5055283c3cadcdf5cd027d50ee3db19aebc9adbd04d11e2897296eed1edf7004

Analysis

max time kernel
139s
max time network
153s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 06:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe
Size

143KB
MD5

24f9d4d31b60d0bb1d0426cdd4c73f20
SHA1

f54f13f35260f55cd08a3de5ea790431c47cd1c0
SHA256

5055283c3cadcdf5cd027d50ee3db19aebc9adbd04d11e2897296eed1edf7004
SHA512

c8b640c06a6afc8c46873556fe282c6cc9f50c42d38cdee5ce2a97983731ee470632403d332b17a090e236eebf76795895bd9f7f6b458a34c95a901ce16e04da
SSDEEP

1536:nyqdahk08vPzRg6Jj5qesYHcRv75KCGaEFhYgw4ziQelYUfcBiubdzLsFVlxVGxe:yWZvPa6Dqx75KCMWgpsJuVMVlxB2u

Score

8^/10

evasion execution persistence trojan

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
2144	LayerMini.exe
2456	LayerMini.exe
2752	PathYahoo.exe

Loads dropped DLL 2 IoCs

pid	Process
1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe
1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	PathYahoo.exe

Drops file in Program Files directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\PathYahoo.exe	PathYahoo.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	LayerMini.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	LayerMini.exe
File opened for modification	C:\Program Files\Windows Media Player\WMPSideShowGadget.exe	LayerMini.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	LayerMini.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	LayerMini.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	LayerMini.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpconfig.exe	LayerMini.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	LayerMini.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE	LayerMini.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	LayerMini.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe	LayerMini.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	LayerMini.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe	LayerMini.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	LayerMini.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	LayerMini.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	LayerMini.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe	LayerMini.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	LayerMini.exe
File created	C:\Program Files\LayerKavsp.bat	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	LayerMini.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe	LayerMini.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	LayerMini.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	LayerMini.exe
File opened for modification	C:\Program Files\Windows Media Player\setup_wm.exe	LayerMini.exe
File opened for modification	C:\Program Files\StormII\stormSrv.exe	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe
File created	C:\Program Files\PathYahoo.exe	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe	LayerMini.exe
File opened for modification	C:\Program Files\Windows Journal\PDIALOG.exe	LayerMini.exe
File created	C:\Program Files\StormII\stormSrv.exe	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	LayerMini.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javacpl.exe	LayerMini.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\YahooLayer.exe	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe
File created	C:\Windows\URTVDQ.txt	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1004	sc.exe
1948	sc.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Enable AutoImageResize = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Compatibility Flags = "00000400"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript Author"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID\ = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWOW64\\jscript.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2524	reg.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe
1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe
1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe
1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe
2144	LayerMini.exe
2144	LayerMini.exe
2456	LayerMini.exe
2456	LayerMini.exe
2752	PathYahoo.exe
2752	PathYahoo.exe
2752	PathYahoo.exe
2752	PathYahoo.exe
2752	PathYahoo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2144	1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2144	1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2144	1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2144	1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2456	1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe	29
PID 1936 wrote to memory of 2456	1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe	29
PID 1936 wrote to memory of 2456	1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe	29
PID 1936 wrote to memory of 2456	1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe	29
PID 1936 wrote to memory of 2564	1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe	30
PID 1936 wrote to memory of 2564	1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe	30
PID 1936 wrote to memory of 2564	1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe	30
PID 1936 wrote to memory of 2564	1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe	30
PID 2564 wrote to memory of 2508	2564	cmd.exe	32
PID 2564 wrote to memory of 2508	2564	cmd.exe	32
PID 2564 wrote to memory of 2508	2564	cmd.exe	32
PID 2564 wrote to memory of 2508	2564	cmd.exe	32
PID 2564 wrote to memory of 2508	2564	cmd.exe	32
PID 2564 wrote to memory of 2508	2564	cmd.exe	32
PID 2564 wrote to memory of 2508	2564	cmd.exe	32
PID 2564 wrote to memory of 2496	2564	cmd.exe	33
PID 2564 wrote to memory of 2496	2564	cmd.exe	33
PID 2564 wrote to memory of 2496	2564	cmd.exe	33
PID 2564 wrote to memory of 2496	2564	cmd.exe	33
PID 2564 wrote to memory of 2496	2564	cmd.exe	33
PID 2564 wrote to memory of 2496	2564	cmd.exe	33
PID 2564 wrote to memory of 2496	2564	cmd.exe	33
PID 2564 wrote to memory of 2524	2564	cmd.exe	35
PID 2564 wrote to memory of 2524	2564	cmd.exe	35
PID 2564 wrote to memory of 2524	2564	cmd.exe	35
PID 2564 wrote to memory of 2524	2564	cmd.exe	35
PID 1936 wrote to memory of 2752	1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe	34
PID 1936 wrote to memory of 2752	1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe	34
PID 1936 wrote to memory of 2752	1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe	34
PID 1936 wrote to memory of 2752	1936	24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe	34
PID 2564 wrote to memory of 2388	2564	cmd.exe	36
PID 2564 wrote to memory of 2388	2564	cmd.exe	36
PID 2564 wrote to memory of 2388	2564	cmd.exe	36
PID 2564 wrote to memory of 2388	2564	cmd.exe	36
PID 2564 wrote to memory of 2632	2564	cmd.exe	37
PID 2564 wrote to memory of 2632	2564	cmd.exe	37
PID 2564 wrote to memory of 2632	2564	cmd.exe	37
PID 2564 wrote to memory of 2632	2564	cmd.exe	37
PID 2564 wrote to memory of 1896	2564	cmd.exe	38
PID 2564 wrote to memory of 1896	2564	cmd.exe	38
PID 2564 wrote to memory of 1896	2564	cmd.exe	38
PID 2564 wrote to memory of 1896	2564	cmd.exe	38
PID 2564 wrote to memory of 1896	2564	cmd.exe	38
PID 2564 wrote to memory of 1896	2564	cmd.exe	38
PID 2564 wrote to memory of 1896	2564	cmd.exe	38
PID 2564 wrote to memory of 2420	2564	cmd.exe	39
PID 2564 wrote to memory of 2420	2564	cmd.exe	39
PID 2564 wrote to memory of 2420	2564	cmd.exe	39
PID 2564 wrote to memory of 2420	2564	cmd.exe	39
PID 2564 wrote to memory of 2420	2564	cmd.exe	39
PID 2564 wrote to memory of 2420	2564	cmd.exe	39
PID 2564 wrote to memory of 2420	2564	cmd.exe	39
PID 2564 wrote to memory of 2888	2564	cmd.exe	40
PID 2564 wrote to memory of 2888	2564	cmd.exe	40
PID 2564 wrote to memory of 2888	2564	cmd.exe	40
PID 2564 wrote to memory of 2888	2564	cmd.exe	40
PID 2564 wrote to memory of 2920	2564	cmd.exe	41
PID 2564 wrote to memory of 2920	2564	cmd.exe	41
PID 2564 wrote to memory of 2920	2564	cmd.exe	41
PID 2564 wrote to memory of 2920	2564	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936
- C:\LayerMini.exe
  "C:\LayerMini.exe" C:\Users\Admin\AppData\Local\Temp\24f9d4d31b60d0bb1d0426cdd4c73f20_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2144
- C:\LayerMini.exe
  "C:\LayerMini.exe" rb
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2456
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\LayerKavsp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    PID:2508
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - Modifies registry class
    PID:2496
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2524
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2388
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2632
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:2420
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2888
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:2920
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s shimgvw.dll
    3⤵
    PID:2212
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - Modifies registry class
    PID:2536
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Enable AutoImageResize" /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2836
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2380
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2060
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1216
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1500
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}" /v "Compatibility Flags" /t REG_SZ /d 00000400 /F
    3⤵
    - Modifies Internet Explorer settings
    PID:356
- - C:\Windows\SysWOW64\sc.exe
    sc.exe create ccosmSrv BinPath= "C:\Program Files\StormII\stormSrv.exe /asservice" type= own type= interact start= auto DisplayName= GooglePersonal
    3⤵
    - Launches sc.exe
    PID:1004
- - C:\Windows\SysWOW64\sc.exe
    sc.exe description ccosmSrv "Contrl Center of Storm Media"
    3⤵
    - Launches sc.exe
    PID:1948
- C:\Program Files\PathYahoo.exe
  "C:\Program Files\PathYahoo.exe"
  2⤵
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\LayerMini.exe

Filesize
24KB

MD5
2d128cace571fdfd3b523aa6a4d2fac4

SHA1
dc09144631e2827fad91eb6d09b44b0ea228abcc

SHA256
abed07b98057cdf447084daf89b921f423c1c3f8287eb886966bd1d7d01f8e46

SHA512
71d47364882af5b076c39491813d5bf2f522f03dd8573d4b9bb419d91a705d32a50d621c10b39ea54524e789032ae25b1919b188a3a037ca35084506b609f128

Download Submit
C:\Program Files\LayerKavsp.bat

Filesize
2KB

MD5
641984e0f42bdf661cddf53252ae553f

SHA1
58e0d6636f22c850bf992ede3e6787ea5841d7d6

SHA256
624b5daae23210e6b3a62e7c0de38124b34989ca30ca44b127372b37c34c991a

SHA512
7c3a76fc76342298ff5b2f3df20e8a5f476ebc670e5c4f30bbc05157016527ab4eda4852a62784c2761cf49fd342625c2a20c0c9b47a4bc353cd0832433dfe5c

Download Submit
C:\Program Files\PathYahoo.exe

Filesize
143KB

MD5
24f9d4d31b60d0bb1d0426cdd4c73f20

SHA1
f54f13f35260f55cd08a3de5ea790431c47cd1c0

SHA256
5055283c3cadcdf5cd027d50ee3db19aebc9adbd04d11e2897296eed1edf7004

SHA512
c8b640c06a6afc8c46873556fe282c6cc9f50c42d38cdee5ce2a97983731ee470632403d332b17a090e236eebf76795895bd9f7f6b458a34c95a901ce16e04da

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads