Analysis

- max time kernel: 136s
- max time network: 130s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 04-07-2024 22:47
Static task: static1

Behavioral task: behavioral1
- Sample: 268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: 268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe
- Resource: win10v2004-20240704-en
General

- Target: 268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe
- Size: 104KB
- MD5: 268367975a460b790b9711e4b2257bf3
- SHA1: f231b21729f766d7e94c846111f42e030b658641
- SHA256: 235628a202d69369b836b3fd34f951a2030c46379d6d91bc9e7a4a9413089f5f
- SHA512: 39b1b7a0fcd447b9977841865be57de642fece15b07d83a0e8f5d0c5419250c9ab84c9a2180375f8ed6a7da2f6b9b7186803e999463b779b03497d462d55b78f
- SSDEEP: 3072:tL5FLClZmzePVeO1cmmQFg+G4pnSvhWfPdi9X3kua:R5Fe7mz88DrQFg+9SvhWfP+I
Malware Config
Signatures

Windows security bypass
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe)

Deletes itself 1 IoCs
- PID 1792 cmd.exe

Windows security modification
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe)
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048} (regsvr32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048}\NoExplorer = "1" (regsvr32.exe)
Drops file in Windows directory 1 IoCs
- File created C:\Windows\ieocx.dll (268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Control Panel 3 IoCs
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\don't load (268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\don't load\scui.cpl = "No" (268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Control Panel\don't load\wscui.cpl = "No" (268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe)
Modifies Internet Explorer settings
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup (iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry (iexplore.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing (iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{94561041-3A58-11EF-AB3F-D2DB9F9EC2A6} = "0" (iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" (iexplore.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0b7aa6b65ceda01 (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006fb3d087c4ee9c4bb22550fd83a03905000000000200000000001066000000010000200000009072a04f3d184ffa1e8db5b9aab1e1d31f5def996cb824988ef402157c079ebe000000000e800000000200002000000038998c15f2ec7e358c9439700332e8c435ebc4fc7f299fd9f80fad9af9c8a4fd200000003d70689ff72bdc30c183db9d49e1025e6471021fd127adb288a8a5e6b2e3c417400000003948496fb2e1e9248e796644f1d3102195a428f259c6ffcc42f04c39d10332cd1d7a6bd8a8e42e658f22b7984aa8f23be7f14cefdfd0d46fb726b6968bcff3dd (iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426295627" (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser (iexplore.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
- Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value removed in extraction] (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar (iexplore.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage (iexplore.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
- Key created \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
Modifies registry class 60 IoCs
Process for all entries: regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ProgID\ = "IEocxApp.IEocx.1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CurVer\ = "IEocxApp.IEocx.1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CLSID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\ = "IEocx Class"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CLSID\ = "{06ec6572-7280-485a-a712-c380526bc048}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\HELPDIR\ = "C:\\Windows"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\ = "IEocx Class"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ProgID
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32\ = "C:\\Windows\\ieocx.dll"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\TypeLib
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0\win32\ = "C:\\Windows\\ieocx.dll"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\CLSID\ = "{06ec6572-7280-485a-a712-c380526bc048}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ = "IEocx Class"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CurVer
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\FLAGS\ = "0"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\TypeLib\ = "{b360243e-09e8-402f-8721-00b6798089ad}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\CLSID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\Programmable
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\VersionIndependentProgID\ = "IEocxApp.IEocx"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0\win32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\HELPDIR
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\VersionIndependentProgID
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\FLAGS
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32\ThreadingModel = "Apartment"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\ = "DHCP 1.0 Type Library"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32
Runs net.exe
Suspicious use of FindShellTrayWindow 1 IoCs
- PID 2716 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs
- PID 2716 iexplore.exe (2 entries)
- PID 2672 IEXPLORE.EXE (4 entries)
Suspicious use of WriteProcessMemory 27 IoCs
- PID 1812 wrote to memory of 2292: 268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe, procid_target 28 (7 entries)
- PID 1812 wrote to memory of 3056: 268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe, procid_target 29 (4 entries)
- PID 3056 wrote to memory of 2076: net.exe, procid_target 31 (4 entries)
- PID 1812 wrote to memory of 2716: 268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe, procid_target 32 (4 entries)
- PID 2716 wrote to memory of 2672: iexplore.exe, procid_target 33 (4 entries)
- PID 1812 wrote to memory of 1792: 268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe, procid_target 35 (4 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\268367975a460b790b9711e4b2257bf3_JaffaCakes118.exe"
  PID: 1812
  Signatures: Windows security bypass; Windows security modification; Drops file in Windows directory; Modifies Control Panel; Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\system32\regsvr32.exe /s C:\Windows\ieocx.dll
    PID: 2292
    Signatures: Installs/modifies Browser Helper Object; Modifies registry class
  - C:\Windows\SysWOW64\net.exe
    Command line: C:\Windows\system32\net.exe stop "Security Center"
    PID: 3056
    Signatures: Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Windows\SysWOW64\net1.exe
      Command line: C:\Windows\system32\net1 stop "Security Center"
      PID: 2076
  - C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://loyal-porno.com/videosz.php
    PID: 2716
    Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:2
      PID: 2672
      Signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\asd.bat" "
    PID: 1792
    Signatures: Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9023c19a6b8f86f2a2685752b443ff71
  SHA1: 6d600a1fce1f956a6c9deb642883c06821929f45
  SHA256: 4aef47da9625f29b29c5666c26305a15e3c69897becc370c5aeab6aaadf2c116
  SHA512: aba60b3fb28ba503d82756857b4df1842a919dc22c8721087a7d82529f00cf128c20b413c2c97f75b51e5e09be84fb002d45c51f6b5ed98cc367ab9c8afffd1a

