da0f7d37f12449f553ca3ba30a3012c4c889a08951b1d3c6726c1883a9b8e8b1

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 13:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Size

1.4MB
MD5

3962936bda1fcc80686303735a6e0227
SHA1

fdeed83017a1a3c88fa1b8723e105f2f1d75a5b5
SHA256

da0f7d37f12449f553ca3ba30a3012c4c889a08951b1d3c6726c1883a9b8e8b1
SHA512

458c2616fed847cbae77032b7397435e88d6c68bc8b95564d693de55173862dae69c21bbec0b01add98aaa10ea16b14c3cf87d6ee1fa0691985c89f9e0e7d445
SSDEEP

6144:k7yTOnmlbWtT1p1lKnGSC0qickrQEUuhw0BHZtiD6nUYYmrOp0z5XXXxCWDor650:1TOnbOYmrOp0zeWDoQ

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\WINDOWS\\system32\\userinit.exe,D:\\RECYCLER\\RECYCLER.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\RECYCLER\\RECYCLER.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 34 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe\debugger = "explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe\debugger = "explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Notepad.exe\debugger = "explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VB6.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVBKiller.exe\debugger = "explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMD.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VB6.exe\debugger = "explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProMo.exe\debugger = "explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVBKiller.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A-VSafeRun.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A-VIGen32.exe\debugger = "explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProMo.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SMP.exe\debugger = "explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TaskMgr.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit32.exe\debugger = "explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A-VSafeRun.exe\debugger = "explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Notepad.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wordpad.exe\debugger = "explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CMD.exe\debugger = "explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2HIJACKFREE.EXE\debugger = "explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wordpad.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ansav.exe\debugger = "explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\debugger = "Explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit32.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A-VIGen32.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\A2HIJACKFREE.EXE	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe\debugger = "explorer.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Folder.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\New Folder.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe

Modifies system executable filetype association 2 TTPs 9 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\ %1"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "NITA I LOVE U"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\FriendlyTypeName = "NITA I LOVE U"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\InfoTip = "Folder is Empty"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\NeverShowExt	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\New Folder.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
File opened for modification	C:\Windows\New Folder.exe	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 3 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\Desktop	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\Desktop\ScreenSaveTimeOut = "60"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\RECYCLER\\RECYCLER.exe"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "(^_^) i LOVE you NITA.. . . . . . . . . ."	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe

Modifies registry class 58 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\NeverShowExt	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\NeverShowExt	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command\ = "C:\\ %1"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\phpfile	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command\ = "C:\\ %1"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile\shell	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\phpfile\shell\open\command\ = "C:\\ %1"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\ %1"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\NeverShowExt	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\FriendlyTypeName = "NITA I LOVE U"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSfile\shell\open\command	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\dbfile	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\FriendlyTypeName = "NITA I LOVE U"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\ %1"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\sysfile	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\FriendlyTypeName = "NITA I LOVE U"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\FriendlyTypeName = "NITA I LOVE U"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\phpfile\shell	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\NeverShowExt	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\dbfile\NeverShowExt	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile\shell\open\command	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\NeverShowExt	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\NeverShowExt	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\FriendlyTypeName = "NITA I LOVE U"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\shell\open\command	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "C:\\ %1"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "C:\\ %1"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "C:\\ %1"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\NeverShowExt	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\phpfile\shell\open\command	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\NeverShowExt	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inifile\FriendlyTypeName = "NITA I LOVE U"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile\shell\open	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile\FriendlyTypeName = "NITA I LOVE U"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\jpegfile\shell\open\command	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\phpfile\shell\open	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\InfoTip = "Folder is Empty"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bmpfile\shell\open\command\ = "C:\\ %1"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\FriendlyTypeName = "NITA I LOVE U"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\ = "NITA I LOVE U"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\giffile	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\sysfile\FriendlyTypeName = "NITA I LOVE U"	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2516	3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3962936bda1fcc80686303735a6e0227_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Event Triggered Execution: Image File Execution Options Injection
- Drops startup file
- Modifies system executable filetype association
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2172136094-3310281978-782691160-1000\S-1-5-21-2172136094-3310281978-782691160-1000.exe

Filesize
1.4MB

MD5
3962936bda1fcc80686303735a6e0227

SHA1
fdeed83017a1a3c88fa1b8723e105f2f1d75a5b5

SHA256
da0f7d37f12449f553ca3ba30a3012c4c889a08951b1d3c6726c1883a9b8e8b1

SHA512
458c2616fed847cbae77032b7397435e88d6c68bc8b95564d693de55173862dae69c21bbec0b01add98aaa10ea16b14c3cf87d6ee1fa0691985c89f9e0e7d445

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads