6b9490016eb3a38cdf85e4e41a850312025700552f49a0a8c6bcafc47a53ac35

Analysis

max time kernel
140s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/07/2024, 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe
Size

116KB
MD5

307a023aeb2aea0adf07acaf70a998ff
SHA1

e07161408d7547474c2402aa918b2125e66f1860
SHA256

6b9490016eb3a38cdf85e4e41a850312025700552f49a0a8c6bcafc47a53ac35
SHA512

961310020b99d2487010502f5f73fdf7bcb8e1451d163eb553fd664efef6a4933ae40651995a9003df08f3c7bb4662d4adebc7f8c5ca0e32f7d6d1bc46c802bf
SSDEEP

1536:LznfWynDYXtilW2DTvOB0rnqm5CGmGXjKkAbcX+pCaFy5YzAT+/vpFvnjfZV3i:LzuOYdsmsnr2G1AbW+pp4r+frz3i

Score

7^/10

adware stealer upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2200	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1528-0-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/1528-30-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}	regsvr32.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\p.ico	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sf.ico	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\c.ico	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\m.ico	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\m3.ico	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\s.ico	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dhofozr.dll	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ios.dat	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 46 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage\09021030408721.cn\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage\09021030408721.cn\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage\09021030408721.cn\Total = "126"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426697212"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{97CFBF01-3DFF-11EF-A19A-DA9ECB958399} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd000000000200000000001066000000010000200000005b00ff40e22b64bb2f8497c8c03f794f80eab142b206080e8bc81f37c0259db5000000000e8000000002000020000000055f8adc694cfe57786016713712d28890406c61079033cf5e021023488dc38990000000ff6b937de9d32cc2996f349de89449d5fa1103245ad5234bb0b7df7c675e382fd2e7284e0ba2c26c4dcdd7f8a249b7042197f87e32ea3a6691a2fea7ac830743a9b6a89aedb27ae44b3a2d974e2e258a7a142ed2268c305f5b42d0299790402581c4155a4632e1a9e59632eff417a82cb31d9ed2d3dc937819d6a3509fdb9d17fd4f72a04475f162052cc91b96f74180400000001910f6003070b91d8665b93e3237cdc8aaa45650fa28ad2f43d2b4a5d446fde978a55f7f3be8eb80aadec4857c872ecf0afeceb7a6379661afd552edc4d69ffe	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd00000000020000000000106600000001000020000000d91017fc69dd6f6050ae27617e77558510d6a26f63cb8e5b6144a24ae65b2696000000000e800000000200002000000046f62db0da45d9dba4857e4b19e88e63f2967a2a52524bdde571e63bb0bc0c7f20000000e9ab90ad7ba494d0f9da1c4c3879ddcf684c7656b3bbf4af862f28da57154ac140000000207146dd571f8a34e2f18d2710b96f8fbc0f194d465abe14258a158109964691ffde610831ed6b36b1b26fdd1ad0f2e3bf70c889a49c6e1a10fd11e3de2dad42	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage\09021030408721.cn\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0b888ad0cd2da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage\09021030408721.cn	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DOMStorage\09021030408721.cn\ = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\ProgID\ = "Lme34.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\InprocServer32\ = "C:\\Windows\\SysWow64\\dhofozr.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34\ = "GigaNet.com"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34\CurVer\ = "Lme34.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34\CLSID\ = "{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34.1\CLSID\ = "{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\ = "avb345 Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34.1\ = "GigaNet.com"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\dhofozr.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\ = "GigaNet.com"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ = "_ImlobhoEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ = "_ImlobhoEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\VersionIndependentProgID\ = "Lme34"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ = "Imlobho"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ = "Imlobho"	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2252	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2252	iexplore.exe
2252	iexplore.exe
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 2200	1528	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2200	1528	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2200	1528	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2200	1528	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2200	1528	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2200	1528	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2200	1528	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe	30
PID 1528 wrote to memory of 2252	1528	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe	31
PID 1528 wrote to memory of 2252	1528	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe	31
PID 1528 wrote to memory of 2252	1528	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe	31
PID 1528 wrote to memory of 2252	1528	307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe	31
PID 2252 wrote to memory of 2880	2252	iexplore.exe	32
PID 2252 wrote to memory of 2880	2252	iexplore.exe	32
PID 2252 wrote to memory of 2880	2252	iexplore.exe	32
PID 2252 wrote to memory of 2880	2252	iexplore.exe	32

C:\Users\Admin\AppData\Local\Temp\307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\307a023aeb2aea0adf07acaf70a998ff_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\dhofozr.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2200
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://09021030408721.cn/bind2.php?id=3913119
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2252 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eea76e2515bb48091cc82a99332cba6a

SHA1
63e673377f299f5faf2dee13441f5da5e08b3efd

SHA256
cd318d85f799e89469f326d0e860fa9adde110e6cc556b879b56916a74d9b2e7

SHA512
719b03d39119a661e8d4875bb70fac7b376700fada1a67e0b849224e76781003514500a4f220936c4e13295aed045023493f0bb85748df43a9a373a5126205e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a8687743246296a62ee93b0d28a224a

SHA1
fd85c1b5fe55e68a1d77f1b94f0a27c6b4fc6d71

SHA256
54b46d54fe3265ee87a2b2707c5213a0bccc29cfccf7eae238a3e1812c511115

SHA512
91809f0e10f6510190b56784e56989837c89daffb38ee9e9c9ed59ce5f53c73ea86644e5fcfc507c1fae2f5a3dc7de249b9fa4a337a9db90dabe9cf0484dbc8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
939742af9eeb3cabb689cd08cd0f941d

SHA1
db1d37c84fc83ed6120ce5b512e6ed741fdfe4bf

SHA256
f54113d7f2679fed26d8055e698d9db136402460d3574d176fe49d286cf68949

SHA512
ff094ad29049b65c729faf9fa789f6883e03757183b80da3ed64265c0b90d1447cf70517013fb991b5cb428e677fe5c35958ed23943288ab2a128ac05eabf2a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f55abf78806f834eb7fb74e30656cbb3

SHA1
2e8a5b78b9cd60ec976f0fa4753a4d86f867c8c6

SHA256
e20c7eb50638536da7bcc79b13e24f66b057dbe1b0d9cb17526da0c3d198819d

SHA512
6a44739223fb5bc73f69bcec4ba62ac15d82ccff5b7c6b9a94c1928ab20511bf0443d452bef0c06543205ab52357bef3a03afa33c7a07b788a36dedf03dd68d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da395c426b277a6adba7f9a794db312e

SHA1
1add6728e690fc0870c8c9b2639f0fd7b30273b9

SHA256
054110a7e835d573d89fa0deb640d9ce225be8d5c06b5c336a3e2a647cb5641a

SHA512
227671a8ed0dc9db2554dde9491370b8c8b05f2a99a7a1a5d00210493555324627840c032506f298dffd9372c60aaf818ba8473caefd6930d5dc36c17b72218e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
841d4bf5f1e26e13e8708993ac3b7c39

SHA1
00558aaef58425ec2f2fccb9ada4f070fc5e9f5f

SHA256
428dd3d4c830814bc1dd20aeaa0890b4165fd744cf3dc0b859160824281ae775

SHA512
2ddca04d21f84d5427d234d9228fa8134b953d1448bc8da15da24b10b9d829f70608201148366a157948d1f5f99043d31f69e453f0dda4140ab15ff1b39aaf5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c33cc8c8e08cf3bf4e891555ad280a09

SHA1
98d3526d97c9fc9c4ee3c757b0f7cc3299315aa6

SHA256
16714695f159ed3791da91d5d5caa7e07f982df1b8c1a901747ba84a591fc6d0

SHA512
7a017d37df676b35bf3423e5072dc12f531c20f19c2f0f6b334f875a2e607fe02bbb50ccbaf370d8249b6ac8937ea3cd9e5f5898af7082f39f39a96643e9ad05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
486f670a163857db433036f32737be59

SHA1
4a4da82c4708da121b3ce0cf77219b379ea18123

SHA256
48d21a4c0074f1595995fbe0ff231407895a75d13dd2aec34e8bd26574f50a59

SHA512
02d73f77d150b442f5da320d8451431c55e13495b8ed009cde04780ea427ef5844055501339d621d9f9daed237f121f7265129b11d6627dde88c0d56a90e4dac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
593c682366069235613d760ee305ffd2

SHA1
bb868ee621e7c12a86dbb5a6103607a3f13bdca3

SHA256
51808a50063354c775694c91c7eb1478ba8515cd12a8d736634ff4d4c8210b90

SHA512
11fcabf8c8c550431a99ab3d348b6038d0767a8f8f257deb91e605fc676708d47ae4cdfd50e5b65ce363061ffadf0d9db4836b5ab3a8e41fbd9a969f9b6aeefe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff1fcde3a81acd79adabba58366c4ca0

SHA1
95a2d472cff41ceb0408523dbfb5e122a5b262a2

SHA256
ad39d4c0789a888e6f594991938065c11931afa2e2aa3e02686e746c60f72fe2

SHA512
335c3f716dc5b7cd2c82b50e81c871a3793eb7036eaa981b87d6563f20aada941247e8dbb5b2bcaf119b9891eb85d287d5f7e0adb52d411ece90bae9aa810de1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0401ad892b71b56c467d58242f2d789b