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7856e4a81d8dcd6c554231a6558e36b1
  SHA1: acbaaa49f8417772f416673e5f850c6238455682
  SHA256: c9c0bc8be1f363177f09c89847cbc9ae48f7c68a7391b15d37fb69c4b6982c50
  SHA512: 15c3e873d6fe3e66ad4d2ffe4f3a289364761b2b893b804126389717d26c9080062262f83212664632da1c92a86626712806d2a349f85f8a7295987f38cbf1ac

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 01491c56f4fbaba743b160b88f494c19
  SHA1: d831029dfe264c6b246b4a26267d47fa048fabb1
  SHA256: 00b5e5e54d7ffabacaf9dc426c2aeb632bf1efdc29d9c7f58c8b68962247a5f4
  SHA512: 6f49057b4a14d1bf135175d056afee0732b1d9e6c9e4348a06f2b76ff447a7fb749efde6bebb8c62ab0c18d2aa144a890b5cd3765967180d4b8c333457eaccf6

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8e3a6aa2de1f01ce19ec511fcc111617
  SHA1: 16c0eefb253f8687eca090fe534c535f6db23213
  SHA256: 8af5230a1dfa4f7e0bcd7adebc0035fbedf02fa8ca7f7d719604ed189fc4bde4
  SHA512: 264376dcf79db204a92d694e4be155816e853098fbf8a8a38e0811978e0762f0727ba345af71df7bbdc5b2593ed7dd4e1486499e5672694a22742d0ad6697473

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: c53034aaa1409ab682cd8537b35d9895
  SHA1: 31e214819a36d88a752bd24cb9939ffab9401c10
  SHA256: c15b4ca1ddeee78a344bc9a8abd4db70cbe88650a2877fc56168734da144807d
  SHA512: ad246e1ff6f9b6ebbdae7dde948164aa2cbc42337d64746ad8a2121a100dde1a336eb13902e717840020b74e6a30453634ffdbc43833e45ffec429fd0e627f59

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b9921445afaedf332416e324f493fedf
  SHA1: d31417ee5656ed7af5f10320f9b428823de5815c
  SHA256: cf14a50688f0e8156cfcd1523048541261aad8a9b37b7ec261560f66b221b213
  SHA512: 27c7be2b1e72e723338f513f5d8dd48f0c3335bef35e575bfd8f7b1b202230ef41557c495381ec0a822cf81b595fb12cf2787c22285c8542c02b17078815dd06

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 64882544f4aa92f8a20a46fcd9e3f305
  SHA1: 15b96929533a2825b79ba81f4d5ee1260d74f46e
  SHA256: 08d17c4fb742be1d167709b81bca10adb5473a800bb8253c0f529eaff8362006
  SHA512: 66fe3b2dbfd8a258c7365aa2ed27f2cc02daae38651fba60fc76ae3beee8469313b91c06d3ca1ccd3958873fc4c918a63d1535bccce2c450717b877da866094f

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: bc28907788ac62939d9337521f0fe36f
  SHA1: 5e003e41c934ca377761a35452f861f94dc9a33c
  SHA256: 56ffcee82f6bf3fc50d7a8125bb440f7e233290e921e7a462c4ac717c29d4880
  SHA512: d4ee04fd5bedf69396651bfcbe561dcf3de7ed07852f1ec96d0998f0df37e006db5b0b51342383b8b0630115e1e0b4539cce1b95b9242110d4d673c1aaf48c6a

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: daad40670643b7e3fd8dd2e56e0528ff
  SHA1: 1639c7a787c9a977627a413b7e90fc98b5ba07fd
  SHA256: 2727663f9d72f2d65144091fd50ce2012e44f67cfc935965f7c1cbad8eca579d
  SHA512: 5e78f0da4e2261d69b74acdaae7bd40d6b4df0a7750acbea373925d94a5ca03795148cc7aef53a37fa2bfc0c5fab309d44cd227dc55be554c7bb7636afa5b571

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f93d66e4267e9886b25a6f4479401f21
  SHA1: aa5e7edfffb98a2c974ddd2861b70012579f66a7
  SHA256: b8118f54e47cb00489ab2e276d7dbbb04f0ba89cb9d98255ad900b3354f0acf3
  SHA512: 3e2177e3aac2a69a3fd72000015a5ecfd3f725f8634a1fcb77efedc46b5dc3732c70409f9e53af939c306430e2eb8cb0c2b0b1c48031fc7a428bbf6a268f269f

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 68f4a8e17bd4cd9aaf0310af87271a18
  SHA1: 130733bfa780318a4bcb33d818cb5ae05ba59479
  SHA256: 41dd90ea954db96150a86fc5b5966c1b1cdbfe06a7b4f7022af7b1d127e76f58
  SHA512: a6c54bd0e54a858b6c34ebac4b1c0fe3345aea29755975217ec6d2b374165aebaa028e5b8813e6d40d978e4e75c77e4027d51729376b4a0305308c2e6788aea3

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 772cd7b4132c190c47a65b2a4bc79773
  SHA1: 0555bf2ddf839e1b24dac0ceaf092bc3c835c422
  SHA256: 00f618bb2628a952c27e955eb7a50de1b1a4a50504009725c901fe387b1ee240
  SHA512: 67f8d4a56f198b1289c2254d4db8c0aa23e06665f66079fec76b0d83a43f285f47d0fa5835a7210230dccc61f29db9bd84da9ec1324ef665660555dc79fdca79

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b97bf8c95fbe300b4678672f33e962b2
  SHA1: 44876577e554be5502d818b22de090da2e34245f
  SHA256: de2fe132bc24d4b2091be44d2e5e269985ebbe4e00d536b079701174a7b3adaf
  SHA512: f7bc9c5f3409e25f4d14af887d8d17aea5d47982da45e15a535316aa2f0ce5a04246ae8e61b0e25cd736f425636e1acd413e873a3b0e7f0dde3fb92c5041cc1a

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b24b01585fd940ecfb8bc7be6da5f978
  SHA1: c05853da1afc7e6a96e27016e728208f75dc1b92
  SHA256: 43a3e6f7678e5f179553feba649181fdd7167a7d4e860006e0e12e7454a1db71
  SHA512: 7181a412e6910ec0aa89af32b50f1b7242f0d9c76c5b2cbe6b320c9e4d360efc537cd45fb4fefc500969764797f0244b4693e6d8536f4c62a13dbd0794473e1d

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e295ceb067266074485362702ff66be3
  SHA1: e524e789b81fab006fb1ba44829f4d99b0e25910
  SHA256: 4c149af10a67620c0b4c4bf04131d452e541c123bb46fd67dbed1fc31d33cc44
  SHA512: bac0278673360f002e9fbf56b8821cfad250e75274d2fc5dd3e41888fc489b50892105c612ad0200dfe813ac94ef3eb09800304a503a6cfa3537a3bcaac27bf1

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 2126ce3ae69a6f07e774544a93d8aa51
  SHA1: f60cffac8ae7aeed9be9a8879aa874095a49fdee
  SHA256: 6965f44f47ade42fdd6803893f091fde1f3d4b85c019ee7477231a94abf98794
  SHA512: 01d80c09c2bd685e4e529e8630107fb576f6da5b0ef9cdaed273618329b29ff8a6e3c5aa9c914bbd96c05f76fd01c3b7a924e98b546e8cb2ed0d1a7bcf63b232

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 59be8ec109ea3776e91b6ef1708c7b90
  SHA1: 4fd65b6acc7205ef3aff1a9e674513252ee1739f
  SHA256: d6c78acf2756f2d8181b135d3e587e09cb3b98d943ffb585c495c99141e5c7cb
  SHA512: 7b32270b9b8c8a532a078991c4a468a173932b7a1ed992bbbb144d30436350481951a1ca47d1dc95a2f4a3742a5dabd5c344e4ab89bd5875fe766fd7647cd14b

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 2fc28bc0d5de49171e0fda3c10a80913
  SHA1: 3ca4bd164d0ccca0cee66ee49dd420d619087ff9
  SHA256: 016e37d414aa460c3aa7a4cb7ca024c238452ac9469868364c525a461ea9ae18
  SHA512: 17e1bc9ec93f8d8632d5ae637198783d41cc304f2530d92c93ab86af4e32e1136bd3c96d6c881c09f52acfb6489647416a9b3bcb9c7e132c7356ae7b98696ec1

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 4542a6b053babc03f460d40f9bd602f6
  SHA1: d26461f4f3dfb1b8858c074658487a8a14ae1731
  SHA256: f42cbd61bc96da153fdfb35c888be1d83ad94d15da66b9b31810a64c8943f556
  SHA512: 007f2d53e53ed5345ba3a9cb2a2aa0dea2a0907f7f177d3c4d1c345800b97b59cbc44c8eaf1432c6d67c689dfdb8baead7ee2d220028ad2dc4896ef83e22bebd

- Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

- Filesize: 256B
  MD5: 2afc94d55767da9af38431cac401f3f3
  SHA1: e04d2b78e5bc100d9dff922774457039f0f113b5
  SHA256: 84805c6b91df3841b3d676f97adeb611d43199a69f1b7b68c890608e697d34a5
  SHA512: a74c39ee7f9c0e8a4c1a97b8c398935ddd69cfd173a9d74421b015105671f767bcc62b8bc8849b5964ba8e6e8b2bd2a7276fb39ac688547142500ee0ff6a707f

- Filesize: 27KB
  MD5: ef09200d176f64c9effcd6d71ef090cf
  SHA1: 19647fa778246ff860bd4ac2a74185d1429c1d6b
  SHA256: ac3bf5cf4b459c932cdf15f79816aca14445bfb1477ea4ce58be8d8dec4ab886
  SHA512: 331b71bbc9fa5ba76d0bcbe2cf44a5443c73f8800701f9e9f2734c62e5755c366e0d05a7b5b239bede7dec2f260ca239f018bcf0b41a2ed2471096d5bcd744c2