e1c9129d94e51e32fb524916bc7c49389f27c237a410deb017cae4a195d1a74f

Analysis

max time kernel
121s
max time network
133s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10/07/2024, 03:35

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Size

122KB
MD5

3327224408307d94d5c90a3b26cc910d
SHA1

d8ea68678a2c205626c74cc54e816d5f6624efd3
SHA256

e1c9129d94e51e32fb524916bc7c49389f27c237a410deb017cae4a195d1a74f
SHA512

05dc690a779e4d8a4e0a6e62a9c49084e0c3ed7fd333a7b5713ad23dadaf09f42add8ef693feb16b7f253de208e3a2ba7941a8cadec448993d3abbc7d5779cab
SSDEEP

3072:sgXdZt9P6D3XJ/ZfFsuGCqOBVO1cWMFOib1SC:se345Zuu/qbwXF

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Loads dropped DLL 45 IoCs

pid	Process
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 7 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}\ = "BHO Project"	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}\NoExplorer = "1"	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}\ = "BHO Project"	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}\NoExplorer = "1"	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe

Drops file in Program Files directory 23 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Object\facetheme\locale\en-US\sudoku.dtd	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Object\facetheme\content\installid.js	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\build.sh	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\content\overlay.js	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\content\sudoku.js	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\defaults\.DS_Store	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\skin\overlay.css	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\files	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\readme.txt	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\locale\.DS_Store	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\locale\en-US\.DS_Store	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\content\installid.js	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\defaults\preferences\sudoku.js	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\locale\en-US\sudoku.properties	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\bho_project.dll	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\chrome.manifest	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\config_build.sh	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\content\.DS_Store	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\defaults\preferences\.DS_Store	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme_uninstall.exe	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Object\config.ini	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\install.rdf	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
File created	C:\Program Files (x86)\Object\facetheme\content\firefoxOverlay.xul	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 44 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\Total = "25"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40fe1d7a7ad2da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c700000000020000000000106600000001000020000000e8d809f9fc99795148bbb2231a60c26b708ae57ed8c16f76e28b36ab774305cc000000000e8000000002000020000000c50d9cfc89be89a34213c6545eeb1e176516716b075dfa84f13950770920387490000000a7f4506f7e5cd20925dc2b3963e466972fa16a8a33a69de7c9a0028196a71702d3911b3aa4dbce51f5cdbd6aaa597d2de038df9fa8e2fab81a21fdb0bc85b7ff095fa56a6cd297744ff5d31b1ebc01b2177de830ae64fe32cef18c5d9f1e07b9fff4d2297023ff3756b24bd84dfc30e63e0beced60491c2d284a28f65a0677a7767fbc07460b5970585d2e574b0229eb400000008f6459db0fc3e6318665394224cc91b143ca08784a6c8089972949158d2fe32e0e73500e6ee6865204319731d5e1f03a068122cef520e13f0c20a06d94afb4d2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A35B1EF1-3E6D-11EF-91EE-7699BFC84B14} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426744479"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DOMStorage\google.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "25"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.google.com	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c7000000000200000000001066000000010000200000006579d2314174087b1c1551f8a03aeaf942160e33f2f105178d63d1e650983431000000000e80000000020000200000004254fb3897e57b7f922740fc8e5294698d96678ff898407c096722c5ce0c65d4200000004bed26482bdd46b8fd804fbdf2df1b34c570429b09faaccf0bd39d0028a5919d400000006fcfc630b66c9b7c4c86df41214cd2d074dec461cf7d76bda6b14fc6b9ba95f70b397c3a5d37baac329b5508e17d6bfe15a2801377f3ab8600d02adaea828b4d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho_project.bho_object\CLSID	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho_project.bho_object\CurVer\ = "bho_project.bho_object.1"	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho_project.bho_object.1\ = "Facetheme"	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}\Programmable	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho_project.bho_object\CLSID\ = "{66D8FBA6-D90F-40A9-AC55-84896F79CA69}"	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}\InprocServer32	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}\InprocServer32\ = "C:\\Program Files (x86)\\Object\\bho_project.dll"	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}\ProgID\ = "bho_project.bho_object.1"	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho_project.bho_object\CurVer	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}\TypeLib	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}\VersionIndependentProgID\ = "bho_project.bho_object"	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho_project.bho_object.1\CLSID\ = "{66D8FBA6-D90F-40A9-AC55-84896F79CA69}"	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}\ = "Facetheme"	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}\InprocServer32\ThreadingModel = "Both"	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho_project.bho_object	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho_project.bho_object\ = "Facetheme"	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho_project.bho_object.1	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho_project.bho_object.1\CLSID	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}\ProgID	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}\Programmable\	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}\TypeLib\ = "{200C5130-E2A9-42A8-8116-49E58CE01D9D}"	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{66D8FBA6-D90F-40A9-AC55-84896F79CA69}\VersionIndependentProgID	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2824	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2824	iexplore.exe
2824	iexplore.exe
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE
2840	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 756 wrote to memory of 2824	756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe	30
PID 756 wrote to memory of 2824	756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe	30
PID 756 wrote to memory of 2824	756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe	30
PID 756 wrote to memory of 2824	756	3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe	30
PID 2824 wrote to memory of 2840	2824	iexplore.exe	31
PID 2824 wrote to memory of 2840	2824	iexplore.exe	31
PID 2824 wrote to memory of 2840	2824	iexplore.exe	31
PID 2824 wrote to memory of 2840	2824	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3327224408307d94d5c90a3b26cc910d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:756
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2824 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Object\config.ini

Filesize
83B

MD5
95f555cd28b7191f329b0f795e69d4b3

SHA1
9af3a1cf9bff5ddfa4712a3e33377de9a2333a9c

SHA256
05872a2f3bf669101fb251e572fc089a7e9f4286f8126c1a31ad6fdac9fdda80

SHA512
9200a09c36669d654af61f8c0f8b1b91008296960542c1f575872d496419b59a0c07bf00f46080b735e2b5bfd695b2b1f69d5c94a9dcd84340814b27dd33830b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b38b2cd605c72019022c97c732cd422e

SHA1
40b1ab0cf073cab1ab511a295175ac7acbd38b2f

SHA256
8f11d1d96ce937a26e4eeb85442ee85340be45fbe924ad94768f968acaad1a9d

SHA512
d6b5940b79364db472d0bf9bb966c6373aea9c0586ca1fe8424084f21daa4657004f9a641d1debf8ccccfad2b7ae6a299be82393211a919f55f752f023099d58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc68016561a7120c43f13818ef80e025

SHA1
07c53ac1ba079fbf53377ac729689102a0af3a5a

SHA256
abce9eefd5f70de41e742a250d2339b886a43a57f7003f87e424cbab250026eb

SHA512
f1dbf295f21bf9b5e8b2db3b5364a013688ef92c72f15e52daee1bb3353873598de8be2fe68d8d64e98e128b64a5cfb7a36006a808eb85975c18c2459e3d1bc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
456331d147121593669f8f2bcf78d0b5

SHA1
993d6bf173135d489d92f5d12ddaafea103c1ffc

SHA256
f0df0adb745863aa7c5cbde80972bc8f16a44fa294d5043371caacd2338924e4

SHA512
9acbaf459dc28a92d92893e81185689b9c73697bd2ee9c0129a2bbc918798ea57ef1b73726c9adaa7f2e9657187c71bca1db14cbd2bea4e168525aa1949544cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
058f17c7e16c4f16bccc71e640e5d38a

SHA1
0ce531a7dadb90f8dc62436116507d071cbcf9a4

SHA256
e6792c484a3d9800f5081dd503f052d5d0a70144e0421911aac3539591572f72

SHA512
648ca3a46a3992b63629ddda4758c61426e609803c3514ae13b3bdea5f3589a2b2e0d06b24e6c1c853c01e7c1ae2d4f5012b40cfeea39c711dc35d9284b732b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b913ab73937c7fcfefd6c315ecf2c92f

SHA1
07ad6bcc7c88bedc938d5e820aee1e8a7aa21eea

SHA256
8bfb02a93e88803ebb9a97f1e65d7b857cac9fc8832e78ceb1338d0a347e244f

SHA512
ed99463096e623194c1b7224595d9883cb2d759d9e8fb6a63d4d04ab7698c5f8c0865ee116ef7120be053d4174080e76e7f44cc46e315b105c9bfde08ff71c65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9498cbeaed0c742594d56318cb3d9c6

SHA1
69ef2582837017d556752a06948cc47a9947f240

SHA256
b3b7a35652ca6cccf15fc53cea58c6d1bfd11ab98a447a3092ebae19d0276a67

SHA512
52452373afe30782bdf5af71167e2f0fe7fa7660d232af61f619f17815dac3f44c9bdbe27df7d4b51df6a2bcbfb1e48361e8fab7226aa26364a7ce0bc087538c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cff31d7dc2f3e7cd2a8dbab4dbadd97

SHA1
96b4a2b552c351c1d7c9b7bf583d4ccf408660fa

SHA256
d2f4e3ff04bc6696a140b3d5187a51d33dc32f14a7a3badcf35fc2aa936efe2b

SHA512
73134abdb880def4e43e794001ba0157a7afb0859c5a19658b2712fab0f5c0dc2c9e689f0b1e1de690317f2a6218fd10ce4a3f4a0097ee813fe054e83deff605

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd6af98fe74cb021299f2e44eacf232c

SHA1
f4e743b45278c9a00168d0e8d907702da13f8879

SHA256
cda131a25033a90457e347f2e2cb8c74245e0a3970cee4aa1f5e49360873b623

SHA512
4700c1c2124c10f90023898165e4fdb158e34c4a9bf4fa5af90fc6afea42a173c3025443be593c431d81f8d6350a7e745236718124529e7d1a549543a9abd594

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dedee87956bb83654f09e515393d85ee

SHA1
5a6aba39b371af9868f1eab8dfff76d18f40a135

SHA256
1fd11306562859b9ff00019ddd8846f3037ee734d10855f964b744d013b0959a

SHA512
a175f40ad01692470fdfd2d1e72ca8c9c9b9157d02ae24ab73fdf0e4d2d82358b23c0e86b45e573b7d10da2cdb1f1ca9f0be3952f730e4933018eb4de52c4eda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b537b0e287a168399bfccf397ad5861

SHA1
3bb3b93883b5cbe8f38c048039a502ff24fbacc2

SHA256
4604f71c85b9b4262742a137addf4322435de248e8ac03a24bdacd4e1cedc528

SHA512
cce9b3657951fb05d15f8378935cc6193bf9bedd5ff737169ca5732a448dbb2a13bbd5bacdcafcc5b2433b01f3582e9cbfeb29b2d0a9c16318f200ef1c141497

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0ac69c07483d529ee8a49ce8c634fe6

SHA1
b1b47a92547c602aae1a39e5e3f34e63f22a2a31

SHA256
a5c0a08a1bd3e9c029bb24b218dfcac0e2d6c64cbc437817993c3c71ef4c218d

SHA512
599ba8a2336d322de30a77d3e66afff6965c9ce717ee59b5ca430f375e0ea283d9d4959fe671cbde4bb50cef8be1954319200cd2cb8fd12310ac767ab9e87214

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99905c8788431a1c05411cf38db7473e

SHA1
597a6ffe61ac768d8e0c56ec85266aafe26354c1

SHA256
dcce16052eb49e37b5d7daded20c73a281ee8ad007853825f8f8b793feee2849

SHA512
3692fa4901f27535e3f9d6b93277f0e1ee725cff6f40fc5ec37aa8a10720c7efe910e2b398b10a47753cef63bcc7433750ace70376767a46b88d52dd2d62fd66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6af3766b7aa624ee33654084927725e9

SHA1
490a62b4551750fb164bfd95951d9897e6a73a4d

SHA256
a77412549a0a622c0a8b87d36a3dd7e2a960c8d97bc2149f9497e50a7cebc5c3

SHA512
939e846405113a1fd8ac67cf9666c6f887aa479a10f0a3d9eed0bf0dbba28a346471f3233f1b5ab4095cc880b997da606537dbb5c094e258faa9dfbcca26561e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cf48a31b4c6194ccf8c8c9b32d3fadc3

SHA1
66fc865a92a250fe2e3f17e26aeb556a38f808ae

SHA256
b83d431fddf599c4c0de445b27fdf3eb6f77717d9baf5ddc4d1fd813e0d5f3f9

SHA512
e2197d3c1ba740319b8d367aca9c3f8a6a09831238a903d3b1bb3ff407f94c94808a0aabbf8085233c8cc18dbe5787404f039fe6b70026f8b4a5459fa034b706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5f5nsah\imagestore.dat

Filesize
5KB

MD5
56699a84790713bb4be782a49814cf59

SHA1
6daee1eb92f98a2ccef7b2cf0a69b0346ffde34a

SHA256
6c676d14bf96cedfc2ceb248f1f75b843ff1b7f149dab937bfe4e55c52ba7a94

SHA512
6257eb0c014a888aa6e1e98cd507eb28e2076b90e4f79f03fcf0aee38efac8c261d91a54eebee938a31ff031d50ef1423762f206a965ffcd5d6e67735093e49c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GA43GQEJ\recaptcha__en[1].js

Filesize
533KB

MD5
93e3f7248853ea26232278a54613f93c

SHA1
16100c397972a415bfcfce1a470acad68c173375

SHA256
0ec782544506a0aea967ea044659c633e1ee735b79e5172cb263797cc5cefe3a

SHA512
26aca30de753823a247916a9418aa8bce24059d80ec35af6e1a08a6e931dcf3119e326ec7239a1f8f83439979f39460b1f74c1a6d448e2f0702e91f5ad081df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M7H6XY0V\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VCY0HBA7\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD951.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD962.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB424.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
\Users\Admin\AppData\Local\Temp\nsjB424.tmp\fct.dll

Filesize
4KB

MD5
e3f3809f51c7982d96aaf9c090f7d176

SHA1
7494daa8000c0b31c58d94edc509232569a4606f

SHA256
010f5e0c69b4a630b08b2551e03d8044a33350f151848dcf50953407012fab29

SHA512
3fca284e384abc95201dc73f19bd9d75413e8890e819967070b9d9991115be2a8c17e07bd1aaaffcbc770b393bf9a2af253100ac4d9efba8d21110bac97737fc

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads