44f53e2ca552f49ce5803a4139e09957c14422cfbc7e6ee5df445e16e4b2c4ce

Analysis

max time kernel
139s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
13/07/2024, 05:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe
Size

68KB
MD5

406330f4abd0aff45ebc657b5b37560c
SHA1

7b38374a0bd219475158941d004dc055a44fd28c
SHA256

44f53e2ca552f49ce5803a4139e09957c14422cfbc7e6ee5df445e16e4b2c4ce
SHA512

36c7541442d8cd902a9e775b58b43cab90132f04a1067a9b5ae94ec7b11b9a1fef20bca709237a79bb22c460da90118605eae592dcb08d610d9b436d311193cc
SSDEEP

1536:cj+x2UHc9nMXoML9atF9mV78oe1jDzeDCrqo/11s:bpaTQaw8ACr11s

Score

8^/10

evasion execution persistence trojan

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2896	52Z91.exe
2876	52Z91.exe

Loads dropped DLL 7 IoCs

pid	Process
2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe
2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe
2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe
2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe
2132	WerFault.exe
2132	WerFault.exe
2132	WerFault.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe

Drops file in Program Files directory 50 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe.com	52Z91.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE.com	52Z91.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.com	52Z91.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.com	52Z91.exe
File created	C:\Program Files\Windows NT\Accessories\wordpad.exe.com	52Z91.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.com	52Z91.exe
File created	C:\Program Files\Microsoft Games\Chess\Chess.exe.com	52Z91.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe.com	52Z91.exe
File created	C:\Program Files\Windows Defender\MpCmdRun.exe.com	52Z91.exe
File created	C:\Program Files\52Z91.exe.com	52Z91.exe
File created	C:\Program Files\7-Zip\7zG.exe.com	52Z91.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe.com	52Z91.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.com	52Z91.exe
File created	C:\Program Files\7-Zip\7z.exe.com	52Z91.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.com	52Z91.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe.com	52Z91.exe
File opened for modification	C:\Program Files\8TAGERQJ5\YXLXC5JXA.exe	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zFM.exe.com	52Z91.exe
File created	C:\Program Files\Java\jre7\bin\jabswitch.exe.com	52Z91.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe.com	52Z91.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe.com	52Z91.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe.com	52Z91.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.com	52Z91.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe.com	52Z91.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE.com	52Z91.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe.com	52Z91.exe
File created	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe.com	52Z91.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe.com	52Z91.exe
File created	C:\Program Files\Windows Photo Viewer\ImagingDevices.exe.com	52Z91.exe
File created	C:\Program Files\8TAGERQJ5\YXLXC5JXA.exe	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe.com	52Z91.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.com	52Z91.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe.com	52Z91.exe
File created	C:\Program Files\VideoLAN\VLC\uninstall.exe.com	52Z91.exe
File created	C:\Program Files\Windows Journal\Journal.exe.com	52Z91.exe
File created	C:\Program Files\0GOQJ3.bat	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.com	52Z91.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe.com	52Z91.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe.com	52Z91.exe
File created	C:\Program Files\52Z91.exe	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe
File created	C:\Program Files\Windows Media Player\setup_wm.exe.com	52Z91.exe
File created	C:\Program Files\Microsoft Games\Hearts\Hearts.exe.com	52Z91.exe
File created	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe.com	52Z91.exe
File created	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe.com	52Z91.exe
File created	C:\Program Files\Windows Mail\wab.exe.com	52Z91.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe.com	52Z91.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe.com	52Z91.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.com	52Z91.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.com	52Z91.exe
File created	C:\Program Files\Windows Sidebar\sidebar.exe.com	52Z91.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\XQPSZX.bat	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe
File created	C:\Windows\TPCPTMODMI.exe	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2668	sc.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2132	2896	WerFault.exe	30

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript Author"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\ = "JScript Language Encoding"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWOW64\\jscript.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\SCRIPTHOSTENCODE	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript.Encode"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\SCRIPTHOSTENCODE	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\SCRIPTHOSTENCODE	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\SCRIPTHOSTENCODE	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
780	reg.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe
2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe
2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe
2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe
2896	52Z91.exe
2896	52Z91.exe
2876	52Z91.exe
2876	52Z91.exe
2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2896	2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2896	2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2896	2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2896	2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe	30
PID 2840 wrote to memory of 2876	2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe	31
PID 2840 wrote to memory of 2876	2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe	31
PID 2840 wrote to memory of 2876	2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe	31
PID 2840 wrote to memory of 2876	2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe	31
PID 2840 wrote to memory of 2828	2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe	32
PID 2840 wrote to memory of 2828	2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe	32
PID 2840 wrote to memory of 2828	2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe	32
PID 2840 wrote to memory of 2828	2840	406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe	32
PID 2828 wrote to memory of 2668	2828	cmd.exe	34
PID 2828 wrote to memory of 2668	2828	cmd.exe	34
PID 2828 wrote to memory of 2668	2828	cmd.exe	34
PID 2828 wrote to memory of 2668	2828	cmd.exe	34
PID 2828 wrote to memory of 2724	2828	cmd.exe	35
PID 2828 wrote to memory of 2724	2828	cmd.exe	35
PID 2828 wrote to memory of 2724	2828	cmd.exe	35
PID 2828 wrote to memory of 2724	2828	cmd.exe	35
PID 2828 wrote to memory of 2724	2828	cmd.exe	35
PID 2828 wrote to memory of 2724	2828	cmd.exe	35
PID 2828 wrote to memory of 2724	2828	cmd.exe	35
PID 2828 wrote to memory of 1752	2828	cmd.exe	36
PID 2828 wrote to memory of 1752	2828	cmd.exe	36
PID 2828 wrote to memory of 1752	2828	cmd.exe	36
PID 2828 wrote to memory of 1752	2828	cmd.exe	36
PID 2828 wrote to memory of 1752	2828	cmd.exe	36
PID 2828 wrote to memory of 1752	2828	cmd.exe	36
PID 2828 wrote to memory of 1752	2828	cmd.exe	36
PID 2828 wrote to memory of 2220	2828	cmd.exe	37
PID 2828 wrote to memory of 2220	2828	cmd.exe	37
PID 2828 wrote to memory of 2220	2828	cmd.exe	37
PID 2828 wrote to memory of 2220	2828	cmd.exe	37
PID 2828 wrote to memory of 2220	2828	cmd.exe	37
PID 2828 wrote to memory of 2220	2828	cmd.exe	37
PID 2828 wrote to memory of 2220	2828	cmd.exe	37
PID 2828 wrote to memory of 2832	2828	cmd.exe	38
PID 2828 wrote to memory of 2832	2828	cmd.exe	38
PID 2828 wrote to memory of 2832	2828	cmd.exe	38
PID 2828 wrote to memory of 2832	2828	cmd.exe	38
PID 2828 wrote to memory of 2832	2828	cmd.exe	38
PID 2828 wrote to memory of 2832	2828	cmd.exe	38
PID 2828 wrote to memory of 2832	2828	cmd.exe	38
PID 2828 wrote to memory of 2256	2828	cmd.exe	39
PID 2828 wrote to memory of 2256	2828	cmd.exe	39
PID 2828 wrote to memory of 2256	2828	cmd.exe	39
PID 2828 wrote to memory of 2256	2828	cmd.exe	39
PID 2828 wrote to memory of 2256	2828	cmd.exe	39
PID 2828 wrote to memory of 2256	2828	cmd.exe	39
PID 2828 wrote to memory of 2256	2828	cmd.exe	39
PID 2828 wrote to memory of 2308	2828	cmd.exe	40
PID 2828 wrote to memory of 2308	2828	cmd.exe	40
PID 2828 wrote to memory of 2308	2828	cmd.exe	40
PID 2828 wrote to memory of 2308	2828	cmd.exe	40
PID 2828 wrote to memory of 1540	2828	cmd.exe	41
PID 2828 wrote to memory of 1540	2828	cmd.exe	41
PID 2828 wrote to memory of 1540	2828	cmd.exe	41
PID 2828 wrote to memory of 1540	2828	cmd.exe	41
PID 2828 wrote to memory of 2892	2828	cmd.exe	42
PID 2828 wrote to memory of 2892	2828	cmd.exe	42
PID 2828 wrote to memory of 2892	2828	cmd.exe	42
PID 2828 wrote to memory of 2892	2828	cmd.exe	42
PID 2828 wrote to memory of 536	2828	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Program Files\52Z91.exe
  "C:\Program Files\52Z91.exe" C:\Users\Admin\AppData\Local\Temp\406330f4abd0aff45ebc657b5b37560c_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2896
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 216
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2132
- C:\Program Files\52Z91.exe
  "C:\Program Files\52Z91.exe" rb
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\0GOQJ3.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\sc.exe
    sc.exe create PRUW22BinPath= "C:\Program Files\8TAGERQJ5\YXLXC5JXA.exe -start" type= own type= interact start= auto DisplayName= 6KES2V70
    3⤵
    - Launches sc.exe
    PID:2668
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s shimgvw.dll
    3⤵
    PID:2724
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    PID:1752
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:2220
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    PID:2832
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - Modifies registry class
    PID:2256
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2308
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1540
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2892
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:536
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:596
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:264
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\0GOQJ3.bat

Filesize
1KB

MD5
aafb98e94186d0017562de89d12058d3

SHA1
857eee87b6d77c296e6a53d8b9eebc02e0ee2e1f

SHA256
32ec0cef57eaf6ed3f3f69186ac1c3a51602a5f5af1733b83cf356b0082985d5

SHA512
8cb30890094654f90983a50e9be714b6892b6bfc0fed35bc445b89c9317a8ad2145b39a2c066bb362dc4d206ea947307757cd23d5c4564af87490610f57c16d1

Download Submit
C:\Program Files\7-Zip\7zFM.exe.com

Filesize
68KB

MD5
406330f4abd0aff45ebc657b5b37560c

SHA1
7b38374a0bd219475158941d004dc055a44fd28c

SHA256
44f53e2ca552f49ce5803a4139e09957c14422cfbc7e6ee5df445e16e4b2c4ce

SHA512
36c7541442d8cd902a9e775b58b43cab90132f04a1067a9b5ae94ec7b11b9a1fef20bca709237a79bb22c460da90118605eae592dcb08d610d9b436d311193cc

Download Submit
\Program Files\52Z91.exe

Filesize
28KB

MD5
16b931eb346d9ddd833cf9fb6f6fe829

SHA1
564d9d92ada66930d759645ed60c331bf6a20216

SHA256
dd8ef34c2a7048f2970da5ec121c13c491eb86e0c149e1b57f65fd84e488de40

SHA512
040afe83fd90d79b44cb9c535e993610d2de034e4c807443f7d77e0fd1ec950e8326b93338c868c1ef4f357d6835aff82064470c7b687b03c8895f3cdac91ae1

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads