GNMFF Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMIE\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMFF\CLSID\ = "{97DDAF32-45A9-4E34-B9EA-B97C5C047738}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\ProgID\ = "GoogleNMore.GNMFF.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleNMore\\3.GoogleNMore.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\TypeLib\ = "{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMFF.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMFF\CurVer\ = "GoogleNMore.GNMFF.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleNMore"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMFF\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\VersionIndependentProgID\ = "GoogleNMore.GNMIE"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\TypeLib\ = "{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\ = "IGNMIE"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\ = "IGNMFF"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\ = "IGNMFF"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMIE\ = "Google and More"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMFF.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\VersionIndependentProgID\ = "GoogleNMore.GNMFF"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\TypeLib\ = "{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\ProgID\ = "GoogleNMore.GNMIE.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\TypeLib\ = "{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\ = "IGNMIE"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMIE.1\ = "Google and More"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\ = "Google and More"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\ = "GNMFF Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\ProxyStubClsid32	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2444	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2052	InstValid.exe
2444	iexplore.exe
2444	iexplore.exe
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE
2852	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2052	756	267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe	28
PID 756 wrote to memory of 2052	756	267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe	28
PID 756 wrote to memory of 2052	756	267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe	28
PID 756 wrote to memory of 2052	756	267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe	28
PID 756 wrote to memory of 2052	756	267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe	28
PID 756 wrote to memory of 2052	756	267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe	28
PID 756 wrote to memory of 2052	756	267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe	28
PID 2052 wrote to memory of 2600	2052	InstValid.exe	29
PID 2052 wrote to memory of 2600	2052	InstValid.exe	29
PID 2052 wrote to memory of 2600	2052	InstValid.exe	29
PID 2052 wrote to memory of 2600	2052	InstValid.exe	29
PID 2052 wrote to memory of 2600	2052	InstValid.exe	29
PID 2052 wrote to memory of 2600	2052	InstValid.exe	29
PID 2052 wrote to memory of 2600	2052	InstValid.exe	29
PID 2052 wrote to memory of 2444	2052	InstValid.exe	30
PID 2052 wrote to memory of 2444	2052	InstValid.exe	30
PID 2052 wrote to memory of 2444	2052	InstValid.exe	30
PID 2052 wrote to memory of 2444	2052	InstValid.exe	30
PID 2444 wrote to memory of 2852	2444	iexplore.exe	31
PID 2444 wrote to memory of 2852	2444	iexplore.exe	31
PID 2444 wrote to memory of 2852	2444	iexplore.exe	31
PID 2444 wrote to memory of 2852	2444	iexplore.exe	31
PID 2444 wrote to memory of 2852	2444	iexplore.exe	31
PID 2444 wrote to memory of 2852	2444	iexplore.exe	31
PID 2444 wrote to memory of 2852	2444	iexplore.exe	31

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	InstValid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1"	InstValid.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\IgnoreFrameApprovalCheck = "1"	InstValid.exe

C:\Users\Admin\AppData\Local\Temp\267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756
- C:\Users\Admin\AppData\Roaming\GoogleNMore\InstValid.exe
  "C:\Users\Admin\AppData\Roaming\GoogleNMore\InstValid.exe" -val:Top_Gear.18x01.HDTV_XviD-FoV.[VTV].avi
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2052
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe "C:\Users\Admin\AppData\Roaming\GoogleNMore\3.GoogleNMore.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Modifies registry class
    PID:2600
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.YooVidz.com/ThankYou.aspx?v=5&i=val:Top_Gear.18x01.HDTV_XviD-FoV.[VTV].avi
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2444
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2444 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
031c1d13d07750ddc6cec6ae0b5086ef

SHA1
e876c4a302ee7c654b3f3ef85158f4a2c29f91ae

SHA256
939f0abc7aac8f567405b4b5f590abae431661fe9febab62b15c4ac00f192f99

SHA512
b583f920975d9991aee94dbe60cb1449d00ce52592b18af74f06747024c6de2dce457f325eee92e5ebc95d4db408b3c8ff936eb35351997820851a00e0e4976d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f272fe50fc6d72a19dfd0fe8c0790397

SHA1
86b07b3cecce2aa730f591ae0b57b8de01ef6b90

SHA256
ae8f0a7e0af13299b776f1e9de52c4fb36a4bf15b8d58bed3c055812d0c11429

SHA512
2ec8e94515553060369dcc345b17926458c076c1e6c7b724c85b2d2217303651c82bda2ca576fcbf2b43f39ad1c385a9f2a7fa46ff86605674976ac4c2791001

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7732d54320110f30f2a7131476e562d6

SHA1
8a9a6745945c24fbdd55ded0b376344472afa5e9

SHA256
8b5f61de8110a23a6ebf90754b411e9697a1179f1589ce4d83d66c8d7449c9b4

SHA512
9d4a57eba24b84bea9654107970f1cfd1c8a5e0caee223151bf4d47459ef5dc98a69bf060743cdaec740134f53844693f1589d5f670cfc8bfb1f61cd8167e02e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0c45527177c05a244991ac30e84815a

SHA1
4aa460b735bd10eb9c409b3a8b7e35730828cce1

SHA256
8ef351158c81627472ae7bc442104de1e2315ea086244a0d4f87fc48b7434cee

SHA512
9fedd2247fe4cadf2c2421fb616f1526df655e8de4e993001d6f2a33eef138a7ce9ced8cd7d9aad30ac68555d22b164800b49776a6613c9f4b13ef4457bbe28b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
864d7608d850830c501a74d38fbea982

SHA1
f5d3d61c5ca839a9e929f67f83ce7bf2de2b474c

SHA256
1c7038c10f3b9ace415dc1567018579f967a22d0d3ca97f858cfb7ff0b2b92eb

SHA512
2af3fe4d12f61ec9a751d5629eb042d3430126d0726d1152617cf0289cdf4dfeda5329f2a9281dc641b79337a3f0bced506d0bd06ac43bfccbfc70c40769481b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3d5d426f04eaac6e5a5eaab8363b0da

SHA1
3c1b1ff021fb15bb0abaa0ef352ecba533465c80

SHA256
1d40493cb63c1858b13e06b4791d46f44d893c7449fc8e9f8d795a620061ed99

SHA512
f73cadeb5860c51d5c5413f15f7ce68f3f386b577659b3a1984fcd7806d154e079530fae1f053780a55dd34bbed32b785a1545bd1f5f9ab7084391cacbb9e8ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75bd6b03e1b30cc9b638d776aa570822

SHA1
67b143b5b9d18c919f15bec05f51cba014b40c72

SHA256
9ff100bd2ed3539050bb61fb41e791c71de90b4bd52728b5b1cda446872ea214

SHA512
7d89a6fc4e256c4243dfd2f1fa7bc79856197a54d35d74d4726175907a3732c12d2e4f3b2bb12c3676fb95924406c1fdeec08d7a7282e97c4db6ba468970cd1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98800f0f3dd7c520d2d0a4790420a9e2

SHA1
718fbd735377ea71a266a5423d148eb77b8153d7

SHA256
c36754f24e2dfdd9b5ae5ce990d7622178bb18518859cfbb41754d7ce708cc14

SHA512
150c634243fd3a1b5948c00b067ec7467f0868c3d6a5ca7e020a98097da075d0414d97ee71ccba69bfc862291277347e7d3184ae3785437ef9224e969d50990f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e16dc4fd05c5261d0eec601651419ab

SHA1
a27e8d34a834d6a509d6943fcc73b7b2b6dbf139

SHA256
d4ed49323ea7bb90e6298d8aad9efa0194d702230afbf395defb741909731d9e

SHA512
92bb07b1ce61b8eea2187ee92bd31c6a896a37f2f28129a0ad48ff325ec72ee822f886ee03aa7b4ee79c6ff722e4acda807ee554e797a195739084cf2e092335

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4819ec9b88462595edda284ea2d84836

SHA1
9c089712af68e34fe211b38e7b9bdf83245c3d59

SHA256
8834fb2f756b3ae2912fb72dfb773835c396acef7918f83170c84f923dd3756d

SHA512
0f89d6e61d1a816e77936c0e986f517126582f59cdfe5df6ba497629f09d8c0014147ae55a60efc078638cb1910786e777f5906a595bcd63d3db690d8239a2da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6ec62588ef72af0f0c0a58a97d880f5

SHA1
caa2de66dea130dcd276cd9854ed24efe68f952f

SHA256
768d40363aeea814927f17ac753b3fa305c642a02f4626d98548de1bd442e642

SHA512
3474d4ec842264547c32bdc9fdb9ad6cefe753ef5bf758307320928ab9f777a45e4bdf45be6cb2084e2ee8e57dce549b4226f041f29c62cffb43683c6063b23d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
018ddaf144d646002d9c7e4662d9d339

SHA1
828803d9bdfdb605c15ae60739fc6df4aad146d4

SHA256
f72b4e0c9ec993b31abdb89a207ddee2a493caf8da97fadf2c0eac5248781022

SHA512
72c95f5630d421dfa0d1639b93604495bbf7ac8020837b2b9d2a0c9c814a85954c335d8734ed2f174e5b28afe20652daded90e505b132bc4b08e890de3279059

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8efdc97ec85e9c7fc2186ddb413587c9

SHA1
1d97b1b0614198725397410452cd9550706e6db4

SHA256
28307497daaaf73353a605a7335f4e549418359d1d178f37e35cd622a524f068

SHA512
8829e337077634b263cdc9dfa4784288e50bf6cd5b240d1eccc05fb0530d1c51af04d12d4cf113516aa6f72fc04fb9d6843267a81147d7df67d53d6a1df6360b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1795862953c559f9b2e86ce5bf3a1516

SHA1
86622e058afb4a72307e8891bd8035ac17122ab7

SHA256
79bfda904e4179573751a78232c624f1ea264b4ba4261087d77a2ee84df3811f

SHA512
b04650b1a4f27197ff09533ef3265a957fefc7d5d7179dc546960e76a15ef7a349fe834a83217efa213427671033ab088d92cd7c09abe6a3b47f701dbe682c0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
601f55923c7bf2ddfba0ac1ec8179c14

SHA1
a4c6f0775548eef3e5e31f7f4a1eb91f1914530b

SHA256
30e9c5632870c12bde9ed0bc3560bed29643a2334ead38885e01ce2a6704b2bc

SHA512
84929f7a80d83f78d899f77dc4600c69378ea7b533420ba5ebea763980e0dfa63d3ff9c0dff05a7c0bc3ccf6a217c9a4c508f7252b5eb1a1f21dd89ae8746fdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9ebbc8bee63ab8306de35f731e75438

SHA1
7d196b65806094c736f25e97ef161f2424493bd5

SHA256
c977eb8a3f0d843f8df178fa43d743aaa89aa89164c8d84f6546f5afa5bc87c2

SHA512
8d0025cb7fea7bd77524ed874f1cda6c797388bc2f4a55f4874ff4f5fa27e3bde0fb8ff31e00bc03e7b5f5cdf126ae2fd55219b63d01166dd8b99b2060d585e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e3d23bf6fa0ed3030741c358e969b74

SHA1
8f96e866a512d877edccffbbf2e0b4108e9c2cb1

SHA256
7dec24234f4854ecec21247f309bfb989801d1ac8d839d06257191f89a69f053

SHA512
bd22d09e0652652c3b904812a5805577948721b73b562966d39e78c245710562a0d832d19e917a6af7feaa61c67e10e220da7d00efd33b504d9faaa069b39fee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf7ccfb893bc8865b8392f4ab61cecc6

SHA1
9b236e8eba08c4aa90e6977cfba34a42c77e234c

SHA256
fd06e0eaba49eb994ce33fef4976b7c4ab1d6109d338978e932ab2f7d7b325fb

SHA512
1c6cfff167a0192bd73b136748f24864f556f273689ccd85048c7d2e9d443f2cfb20fb280a8673f62c9c70071979629a975d4e49b94ad2b810770a73241ad89c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e203f9d3bff968119f00a844ab3514c5

SHA1
697b6a20c3d5b1029f54347fbbd5f227b2ad4955

SHA256
1d062f381731eeddd2f6ecf1e18b9da52efcb748107fd85bc5dc40bef393691a

SHA512
3735dc21e046b19c85bff566398734da2eecae7951ff8812e26099dc88123d771222ffc58ee35aae403a71f3d046c55edb9236dc30481b19d5b6c46d229039f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab50E1.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar51F1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleNMore\3.GoogleNMore.dll

Filesize
112KB

MD5
3b6fabe45e67779746f6da67b25f0746

SHA1
d47d3527be974623d2aa96b58786ae6e552e2564

SHA256
9af640f6ed6ec741a6cc16dde39777fe26d8b99821a5b1757a679b7c939431bc

SHA512
1352f9d4f1ca3c8f4ee85926abcb4ea50ef8206e98a39f1098b940ec279e05e50b06425376db4dfd130cf7b09ee3db64c582cbefe038a05903f44b414127e701

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleNMore\GoogleNMoreXPCOM.dll

Filesize
28KB

MD5
7ee66bffca97f28b568b716551d1fe44

SHA1
e3d484f0058dfade70c702468a6046ee9db076b8

SHA256
351283b6b9a0d0ce5a5f574480729751c3a883f2d999fd6794ebf5c08a224bd4

SHA512
e82b5c07882deae93d50d0f5f8ac27dd1445eeb621cecb3b7c2bec45d4a0f22e47e2ca275ae5358218bd2eb034ec951c6c08124a51b5266d87e45d93b5d74324

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleNMore\IGoogleNMoreXPCOM.xpt

Filesize
148B

MD5
6aa9be6052fdad60d6316b9092b6ff3d

SHA1
526547b9063c6dc66d2e660aa6bd938c782bdea9

SHA256
7833034e9a64347a19f6396da569e098748b4913e142d1a6fa2b7e846cc3c169

SHA512
42c01e6ba2e686652285fb096ed576fab4ce903ba2c7442e70a574c48b0d6ded867d7ccede2762a0452bbb98c08fa007cf21e83017691b9aa7a5eb1ee8fe4fc0

Download Submit
C:\Users\Admin\AppData\Roaming\GoogleNMore\MFC42u.DLL

Filesize
972KB

MD5
e2f0a183acade1bb6d15fa07046171f6

SHA1
17ab4c0e6244f1f2a861c2e396a63bb2efd11844

SHA256
15c62441edfabd83aa18e2099dd8cb6d6e5d9c6dd248cdb444e41a2aca9ebe93

SHA512
de61a58451b8e51c24090587d2f0cfd4c96b130bfc7e059f698f91b9370260ce87723d6d01459b562ad6277629747f989acc5130c8fd598bf8eaed70f376b381

Download Submit
\Users\Admin\AppData\Roaming\GoogleNMore\InstValid.exe

Filesize
36KB

MD5
13a04b67fc1c7dace722b6259e29909c

SHA1
04ec97ff25418e8482971b7a6b301dd15dd9de6b

SHA256
7af9b9a0aacb2515a2605c2374ff8a85fcae9ac3dc181701a0acaf54e9820805

SHA512
622dbef85e447d033a87ff53b1b1d10d8cb4ce377eadd98bf6c4bdf14899dd709260a222550297eddea8fa9b9ccabeacba704f576ef5bbdecde0a4a1048a2c96

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads