5e7509ff164b000d0d5c0f6c60eeeb8aa135b9ae9030015f7a24b912e8b96e19

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 10:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Size

130KB
MD5

2ff86cbaeedebe375e7aede288d6280d
SHA1

6d76fcd50d860f89c2c251e9256aaf20806d728b
SHA256

5e7509ff164b000d0d5c0f6c60eeeb8aa135b9ae9030015f7a24b912e8b96e19
SHA512

0f58d3c5bfb7d8b4e1ae6e306f7c460f638ce7901a76f175bb1862a473f848dc235794ed30930167a3dc59275695f9c01c8f46b6877c90e507215478b58e45e4
SSDEEP

3072:8wItpDhe7QWlZbY8+K6ilG/aUJcU1Ic+2e:8wIdYlNY8kUbX

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2796	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
2796	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E714E671-3DF1-11EF-845E-D61F2295B977} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c700000000020000000000106600000001000020000000d0aebfbccf6c4f297de0e4ee55dfdbe3501b845d499b496780eed645fb3d24df000000000e8000000002000020000000d334a42b04d1f8a355b520ecccb30257507a3e9d234d2e4e2e65ce96877f2a1a20000000b7f8623d52ca77193ce4234f07e69ebb228613fa888eae54cacc31cacd3db8ee4000000065ff1a02e28805d6d042e53ec5e2512c24070e7d0ffb8152b3d4d4a582063ec4c1ed3726d2f1a60a220c221ab029f1f7efb26cfad3bcc32576f2c724fb7e6e58	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 002ec3bbfed1da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c700000000020000000000106600000001000020000000d25b36033e1522031807bd892de366b7045264886f94679e930b5dda4126450c000000000e8000000002000020000000349a98d3f4ceacac996b684413734b497780c4061830ce6f082401f4f15fae0990000000e8283aa92e332b83de9c0157bd1f4c05c998f1c715d6ca3623075e0d0086558508fa3712c4f625359d2a3d4329a031d89f868ac4e1bac02a4b480c9408384bb98d1d5c2d8bc361b1ae0661fac9f67d04dffc5a1e003f757a8af84be590c36d6abc42fb9d70a1423de4a034ccdb2287b15c85f7a23bb5b5b7b0e38c03b6ce6b67697f650f0d625595abc98aa5ddea5a4040000000451ce588adc5fd2575af1c499084ca3a27fc63255f2c231dfa7f69aba1ddad135d17ae4b8452056c72c34c933fcbb029a6050ad243d3908fab190a13d523ecaa	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426691332"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID\ = "MSWinsock.Winsock"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0 (SP6)"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\ = "Winsock General Property Page Object"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWow64\\MSWINSCK.OCX"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0 (SP6)"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2824	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2796	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
2824	iexplore.exe
2824	iexplore.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2796 wrote to memory of 2824	2796	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe	31
PID 2796 wrote to memory of 2824	2796	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe	31
PID 2796 wrote to memory of 2824	2796	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe	31
PID 2796 wrote to memory of 2824	2796	2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe	31
PID 2824 wrote to memory of 2740	2824	iexplore.exe	32
PID 2824 wrote to memory of 2740	2824	iexplore.exe	32
PID 2824 wrote to memory of 2740	2824	iexplore.exe	32
PID 2824 wrote to memory of 2740	2824	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ff86cbaeedebe375e7aede288d6280d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.firefox-browser.biz/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16cfbb82996089c63650815f8d7ec7dd

SHA1
89bed9cecebb0b782e92cc7b80d3fc684f40cece

SHA256
95e6d04f35eabc08f074af03434cc56eefd129284009c395536f1d0b18f3dccd

SHA512
503ee7ca3e72f93d6c633bf1317606ac534feb695c9f65744530c156a9c44c38e285ecfc61c6a8f37ef1e0ff14eeb02388dd3f1f5838562704317ea71233beec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f34026fb13e8a68235f9062f752c4da9

SHA1
10cf1850eeade571cf52057e4148cde361adde07

SHA256
1687589a1879509d9cbf5c025f9b119fcc2493f484a5822ff7e676af1bc8aeb7

SHA512
8dc6e6341dc345c35cb5733c66a323d995c386c3a62e8a86aff16446df62fc4a7c67ece84643b55ce6f51e4a37101becf1f1cff0c5d5b6c17378e08e308bb108

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf55f42b4cf96da956239d3b8f3a9bf1

SHA1
28f0a4dabfc497839537e686f48b5463b8304e37

SHA256
3f0c98cb7deb298b116344793e62b89fe3b7aa8fff8e6a84d54e216ea16994cf

SHA512
4751ba1e39059a93d2eb6bbde87739f92a3ca33df9bab7c87267c2fb052417ab2da13170da6566f7ae3477bef30d1126d1b6d81c2ce3b3f655ee33f45a0e6ff3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6bd4993daab458d9b05348e12ddb646

SHA1
84078c2b1a452e4f020f30a608e826de8d800352

SHA256
fce2d642215b0ae3af5ccca4d3da69b8ab9db3c356cd6393cccb29711481d5a8

SHA512
5c5bf8f641bc74ac3d551177fdbfff7ca2c9375c4c9be9535b6e4b0912aaa6ce04251d9a362a196de0960428c85eb872c0b690b923ce7060ef8ef91181ffac2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edfb88f4c4d41ab3151a99a5fa66a0ce

SHA1
a2f5589e73df7950c91637b60cebc284a530764c

SHA256
1452300cede4eda4718be8449645865260dbdfdf557d3b6120a9127655706d90

SHA512
00d82af35b243818c1c2c3798b8ed87078d315f52ae8c70537b8326f83a4d18e18b26bb4f56d2dacac1d6bc8fb88c7de06b46aa99a4615c9fbbc72de8fed02b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0884b817185e14d8cead48fa6e8ccddd

SHA1
86768a332deb6e85ca4232b117ece37e46a0e396

SHA256
cb0f63164af19c58b29b57db32f167d32626f5cf7419b9411fd67aaa02a3038c

SHA512
466493a0f9fdac697f8e573b523b99fba2ab8881bebd9bf66bacf62088a81ae7665b4e3ae099da7b791974b5e3c06f5cb783767b030a975b66eb41e5cd517e25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1808a633e7b65e0f80ac05eab43d0f2

SHA1
001e305c78330e34819094ae6514b7ed19a0691c

SHA256
632f169d73e70658a062a37fadc9b5aba3492755910d5c702c73a9743e957ad3

SHA512
6c694c05daa06c39e87d3625ad3087245624a6104993dd492a19d58046f774e5f4c2cb4cba6f6667a33ca05e95ebc031e0409e366c221f29e56145aac25ad01c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e5154e1b090e510b0eced4671c453c4

SHA1
0f3751cddca56b98e842a4ba47c3cb2f2c1d7a29

SHA256
e9e6edb016cf53015557d0ebcdad68a8a4c763360179481cfeff79675deb0009

SHA512
5a565057d34fa67ecb6d02dda67f254e8afb65a0ff3933e1a9fde8589bca0a6b18ae35e79aab78eb488c0d2c1c812c71322f0d36f186ea65240d2414349c3343

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb8929d7dcc9f7b32b5433fcce42cd4b

SHA1
c66d0aac50b410820e389068b5c8304e2215525a

SHA256
71f979ee0af46d04b573101b35b99ab720296c3e998e7cd38c33e051d92382e3

SHA512
2ef6d95253f13413e723e24713ca262c11b7f3115adedf202d8fbe47e7352d0ab219080a7a30d19ed1ae4007929ffc61ddde5b77aa3b30ac9ec127df2afc2674

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab9da7dff9b193bcc1bcca60be510ba2

SHA1
daf6d4d63e5a20ec3454f7573b3cba70e8d45a69

SHA256
ba336eee96b9d26fc6a5b884f190bbc6dd964c4f39226521d21d722a24296ff3

SHA512
06fdb640a79c2a3fff4f4d561735bc283f32e918a5bbb89e7cedf960ae3d26261b600f920ed1029f54ab2f4add008806928efffd12c48512c8767ed30537fb31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
438d8db829d4c49007548b0e291bbaa9

SHA1
3eb9e69060c3ab1c11fe3d69e24cbab2910cad99

SHA256
13d096e656db88985d97b88f8700544c61237fba9c51faa14fadc308088a6891

SHA512
34cbe14e372bac2748ca7e3d6a4bc8acd56c1539728881d856aa97af984b3154447e81c134ebe89cf3d217177eccea61b7759127eec3667e5003fbb2a29abe5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
672f693e32d082b4c7690e85500d514b

SHA1
493fc5ffd48d5dc36ed3b5f76f5dbd7a492a2ba0

SHA256
ef1ba26ad8d532138c936abb08d6dfdb65b901c24a2bc0f5a608a57e615d6f1e

SHA512
c12e0c1dae3d283a90c82a146a79950cc97027f1b4c509dddec4ebc9eaf4e0387bfba692cf000f5b1823ea2643351d4f055e81a0e5af4af550d9386b56c05770

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
08e3a23c7c794202723d669305528e5b

SHA1
a848cf9ac0f16976daf7eac62ab6852e609ca57f

SHA256
d5be5fcface93ef4bf2758dbc6bdcb0e2c50405c9df1a2f780959c82c35183a1

SHA512
0fe41bc0dbd3a1278f95717e2718c7b8f71162268e760377b05839be698570cc34a2a05d9c579db2ce70d9751f8248db7fc403c47b650ee8dd5b4ea3194e15fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dbd76b56176bbde870af13f9bf6baa6

SHA1
1e76af1202a2642b99319aa978b589a2b2b351c4

SHA256
b617832da2ccbebcfb09b910bf3a700d0f3ad4a6aeae9a19fde710f498e5a0d1

SHA512
5496f2b3e989a9cd9ba75beed5e23e3a4926c1dc30b165203cbbf6b9438ac3680f17a45ed63d5ce9c39c87b94c330d79778d1ef480e3aebc7e9be814c9503a63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d775907ef0097a031da2b6ee54c1786d

SHA1
d320793eec91abd338f95cce806a3b6baf6d0263

SHA256
9fc4f915a8ddb719eb1b6a3f0804afc8429c6a0b87b8c14bfc21fecc0e34da77

SHA512
f7c392d0414a7904acfa6deb5aa59881de1607bddf33aaf27d47708b7d34927f7a29ca135b7cd9269834f65d62920547dfdf8467205810f424e3c43d3355808e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47fab7fd9d4d3c1f7d803d3b68a4c857

SHA1
e064896a44ddffbe5360d339418f294460681a54

SHA256
3b0feb415c670039ea7b8a1727bb4ff768e51caf3e033a0a7bb33eac0444478d

SHA512
b89a85e62db6c5ffcb7b74519a0d279ccacb968045ed82ac58f2349731c175a3567d4634877b5c43ef4a8b1dc1e13298371da03001496f6425ca698937d15a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab22CF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar234F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Windows\SysWOW64\MSWINSCK.OCX

Filesize
121KB

MD5
e8a2190a9e8ee5e5d2e0b599bbf9dda6

SHA1
4e97bf9519c83835da9db309e61ec87ddf165167

SHA256
80ab0b86de58a657956b2a293bd9957f78e37e7383c86d6cd142208c153b6311

SHA512
57f8473eedaf7e8aad3b5bcbb16d373fd6aaec290c3230033fc50b5ec220e93520b8915c936e758bb19107429a49965516425350e012f8db0de6d4f6226b42ee

Download Submit
memory/2796-0-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/2796-10-0x0000000005920000-0x0000000005930000-memory.dmp

Filesize
64KB

Download
memory/2796-12-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download