gh0strat | 678bddf3e9e0e5fbcd7d0d61d3cc944740c334380aad164e46d3fb5252406864

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
15/07/2024, 16:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe
Size

2.0MB
MD5

4a77887bfb15cd97964730f743d8d7d2
SHA1

2946916719060e789cfeb70b06a1a19eae1dcb8c
SHA256

678bddf3e9e0e5fbcd7d0d61d3cc944740c334380aad164e46d3fb5252406864
SHA512

4d3ee6b2b513a0c2d0207ce7860d8305c2cab79108e539d5d0b863b8d3846e738286159a326953434fd351ca00988bb1559c3c3cbcaab4795484151c7a23ba9c
SSDEEP

49152:LbQ9tUbdU0GUvqrwILQiTZ+W49gAK0vyhUkwkur:LEC1GUqLQuZyM0vyGkt

Score

10^/10

gh0strat discovery persistence rat

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2724-17-0x0000000000404000-0x0000000000420000-memory.dmp	family_gh0strat
behavioral1/files/0x000800000001568f-16.dat	family_gh0strat
behavioral1/memory/2724-18-0x0000000000400000-0x000000000041F380-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Adobe Flash Player"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ComponentID = "Flash"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IsInstalled = 01000000	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "10.0.22.87"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Locale = "EN"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe

Executes dropped EXE 2 IoCs

pid	Process
2792	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
2724	eeeeeeeeeeeeeeeeeeeee.exe

Loads dropped DLL 16 IoCs

pid	Process
2060	4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe
2060	4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe
2060	4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe
2240	WerFault.exe
2240	WerFault.exe
2240	WerFault.exe
2792	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
2792	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
2792	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
2240	WerFault.exe
2792	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
2792	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
2792	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
2792	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
2792	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
2792	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\install.log	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash10b.ocx	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10b.exe	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash10b.ocx	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10b.exe	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
2240	2724	WerFault.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x00080000000120cd-2.dat	nsis_installer_1

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWow64\\Macromed\\Flash"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil10b.exe"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil10b.exe"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\ = "FlashBroker"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\ = "MacromediaFlashPaper.MacromediaFlashPaper"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\ = "Shockwave Flash Object"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS\ = "0"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\TypeLib\ = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\ = "Macromedia Flash Factory Object"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\LocalizedString = "@C:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10b.exe,-101"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\ = "Shockwave Flash Object"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\Elevation\Enabled = "1"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon\ = "\"%1\""	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{0BE09CC1-42E0-11DD-AE16-0800200C9A66}\TypeLib	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sor\Content Type = "text/plain"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID\ = "ShockwaveFlash.ShockwaveFlash.10"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\ = "0"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\ = "Shockwave Flash Object"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ = "Shockwave Flash Object"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\ = "Shockwave Flash Object"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version\ = "1.0"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\ = "Shockwave Flash Object"	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2792	AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 2792	2060	4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe	30
PID 2060 wrote to memory of 2792	2060	4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe	30
PID 2060 wrote to memory of 2792	2060	4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe	30
PID 2060 wrote to memory of 2792	2060	4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe	30
PID 2060 wrote to memory of 2792	2060	4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe	30
PID 2060 wrote to memory of 2792	2060	4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe	30
PID 2060 wrote to memory of 2792	2060	4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe	30
PID 2060 wrote to memory of 2724	2060	4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe	31
PID 2060 wrote to memory of 2724	2060	4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe	31
PID 2060 wrote to memory of 2724	2060	4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe	31
PID 2060 wrote to memory of 2724	2060	4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe	31
PID 2724 wrote to memory of 2240	2724	eeeeeeeeeeeeeeeeeeeee.exe	32
PID 2724 wrote to memory of 2240	2724	eeeeeeeeeeeeeeeeeeeee.exe	32
PID 2724 wrote to memory of 2240	2724	eeeeeeeeeeeeeeeeeeeee.exe	32
PID 2724 wrote to memory of 2240	2724	eeeeeeeeeeeeeeeeeeeee.exe	32

C:\Users\Admin\AppData\Local\Temp\4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a77887bfb15cd97964730f743d8d7d2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe
  "C:\Users\Admin\AppData\Local\Temp\\AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2792
- C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeeeeeeeeee.exe
  C:\Users\Admin\AppData\Local\Temp\\eeeeeeeeeeeeeeeeeeeee.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 88
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eeeeeeeeeeeeeeeeeeeee.exe

Filesize
124KB

MD5
353c0e160c02d71afc564853d997bf5b

SHA1
4a0f78fd94b06dd18e53c7931e7700a4b2838db0

SHA256
d022188b18f68df90ea34687db226f68636bc94bc243adf6633aa3fb66fd0035

SHA512
22d4d90d0bdd62249fb99f32138179fbac4cec2c6b82bd3665ed06ec1c3cfd037e5828a2a6f6161b733bb55a92cff72572204a58b45f0cd15009557ebfcc9898

Download Submit
\Users\Admin\AppData\Local\Temp\AdobeFlashPlayer10.0.22.87ActiveXforIE AOL.exe

Filesize
1.8MB

MD5
c41b29f0fee117ced47248cc7fecad11

SHA1
86745020a25edc9695a1a6a4d59eae375665a0b3

SHA256
594d0d699566fbbec4e733ba0c603cb6e6f6fc3cb8901eeb715a037c99c4c38f

SHA512
8734722bcdc97dedaa3fd31e2ced14748b54bca5847f0b0ed2fbb4a7dfe463a47a11d10e9a2dc85f4e2f883be1b4b4cf56038099624c7c37a6b313db5bf6b25b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd6875.tmp\NSISArray.dll

Filesize
17KB

MD5
2b8574f6a8f5de9042baa43c069d20ba

SHA1
07959da0c6b7715b51f70f1b0aea1f56ba7a4559

SHA256
38654eef0ee3715f4b1268f4b4176a6b487a0a9e53a27a4ec0b84550ea173564

SHA512
f034f71b6a18ee8024d40acd3c097d95c8fd8e128d75075cc452e71898c1c0322f21b54bd39ca72d053d7261ffbab0c5c1f820602d52fc85806513a6fe317e88

Download Submit
\Users\Admin\AppData\Local\Temp\nsd6875.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
\Users\Admin\AppData\Local\Temp\nsd6875.tmp\UserInfo.dll

Filesize
4KB

MD5
68d73a95c628836b67ea5a717d74b38c

SHA1
935372db4a66f9dfd6c938724197787688e141b0

SHA256
21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226

SHA512
0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914

Download Submit
\Users\Admin\AppData\Local\Temp\nsd6875.tmp\fpinstall.dll

Filesize
8KB

MD5
071b6233c92f69ffa1c24243328c3b94

SHA1
bb583c00e87cdc65e6254c7148d37afc1bbb3095

SHA256
5f6c63cb0ba539d692c5461730f057d0ec6c60639d772fbdc3753c3c6e746c43

SHA512
7fc2db406350488ee86ccffe1e99a91e0f509ef0429063336bf6f96aab07127df352db77fe9d00ddc3aa2db7886dfbac08b6acf6a5c647859956111ca47c24f1

Download Submit
\Windows\SysWOW64\Macromed\Flash\Flash10b.ocx

Filesize
3.7MB

MD5
8afc17155ed5ab60b7c52d7f553d579c

SHA1
fc3087d8acb839e4cfcf14c9982c0e4d8a1c7109

SHA256
a7f7cd44461e11d1b8be467bd4e4a22ae05b6df29260cc0b9d43a6314fe2a375

SHA512
b22b3d280a7d8bb6c5131c98c7270010d5aabeeaf8092596d5e8f024d1820cf4c0bfa42d6ed1f2a6cbb82ab4d0f3d48ef873c4edf307078e51618decc1eeff92

Download Submit
memory/2060-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2060-14-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2724-17-0x0000000000404000-0x0000000000420000-memory.dmp

Filesize
112KB

Download
memory/2724-18-0x0000000000400000-0x000000000041F380-memory.dmp

Filesize
124KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads