e50c36647c0210664490fb3a77d093dc6addc44aa27e40234eb43a5e6fee0bbe

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d81f8e46196174be71478be416c761e_JaffaCakes118.exe
Size

1.1MB
MD5

3d81f8e46196174be71478be416c761e
SHA1

56148645996e4d3c930351a84cf1c1d7131766d6
SHA256

e50c36647c0210664490fb3a77d093dc6addc44aa27e40234eb43a5e6fee0bbe
SHA512

9dc310c3a350dc1981d4b52f35caeaeeadedff63462ea1d78a0ff65d3edd4f2bda72b21eca9e0aa813a7b7cac0d7215ae288f9562509fa19116d28a7618043bd
SSDEEP

24576:QXELkiAQ3+8ngBGJ57cXi3LeSIPCljWXyZhVHu6kVT2nE0ytcOTEQI+xU:wCkiAQOF0cXi3CnPClSUhN8ViOTEQTxU

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	3d81f8e46196174be71478be416c761e_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	YontooSetup-S.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	YontooSetup-S-0DE4.exe

Executes dropped EXE 4 IoCs

pid	Process
4652	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
3556	YontooSetup-S.exe
3664	YontooSetup-S-0DE4.exe
4268	7za.exe

Loads dropped DLL 4 IoCs

pid	Process
4652	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
3664	YontooSetup-S-0DE4.exe
3664	YontooSetup-S-0DE4.exe
3664	YontooSetup-S-0DE4.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\L:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\N:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\R:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\U:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\E:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\M:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\O:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\E:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\U:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\H:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\I:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\Q:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\Z:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\I:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\O:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\S:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\V:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\L:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\Y:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\G:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\Y:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\T:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\J:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\T:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\V:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\W:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\Z:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\J:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\P:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\X:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\G:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\K:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\P:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\S:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\X:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\M:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\N:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\Q:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\R:	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
File opened (read-only)	\??\K:	YontooSetup-S-0DE4.exe
File opened (read-only)	\??\W:	YontooSetup-S-0DE4.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ = "Yontoo Layers"	YontooSetup-S-0DE4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\NoExplorer = "1"	YontooSetup-S-0DE4.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Yontoo\YontooIEClient.dll	YontooSetup-S-0DE4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Recovery\Active	YontooSetup-S-0DE4.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1\CLSID	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\TypeLib\ = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\NumMethods\ = "7"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{99066096-8989-4612-841F-621A01D54AD7}	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\InprocServer32\ThreadingModel = "Apartment"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ProxyStubClsid32\ = "{10DE7085-6A1E-4D41-A7BF-9AF93E351401}"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ = "Yontoo"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\WOW6432Node\CLSID	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\InProcServer32\ThreadingModel = "Both"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\InProcServer32\ = "C:\\Program Files (x86)\\Yontoo\\YontooIEClient.dll"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1\CLSID\ = "{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\ = "Yontoo"	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\ = "YontooIEClient 1.0 Type Library"	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ = "IApi"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\InProcServer32	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ = "Yontoo Api"	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\CurVer\ = "YontooIEClient.Layers.1"	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ProgID\ = "YontooIEClient.Layers.1"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\HELPDIR	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ = "ILayers"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\VersionIndependentProgID	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\InprocServer32	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ = "ILayers"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ProxyStubClsid32	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}\defaultEnableAppsList	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\TypeLib\ = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib\ = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\InprocServer32	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Yontoo"	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\TypeLib\ = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\Programmable	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\TypeLib	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\FLAGS	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib\Version = "1.0"	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\YontooIEClient.DLL\AppID = "{CFDAFE39-20CE-451D-BD45-A37452F39CF0}"	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api\CurVer\ = "YontooIEClient.Api.1"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\0\win32	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib\ = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ProgID	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\TypeLib\Version = "1.0"	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\InprocServer32\ThreadingModel = "Apartment"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1\CLSID\ = "{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}"	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api\ = "Yontoo Api"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\Programmable	YontooSetup-S-0DE4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\CLSID\ = "{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ProgID	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\YontooIEClient.DLL	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\CurVer	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\TypeLib	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\NumMethods	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\CLSID	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\VersionIndependentProgID	YontooSetup-S-0DE4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ProxyStubClsid32	YontooSetup-S-0DE4.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4652	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
3556	YontooSetup-S.exe
3664	YontooSetup-S-0DE4.exe
4268	7za.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 4652	1144	3d81f8e46196174be71478be416c761e_JaffaCakes118.exe	85
PID 1144 wrote to memory of 4652	1144	3d81f8e46196174be71478be416c761e_JaffaCakes118.exe	85
PID 1144 wrote to memory of 4652	1144	3d81f8e46196174be71478be416c761e_JaffaCakes118.exe	85
PID 4652 wrote to memory of 3556	4652	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe	88
PID 4652 wrote to memory of 3556	4652	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe	88
PID 4652 wrote to memory of 3556	4652	3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe	88
PID 3556 wrote to memory of 3664	3556	YontooSetup-S.exe	89
PID 3556 wrote to memory of 3664	3556	YontooSetup-S.exe	89
PID 3556 wrote to memory of 3664	3556	YontooSetup-S.exe	89
PID 3664 wrote to memory of 4268	3664	YontooSetup-S-0DE4.exe	90
PID 3664 wrote to memory of 4268	3664	YontooSetup-S-0DE4.exe	90
PID 3664 wrote to memory of 4268	3664	YontooSetup-S-0DE4.exe	90
PID 3664 wrote to memory of 1856	3664	YontooSetup-S-0DE4.exe	92
PID 3664 wrote to memory of 1856	3664	YontooSetup-S-0DE4.exe	92
PID 1856 wrote to memory of 3260	1856	chrome.exe	93
PID 1856 wrote to memory of 3260	1856	chrome.exe	93

C:\Users\Admin\AppData\Local\Temp\3d81f8e46196174be71478be416c761e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d81f8e46196174be71478be416c761e_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\AppData\Local\Temp\3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe
  "C:\Users\Admin\AppData\Local\Temp\3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe" "C:\Users\Admin\AppData\Local\Temp\3d81f8e46196174be71478be416c761e_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4652
- - C:\Users\Admin\AppData\Local\Temp\YontooSetup-S.exe
    "C:\Users\Admin\AppData\Local\Temp\YontooSetup-S.exe" "YontooApp=bvd" "InstallSource=BVD-S1" "DisableAppsList=" "EnableMoreAppsList=bestvideodownloader,ezLooker,pagerage,buzzdock,dropdowndeals,twittube" "SkipIE=0" "SkipFF=0" "SkipGC=0" "MoreSettings=" "SkipNewOffers=0" "OptimizeEnablePlugin=1" "OptimizeLoadTime=1" "OptimizeMixedContent=1" "OptimizeCSP=0"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3556
  - - C:\Users\Admin\AppData\Local\Temp\YontooSetup-S-0DE4.exe
      "C:\Users\Admin\AppData\Local\Temp\YontooSetup-S-0DE4.exe" /q2 "YontooApp=bvd" "InstallSource=BVD-S1" "DisableAppsList=" "EnableMoreAppsList=bestvideodownloader,ezLooker,pagerage,buzzdock,dropdowndeals,twittube" "SkipIE=0" "SkipFF=0" "SkipGC=0" "MoreSettings=" "SkipNewOffers=0" "OptimizeEnablePlugin=1" "OptimizeLoadTime=1" "OptimizeMixedContent=1" "OptimizeCSP=0" "C:\Users\Admin\AppData\Local\Temp\YontooSetup-S.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Enumerates connected drives
      Installs/modifies Browser Helper Object
      Drops file in Program Files directory
      Modifies Internet Explorer settings
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3664
    - - C:\Users\Admin\AppData\Local\Temp\7za.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7za.exe" x "C:\Users\Admin\AppData\Local\Temp\YontooLayers.crx" -o"C:\Users\Admin\AppData\Local\Temp\YontooLayers" * -r -y -aoa
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4268
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --pack-extension="C:\Users\Admin\AppData\Local\Temp\YontooLayers" --pack-extension-key="C:\Users\Admin\AppData\Local\Temp\YontooLayers.pem" --no-message-box
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1856
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcfbd2cc40,0x7ffcfbd2cc4c,0x7ffcfbd2cc58
        6⤵
        
        PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\3d81f8e46196174be71478be416c761e_JaffaCakes118-0478.exe

Filesize
220KB

MD5
537237d523c660cc578bccb574d69a80

SHA1
1621e8c07466e30c4821d864f69f306d26ea1589

SHA256
8ac20fd67bc5248b2c49e09ee297e443385a74b4fee985f819e92df622dc5975

SHA512
2511594d233166be6406998daa41ec9f1e6783cf6e7158b5a159152839a60c50ee95eff5f8f0d1d91d25ca4fc4a07f6090ff399ad012a1c6a066e388b29d9eb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A8B1D97\Setup.ico

Filesize
4KB

MD5
60e3ef9326e8c3f574a2c7b5a31fd895

SHA1
d3aa40f8de5c549e6abb189421d6cdcd75ac64f6

SHA256
5e8c38cabd089ecd573d953cf2ade243459d7c06aab7b9698975e10dd7f34689

SHA512
9a9be32fb1b4355f37766c5296139012d2fd931fb0db871307059cd0afc063a334165f34069a27ed8850889175e2f5f00be65ac2e8b9d22903754a043ae04906

Download Submit
C:\Users\Admin\AppData\Local\Temp\6A8B1D97\_Setup.dll

Filesize
17KB

MD5
4cb9c66da8efd5e577cf213d51f2af26

SHA1
90b87f25c3c0a7b36b51f275646a4bc6536fbd66

SHA256
241c28098921bf96569a4b39dc4d35d922f3c0b06bade4da8a940752fb0969df

SHA512
fa440c4520a3abaca58f9d458564c2fd4d7fea2ec20cfcec181ba1f7c37bcb5daa0f35d55955db2125ac72d6f028ebb377b521f2017393a1c93b28cfcb6e818e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7za.exe

Filesize
523KB

MD5
e92604e043f51c604b6d1ac3bcd3a202

SHA1
4154dda4a1e2a5ed14303dc3d36f448953ff6d33

SHA256
fa252e501332b7486a972e7e471cf6915daa681af35c6aa102213921093eb2a3

SHA512
ef396d94d83fd7a588c6e645ea5fcfe24390440a03b3bf0ecd05ca6749fd3f9561dfafe725ee0edea51a34d52af26cd311e768aa72f75686cc796abee4757d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9F66C69\_Setup.dll

Filesize
623KB

MD5
a0553660edd8df0a721f256f8ff0fd33

SHA1
a9cf68f2fa3bc592669a6db3bea958cc8de76fbb

SHA256
6bd014216e185b6b874190024900251b4123c6b08626d77a621fb3c60431c3f9

SHA512
d0596f446418158e421c341f3b527e860ad3a7ca2ac552261c654b2b495a7f728e98defd8951987ff14be18e633ecfa205672ce0c1bb6a9125dd1e8a35412d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\B9F66C69\_Setupx.dll

Filesize
412KB

MD5
ff998dd6838d3d4dfd12559b07bca9ed

SHA1
80a6d2f5472c5bdb7e6c6d88079ea1281805550b

SHA256
00a7e8d0e0d4755b661038c184671f44863506654f24abcce002a31fa07ccb32

SHA512
cc1902435ea04f9c81334d8d710e291b3bbd042758b9c2260917ccbcc35d00dc3ee849d91c574ad36f4bd8f0b68ee5fbc959972bdc154aed603b4ee1121cb1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YontooIEClient.dll

Filesize
190KB

MD5
4bf437cddf8c692738cfa413231c9b3c

SHA1
c7390942d0d6579cc2c17dcaa8e20f6025f996cf

SHA256
e2070da8e584a4d3c88da655171adc8ba179ebacf70758b1627ffc5f45f7fa5e

SHA512
a3b16e2a326cc80c09c012331f716acc27f76c144ad9369b9c608e67c7bfb3745339e0063100a8a9cbf46d9efc884a51c15a0f036c12eb6b49dd97ebf33de26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\YontooLayers.crx

Filesize
1KB

MD5
d58084315fdd9d9bab1a8a9be2274155

SHA1
0265b34ff0a4b03a83ccbe8a2f07cad34f518bd2

SHA256
e14f6f82d52151d15640b61fa0fb01ed865e87eb85327e83f40e0684504d0b5b

SHA512
258c0d5ed9dfc25d3ea7d86f6eed92954ec8442a0ba2e28f724c8cc4dff84cc3359ab2db686a6d4c29c86a50024612fc9c72aa9a2907e2af5ef3e7ee5002f0e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\YontooLayers\manifest.json

Filesize
367B

MD5
cc20c74e78136f35fcc5bdceccc5b060

SHA1
09633fc57bc67ac36523aa8da16b1fa868c65d36

SHA256
df0968ec9c88caa63c1056cf5663477bce092076e498eb5249a3ad0af0c537e3

SHA512
faa1c39622fc70b46e21f440c0a63769829c0b2db2fb8bf85c1d7f10deeaec6ef2b8498a26784575b5df9bc0e66089dff413674e01e4c8e6bb6eaee9fdaad8eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\YontooLayers\yl.js

Filesize
703B

MD5
2f88f7da08ba443199e61da9ac52c0c7

SHA1
365ebb9ddd78af59d004f40773f178013ce7920a

SHA256
aac0065ea9f223b76f3256a03b8aa5f7dbe42ba99abd57627129cd7dede2c27a

SHA512
734b742a5018948317f81939717d8ed9ec991e97f84b1dcc08747857063f33dd2f7fc979e32067999dbe635e5c644449b971cc7588571d9ebb94ee33e22b6838

Download Submit
C:\Users\Admin\AppData\Local\Temp\YontooSetup-S-0DE4.exe

Filesize
223KB

MD5
173ec2796abc3d74f58a86abd7516a2e

SHA1
b2056bf94f0a4d4b9b7e524da425cb2abb499a80

SHA256
1e03b1b06bbffabba51d1981f6361a8bdac9902ef2f99bca832674a20163e684

SHA512
ca8033a09f8269c37bb301077990fd177b811dde06c7a85aac63ac1805ecf88b39857d5090a844af1f9d14c38b7598807b9a42768ecd6330695d530e69f19153

Download Submit
C:\Users\Admin\AppData\Local\Temp\YontooSetup-S.exe

Filesize
1.0MB

MD5
e8f0c3af81a302e9e1580f851ad84c5f

SHA1
9bc097429b54da7d4e36d169ebaa39e01dae1300

SHA256
056dea23f3eeb7a28d3274b094180f56dbac459fb3d45a6a007d48d7956ea595

SHA512
1466c0bd85f81b3908b533d842c053ef54cdc5bae53f46b2af230edc5bc2dae9c448985d7e8bbde9eb777cc4436d5e5b98eef3d5e8ceedde4ac7165f701cf23f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads