12c6553395de3745b0891c77230103fb2c2493453b48f87ea8a99189e65c9472

Analysis

max time kernel
140s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-07-2024 08:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Size

34KB
MD5

451e7b627befd8d42005864bacfd90c9
SHA1

588784038cb50e06b8e45fcb6a48e948eb2ce54b
SHA256

12c6553395de3745b0891c77230103fb2c2493453b48f87ea8a99189e65c9472
SHA512

b13a473db27bfadd01d4ab71d2e32172e2c3342e9f6fa67c04db19114d17cd5588c057e14a7ab0eaba09cec9a73bb8397d9c9fdf5402c0a0739edf0ef5230f6b
SSDEEP

768:SF2SEgEaVjiMQFRQVQoxGpcvogcOaabAiM9umhAiPCWcC:E7XiMQFGpxGi9wriQ6iPC

Score

8^/10

persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFWLiveUpdate.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojDie.kxp	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kabaload.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVPFW.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KMailMon.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvwsc.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP_1.kxp\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CCenter.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FTCleanerShell.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Wsyscheck.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iparmo.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KWatch.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KISLnchr.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MagicSet.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvolself.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVSrvXP.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmqczj.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\appdllman.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TxoMoU.Exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit32.Exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kvupload.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavTask.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KASMain.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVMonXP.kxp\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\isPwdSvc.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVSetup.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ras.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Trojanwall.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UmxAgent.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cross.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavMon.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\U.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pagefile.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrojanDetector.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kernelwind32.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Discovery.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guangd.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\5784sddfgiaabsfgds.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xxxdgfdfg.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FileDsty.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KAVDX.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rfwsrv.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcsvc.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVCenter.kxp	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RegClean.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVSetup.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RsAgent.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SysSafe.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\servet.exe\Debugger = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LoveHebeAA = "C:\\Windows\\system32\\vistaAA.exe"	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\config\systemprofile\vistaAA.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\vistaAA.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vistaAA.exe	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0339825cbd5da01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb47000000000200000000001066000000010000200000002159a0e1ff6784e918b200ca43bdf7473fae8f3219a81297450d0d25e3731037000000000e800000000200002000000027a6a0b64619e67b621a2c8e98b9f435a5ab01e65f9a8ed3debb203bb0461a4e900000008f0b8c25541cf72a0e5ad977214286cfcb3c869fd495991f724efa6190b9aea02814bf06d6a1363d2c3a277b44d516b207d5d70b9195eda0e1cc8091d4a8ee404bb2eca143c008543aac97adc4d54c183b5b9403cf9ae4e9555c80975f2a5bbd629704076825bef5f6bf44bd560ad5eb05a046f313fc1da7e3565d160daf90b2a5a1467ae3368a87a4eeb703a7ac5cda40000000ae91a435bb49dd254ece6e4488435b1acd3be3203d31addb983578a355d91b73df2b9603f0c513bfc8ce242c865188ed30aba3b8434afb017da22637acf12da7	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{50116661-41BE-11EF-9BC7-EEF6AC92610E} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a3d5a058b71c4645a1a6b8b9d2c7fb470000000002000000000010660000000100002000000028ed0e1ad9d5462f64434c6854bb6c963dbc9fdecef9f846fcf4771f114c2ab1000000000e80000000020000200000009b44e923931f2e1d88fe6a0d3f59eb270faee0929c38c2b58e321718596c9ff62000000024b391a55314d0d1bcf7421bee6a7ca7c6fc55f5d46c7ccdf3829d795563ab574000000045119ece2d5ab9196f9ffe8144d72905f829519cd8f1a79432caf9a78a22fbad3c31dd2236fdd0d48d69b6249558fa804dd91c6dc668ea5bbb7f7a5302db996c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2084	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2084	IEXPLORE.EXE
2084	IEXPLORE.EXE
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE
2240	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 2084	1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe	32
PID 1312 wrote to memory of 2084	1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe	32
PID 1312 wrote to memory of 2084	1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe	32
PID 1312 wrote to memory of 2084	1312	451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe	32
PID 2084 wrote to memory of 2240	2084	IEXPLORE.EXE	33
PID 2084 wrote to memory of 2240	2084	IEXPLORE.EXE	33
PID 2084 wrote to memory of 2240	2084	IEXPLORE.EXE	33
PID 2084 wrote to memory of 2240	2084	IEXPLORE.EXE	33

C:\Users\Admin\AppData\Local\Temp\451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\451e7b627befd8d42005864bacfd90c9_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  Open http://xz2.llju.com/tj.asp
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2084 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0aad442b0c86223acb1d0da2d9ee380f

SHA1
4bc19e814430014bb6644d209d5c4a10b4f7fc70

SHA256
9f6e02b93fe8e54055dc680616dde831ef712ab336c0a3cacbb9938968a0767a

SHA512
e87cd2a503d6be35d3a7bd56c5f124fb52bb13ed0e276483a502e41226cb14685ca9f70030fb9f31a21fa6e2567ceab8241c9b27e6088ee8222ec4472317a873

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01533a2a8e8fc71af644cbdf5178bfea

SHA1
e7cb86cc1eb100da561acba5ce88a56a2cc19b33

SHA256
22fff9f783359fd8c8ce0a9d74212c470e04d40afa53bd1ea43312adbf042232

SHA512
02382ba85d92dd0c15b17b1db312b15f64e49214f3430543d9dce7aab649d0ab1d66cc2a76d900d8403fd3155008eddef388bb9dfb4f8647d1950d796c1c2efa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff52ba97c6d6dce6433efc90af9592c9

SHA1
25162ccccfb0b98dea22b0339c25c8fd3cf322c5

SHA256
3175e91c373ab0c2cf9e59fe4ca5a8f05cc94aee6d97a1447d9bbd25b74c7514

SHA512
992389d59e092a324c3d5bb8f3b0b474be6d7eeae3e85d11fb00d282f2f21b2874f4de781d60d1c4879ff55680d04558ead355a436e5101e3248341e79224636

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55cbdbf10fecb10a820a71d0df48df49

SHA1
5ac5eac8b484e36e0423abba584b25bab5cc2772

SHA256
1676fd9381da0001ed66b0b7ab37db28a975494efbc3907363d3934b2cc259b9

SHA512
bc0901c270f8171a97c613529a0e828954e054acb49c567a5deabe8a4e7789c78223b56d748a2417f0a9618a7d634694fd438512661d0c9a080d2ce7947ccdc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
23de1d6408450e853ea57d8045b90f67

SHA1
719ac28acc5d6e2cf46ca73d524b2380cc4522d9

SHA256
8f6a11334057d2dd336ae17f392ff52de11cd94344baa2dad8ae382e6a70ae1e

SHA512
40a726d6044723c21b8390e1f3d3650f0bb9c34b3d19114e250c28e1282ea6126850362fbc8e69e399a7f3b83993c2f6aa64dc4fde951411248b74f07927a279

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdba3a6f053b79f3ca89499d87b1847d

SHA1
8222816ca9a673dd7ddb0fc19d80cfb7541e0bbc

SHA256
38b66e37186d61b5e836df6cca608e074d4a0e72070cc640f8314d38094d3359

SHA512
6b933b0646939efd5615125f0c7b3c920b077440e740d41745c2d17779c41557cf76596336e56a56cef90e34ab3e8cff1f7ca12c24e1c777f422be9655637028

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cefbe8d7a620a40eccbc95f710f690ca

SHA1
97145ca5c48081d2e099112685498696f66dead8

SHA256
75cde12c3ad458bbd687a6a4197b7a3808640fd02e856d8c0031c64d3c7e7a69

SHA512
85a945f5402fdc2b7ffc64fadc1f4ecb8b5f7d1bab5edd5042cc5c1e713bad14d3511f5c166f40cc3f29d0a0061e16c12857358faae9056a9c76f11206b480b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
676e4913723fcb0ec8f7922828ddc54c

SHA1
fd477fd384504f423e53f73adf391854ffa14271

SHA256
58fbb336ccf5ddf4f9a342b36b90da5c41992299c1aa82e79ceb6f14118f2ea0

SHA512
f60979dcadb47ce9b3a015027c4de10695d4de7b5eec5a4e9392d0f796e1ed7a4e28fc618d4e4d8778d861e1278e369acd2d7cf15e692dcd4e745b2545e59387

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFE7D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFF1D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1312-0-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1312-432-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download