db0ec6bd62107e18df2c409b9c34af1948dc9ceb1a826d7d2607b28eb2d8bfd9

Analysis

max time kernel
121s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11-07-2024 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe
Size

104KB
MD5

380add407a00239b16eb8099c0cbb468
SHA1

e1b2542ad92caa117eef80de4b4feaa834387206
SHA256

db0ec6bd62107e18df2c409b9c34af1948dc9ceb1a826d7d2607b28eb2d8bfd9
SHA512

29501efc24ca051ba4eaccddb9f1da0d341cfe4c4718b2192e4bcac87029f87e25c0bef3fe77ba158c66202b1a6f29f6cb8cc84598714a3c4ffc10c49008e49e
SSDEEP

3072:tL5FLClZmzePVeO1cmmQFg+G4pnSvhWfPdi9X3kuA:R5Fe7mz88DrQFg+9SvhWfP+S

Score

10^/10

adware evasion stealer trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
668	cmd.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048}\NoExplorer = "1"	regsvr32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ieocx.dll	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\don't load	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\don't load\scui.cpl = "No"	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\don't load\wscui.cpl = "No"	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426841089"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb4700000000020000000000106600000001000020000000f54bd058f5f7ececc90951d8da4d97b6ba40f6360334a4bd712989c022b3e7fa000000000e8000000002000020000000028fb77d242478dd8685ce176b20e983f75faf3824310c5c2efca63c0e20d11d900000001f6b3722b97155ee92900b2a14b303f509f01fb1e8502f217764537189212b82052326ab495a34a1d7207f0b5946c8339fecaba66eaae42def0fa783e4670999564ade4a21f7608f2e350655f1ad59945ff68c753c42ac3856914ca7ea0ef2204ce3288effc127c2ee99a7b5500c1b86bebcb7cb4d02be2825ffc2d5be361411c74ae2b6e71743657164d30b2dfd980d400000004922b681f5e0a3796d14057ca9150a13507b26ed22c76439a990759f9ab470b09cd44c8326d483677064a94673c719d0a9a6057e2284b5d90034ccb677fb8f94	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000060dba565a46fa6b657edfcefad0f23e4a8591a2ebc3facbafe1d5614cb6025fe000000000e800000000200002000000020630bff5c790ed07f5aa8711c61b3d6879ead1240c27bde69e12465e7e56fbb200000006b9a90d81bc6e260056a990306b22e8dae5d3696894d84bbcf8806578a318ac44000000019689a58100f155a13662d27d7b30da3b7c250db9fc4830344a7557a0112c1f3dc25a7c173485374ff4e250fa36cf3be486c30b02bf8bbdbb0499bb1890014e9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 603dcc6c5bd3da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{958AA0C1-3F4E-11EF-81FA-CA26F3F7E98A} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\VersionIndependentProgID\ = "IEocxApp.IEocx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\HELPDIR\ = "C:\\Windows"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\CLSID\ = "{06ec6572-7280-485a-a712-c380526bc048}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\ = "IEocx Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ProgID\ = "IEocxApp.IEocx.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\ = "IEocx Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\ = "DHCP 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CurVer\ = "IEocxApp.IEocx.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ = "IEocx Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\TypeLib\ = "{b360243e-09e8-402f-8721-00b6798089ad}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32\ = "C:\\Windows\\ieocx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CLSID\ = "{06ec6572-7280-485a-a712-c380526bc048}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0\win32\ = "C:\\Windows\\ieocx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib	regsvr32.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2692	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2692	iexplore.exe
2692	iexplore.exe
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE
2624	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 2784	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2784	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2784	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2784	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2784	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2784	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2784	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	30
PID 2160 wrote to memory of 2728	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	31
PID 2160 wrote to memory of 2728	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	31
PID 2160 wrote to memory of 2728	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	31
PID 2160 wrote to memory of 2728	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	31
PID 2728 wrote to memory of 2472	2728	net.exe	33
PID 2728 wrote to memory of 2472	2728	net.exe	33
PID 2728 wrote to memory of 2472	2728	net.exe	33
PID 2728 wrote to memory of 2472	2728	net.exe	33
PID 2160 wrote to memory of 2692	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	34
PID 2160 wrote to memory of 2692	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	34
PID 2160 wrote to memory of 2692	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	34
PID 2160 wrote to memory of 2692	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	34
PID 2692 wrote to memory of 2624	2692	iexplore.exe	35
PID 2692 wrote to memory of 2624	2692	iexplore.exe	35
PID 2692 wrote to memory of 2624	2692	iexplore.exe	35
PID 2692 wrote to memory of 2624	2692	iexplore.exe	35
PID 2160 wrote to memory of 668	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	37
PID 2160 wrote to memory of 668	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	37
PID 2160 wrote to memory of 668	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	37
PID 2160 wrote to memory of 668	2160	380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe	37

C:\Users\Admin\AppData\Local\Temp\380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\380add407a00239b16eb8099c0cbb468_JaffaCakes118.exe"
1⤵
- Windows security bypass
- Windows security modification
- Drops file in Windows directory
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s C:\Windows\ieocx.dll
  2⤵
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2784
- C:\Windows\SysWOW64\net.exe
  C:\Windows\system32\net.exe stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    PID:2472
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://loyal-porno.com/videosz.php
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2692 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\asd.bat" "
  2⤵
  - Deletes itself
  PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d625daa107f3809275c4c193e40e2ec

SHA1
35b6ddb28f19d08639d84212889e4e6bdd3f305a

SHA256
5e06ff0c2700b9b2a7c2f387e89f9ee402f90aaf94364d20c6123f5df5b86275

SHA512
68ab4b0de959926fddbb2b1cab7aff9c1de623e8859d24a7441127d3a16122b8a8ef6e1b4ab1c2405b18358a75be7bc522aba4ea73342c68b3a67c140dc3a6f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea7532ff4edda903bdc431d56f4819ae

SHA1
7962842c05e4283a270106dcdab2988da60ce9a0

SHA256
7d2f2f6112b2215f99e85b6c82a7c6c9269c7a5d9b3f75172c95d6f0fbbd27f1

SHA512
7977b2e609b95af49b4929f42165b11a06123799de55dac89e65f87245c709cb4a3fbe93917c8d4d75eeb0aa8b2fee13125d5de23165865bf64ec03f6b700884

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3c417285362bbb04bf3b4e36923d46b

SHA1
7d392462abfc08fcffa755af8ab8ce0c805511ae

SHA256
b9b686b9364b73c791edcdda6e8539cfc85b4abe9ec851d0a2ff10b036ebcd52

SHA512
b962032ffd335406bf456810b5c6c134dece5316008110aa78f56c4d7ce63c770e229c7fb967d4784243b86a69d4d4dd204a63bbef960e8db82c18f70fb85936

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1454dcf4864006cf2470bcb53504003c

SHA1
756ef2cfc798f990636ee7a127c1a32aff629885

SHA256
979fc5ba86e1fe2f4cf3a5235b94188281d691bab9664d1562bd8b47a1ebf3eb

SHA512
27bf06ff8f737ccaf4bbac0b2cb4b5d6a38f25cfb838394d06b415abf7acae1660364a8e24f5ecf842ebc0f900c8bea8bad1bd4671b9e115e1c659da254530da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8a68062966964c5ff5246a0a7a3d83d

SHA1
89eb09aa4fe70540156fa3be912b2d13c10f7c23

SHA256
2f29931345705d99fc604f007e6dde9f55cee35e8a23c426a6820460b592f7b5

SHA512
e0c0011ad9388a9ff80f00ea0de6401f6b9e3fcd8d6f8142a8a7a6984112b8b89e1f7a621695ce1b99460289b1f1b1601d215268cae6e9b422a0681af6081cdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53649738b316c8c19446300d59cca7d0

SHA1
5aa699e9eea72f29ea1066c004f28bbcdac60de3

SHA256
b5950ad6cacfb6d28ab17d6b2b8ad5882d58b3bf8c1991102003eb6ec70350ca

SHA512
73bf41fca0fe3c8247f111b1a5dad5a88145f087ca5c387b4bf66abfe2a951b2a2cf82675607dba67e5cf40a7d8b0a4b31ffcde7657d2136550110851c1ac058

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94d36ed899ed460859df6f551f404527

SHA1
6a988b522ac7bd54cb18c72283caadc9b05f8a16

SHA256
37aa460dfbaade4380048759d19980f42cfd0aa6db7fdf9fe3df44a1a38d95cb

SHA512
cee5cd0afd75881f19807656508a24587498a22c15585d1742e2897b669548a59f28c755e4ebca3f9cc27324024a1fc70c3159659191e075d7a9e508eaad5ee2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ae6c04eb39283a3520743703f94238d

SHA1
89cf2386ffa947daadd8abcc3dce7f51e67d7da2

SHA256
ed85864e297333e9bf99e562830031562cf79ee676285cd043a1dfbdbaa53f26

SHA512
1af69f071d975961414ba6f030647160ac345d488f2857621aae91cacbaf2451c9e4227df11c64376d0359334eb781c8fb5b3ae99e9cbb3644c6e0a145537268

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c7401f1c0ee1002058417d414d6d0c2

SHA1
3fdf296166e90a03cca7f3a22db088d45493b94d

SHA256
df87c3524a67c1a805a6608057d9ef5c2ed50677158c8ee769d62fa782fc94e1

SHA512
f953d9123262a70b096582e51d203a64ab32e93eed7fdacdc670cc6a48fb6b6d632098fcbd0d71d9f747c9cceaab2937f5bcd72a3eda2fdd1acb94e52b419500

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
659cf6daa66270b0d9b34afec7c19840

SHA1
988d205a28a9b3414e05d19b95925caef9e761b1

SHA256
996f51a555844276491b0983dc190932989f12d615e89b60796bfd884a63fdf3

SHA512
481addd3fb0ccd5cc78fc7c796590e6d8a1d6527713512b5db6bfe0fccaa344c2a2ce14c3d03184f07f5f6fe3e5e11dab2e124f950fbc697fb39074b4cdbd3b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e17d46cd938bfbe67b4289c71870f9ac

SHA1
be42a2eabdf538d433d915132c5485b84c491529

SHA256
6c15277d55d560e5cd4e3d3e64b8b03f9e9cebacc286691ed29b14d924e33621

SHA512
8529eb349f7fe82a2e7d77a4ee947addb1d9b01d7289513e158c84277cebb94d8ebbabe3ebdda1f05296573a7d3eb4a92b644c62642134f6df63d8ebaf3a8099

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c440ba583d806b5cbb0d75259ba749b

SHA1
fdd0fcf6f3c9e0e6c7fe51cbce5a4d9cccf06db3

SHA256
16749ad7ac58fe4163d08b85f799137fda019c0b5c48a76385160ed69dbe3458

SHA512
79cf3582e35787d594f7fecc28c24751675b1cb7fe8a5c39b52a77c08f430045a8b15858130aae23d842a8cd544288844ffe6aed7c8838cb059e0e01188c720f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4afe152d08f030b4ae7c433c05446cc0

SHA1
5c75adbe8d90dcd1faf9058d4bd95dc5188244a6

SHA256
39f47887eeba729db87085a4c970cf7002f45417bc281b1d3da335ece14528a1

SHA512
73db905b828772ef7d456990719ac5972792dd40eb97fdfd89cbeb92c5cf6658c0393225b216e6c7cee859df8dd004ccfabe5fe726928644ef98efb1e3955dee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff2a6cd3227eac7ee6cdc0d0fd7b8a96

SHA1
817948b071b3eca6d8180fcb449adbe0378782e5

SHA256
dfe6696124a979ad93a2c9da1627a8ba37150da3e128a1cc5ff37fcf7ee4083c

SHA512
6fdb81c655077f8041cf86dfab3f722f1488dba2f427525b4a9f55e083ee9e9ee116cd3fd5239eaca1cb1c86412a8b047e0c8a8af061533b55b5048073cf5bc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddc3e831f26e68477707553583750bab

SHA1
64ecc7d1ef121c5592332c19fb7b090babd606d2

SHA256
2eb3b28a3c78449d41710c9827057ae83dbe08f7766aab06d48f2889858a1152

SHA512
2b4d05612304b8679688195a73e170493181cc7f87ffde99882797bb0551fd1fa83ce82a7ab00b3ea54a0186c88bfef2d5045df44cb699c9ef5232ab65ad5051

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eef574495754bffc83eafd14b65955c6

SHA1
aa98858a5813c40d13f76442444a15988a8618a2

SHA256
1feed29565bb8486fd19a4bab190332ec546f0f5bd5006b6b60fd9fc5c76ac98

SHA512
922a6599f59863cfc888d05a400bd62b225acd2ef739c47de276be08bec36cde85aef995ba2d8449cbfb39af1b22aaa8b96b9ac844a8720d1d3d1c35fc98a63f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df79aadba67e97c0b20d13fe91c28026

SHA1
5b21ec0641d82443905d5cd4c85f5854b21329df

SHA256
1aa8a08e27ba3c85903ad2d11b5877ffef3b29bf1b5608e4bafe8796872553d6

SHA512
85f36358bb4063cc57737f096d6039704c511af762bb950e079e4c7613cc2ffbfd08d7b481345ef18b4365d62b3cb05e3239b18a372a6ff5a5f8539635cac94e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfae64d4bbb90443de4a9d32b600e5fe

SHA1
4e1a92c6be0f9d91a0f182f2d4b83a11a74bde78

SHA256
c5cb8e1b22489b8416a02da5cf3e631fdb5ec4de39a3dbd48d489fda4b4b5042

SHA512
8d7655c752739477ab7c7f94544412577a61345ef9ab19422e0743e2ac5cd834246a1cc5e78120e6b55247a946111666fcae950ca865154c314e597821aa0793

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9169.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9209.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\asd.bat

Filesize
256B

MD5
c2e5f5100b2e377c8fd2293ccf5df751

SHA1
61ebfa205f3e1b61b836e176e86a57153daf4d9c

SHA256
e9aca2cfb0fe3df1061e59ce43981322e4cb1b48889bc4633b79f62f7abc99c7

SHA512
cf215ee5985ba1c3b7a702b9946f2d24171074e8bfbf1f9ef36c7515c0fb5722ef56cbf857a13455a15a188cb1cb1bfc8c470b97aaa37e82236da23f2128d17e

Download Submit
C:\Windows\ieocx.dll

Filesize
27KB

MD5
ef09200d176f64c9effcd6d71ef090cf

SHA1
19647fa778246ff860bd4ac2a74185d1429c1d6b

SHA256
ac3bf5cf4b459c932cdf15f79816aca14445bfb1477ea4ce58be8d8dec4ab886

SHA512
331b71bbc9fa5ba76d0bcbe2cf44a5443c73f8800701f9e9f2734c62e5755c366e0d05a7b5b239bede7dec2f260ca239f018bcf0b41a2ed2471096d5bcd744c2

Download Submit
memory/2160-452-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2160-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2160-0-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/2160-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2160-451-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2160-4-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2160-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2784-7-0x0000000000660000-0x0000000000666000-memory.dmp

Filesize
24KB

Download
memory/2784-8-0x0000000010000000-0x0000000010002000-memory.dmp

Filesize
8KB

Download
memory/2784-6-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads