48eb9af9a850ed388a9052922101114f8f7f0c90579cebedea75f6a99277c6b6

Analysis

max time kernel
141s
max time network
120s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Size

5.0MB
MD5

3b3e42f54f1c8bfc435401065ea54ee6
SHA1

2673f89f2aabcff2f06b92351fdc60483d0cbd01
SHA256

48eb9af9a850ed388a9052922101114f8f7f0c90579cebedea75f6a99277c6b6
SHA512

e5c5498bc163db651ff589e62211219330375f23fc69e93cc5416b845af3c200759526c096748ebb5f7e6c83a64fe3675bd28ab027ab8edc29aa7031c0fa631d
SSDEEP

98304:Ni4Wkp+/yJcqpDhnzKyyGnIz6pl5kQ/um94iiRq6Fb+KN+UL:Ni4Wkp+/2cqpDhnWyyGIz6p/kSum9k+v

Score

7^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2292	m3SrchMn.exe
1968	mwssvc.exe
2028	mwsoemon.exe
344	mwssvc.exe
2492	mwsoemon.exe
1768	m3IMPipe.exe

Loads dropped DLL 37 IoCs

pid	Process
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2492	mwsoemon.exe
2492	mwsoemon.exe
2492	mwsoemon.exe
2492	mwsoemon.exe
2492	mwsoemon.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
1768	m3IMPipe.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MyWebSearch Plugin = "rundll32 C:\\PROGRA~2\\MYWEBS~1\\bar\\1.bin\\M3PLUGIN.DLL,UPF"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\My Web Search Bar Search Scope Monitor = "\"C:\\PROGRA~2\\MYWEBS~1\\bar\\1.bin\\m3SrchMn.exe\" /m=2 /w"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MyWebSearch Email Plugin = "C:\\PROGRA~2\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyWebSearch Email Plugin = "C:\\PROGRA~2\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\ = "mwsBar BHO"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\f3PSSavr.scr	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\f3PSSavr.scr	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3OUTLCN.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\NPMYWEBS.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\msimg32.dll	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\Avatar\COMMON.F3S	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\icons\CM.ICO	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3CJPEG.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\Notifier\FISH.F3S	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\FWPBUDDY.PNG	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3HTML.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3SRCHMN.EXE	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\NPMYWEBS.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\icons\MFC.ICO	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\icons\MFC.ICO	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3POPSWT.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3WPHOOK.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3SKIN.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOEMON.EXE	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\Notifier\COMMON.F3S	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\Notifier\FISH.F3S	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\Game\REVERSI.F3S	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\icons\ZWINKY.ICO	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3WALLPP.DAT	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\FWPBUDDY.PNG	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOESTB.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\Notifier\OPERA.F3S	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3FFXTBR.JAR	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3MSG.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3PLUGIN.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSSVC.EXE	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\icons\SMILEY.ICO	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCRCTR.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\Notifier\LIFEGARD.F3S	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\Notifier\MAILBOX.F3S	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\Notifier\SEDUCT.F3S	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTMLMU.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3FFXTBR.JAR	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3NTSTBR.JAR	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3WPHOOK.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\icons\PSS.ICO	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3IDLE.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3DTACTL.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3IMSTUB.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3NTSTBR.JAR	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\Notifier\SEDUCT.F3S	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\Settings\s_pid.dat	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTTPCT.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3MSG.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3SLSRCH.EXE	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\Game\CHESS.F3S	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3IMPIPE.EXE	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3MEDINT.EXE	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSBAR.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\icons\ZWINKY.ICO	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3DTACTL.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HISTSW.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3REPROX.DLL	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3MEDINT.EXE	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\Game\CHESS.F3S	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\icons\SMILEY.ICO	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSSVC.EXE	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\Notifier\DOG.F3S	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\f3ScrCtr.dll\	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7}\AppName = "f3PSSavr.scr"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127}	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481}\AppName = "m3impipe.exe"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{07B18EA9-A523-4961-B6BB-170DE4475CCA}	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127}\AppName = "m3medint.exe"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7}\AppName = "m3SlSrch.exe"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127}\AppPath = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127}\Policy = "3"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7}	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA}\AppPath = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\f3ScrCtr.dll	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7}\Policy = "3"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7}\AppPath = "C:\\Windows\\system32"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907}\Policy = "3"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481}	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481}\AppPath = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7}\AppPath = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA}	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA}\Policy = "3"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7}	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907}\AppName = "m3SkPlay.exe"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7}\Policy = "3"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481}\Policy = "3"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907}	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907}\AppPath = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA}\AppName = "m3SrchMn.exe"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}\ = "_IHistorySchedulerEvents"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FunWebProducts.HTMLMenu\CLSID\ = "{3DC201FB-E9C9-499C-A11F-23C360D7C3F8}"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{741DE825-A6F0-4497-9AA6-8023CF9B0FFF}	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyWebSearch.HTMLPanel\ = "MyWebSearch HTML Panel"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\Control	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7473D297-B7BB-4F24-AE82-7E2CE94BB6A9}\ProxyStubClsid32	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F8ECF4F-3646-4C3A-8881-8E138FFCAF70}\InprocServer32\ = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin\\F3HISTSW.DLL"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8CA01F0E-987C-49C3-B852-2F1AC4A7094C}\1.0\0	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FunWebProducts.HistoryKillerScheduler\CurVer	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FunWebProducts.PopSwatterBarButton.1\CLSID	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E9937FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyWebSearch.HTMLPanel\CLSID	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7473D291-B7BB-4F24-AE82-7E2CE94BB6A9}\ProxyStubClsid32	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{53CED2D0-5E9A-4761-9005-648404E6F7E5}\ProgID	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A626CDBD-3D13-4F78-B819-440A28D7E8FC}\ = "ISessionData"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC}	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\MiscStatus\ = "0"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{84DA4FDF-A1CF-4195-8688-3E961F505983}\InprocServer32\ = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin\\F3CJPEG.DLL"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}\TypeLib\Version = "1.0"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\TypeLib	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07B18EAA-A523-4961-B6BB-170DE4475CCA}\TypeLib\ = "{07B18EA0-A523-4961-B6BB-170DE4475CCA}"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F42228FB-E84E-479E-B922-FBBD096E792C}\1.0\FLAGS\ = "0"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D6FF3684-AD3B-48EB-BBB4-B9E6C5A355C1}\ = "ILargeStringDisp"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495}\TypeLib\ = "{E47CAEE0-DEEA-464A-9326-3F2801535A4D}"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000_CLASSES\Software\Microsoft\Windows\CurrentVersion\Run	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7473D295-B7BB-4F24-AE82-7E2CE94BB6A9}\TypeLib\Version = "1.0"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E79DFBCA-5697-4fbd-94E5-5B2A9C7C1612}\Control	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E79DFBC9-5697-4FBD-94E5-5B2A9C7C1612}\TypeLib\ = "{E79DFBC0-5697-4FBD-94E5-5B2A9C7C1612}"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E79DFBC0-5697-4FBD-94E5-5B2A9C7C1612}	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C}\TypeLib\ = "{8E6F1830-9607-4440-8530-13BE7C4B1D14}"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D9FFFB27-D62A-4D64-8CEC-1FF006528805}	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ScreenSaverControl.ScreenSaverInstaller\CurVer\ = "ScreenSaverControl.ScreenSaverInstaller.1"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E720452-B472-4954-B7AA-33069EB53906}\VersionIndependentProgID	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBABDC90-F3D5-4801-863A-EE6AE529862D}\TypeLib\ = "{8CA01F0E-987C-49C3-B852-2F1AC4A7094C}"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}\TypeLib\ = "{8CA01F0E-987C-49C3-B852-2F1AC4A7094C}"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC}\Instance\CLSID = "{4D5C8C2A-D075-11d0-B416-00C04FB90376}"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D6FF3684-AD3B-48EB-BBB4-B9E6C5A355C1}\TypeLib\Version = "1.0"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3DC201FB-E9C9-499C-A11F-23C360D7C3F8}\VersionIndependentProgID\ = "FunWebProducts.HTMLMenu"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9571378-68A1-443d-B082-284F960C6D17}	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyWebSearchToolBar.SettingsPlugin\ = "MyWebSearch Settings Plugin"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib\ = "{29D67D3C-509A-4544-903F-C8C1B8236554}"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E79DFBCB-5697-4FBD-94E5-5B2A9C7C1612}\ProxyStubClsid32	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA}\ProxyStubClsid32	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E53E2CB-86DB-4A4A-8BD9-FFEB7A64DF82}\TypeLib\Version = "1.0"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}\TypeLib\ = "{8E6F1830-9607-4440-8530-13BE7C4B1D14}"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E79DFBCA-5697-4fbd-94E5-5B2A9C7C1612}\InprocServer32\ThreadingModel = "Apartment"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25560540-9571-4D7B-9389-0F166788785A}\ProgID	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E720451-B472-4954-B7AA-33069EB53906}	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F8ECF4F-3646-4C3A-8881-8E138FFCAF70}\InprocServer32	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{120927BF-1700-43BC-810F-FAB92549B390}\ProxyStubClsid32	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3E53E2CB-86DB-4A4A-8BD9-FFEB7A64DF82}\TypeLib\Version = "1.0"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7473D292-B7BB-4f24-AE82-7E2CE94BB6A9}\InprocServer32\ = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin\\M3SKIN.DLL"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}\ = "IMyWebSearchPseudoTransparent"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A626CDBD-3D13-4F78-B819-440A28D7E8FC}\TypeLib\ = "{C8CECDE3-1AE1-4C4A-AD82-6D5B00212144}"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F8ECF4F-3646-4C3A-8881-8E138FFCAF70}\VersionIndependentProgID	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib\Version = "1.0"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyWebSearch.ChatSessionPlugin\ = "MyWebSearch Chat Session Plugin"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\Version\ = "1.0"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{90449521-D834-4703-BB4E-D3AA44042FF8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1768	m3IMPipe.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
1768	m3IMPipe.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2492	mwsoemon.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2292	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	30
PID 2812 wrote to memory of 2292	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	30
PID 2812 wrote to memory of 2292	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	30
PID 2812 wrote to memory of 2292	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	30
PID 2812 wrote to memory of 1968	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	31
PID 2812 wrote to memory of 1968	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	31
PID 2812 wrote to memory of 1968	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	31
PID 2812 wrote to memory of 1968	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	31
PID 2812 wrote to memory of 2028	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	32
PID 2812 wrote to memory of 2028	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	32
PID 2812 wrote to memory of 2028	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	32
PID 2812 wrote to memory of 2028	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	32
PID 2812 wrote to memory of 2492	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	34
PID 2812 wrote to memory of 2492	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	34
PID 2812 wrote to memory of 2492	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	34
PID 2812 wrote to memory of 2492	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	34
PID 2812 wrote to memory of 1768	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	35
PID 2812 wrote to memory of 1768	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	35
PID 2812 wrote to memory of 1768	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	35
PID 2812 wrote to memory of 1768	2812	3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3b3e42f54f1c8bfc435401065ea54ee6_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2812
- C:\PROGRA~2\MYWEBS~1\bar\1.bin\m3SrchMn.exe
  "C:\PROGRA~2\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwssvc.exe
  "C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwssvc.exe" -install
  2⤵
  - Executes dropped EXE
  PID:1968
- C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe
  "C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe" /d
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe
  "C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:2492
- C:\Program Files (x86)\MyWebSearch\bar\1.bin\m3IMPipe.exe
  "C:\Program Files (x86)\MyWebSearch\bar\1.bin\m3IMPipe.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1768

C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwssvc.exe
C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwssvc.exe
1⤵
- Executes dropped EXE
PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\MYWEBS~1\bar\1.bin\M3SRCHMN.EXE

Filesize
24KB

MD5
7d82378e11e4ea4bd6b5af002be024b5

SHA1
f5dbc7a173883370f0c468c796d9f216384a9bb4

SHA256
e626e746dce6578fe38b3f81f7a7313260d2efabbb3eb43376aced8c736363e6

SHA512
f50710ceabf3dd047157c92415402a49841d21584d3b71d2ef406e795355ee1d8c44f76df60c730f180f89260ccfb831555a9e940ae7664087cde9d6dd3622a9

Download Submit
C:\PROGRA~2\MYWEBS~1\bar\1.bin\MWSSVC.EXE

Filesize
28KB

MD5
319f6520eeace462c0fbfeb6ab400332

SHA1
f562a0eff8f7d5540efae723a3a33cf3271b1eab

SHA256
12b9e0a23af5f0cfb8d1bd0e33b305972c0d34e936d29acefbb82ec3f005d990

SHA512
3864f2c2605c22235008d896724b64dbeeb14c5593d19cd9a8770856d27d66bfd56ca87142f6cdebfa6a60e401966cba5147db4e0864c7b10caccca8b85fc1d6

Download Submit
C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3IMPIPE.EXE

Filesize
16KB

MD5
fff6063f3245896a084068cd5d8250fe

SHA1
6494f541d7682c5569a1c7da498a4a607a003f13

SHA256
7d8f66bcb0c92887cd18df770d2a68a8592204c1d1c82e6f49a7684f95c531c5

SHA512
9aff4820b4eedd11ea146bbadbc5edc4a42803c8738d5454751f36e0b44d0202962da6cbf4287c036d638070166a435eba8108c6afb95a4a3e88f97225c78866

Download Submit
\PROGRA~2\MYWEBS~1\bar\1.bin\MWSOEMON.EXE

Filesize
32KB

MD5
9abbe6f791c0b599a7128c9aca27c094

SHA1
ab86ada4fc136255edf950b9adf3d380c60ebd8d

SHA256
16bf4998b6073e258661d52810a79ca7f90f951005434ae8102350b094697948

SHA512
fba34cf1c750a35a69b011855e35542e1ad86ebf87e396d813c4bfa5d243c43ada78ad6a668bd7d6184cf47bc428ba122562ed0552260a5696bb67153e024fa4

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3CJPEG.DLL

Filesize
136KB

MD5
acb88f31279e312f633b24f48f8c0808

SHA1
742a35c7d3cedcd0eaf424b35fb5e861643210f0

SHA256
3a52298814e576ae90c5108651e9871dd351fbfd29bfb9b32820fd80cf5c8b7d

SHA512
6fd46a961deaa86e7bb92cc221a080bccbb0d35ac20d43c16ce6b5e283b0d6733654c9f6ccf3d0f3c0c2466ffdd38c5e088e40d1f332e2cb01f28b429a2d180f

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3DTACTL.DLL

Filesize
84KB

MD5
e651be4f6e4dcd99aa66ef80c5cdd28b

SHA1
553b35576446475c5e1ca2549354a611cf3fb8fb

SHA256
3e5a4ba558f1ddd8ae007c4d7fc366159160d60090b0f818b7c6b7cbecbd5856

SHA512
c198797043a06e66eb8c3b5aae81d81c0042dab04d6d62d1ab651c92fa7734877003257ad9d30f52a4a65c71327eefe7087bfc6dcbdd65ceb90922755c7054c4

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3HISTSW.DLL

Filesize
272KB

MD5
807d3213938a474995cc69eb73e86de9

SHA1
9d20a21f10e9e31afcc580650aa965e3ff7c6d94

SHA256
c86a3e4e7531ffefa5f8b858af674fcf69460100e02209bd38462ee6a8c89621

SHA512
dc3c69ce4e345891ed7947faf10ebf23a833b5ed7908ff8d7f472eb475e58d7441c83cf479bb8ac16ff5ebced7fc9d8498085fec0dc13a4fd3274c7abe93c02e

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTMLMU.DLL

Filesize
156KB

MD5
61059f5398a9c44d7097be901bb83096

SHA1
9ad5f60105a1bde49c9b915cac7e804f33ee3982

SHA256
af64833ba30552048cec1dcc941a1749a16054ed69957812c91a97ace2892d40

SHA512
34ad2e3c22afeec2de46a0f0e94d1818405929feeb7e4bb5dabb0e136b57e8b6a38d09215cbcd5c0ead8a349122454919a49e46641d1a903193d64da15d44cbc

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTTPCT.DLL

Filesize
76KB

MD5
b99d34088590a1f7ebe7d29c5d277dfc

SHA1
a8f14e7e82ca9f5e769e73a48a1b5abb76015733

SHA256
226049c2cd2448a484a62c36593b44fab204a617c1ecc0dd21ec10d73b23afd4

SHA512
e3bfec112c4d726305bf6998b996a6213c04e7df3e90dc8baddb263dc90ceb350fa8f964e133eb1e5a387f6394a2bdad4afc82ddb2f2a3c54ea865d8b954fdbc

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3IMSTUB.DLL

Filesize
28KB

MD5
1375586480385cfdd91a0f27b2e28f3e

SHA1
511defd57d3b3d083697039b7cab9d1fff1f3c72

SHA256
36f6ecf4ceee2a36cdba179cddad42e8dbaae8d8346c87e66222324ea2f1708a

SHA512
29a761052d256f672af4518494938b9616816d2350da6c00b28b0ee135c9078e6557e535fbbf1a6404ed29df619fd549348c05f2924aea6d461399d3be7843e6

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3POPSWT.DLL

Filesize
124KB

MD5
40f5c8587253ce8f534e53b0bd7bd8fc

SHA1
445b42bb7bdb14ebb75440a1e8e3d279bfdcda62

SHA256
f8b3d92ec5fa8120b37bcbb1a328f55c2315ffffb71a1eafa4edf653d1059463

SHA512
6ea2b970637c0b7d10a3b626e83547cebf110249b0e0096e42f55ee887ec7b790654ddb7121605707d1ae4de77a13ab59bb8308eb38bf671d033b7d9cde64436

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3REPROX.DLL

Filesize
128KB

MD5
d1bb2feab46b9867ea0f3cdbc881b204

SHA1
fc697ecb7ee466f4c2bc66961af0240c56730e68

SHA256
8199a9b4879a2ce72df749d6753d64574502f24c0e387a1f3fd05a736d1fc397

SHA512
927855d2af1ef983d61b6d07f2908d097598715493cec15e97ecab2a917e6c46459d78cea15b34988a1fb32e0222e5cfd86651a599cd2c2c1da17338fe34ee07

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3RESTUB.DLL

Filesize
24KB

MD5
c4ff418909d55a7744b04774a83135c9

SHA1
2489008ef2e8fb7a3bdf6014d4488d01629c7034

SHA256
76adc93b3153ccd4ab6f692d78013cb75842f741168a6de5adee56c23748b7a3

SHA512
50b692ddb5c6a1433af93c4b78eea9206dc6bc020e8f084473a788e2f9d4bf4aa5ebe1fd31951ca2890630bf75a3f74a88864781c4b849fdb8b4417c265f191e

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCRCTR.DLL

Filesize
292KB

MD5
d700ef661c52f2f7a3a3c5ad28795b04

SHA1
66af20b8640c74d12bdbdb07e943f31e41b6e941

SHA256
eefd5a797736269ae4f74bbf9371d018c3463f24cf78aea92dafe51c7a858f19

SHA512
0ab6a82e48fc7b22d56cd7cfc451d228e8c547d84b3503922d7be60ce221ae852d95a71ec5c764d181e97feb829f0c016ef5b295a27ef3fe25a7c479a44fe015

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3WPHOOK.DLL

Filesize
20KB

MD5
cee57e05eccf470e751689ded838b7d2

SHA1
0abbc8d0284780bfa10d09f8b78c4964ffaffecd

SHA256
2cf54c47ddbc69ebc4e199e11c15c202844645aa97aed823ad2ac2df54df92f3

SHA512
4c0399857b5152185195cd27bcb8cefd15690499ab8ea426ef53a83b9ed9e7037786eef2f3fbe9ac625d3a48364f2b343f5eb24767d9dd404ece37c88265d161

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3HTML.DLL

Filesize
84KB

MD5
d460eca5d4574507ff4dabcc2cbc5f2e

SHA1
667b3cfcd047176e948dc7056a545e7ce3dc38f0

SHA256
cecf2b16a398141495764ce6ce4c507f37986e90d1f9705838962d879d446398

SHA512
aed6d7a7a324a811ed77fd688e699528cf91a3be1ae56e97f229c8a9065678cec0d210a942e8c3516321ff7d9dd16554909fc622ee076ef4f70aa0d48122a184

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3IDLE.DLL

Filesize
28KB

MD5
86445e5a1c4b02574d8bb1b49ebc1a73

SHA1
5d7a2184b0e8fe0d6006fef4700a1d41aaf68452

SHA256
dfc9ecb661cbab8d7fdb5da5d595173a07f188ff4413968288adbe3e559f1776

SHA512
ccdb79e986dbb5663b2da6b0742cceb43a50d6b8989dc84b34e74ae31eb9ae8970fd5b41f2b733a7fb2715defffeeb7c73dc99253916cb7e74f7491d845b9bce

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3MSG.DLL

Filesize
152KB

MD5
445ca5e2da8147d1c7bd7c6d5a8fac4f

SHA1
1a0649b6a37d532071d3e2a7f5ece29b5f36ff65

SHA256
81cd5dc907af4b9b112fedbd96dd4c03008d0295ea2e91668e6b5ca49fea28cb

SHA512
aa8973542fb7714551b0d6adea923cbc03c0e018118f7249318c5d79bd1a10a7ce5bb7d9d5741b259b5fba85b0b9d204abb7c2e89c4e3e1b85497b45331ec66f

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3OUTLCN.DLL

Filesize
68KB

MD5
26f833b7ad465a044a8da50b619775b2

SHA1
47e7c028a3f829e20494654b3f4a034ba11c4397

SHA256
ec5f5449f8283811a4718d59d7c05de2dbcee2e6eee4c0f69e00ef92a44236e6

SHA512
2fbd865be9ad5f1a8e2ac4f739b4480333c76c4d675d21354dbd9df83294bf4e6ea8f1584f0da7cbd1ee94e4f00aaf0cab6cd3a899f27c8cb666094e905c87e5

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3PLUGIN.DLL

Filesize
52KB

MD5
041f075500e868b813499b039bba808d

SHA1
ea7aa34643563f6416bf79f25c9e6b28b656eb8e

SHA256
9a9575e7ecb4900bcae58c407a05b9b4331a0184efbd4378a5861d369293d5b7

SHA512
be22c590606a2ef151d90870773e919f84c4735b46a8a78a2620a7ec3bf6e1daa245f6d3840adaee3d31fa2caa58f45d193d5d96b18489dd94ccd6c1a9d9067d

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3SKIN.DLL

Filesize
128KB

MD5
d1a29fbd9263013a3afd6bb24ee92604

SHA1
1453515e1f71ce526ea83df46c2ffe970df29215

SHA256
e01e420cc5301cdf4d61f132303888bfa329616de8091e82b8e1f50387a66b11

SHA512
9e3b832effca395903279c0b6ee76d9cbd67361fc424b325b9a3d9e23659b08c920cf2d8a24f65bb3c73005639ccadcd5b042295fd6cd3ea7ae389cb8defaff5

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\MWSBAR.DLL

Filesize
424KB

MD5
ab0ba4c6555ea9496a267e1d82493a68

SHA1
57f52718684b01b40bf9af2f33740cb2d4ba573c

SHA256
528238121168a3c8a97e1db36b34cfa21ebffb1074d4cc9305cf277bdc06ba50

SHA512
6b6a85439f5d787ef04fd9958bb2b1128aaa1da66af96c3eb5787304e948826f583dbc2e951bfc5164221b1aaf56a3887c7754d0e7230fe3c531d6cb9a3f7b59

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOEPLG.DLL

Filesize
376KB

MD5
306d2dc89a130fdde7c0b5986027edf9

SHA1
559b7e739ff7d00fb434cc846fbf23ebaf57431c

SHA256
8242567324684a306080896f69c33a85f9b5583222a3255b0e4afe0fabfc545b

SHA512
3502ed5e67044fd3a0b33b4a374b17553ac6c46957c5d286d24ca0d4e22cff273b313a1e826416e7f7d21cd1ae30226b44f9920a440a2395bfff00ce170f6f37

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOESTB.DLL

Filesize
44KB

MD5
1ff049d8548fb307b2d03bcf32c61da4

SHA1
d2339982febbcae674dee4f8b7727538e9a57edb

SHA256
e6f54a8ee2ef2891040443cb643e6d4535da86cb5311d6994d720627ef8b9238

SHA512
9a71b887daf0ab20105899f1bbcd8b2b8acbb7cdb6126e72594c6bfd650ddf493adeb9ee4635b849255af944759709f116bee5d0d5bad11353138fff5f88f2c7

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\NPMYWEBS.DLL

Filesize
24KB

MD5
4fc4254f6eb68842e4cd5dead10d93d6

SHA1
bdaa0171c4b9c68c72d7e7f43ae18230cc9805d0

SHA256
defac8f0b9b87f1f32d7a3fe741ea757b548c8c685972bafcb33c646186a5c70

SHA512
c1947ca7287338ccb7823fe36fa9b9955996e9f6247c968eb2f950ace8440142f2b50139c212cb67ce6fd71fccf0f294039cfa23f22369bd3b420c51eb33051b

Download Submit