SHA1
12e557137f913916be07efced8d2d46491fded3e

SHA256
2aad8344fe184457ff2fdd498087971e7c1151685e770fed76ae3d31460d14ef

SHA512
5cf64e68d71d9369470d2d99d25a11e570e894ba144610c50d1fc380e9cb3812218e90d06855ca29e1be9cbd717c0a72932d80df3345efcba0672734717631cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f44368921320aa4bbc95ccef750561c9

SHA1
237914d51469aa771fe2dc185aba6323c67d8cfa

SHA256
860a2d3cc65d06240e7384cf8801e89aaf83db6c26decdd224ce17b4ab5d01e1

SHA512
a74170713c3e7b79a7fb2b64b40e523e40fdeb9089c056d79011ea0faa036a37eacd2c9868ce7279e052046dca1ef7a599b81db521b25e48123a2e9298cab91e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5f1e7882f914d5d75294042a9e9d95a

SHA1
c9e2e575a1e7820f87f7269e6929a03cb8607518

SHA256
ebf7f5f388225624e9a0d543a6306a04c66dff3821d4d8965b04977a7475906c

SHA512
5b2a928a866ddd3c6edf200b4577460253775fcf4df0a760af90b8c350756ce305d25bd117a3621bcca7ea2e5ab6d846953be580c3ed3a152ea25451ad0a1043

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6afe59b25aeeb195ea00286be509724

SHA1
b22c14525f4f68e36a538b42aca030b8776f8aab

SHA256
f6881d5fb982d60aa0394f3df4b231c84c9090be962ec171300c4c5a8d4bfcc4

SHA512
be1db426980480b251bcc7cb72d4712d895931f4c1a72bf6405c73bf9ef86bc610c02e96a3d2995907c5a4e160497369ebb93e6dbd513bac2cca8b47d12e67f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a6626098df4b1e14b6e4f7b6faa05ab

SHA1
bc6313e327f66ce8ea08337835af896f1dc1ed92

SHA256
abfc689abae9ce437934d389263e20cc8e17d5c63066b5ec57f857096b879f6b

SHA512
0e41444a9175a1f27beb8b1b406bc02b7b727639da63547ac020dc4494338c0296bc900c00a462d6c126dabbfd9d7383140fdfa732d8c7c3295b06dec6fc496b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd4c38ef19775293a7016ffdfe36c542

SHA1
d2583181105a63dedb7cd8ad42d2b067ad5c7390

SHA256
73d144847c96e0f17aff720c2ce62288f262a09c32e53e1040213c5703dc7576

SHA512
89d38432e1eae3aee6426340c4b9ddc7f3c81f03e2e11b0b24741a0bfd21262244a78cf430981d9881e63c936c2c250ec69da530e06a85beee2fe7d3561fc21e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a65a1e751810ac63efeb5888f2da54c7

SHA1
edf68fa7646daf97a0292d611ae4ef3d299afdf8

SHA256
fd8ae2d2aaf6f157b51afd1c5c73fb0abb5b62c5b38d817b3ef83023ef477fb3

SHA512
becc6a12e1a0dbaa1b22b056721ed79f766e476e44530f6d530b21439cdc1ebb0734be14119544e62bfb90368b434cb69f4627a8694d4bdc43b725235bc06c3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15808190e6827e4abc9756b1e1da551b

SHA1
3126d5b089b0e565e19d3818f90f04c8fab9dae6

SHA256
edb1e5ef3a92650745072a8d3c6510294af0c1a51841a67284823e7757a962e4

SHA512
438d0d716b13c9c4436de9183d3a78f822859995d4f902e7415e8dbb098d4f3efed61a2b092e2b3b520e6135a0a82df005892a98e41f04f5a3e16b8bb80f7d0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a527baf01cb9420b0c5e80e151e7225f

SHA1
347dfd4c4a9793704cfd74ce5b37e47ff8a2f4c4

SHA256
8ad63daffb64e7de086050a57979f6f2f0df7f5c730241f215e02f357fb1584b

SHA512
b1c26591942fd5f2bc9294307159836d6bf6a4a61efd055a968d8dea91da14a69b0d5bbb012caefdc346090e7ac5d1f8e1256e106e8fc02a9679147e91c838b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB06B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB07E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\dhofozr.dll

Filesize
164KB

MD5
56fb7a171b218af14937349598f96d31

SHA1
3b0e5d1026ca129375564e6d7fa4a7f307246799

SHA256
07dedbace9a4cde3ffa11ab6a1b6f8966d24db3d6fdebf08ac72c9d838c1790f

SHA512
af1c4515cbd9d30fb0a7abfbb6dba2dab350503c10a9394f3e6c681505e3a969cfa5476d94aaf46b11f486f70ed7c2f6f73d94ddf6d2c1bd02ecf5feed4bb490

Download Submit
memory/1528-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/1528-30-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads