Analysis
- max time kernel: 120s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/07/2024, 18:47
Tasks
- static1: Static task
- behavioral1: 3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe (resource win7-20240704-en)
- behavioral2: 3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe (resource win10v2004-20240709-en)
- behavioral3: $PLUGINSDIR/System.dll (resource win7-20240704-en)
- behavioral4: $PLUGINSDIR/System.dll (resource win10v2004-20240709-en)
- behavioral5: $PLUGINSDIR/newadvsplash.dll (resource win7-20240705-en)
- behavioral6: $PLUGINSDIR/newadvsplash.dll (resource win10v2004-20240709-en)
- behavioral7: $PLUGINSDIR/nsProcess.dll (resource win7-20240705-en)
- behavioral8: $PLUGINSDIR/nsProcess.dll (resource win10v2004-20240709-en)
- behavioral9: $TEMP/~nsis/Cloud-Web_nad_2_86.dll (resource win7-20240708-en)
- behavioral10: $TEMP/~nsis/Cloud-Web_nad_2_86.dll (resource win10v2004-20240709-en)
- behavioral11: Cloud-Web_2_86.dll (resource win7-20240708-en)
- behavioral12: Cloud-Web_2_86.dll (resource win10v2004-20240709-en)
- behavioral13: Cloud-Web_2_86.dll (resource win7-20240704-en)
- behavioral14: Cloud-Web_2_86.dll (resource win10v2004-20240709-en)
- behavioral15: Cloud-Web_mime_2_86.dll (resource win7-20240708-en)
- behavioral16: Cloud-Web_mime_2_86.dll (resource win10v2004-20240709-en)
- behavioral17: Cloud-Web_mime_2_86.dll (resource win7-20240704-en)
- behavioral18: Cloud-Web_mime_2_86.dll (resource win10v2004-20240709-en)
- behavioral19: Cloud-Web_nad_2_86.dll (resource win7-20240705-en)
- behavioral20: Cloud-Web_nad_2_86.dll (resource win10v2004-20240704-en)
- behavioral21: Cloud-Web_nad_2_86.dll (resource win7-20240708-en)
- behavioral22: Cloud-Web_nad_2_86.dll (resource win10v2004-20240709-en)
- behavioral23: Cloud-Web_run.exe (resource win7-20240708-en)
- behavioral24: Cloud-Web_run.exe (resource win10v2004-20240709-en)
- behavioral25: Cloud-Web_run.exe (resource win7-20240704-en)
- behavioral26: Cloud-Web_run.exe (resource win10v2004-20240709-en)
- behavioral27: Cloud-Web_tb_2_86.dll (resource win7-20240704-en)
- behavioral28: Cloud-Web_tb_2_86.dll (resource win10v2004-20240709-en)
- behavioral29: Cloud-Web_tb_2_86.dll (resource win7-20240705-en)
- behavioral30: Cloud-Web_tb_2_86.dll (resource win10v2004-20240709-en)
- behavioral31: cloudidsvc.exe (resource win7-20240704-en)
- behavioral32: cloudidsvc.exe (resource win10v2004-20240709-en)
General
- Target: 3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe
- Size: 587KB
- MD5: 3e76a68170fa6345231f3177915b1fbb
- SHA1: e0cfeafc4c55d4ab65c0a885f4f140e2aab8c04b
- SHA256: d490afb032c42bc292e4544a91bb757f4a21b1af889b0afbde4e30847b394a7a
- SHA512: 79ec907c3a0cdeef813b857af1f6bf88d9a3575f5d18d6f16b66948df40877d621c4bb723344ca3dc5a4a1fbc012e9e5adc630e331f868099b0e53f9068f271d
- SSDEEP: 12288:6CNEba4ZlZt9OHqJ5jheewGc4lhoeeViTeyJXg:0bLwHk5VBw83Lmiy
Malware Config
Signatures

Executes dropped EXE 5 IoCs
- PID 1060: cloudidsvc.ex_
- PID 4128: cloudidsvc.ex_
- PID 5104: cloudidsvc.exe
- PID 3276: cloudidsvc.exe
- PID 3488: cloudidsvc.exe
Loads dropped DLL 14 IoCs
- PID 4796: 3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe (all 14 entries are from this process)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3655562C-EBBD-Ba21-A87E-8AF80AEED4F8} (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3655562C-EBBD-Ba21-A87E-8AF80AEED4F8}\ = "CloudExs40002APIClass Helper" (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
Drops file in Program Files directory 16 IoCs
- File created: C:\Program Files (x86)\Cloud-Web\Cloud-Web_2_86.dll (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\Cloud-Web\Cloud-Web_mime_2_86.dll (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\Cloud-Web\Cloud-Web_run.exe (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\Cloud-Web\Cloud-Web_nad_2_86.dl_ (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\Cloud-Web\cloudidsvc.ex_ (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\Cloud-Web\Cloud-Web_mime_2_86.dl_ (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\Cloud-Web\Cloud-Web_run.ex_ (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- File opened for modification: C:\Program Files (x86)\Cloud-Web\Log\cloudweb_up_20240712.txt (cloudidsvc.ex_)
- File created: C:\Program Files (x86)\Cloud-Web\Cloud-Web_nad_2_86.dll (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\Cloud-Web\cloud_uins.dat (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\Cloud-Web\Cloud-Web_2_86.dl_ (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\Cloud-Web\Cloud-Web_tb_2_86.dl_ (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- File created: C:\Program Files (x86)\Cloud-Web\Cloud-Web_tb_2_86.dll (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- File opened for modification: C:\Program Files (x86)\Cloud-Web\Log\cloudweb_up_20240712.txt (cloudidsvc.exe)
- File created: C:\Program Files (x86)\Cloud-Web\uninst.exe (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings 9 IoCs
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D} (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ButtonText = "Ŭ¶ó¿ìµåÀ¥ ¼³Á¤ ½ÇÇà" (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Icon = "C:\\Program Files (x86)\\Cloud-Web\\Cloud-Web_tb_2_86.dll,201" (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\CLSID = "{1FBA04EE-3024-11d2-8F1F-0000F87ABD16}" (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\HotIcon = "C:\\Program Files (x86)\\Cloud-Web\\Cloud-Web_tb_2_86.dll,202" (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\ClsidExtension = "{053202B5-4539-4c5a-B531-42C754ABBD41}" (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{0A07354E-A092-490f-9597-BA096721A26D}\Default Visible = "Yes" (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
- Key created: \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe)
Modifies data under HKEY_USERS 5 IoCs
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (cloudidsvc.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (cloudidsvc.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (cloudidsvc.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (cloudidsvc.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (cloudidsvc.exe)
Modifies registry class 64 IoCs
All 64 entries were made by 3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe.
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2655562C-EBBD-BA21-A87E-8AF80AEED4F8}\1.0\HELPDIR
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4DDB057-9EDC-45B5-89A3-8CAD9F265F1E}\1.0\FLAGS\ = "0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22D0BA1C-4BEB-476E-AA5A-18FDE2E9D064}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36E4825B-2C2F-4EC9-99F0-6EA492D7CC30}\TypeLib\ = "{EA3B666E-8A3C-4099-B499-E0A277279117}"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs40002BHO.CloudExs40002APIClass\CLSID\ = "{3655562C-EBBD-Ba21-A87E-8AF80AEED4F8}"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs40002BHO.CloudExs40002APIClass\CurVer\ = "CloudExs40002BHO.CloudExs40002APIClass.1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2655562C-EBBD-BA21-A87E-8AF80AEED4F8}\1.0\FLAGS
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID\ = "CloudToolBar.CloudToolbarObject"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1655562C-EBBD-BA21-A87E-8AF80AEED4F8}\TypeLib
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1655562C-EBBD-BA21-A87E-8AF80AEED4F8}\TypeLib
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}\VersionIndependentProgID
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1655562C-EBBD-BA21-A87E-8AF80AEED4F8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ID_MimeHTML.1
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36E4825B-2C2F-4EC9-99F0-6EA492D7CC30}\TypeLib
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3655562C-EBBD-Ba21-A87E-8AF80AEED4F8}\ProgID
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3655562C-EBBD-Ba21-A87E-8AF80AEED4F8}\Programmable
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2655562C-EBBD-BA21-A87E-8AF80AEED4F8}\1.0\0\win32
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4DDB057-9EDC-45B5-89A3-8CAD9F265F1E}\1.0\0\win32
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22D0BA1C-4BEB-476E-AA5A-18FDE2E9D064}\ProgID
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3B666E-8A3C-4099-B499-E0A277279117}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2655562C-EBBD-BA21-A87E-8AF80AEED4F8}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Cloud-Web\\"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CloudToolBar.CloudToolbarObject\CurVer
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4DDB057-9EDC-45B5-89A3-8CAD9F265F1E}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{2655562C-EBBD-BA21-A87E-8AF80AEED4F8}\1.0\FLAGS\ = "0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36E4825B-2C2F-4EC9-99F0-6EA492D7CC30}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36E4825B-2C2F-4EC9-99F0-6EA492D7CC30}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36E4825B-2C2F-4EC9-99F0-6EA492D7CC30}\TypeLib\ = "{EA3B666E-8A3C-4099-B499-E0A277279117}"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs40002BHO.CloudExs40002APIClass.1\ = "CloudExs40002APIClass Class"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3655562C-EBBD-Ba21-A87E-8AF80AEED4F8}\InprocServer32\ = "C:\\Program Files (x86)\\Cloud-Web\\Cloud-Web_2_86.dll"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3655562C-EBBD-Ba21-A87E-8AF80AEED4F8}\InprocServer32\ThreadingModel = "Apartment"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D89080BE-5019-4399-96E1-2A0E32AEF599}\TypeLib\Version = "1.0"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\ID_MimeHTML\CurVer\ = "ID_MimeHTML.1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs40002BHO.CloudExs40002APIClass.1\CLSID
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs40002BHO.CloudExs40002APIClass\CurVer
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{053202B5-4539-4c5a-B531-42C754ABBD41}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4DDB057-9EDC-45B5-89A3-8CAD9F265F1E}\1.0\0\win32\ = "C:\\Program Files (x86)\\Cloud-Web\\Cloud-Web_tb_2_86.dll"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ID_MimeHTML\CLSID
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3B666E-8A3C-4099-B499-E0A277279117}\1.0\FLAGS
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36E4825B-2C2F-4EC9-99F0-6EA492D7CC30}\TypeLib
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CloudToolBar.CloudToolbarObject\ = "CloudToolbarObject Class"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4DDB057-9EDC-45B5-89A3-8CAD9F265F1E}\1.0\FLAGS
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4DDB057-9EDC-45B5-89A3-8CAD9F265F1E}\1.0\0
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3655562C-EBBD-Ba21-A87E-8AF80AEED4F8}\VersionIndependentProgID\ = "CloudExs40002BHO.CloudExs40002APIClass"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D89080BE-5019-4399-96E1-2A0E32AEF599}\ProxyStubClsid32
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{36E4825B-2C2F-4EC9-99F0-6EA492D7CC30}\ProxyStubClsid32
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{36E4825B-2C2F-4EC9-99F0-6EA492D7CC30}\TypeLib\Version = "1.0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs40002BHO.CloudExs40002APIClass.1
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1655562C-EBBD-BA21-A87E-8AF80AEED4F8}\ProxyStubClsid32
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D89080BE-5019-4399-96E1-2A0E32AEF599}\ = "ICloudToolbarObject"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22D0BA1C-4BEB-476E-AA5A-18FDE2E9D064}\ProgID\ = "ID_MimeHTML.1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs40002BHO.CloudExs40002APIClass
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3655562C-EBBD-Ba21-A87E-8AF80AEED4F8}\TypeLib
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CloudToolBar.CloudToolbarObject\CLSID\ = "{053202B5-4539-4c5a-B531-42C754ABBD41}"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1655562C-EBBD-BA21-A87E-8AF80AEED4F8}\TypeLib\Version = "1.0"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D89080BE-5019-4399-96E1-2A0E32AEF599}\ = "ICloudToolbarObject"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\CloudExs40002BHO.CloudExs40002APIClass.1\CLSID\ = "{3655562C-EBBD-Ba21-A87E-8AF80AEED4F8}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1655562C-EBBD-BA21-A87E-8AF80AEED4F8}
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1655562C-EBBD-BA21-A87E-8AF80AEED4F8}\ProxyStubClsid32
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ID_MimeHTML\CurVer
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22D0BA1C-4BEB-476E-AA5A-18FDE2E9D064}\TypeLib
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EA3B666E-8A3C-4099-B499-E0A277279117}\1.0\0\win32\ = "C:\\Program Files (x86)\\Cloud-Web\\Cloud-Web_mime_2_86.dll"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3655562C-EBBD-Ba21-A87E-8AF80AEED4F8}\ProgID\ = "CloudExs40002BHO.CloudExs40002APIClass.1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B4DDB057-9EDC-45B5-89A3-8CAD9F265F1E}\1.0
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\ID_MimeHTML
Suspicious behavior: EnumeratesProcesses 8 IoCs
- PID 4796: 3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe (all 8 entries are from this process)
Suspicious use of WriteProcessMemory 12 IoCs
Each entry gives the writing process, the target PID and the sandbox procid_target.
- PID 4796 (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe) wrote to memory of 1060, procid_target 86
- PID 4796 (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe) wrote to memory of 1060, procid_target 86
- PID 4796 (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe) wrote to memory of 1060, procid_target 86
- PID 4796 (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe) wrote to memory of 4128, procid_target 87
- PID 4796 (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe) wrote to memory of 4128, procid_target 87
- PID 4796 (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe) wrote to memory of 4128, procid_target 87
- PID 4796 (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe) wrote to memory of 5104, procid_target 88
- PID 4796 (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe) wrote to memory of 5104, procid_target 88
- PID 4796 (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe) wrote to memory of 5104, procid_target 88
- PID 4796 (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe) wrote to memory of 3276, procid_target 89
- PID 4796 (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe) wrote to memory of 3276, procid_target 89
- PID 4796 (3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe) wrote to memory of 3276, procid_target 89
Processes
- PID 4796: C:\Users\Admin\AppData\Local\Temp\3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e76a68170fa6345231f3177915b1fbb_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Installs/modifies Browser Helper Object; Drops file in Program Files directory; Modifies Internet Explorer settings; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - PID 1060 (child): C:\Program Files (x86)\Cloud-Web\cloudidsvc.ex_
    Command line: "C:\Program Files (x86)\Cloud-Web\cloudidsvc.ex_" /stop
    Signatures: Executes dropped EXE
  - PID 4128 (child): C:\Program Files (x86)\Cloud-Web\cloudidsvc.ex_
    Command line: "C:\Program Files (x86)\Cloud-Web\cloudidsvc.ex_" /u
    Signatures: Executes dropped EXE; Drops file in Program Files directory
  - PID 5104 (child): C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe
    Command line: "C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe" /i
    Signatures: Executes dropped EXE; Drops file in Program Files directory
  - PID 3276 (child): C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe
    Command line: "C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe" /start
    Signatures: Executes dropped EXE
- PID 3488: C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe
  Command line: "C:\Program Files (x86)\Cloud-Web\cloudidsvc.exe"
  Signatures: Executes dropped EXE; Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads