Analysis

max time kernel: 93s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240704-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240704-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/07/2024, 22:39

Static task: static1
Behavioral task: behavioral1
Sample: 267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe
Resource: win7-20240221-en

General

Target: 267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe
Size: 554KB
MD5: 267da3bb4970edfd8a1859f4b97c79e7
SHA1: ad3d3c98c5af21023573ef7556ccdab97a285c53
SHA256: 26644836f08a3c73e88061fc3c56049a2124579640f0f2b75a396adc1075f1ed
SHA512: 5daa6592a427f0f0d49954692e53d6f5a0b99c13df146d04853120b954f07798fcad1270018a600a2f143637469ca48761337ad3ca9c29e8fc09c4f750dd83bf
SSDEEP: 12288:AjD+ijx7f2PCOPwncag6jBhxfDKbHLKbocZlweVsEZopDs:Rijx7f2P9PZag6ZaOEcZf5opDs
Malware Config
Signatures
-
Executes dropped EXE (1 IoC)
  pid | Process
  456 | InstValid.exe
-
Loads dropped DLL (3 IoCs)
  pid  | Process
  456  | InstValid.exe
  3876 | regsvr32.exe
  3876 | regsvr32.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Installs/modifies Browser Helper Object (2 TTPs, 1 IoC)
BHOs are DLL modules which act as plugins for Internet Explorer.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{815829A6-F768-41DE-B765-FED22D3DA34B} | regsvr32.exe
-
Drops file in Program Files directory (1 IoC)
  description | ioc | Process
  File created | C:\Program Files\Mozilla Firefox\extensions\[email protected] | InstValid.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50eb2bbc63ceda01 | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40a630bc63ceda01 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E6E96CB6-3A56-11EF-A01A-6E7C67FFD1A4} = "0" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008fcedf5e0d52224baa9638bd05eba52500000000020000000000106600000001000020000000722e4587dd9b4e41c1ce0c2ca16504570a50fc6d2971d6a2776fa8309bf086f8000000000e8000000002000020000000dee8781833ae855c6dce6ba71906fc312ab243e4ef0422f0e5c045258c0ee8792000000087d67557e3b11f8097cc0089f4033cc61b6db7f18b5c4944fc1c6b4f97acdb9f40000000c668252ba86ab7a80999647064573eb56f7683b9f6f1f18ad43b121b725af0707a2464102bfd9a08f64cb8f2dfb5b57fbd9eb0186bc5cdce62acba985cbea593 | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426898013" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000008fcedf5e0d52224baa9638bd05eba5250000000002000000000010660000000100002000000076abb3211ba2a61c34f0937b9b46a498d87308af6f51011f5b9a23f9de9b5d3d000000000e8000000002000020000000e89dd54e524448f47de7e280bfab70f619064d4feeaadec5bca2ee87c963452120000000b39c15952f0206790a0533f1c26f0a4b99d45eedc7152e366d4471b4a361e84d40000000359ee90890aa6e9bf3d01cb508a22fa52de05efcb93a1cfec7050de0201762211a12b8e45691c6e7fbba860f49a48ca83715411269691c2b0b49bb510b97726c | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2494989678-839960665-2515455429-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
-
Modifies registry class (64 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\TypeLib\ = "{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0\FLAGS | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\TypeLib\ = "{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\ProgID\ = "GoogleNMore.GNMFF.1" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMIE.1\CLSID\ = "{815829A6-F768-41DE-B765-FED22D3DA34B}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMIE\ = "Google and More" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\InprocServer32\ThreadingModel = "Both" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMFF\ = "GNMFF Class" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMFF\CLSID\ = "{97DDAF32-45A9-4E34-B9EA-B97C5C047738}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMFF\CurVer | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\TypeLib | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0\ = "GoogleNMore 1.0 Type Library" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0\0 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\TypeLib\ = "{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\ = "Google and More" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\VersionIndependentProgID\ = "GoogleNMore.GNMFF" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0\0\win32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\ = "IGNMIE" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\TypeLib\Version = "1.0" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\ = "IGNMFF" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\ProgID\ = "GoogleNMore.GNMIE.1" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\VersionIndependentProgID | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleNMore\\3.GoogleNMore.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMIE\CLSID | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\InprocServer32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\ProgID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\ = "IGNMIE" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\TypeLib | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMIE | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleNMore\\3.GoogleNMore.dll" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0\FLAGS\ = "0" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0\HELPDIR | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\TypeLib | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\TypeLib\ = "{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMFF\CurVer\ = "GoogleNMore.GNMFF.1" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\TypeLib | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMIE.1\ = "Google and More" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMIE\CLSID\ = "{815829A6-F768-41DE-B765-FED22D3DA34B}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMIE\CurVer | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMIE\CurVer\ = "GoogleNMore.GNMIE.1" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\Programmable | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMFF.1\ = "GNMFF Class" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\ = "IGNMFF" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\VersionIndependentProgID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\InprocServer32\ThreadingModel = "Both" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\GoogleNMore.GNMIE.1\CLSID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\ = "GNMFF Class" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\TypeLib\Version = "1.0" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\TypeLib\Version = "1.0" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B}\ProgID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{97DDAF32-45A9-4E34-B9EA-B97C5C047738}\TypeLib\ = "{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{23C8C930-8831-4DD5-A1C1-8CE1B7E01956}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\GoogleNMore" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56CE1560-48DB-46C6-ACF0-0926220D6317}\ProxyStubClsid32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\ProxyStubClsid32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9040DC9F-6D87-4CE5-8AC6-A98084F848B7}\TypeLib | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{815829A6-F768-41DE-B765-FED22D3DA34B} | regsvr32.exe
-
Suspicious use of FindShellTrayWindow (1 IoC)
  pid  | Process
  4580 | iexplore.exe
-
Suspicious use of SetWindowsHookEx (7 IoCs)
  pid  | Process
  456  | InstValid.exe
  4580 | iexplore.exe
  4580 | iexplore.exe
  3688 | IEXPLORE.EXE
  3688 | IEXPLORE.EXE
  3688 | IEXPLORE.EXE
  3688 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory (11 IoCs)
  description | pid | Process | procid_target
  PID 1804 wrote to memory of 456 | 1804 | 267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe | 81
  PID 1804 wrote to memory of 456 | 1804 | 267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe | 81
  PID 1804 wrote to memory of 456 | 1804 | 267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe | 81
  PID 456 wrote to memory of 3876 | 456 | InstValid.exe | 84
  PID 456 wrote to memory of 3876 | 456 | InstValid.exe | 84
  PID 456 wrote to memory of 3876 | 456 | InstValid.exe | 84
  PID 456 wrote to memory of 4580 | 456 | InstValid.exe | 85
  PID 456 wrote to memory of 4580 | 456 | InstValid.exe | 85
  PID 4580 wrote to memory of 3688 | 4580 | iexplore.exe | 86
  PID 4580 wrote to memory of 3688 | 4580 | iexplore.exe | 86
  PID 4580 wrote to memory of 3688 | 4580 | iexplore.exe | 86
-
System policy modification (1 TTP, 3 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\DisableAddonLoadTimePerformanceNotifications = "1" | InstValid.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\IgnoreFrameApprovalCheck = "1" | InstValid.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext | InstValid.exe
Processes

C:\Users\Admin\AppData\Local\Temp\267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\267da3bb4970edfd8a1859f4b97c79e7_JaffaCakes118.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1804

  C:\Users\Admin\AppData\Roaming\GoogleNMore\InstValid.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\GoogleNMore\InstValid.exe" -val:Top_Gear.18x01.HDTV_XviD-FoV.[VTV].avi
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 456

    C:\Windows\SysWOW64\regsvr32.exe (depth 3)
      Command line: regsvr32.exe "C:\Users\Admin\AppData\Roaming\GoogleNMore\3.GoogleNMore.dll"
      - Loads dropped DLL
      - Installs/modifies Browser Helper Object
      - Modifies registry class
      PID: 3876

    C:\Program Files\Internet Explorer\iexplore.exe (depth 3)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.YooVidz.com/ThankYou.aspx?v=5&i=val:Top_Gear.18x01.HDTV_XviD-FoV.[VTV].avi
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4580

      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 4)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4580 CREDAT:17410 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        PID: 3688
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Filesize: 112KB
MD5: 3b6fabe45e67779746f6da67b25f0746
SHA1: d47d3527be974623d2aa96b58786ae6e552e2564
SHA256: 9af640f6ed6ec741a6cc16dde39777fe26d8b99821a5b1757a679b7c939431bc
SHA512: 1352f9d4f1ca3c8f4ee85926abcb4ea50ef8206e98a39f1098b940ec279e05e50b06425376db4dfd130cf7b09ee3db64c582cbefe038a05903f44b414127e701

Filesize: 28KB
MD5: 7ee66bffca97f28b568b716551d1fe44
SHA1: e3d484f0058dfade70c702468a6046ee9db076b8
SHA256: 351283b6b9a0d0ce5a5f574480729751c3a883f2d999fd6794ebf5c08a224bd4
SHA512: e82b5c07882deae93d50d0f5f8ac27dd1445eeb621cecb3b7c2bec45d4a0f22e47e2ca275ae5358218bd2eb034ec951c6c08124a51b5266d87e45d93b5d74324

Filesize: 148B
MD5: 6aa9be6052fdad60d6316b9092b6ff3d
SHA1: 526547b9063c6dc66d2e660aa6bd938c782bdea9
SHA256: 7833034e9a64347a19f6396da569e098748b4913e142d1a6fa2b7e846cc3c169
SHA512: 42c01e6ba2e686652285fb096ed576fab4ce903ba2c7442e70a574c48b0d6ded867d7ccede2762a0452bbb98c08fa007cf21e83017691b9aa7a5eb1ee8fe4fc0

Filesize: 36KB
MD5: 13a04b67fc1c7dace722b6259e29909c
SHA1: 04ec97ff25418e8482971b7a6b301dd15dd9de6b
SHA256: 7af9b9a0aacb2515a2605c2374ff8a85fcae9ac3dc181701a0acaf54e9820805
SHA512: 622dbef85e447d033a87ff53b1b1d10d8cb4ce377eadd98bf6c4bdf14899dd709260a222550297eddea8fa9b9ccabeacba704f576ef5bbdecde0a4a1048a2c96

Filesize: 972KB
MD5: e2f0a183acade1bb6d15fa07046171f6
SHA1: 17ab4c0e6244f1f2a861c2e396a63bb2efd11844
SHA256: 15c62441edfabd83aa18e2099dd8cb6d6e5d9c6dd248cdb444e41a2aca9ebe93
SHA512: de61a58451b8e51c24090587d2f0cfd4c96b130bfc7e059f698f91b9370260ce87723d6d01459b562ad6277629747f989acc5130c8fd598bf8eaed70f376b381