ead1f97c8c31df768fa25b86ecf07260865d4092cba3a9fd0b63195d3374d84b

Analysis

max time kernel
143s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
04/07/2024, 19:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Size

31KB
MD5

2610fc197c97cbd69ddfb46f0b577d2a
SHA1

7a278ae9c1ff1b7b390054d302d0acbeb1ec8e24
SHA256

ead1f97c8c31df768fa25b86ecf07260865d4092cba3a9fd0b63195d3374d84b
SHA512

5131b121c0e042dc6b323b4d10d86db8359334c305d61c212cf90df5e4858883fc08f7d87baa70ae635932fe47caa170574889ff87118317b87d645a7376b889
SSDEEP

768:KVS92A2FlIj0nfFV2rGeqWPy9TH5qxyjt1tHiqS4:KVS92fJNV2rIL9Yot1t9d

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\disdn\Flower.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavStub.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RfwMain.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zxsweep.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\XP.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adam.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KPFW32.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\runiep.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UIHost.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KvDetect.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvol.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TNT.Exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDGames.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Systom.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guangd.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMonD.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrssvc.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAV32.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxFwHlp.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svch0st.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatchX.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwProxy.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxPol.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TNT.Exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVStart.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDGames.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guangd.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMFilter.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SREng.exe\Debugger = "C:\\Windows\\system32\\Flower.exe"	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UFO.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\v:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\x:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\g:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\h:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\i:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\o:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\s:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\u:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\l:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\p:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\e:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\k:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\n:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\q:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\t:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\z:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\j:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\m:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\r:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\w:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened (read-only)	\??\y:	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	\??\c:\autorun.inf	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened for modification	\??\c:\autorun.inf	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File created	\??\f:\autorun.inf	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened for modification	\??\f:\autorun.inf	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Flower.dll	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Flower.dll	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\a.jpg	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{66AE2471-3A3F-11EF-A326-424EC277AA72} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1928	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
1928	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
1928	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
1928	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
1928	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
1928	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1928	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2128	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2128	IEXPLORE.EXE
2128	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 2128	1928	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2128	1928	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2128	1928	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe	28
PID 1928 wrote to memory of 2128	1928	2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe	28
PID 2128 wrote to memory of 2756	2128	IEXPLORE.EXE	30
PID 2128 wrote to memory of 2756	2128	IEXPLORE.EXE	30
PID 2128 wrote to memory of 2756	2128	IEXPLORE.EXE	30
PID 2128 wrote to memory of 2756	2128	IEXPLORE.EXE	30

C:\Users\Admin\AppData\Local\Temp\2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2610fc197c97cbd69ddfb46f0b577d2a_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  Open http://219.139.58.141/tj.asp
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2128 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02afbd631b1d60dbfcb0703d81271479

SHA1
246c90560e271a5e482398b61d065edcd56ef885

SHA256
e6aea91aa0c26443f0b7f7e70f1ce021c7e1e187fa2c59430800f1b8bebf0dd6

SHA512
4ef1cc7b37c3f0718fe6a83c15a19520a147c956ea9e0705590477ed68905d2621f949bca243058640cad7305b408170f855d5d1594af67e8babde1b6ca2247a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
827e134c230a53d64a3972853eec5d1c

SHA1
5502aef376a6dab6d225cfd6967fd273a2bd007a

SHA256
803a6dea200266b284b11edd5ed0154269286321b74484d35a82456c95ad4c9d

SHA512
f70a86493ae431d86ca725c808c26686aed3e40c8e15357bcc54a8ecbb8c6f47520935f596312685f4534e679331949588c619b5d5cbb93a16bbd1a87125d23d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7fefb0899daba7b6ae9355718ccb9f9

SHA1
71c949db7ebc684bf2ed50b99520100d2038f156

SHA256
7d636761bbab510c146aa1ea0766bd73055f6f7b3a44c97332609d7602d09777

SHA512
ba44647265a283e7b83cb09bf0c4551ddfbe6cb169092b551014c5577cac860d4cdb14361982e8a5b93d1c3a56c1650df4f7051b0d22f888b9fc6f1b28243448

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed326bb116aa4b34d0769627072de118

SHA1
6e5ac9bec17f5e40e371ec7694c7480a8e84af39

SHA256
1334a2b06002e7cbbef6b948155de3a29f9166ec30b8c33170ea4fe67291a8da

SHA512
64a906bcdef3df6643f54ff60ca8a7733dcb725550a30e8775c01d27661ae072e89a739aa88effacd04653b5771a7aa098c077069509c880963eeec991564661

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0a5da9c7e565efdf7bbcbe3b6c467e1

SHA1
035bd772853e114511301e4c1dc4af40dfee9d84

SHA256
5b677a37f36013c7f3cb22549dd11c3332b3a8b8c321bc5c87f8155b9b3df363

SHA512
27daa35ca34bc7515e18e5e7fe73d253cae1e16d31ca11a6fb352d5c06600f9d131f59095258514539cd51a9dfe337c71f1489769bd25866673048cca37b78b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cb2c6b0c7596a1efa7c849b645a04f5

SHA1
674885661e016615cbfc5ce393b510800755f43d

SHA256
a396c55e3625111e240792cbf732c583e0e44180ae7aad0f460c5e7b430e9697

SHA512
5feb4a9a2b1d5d72de841b72e32719f2fa00e7e3a7c91d986cbb0e441a5e3544245a88bf9fde12ae24537074103ab54ca7b7211f234871e694cf2b7bd75f4bfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3bb385fd7c3b424b70c0f65e575832d

SHA1
d5c1664e58b70261c8dd7596d5609f6586b46ee7

SHA256
59709b08bd1ed0040604db5079d044b0b3dd85000f37f00e8d7a6ba514f97efd

SHA512
a2d26e7facb258c6dbc4dc91411ba5cc153de5b8eaef77caa181715b7299842f8fe955eb27465b7e8f628668229e7734eb81fe0dffe1c6b51f1d253943df4746

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bde33c4f13c4cc49589e51ca48f135de

SHA1
7eb1ea69c83411e78ff398c67491bf24122f62e7

SHA256
99437f299da8cc22cea8b3d6b383b743ed51d0146080a04bcc2f9651f081bc5e

SHA512
2b57c422ea991b2793243e79f5be0f3950468fd30f949e7987555d83e1b80449a82373647defa6a1d20ca3c594d18d71c6f0941242d6e9fd5afbb646c64f4185

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2260a54d16284a2aa4f5416e994a7a3

SHA1
9f5b8745a4b8a28856c84eaf3df8817a4df03ea0

SHA256
c96af83e5d501fac91a5fd1c4ac26ebf8420daa7ac1ebdf77eb6aa0387263bcb

SHA512
2bc7676f9205d2f57d7d4aa4ded1115138e20b0ef1d94f8c739037b96c91cf899b2bcf809464d37be9af8471b317c2eebb027897bb04429b4da105f3367a5f4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE9F4.tmp

Filesize
67KB

MD5
2d3dcf90f6c99f47e7593ea250c9e749

SHA1
51be82be4a272669983313565b4940d4b1385237

SHA256
8714e7be9f9b6de26673d9d09bd4c9f41b1b27ae10b1d56a7ad83abd7430ebd4

SHA512
9c11dd7d448ffebe2167acde37be77d42175edacf5aaf6fb31d3bdfe6bb1f63f5fdbc9a0a2125ed9d5ce0529b6b548818c8021532e1ea6b324717cc9bec0aaa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEAA7.tmp

Filesize
160KB

MD5
7186ad693b8ad9444401bd9bcd2217c2

SHA1
5c28ca10a650f6026b0df4737078fa4197f3bac1

SHA256
9a71fa0cb44aa51412b16a0bf83a275977ba4e807d022f78364338b99b3a3eed

SHA512
135be0e6370fd057762c56149526f46bf6a62fb65ef5b3b26ae01fa07b4c4e37188e203bd3812f31e260ec5cccff5924633dd55ab17e9fa106479783c2fb212b

Download Submit
C:\Windows\SysWOW64\a.jpg

Filesize
145B

MD5
049bad4a2c477da04e09d36af81b087e

SHA1
15b18b6bada7d08503ba85261ffc22faf3709d94

SHA256
8e92786680c710e03413f07244bab8943bad3a6247a8103a8d8198c7f7f6db05

SHA512
a783cdb149059a5e18052edb9f32770bf5e85607d46f2359101dc016b5875c326e4708c070d2b1d8134cd7d7261b3f002e4708429ec3cfc9d5e55b0e920d0ad8

Download Submit
C:\test.exe

Filesize
31KB

MD5
2610fc197c97cbd69ddfb46f0b577d2a

SHA1
7a278ae9c1ff1b7b390054d302d0acbeb1ec8e24

SHA256
ead1f97c8c31df768fa25b86ecf07260865d4092cba3a9fd0b63195d3374d84b

SHA512
5131b121c0e042dc6b323b4d10d86db8359334c305d61c212cf90df5e4858883fc08f7d87baa70ae635932fe47caa170574889ff87118317b87d645a7376b889

Download Submit
memory/1928-0-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1928-1-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1928-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1928-4-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1928-397-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1928-6-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1928-413-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1928-429-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1928-445-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/1928-461-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download