73d7a93dcde744159168692552534a5ee8be52d4edcef69a6d2805e2ae2ce01c

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
16/07/2024, 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Size

2.2MB
MD5

4c7a9999d335dd8a68d78122dec64346
SHA1

d29829dae8f4495328629c1141a4ca75b9493c80
SHA256

73d7a93dcde744159168692552534a5ee8be52d4edcef69a6d2805e2ae2ce01c
SHA512

a91beece0959eed46914ad5d5b2d78eebda3fe32dec50b3db9500a7b057293685785d59ab7b50ce114aac1f471f4f3adbe3c96cf8babf01e699759f7b0bc09e0
SSDEEP

49152:corzJdf0uJekfakGWiLN8GnZ84HwB+CKQc+2K1iWF0XnuuH:covJdf00fakPiXnS4HCKQc+2K1iWFD6

Score

8^/10

persistence

Malware Config

Signatures

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NetworkIS\ImagePath = "C:\\Windows\\SysWOW64\\inwebsam.exe"	inwebsam.exe

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000016d74-50.dat	acprotect
behavioral1/files/0x0009000000012029-55.dat	acprotect
behavioral1/files/0x0008000000016c7d-58.dat	acprotect

Executes dropped EXE 3 IoCs

pid	Process
1272	inwebsam.exe
2348	inwebsam.exe
2912	eamcf.exe

Loads dropped DLL 9 IoCs

pid	Process
1984	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
1984	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe

Drops file in System32 directory 12 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\libeay32.dll	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\eamcf.exe	inwebsam.exe
File opened for modification	C:\Windows\SysWOW64\ldmevsh.dll	inwebsam.exe
File created	C:\Windows\SysWOW64\nhzxmc.dll	inwebsam.exe
File opened for modification	C:\Windows\SysWOW64\nhzxmc.dll	inwebsam.exe
File opened for modification	C:\Windows\SysWOW64\libeay32.dll	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ssleay32.dll	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ssleay32.dll	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\inwebsam.exe	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\inwebsam.exe	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\eamcf.exe	inwebsam.exe
File created	C:\Windows\SysWOW64\ldmevsh.dll	inwebsam.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	inwebsam.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	inwebsam.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	inwebsam.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel4 = 0ba8d5dd8f4a2b7598ad99f82838517d9892e20317405a81adcddc0630406381bb7b7e892c76c56e803d874a1d405c9039390b87e4b00834d9f9243f04c407c9f8685591da5499f06f514972538e8f209486a2bf2b4ddd9b0bd8db99c83847b419e8341496b2136796b7b432ffa0d53868173832edf6427089de922edc191c9e	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel27 = 17e5e38425c66738d97a1cbc82fe9f40e18224c46507a73ce9892cc66d1faf43f18078b72e174abe3d6accd1998b62744cef20e192ded5c2910ca18b61b532141fe7fe2508f61722d4327fcc59052766681f0745c44663fed3c0ad84e9f26668662bb64ac6f6bf728a0d10ff9604d3077910f6621cf1eb54c14b757d5be43fba	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel3 = c4472f587586878b8ed5b171d55fdb208f339b04de0ec04511db5b8ca07c78e4c6d704cf054fd6c70813e7d798eb1af3b180383ae134e5587c05cb4d9ee62871bb467ccd2058a2e94c28c8bb6df9a0e002193affaf286bfd48b5d8e80b93884b7e337574fb37f5f04f8c1ad038d85c7abd08351d9248810d0cb2c98b6181c3e0	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel26 = 6784e3ee159c3be90b5a2cf52df011db600710dd116a253e1df4f3df0dc30af8e6356d3d042984f2c129c7c7e288cd7e08768da79d9af209fcc62a79cec43428db519ec2cdcc84e3903335a56c5b0963eb9b5cf4354ab6e56fc0828f42c7f5feaaab0e9b475b3226d320c2304573d7e0852bff56d49051541b85bde003bd901b	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel27 = 17e5e38425c66738d97a1cbc82fe9f40e18224c46507a73ce9892cc66d1faf43f18078b72e174abe3d6accd1998b62744cef20e192ded5c2910ca18b61b532141fe7fe2508f61722d4327fcc59052766681f0745c44663fed3c0ad84e9f26668662bb64ac6f6bf728a0d10ff9604d3077910f6621cf1eb54c14b757d5be43fba	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D629E0-F705-42C9-80E1-A2C23CA0E760}\InprocServer32\ThreadingModel11 = d70288059d1895086f120e9c275dec4536512ccc9bf7f7ca06e70333f834107cfa96b3382653d3519ba692259a967c3c6a8438593fe51b20b6e95688b70497ddbf9c6309e6557c612cb81236d02c9ed8d1899ddec8b18cd9c6f8e0bfea54d0b6ca883e1aeed5d1fadf615440cfa102d6e0bd9e71e2d60e965deebdf266e534d2	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D629E0-F705-42C9-80E1-A2C23CA0E760}\InprocServer32\ThreadingModel27 = 17e5e38425c66738d97a1cbc82fe9f40e18224c46507a73ce9892cc66d1faf43f18078b72e174abe3d6accd1998b62744cef20e192ded5c2910ca18b61b532141fe7fe2508f61722d4327fcc59052766681f0745c44663fed3c0ad84e9f26668662bb64ac6f6bf728a0d10ff9604d3077910f6621cf1eb54c14b757d5be43fba	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62481A30-A672-4C78-A6F4-9D7E9F86F571}\InprocServer32\ThreadingModel5 = c4b6c79aa738fda4a274ebc01e7cdbff26dde72f29833cfb073cbdad48eedb287ba3e0010cfa09c32ab42ccf7051c75e7701af8e896cc09712f3477e868b04e2e14802c2f8369b5c331e64767450e9b7448f65e67dbadd2e16d952c7c6f3efc5779f7c77503c3717fa8685c55dd5ecbff6f205887c24f927f1a449f922dd2a29	inwebsam.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel26 = 6784e3ee159c3be90b5a2cf52df011db600710dd116a253e1df4f3df0dc30af8e6356d3d042984f2c129c7c7e288cd7e08768da79d9af209fcc62a79cec43428db519ec2cdcc84e3903335a56c5b0963eb9b5cf4354ab6e56fc0828f42c7f5feaaab0e9b475b3226d320c2304573d7e0852bff56d49051541b85bde003bd901b	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel22 = 7bef9a20247e8a546ee1d4d78ebd7e77cda082fd66f2078321beb320a1e20c278c8c5473fc15487de1a1b03e421aae098c6337eb57df1e424da9a28e201a6baec06e5d1230bfb290b98a45e74d88fd1e6a87b747be8c3954607beb0b6fea7c474c22a30be1789d1998282a16ed96156dd6989d7155fb3779f8a08def24a3b49b	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D629E0-F705-42C9-80E1-A2C23CA0E760}\InprocServer32\ThreadingModel21 = f163747b02232f8877a8f358315fda182431e6ec4b332845698da8d5f013314d716d222931d5acf0dcd96156bcc45a9a1a128d2fbeff3dd8d6a8910ccc50ab56cac1027d6f75a6d752e016ba4776c95d9143ae89634337f36dbeac1a5959e50a57aba56240783065e3ebdf166f6ec09233f599290aeabff632f6b0e36b695d6a	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel2 = fb1b15bdc2580de8245cc099e42e5d0e17acc22b892d4bbce864942092810eff9a839eed5a3e930d17cabc148a4e754e537fe573a62ece76c0b6a6a2e845d8a7152c6a6673c95fad66b2952bcb2e44852a6e9aa52f4170b913d534075d6ae2c7a2d102ae453e73d559cd1ad857cf5dd732e162d51ddf5ae16eed5de570df63e1	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel7 = de690609cff13ba4cbde4e5d2eb133093f2c1315ff5c71ea8df6d4fad3b8a9c925d03e95f68a0f71e5bbc1a8a08d10b53e92d19c69d0687404a810d5241c1239172b41c79afdc9db9cd577ce6bb9ccd32ad17ff1e69f4b66ae8017fd7b1deb27ddbf35e4adad50bf38fb5c77a88ac210a10a0a6b543ed89e7ce529ab06f8394f	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel24 = fd23d2b0a5012555776f885e0ef605c3f9e46225c18603c726951e60b03385a7d56260b1451c8d842aed916d6216410904f1940bbb594726bdc443b279bbeae73533c2cf337e1a4b2fd2a5bb2ea72f3a025cda74f8ed888393aa6f654a33efe9a53424393e95d8467427cacad767b6a4077614d3634bdc80e1833ad165652e84	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3254767-055F-41F2-A8C7-021BB8C8363A}\InprocServer32\ThreadingModel1 = ee9a43f4d88ae195735a08ad4d25d17536e06cf4a5731fc8795e10661af8de894464a554fd66670d79799f547e41f4974b0f4d02dfc5701eab8f3deb9921cc7922d2b668bf734538dd8b54f1ab50bfbf771cd88538d74748f75a5112be681cc33132df944bea57560f6ae6117d3a2fdc4eb4fd9d4003a86e1dc381dcce9031d0	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D629E0-F705-42C9-80E1-A2C23CA0E760}\InprocServer32\ThreadingModel25 = f75fd57311ec5dac87baa2edfb158158cd1887468ea8238b62fedda4b4e90876f21ecfa7333897c4013d0ec39fc96f7d8b38c63d1a6c47876610f3a7e9662daf840efaf8d1560248f3ee972f4c2c544fc1f21d84883486309a192d3b2c3f0c4cb0b7b4446a35930b8fe4d61813417389b4d6f80c67c255e5fc552e5e13576360	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel28 = c3b2f478dcd58846f5e948d6dbfc750bf3972c577682a2fba396a8e3f036924b4759c6bcd935800fc1bb9273d0be40baa3f26265147a2519ea76d6e8062c2d4638e891c0ae82df717ae51949aef73004ce407132b1d24c083a496ed778e2726c12ff9aaa159d5b20808da67a337e3bfe0f1772826dc0488349d69a4cb360d85a	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel1 = c063110eb6777839c246ed6b9d9f49b9a8eaeb63aa8f1cdf06aa0fe91532268cb2d3092c1c86b3d505c8b994cfcb9f7496617d3869d80e0d577c7f0dc51095cbd4bf44310de27460a03819fbdba5c4d5ab613fb8b377e8fad7248b69289618a70ae45f62e5ac2ba0ec27705fc496833a14596ede5926e57774127e72d17a1324	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel8 = c7cc41564a5cbb9110992b06b6df9ccffcbf8978d1cf69c75488812ed7db1dfeed416cf3047997c93e40d3d051aa84cbcef0bb8a08d292fe6cf043bf25a1f54f3745938088093ecb7898188bf74582594c87110beef3cb051f6eec403ae1def3b8fdc28d5f5e79a3e77a7c361869fe887e0fd428cbd5229f59c559ee2e8a6241	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel25 = f75fd57311ec5dac87baa2edfb158158cd1887468ea8238b62fedda4b4e90876f21ecfa7333897c4013d0ec39fc96f7d8b38c63d1a6c47876610f3a7e9662daf840efaf8d1560248f3ee972f4c2c544fc1f21d84883486309a192d3b2c3f0c4cb0b7b4446a35930b8fe4d61813417389b4d6f80c67c255e5fc552e5e13576360	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D629E0-F705-42C9-80E1-A2C23CA0E760}\InprocServer32\ThreadingModel28 = c3b2f478dcd58846f5e948d6dbfc750bf3972c577682a2fba396a8e3f036924b4759c6bcd935800fc1bb9273d0be40baa3f26265147a2519ea76d6e8062c2d4638e891c0ae82df717ae51949aef73004ce407132b1d24c083a496ed778e2726c12ff9aaa159d5b20808da67a337e3bfe0f1772826dc0488349d69a4cb360d85a	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel7 = de690609cff13ba4cbde4e5d2eb133093f2c1315ff5c71ea8df6d4fad3b8a9c925d03e95f68a0f71e5bbc1a8a08d10b53e92d19c69d0687404a810d5241c1239172b41c79afdc9db9cd577ce6bb9ccd32ad17ff1e69f4b66ae8017fd7b1deb27ddbf35e4adad50bf38fb5c77a88ac210a10a0a6b543ed89e7ce529ab06f8394f	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel28 = c3b2f478dcd58846f5e948d6dbfc750bf3972c577682a2fba396a8e3f036924b4759c6bcd935800fc1bb9273d0be40baa3f26265147a2519ea76d6e8062c2d4638e891c0ae82df717ae51949aef73004ce407132b1d24c083a496ed778e2726c12ff9aaa159d5b20808da67a337e3bfe0f1772826dc0488349d69a4cb360d85a	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel26 = 6784e3ee159c3be90b5a2cf52df011db600710dd116a253e1df4f3df0dc30af8e6356d3d042984f2c129c7c7e288cd7e08768da79d9af209fcc62a79cec43428db519ec2cdcc84e3903335a56c5b0963eb9b5cf4354ab6e56fc0828f42c7f5feaaab0e9b475b3226d320c2304573d7e0852bff56d49051541b85bde003bd901b	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel11 = d70288059d1895086f120e9c275dec4536512ccc9bf7f7ca06e70333f834107cfa96b3382653d3519ba692259a967c3c6a8438593fe51b20b6e95688b70497ddbf9c6309e6557c612cb81236d02c9ed8d1899ddec8b18cd9c6f8e0bfea54d0b6ca883e1aeed5d1fadf615440cfa102d6e0bd9e71e2d60e965deebdf266e534d2	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel5 = 464724e6e78b16a0fec65a67b44759f999367b64f14627c75e9530c37f6c6286760fc96a0b91f036489d41400d38d5be86c2dde5d1e1a123ff306be4d7d7e49e1964ba2a10778b98be346b07f381983512710dc35d872972ff948bc34161cfce8d7ce9382fb52d880a4351669d8ff3660a19737611062416273430dd0df7a715	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel10 = 68d60dbeb4b2b0e94b5a2dd2339909472985f70c4defcb67433521fc039a1829f5fdcc2621e38a987517d26e7757a81dedc9db9e4a3b21cadf604aee2d91e2b0dac0f8aa17abf6498179b6ded24d38ecde79b017ba62d3550b418f2fcc41973f24b87733fe7c160a8f7fcf4cf347987190e1d9c2f16bde56304f1e0c38c9b094	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel12 = ba205db1e44531e1b384d2b9a2249b783f3e91c3034921dbdee3ee8827d0c1491368a8b3f1f8bd10bbcb469ec7d71312ad523f249c9dd761b954f37f506850e4e39675375da6eb0d361a22d30bfda39a251576aa11529723354ee4591192f07cb4cdcac9e070bccd9661748f08ab1ea43157677b87e2617189f0c7762634214a	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62481A30-A672-4C78-A6F4-9D7E9F86F571}\InprocServer32\ThreadingModel7 = 757649879aaeb9b0bf64cd9aa2d4ddc77296db60a0966404e15d0471be4aa65e1b4f3f82e793e7b94072c563ab9585470b2735ac8351c2787e91816f66905dfbe688b505b062f8cf241c83df5624585c4aa9ab746b2169ab8b7a2433f9b9189d77fc268e221f02448982f61398a4e638049a898d6293f40e20eef641f49ae2ec	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel6 = 78025f16bb7d282e7469527dd26eaa124433ac43b01c966b5fdadfb41adf33762c6851f14f046281bbc9ad7ccc9db863114741199f289f4006d56cf94cf9949db02422383e816cca5a9077acce5dab9215d84001d539ed43d2a8c425cd8059060cf27a0b89de3180041bd8b2739361ca8dec338566922cb76866b10a0d74e067	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel21 = f163747b02232f8877a8f358315fda182431e6ec4b332845698da8d5f013314d716d222931d5acf0dcd96156bcc45a9a1a128d2fbeff3dd8d6a8910ccc50ab56cac1027d6f75a6d752e016ba4776c95d9143ae89634337f36dbeac1a5959e50a57aba56240783065e3ebdf166f6ec09233f599290aeabff632f6b0e36b695d6a	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D629E0-F705-42C9-80E1-A2C23CA0E760}\InprocServer32\ThreadingModel1 = c063110eb6777839c246ed6b9d9f49b9a8eaeb63aa8f1cdf06aa0fe91532268cb2d3092c1c86b3d505c8b994cfcb9f7496617d3869d80e0d577c7f0dc51095cbd4bf44310de27460a03819fbdba5c4d5ab613fb8b377e8fad7248b69289618a70ae45f62e5ac2ba0ec27705fc496833a14596ede5926e57774127e72d17a1324	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel28 = c3b2f478dcd58846f5e948d6dbfc750bf3972c577682a2fba396a8e3f036924b4759c6bcd935800fc1bb9273d0be40baa3f26265147a2519ea76d6e8062c2d4638e891c0ae82df717ae51949aef73004ce407132b1d24c083a496ed778e2726c12ff9aaa159d5b20808da67a337e3bfe0f1772826dc0488349d69a4cb360d85a	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel24 = fd23d2b0a5012555776f885e0ef605c3f9e46225c18603c726951e60b03385a7d56260b1451c8d842aed916d6216410904f1940bbb594726bdc443b279bbeae73533c2cf337e1a4b2fd2a5bb2ea72f3a025cda74f8ed888393aa6f654a33efe9a53424393e95d8467427cacad767b6a4077614d3634bdc80e1833ad165652e84	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel22 = 7bef9a20247e8a546ee1d4d78ebd7e77cda082fd66f2078321beb320a1e20c278c8c5473fc15487de1a1b03e421aae098c6337eb57df1e424da9a28e201a6baec06e5d1230bfb290b98a45e74d88fd1e6a87b747be8c3954607beb0b6fea7c474c22a30be1789d1998282a16ed96156dd6989d7155fb3779f8a08def24a3b49b	inwebsam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62481A30-A672-4C78-A6F4-9D7E9F86F571}	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D629E0-F705-42C9-80E1-A2C23CA0E760}\InprocServer32\ThreadingModel0 = e00197a4ae4b35d76668b31c0dee5cc43397fd64d03fa20379de45ae1982e753c2269bf55fb9359e0667d43da61078e14ab31d85ee57c02a92fb64cd369f0971da43ac167ee750b9238bf45dc63097fd6acf3ca10f73df45b11883ed56bb288dfa5fcc319d0470d542d7ad677d3828c143271791f334f4a26189692ef35d5fd3	inwebsam.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32	inwebsam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel0 = e00197a4ae4b35d76668b31c0dee5cc43397fd64d03fa20379de45ae1982e753c2269bf55fb9359e0667d43da61078e14ab31d85ee57c02a92fb64cd369f0971da43ac167ee750b9238bf45dc63097fd6acf3ca10f73df45b11883ed56bb288dfa5fcc319d0470d542d7ad677d3828c143271791f334f4a26189692ef35d5fd3	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel7 = de690609cff13ba4cbde4e5d2eb133093f2c1315ff5c71ea8df6d4fad3b8a9c925d03e95f68a0f71e5bbc1a8a08d10b53e92d19c69d0687404a810d5241c1239172b41c79afdc9db9cd577ce6bb9ccd32ad17ff1e69f4b66ae8017fd7b1deb27ddbf35e4adad50bf38fb5c77a88ac210a10a0a6b543ed89e7ce529ab06f8394f	inwebsam.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D629E0-F705-42C9-80E1-A2C23CA0E760}\InprocServer32	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D629E0-F705-42C9-80E1-A2C23CA0E760}\InprocServer32\ThreadingModel5 = 464724e6e78b16a0fec65a67b44759f999367b64f14627c75e9530c37f6c6286760fc96a0b91f036489d41400d38d5be86c2dde5d1e1a123ff306be4d7d7e49e1964ba2a10778b98be346b07f381983512710dc35d872972ff948bc34161cfce8d7ce9382fb52d880a4351669d8ff3660a19737611062416273430dd0df7a715	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D629E0-F705-42C9-80E1-A2C23CA0E760}\InprocServer32\ThreadingModel0 = 0fe4bb9776491a01d5ac855f7613e7c3a2755b26ffc9b48e653715edc69f78512b04dcb58e67401af2cba47d563009e1ba936c451ff7d0a9695b340ee6bf976d4a20fcd1ae835f3512e7c39d764b28fddaaf8c613d14f0c5a2a7fe60dca87dccdc047344c295fbfdd39b906c3c2b6411fd7108038683fdf0c026734b2e03dbb9	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel28 = c3b2f478dcd58846f5e948d6dbfc750bf3972c577682a2fba396a8e3f036924b4759c6bcd935800fc1bb9273d0be40baa3f26265147a2519ea76d6e8062c2d4638e891c0ae82df717ae51949aef73004ce407132b1d24c083a496ed778e2726c12ff9aaa159d5b20808da67a337e3bfe0f1772826dc0488349d69a4cb360d85a	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel7 = de690609cff13ba4cbde4e5d2eb133093f2c1315ff5c71ea8df6d4fad3b8a9c925d03e95f68a0f71e5bbc1a8a08d10b53e92d19c69d0687404a810d5241c1239172b41c79afdc9db9cd577ce6bb9ccd32ad17ff1e69f4b66ae8017fd7b1deb27ddbf35e4adad50bf38fb5c77a88ac210a10a0a6b543ed89e7ce529ab06f8394f	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel9 = 87b61392f2ee0a8873e68bd604d44d03f6a0fabf46894e1e19f62cb6d7f91ec5493ee1b3a45dfb947dd17385f50925f2ac57543a48b7783592a2548a8372e4dec516b9557002addd1ba92e3986f479e8626f7a2a102f38e65fb005259013cd642c2239f1832e971cd472a7eb6e82c190537302e8385660acd314e524dc996682	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel4 = 0ba8d5dd8f4a2b7598ad99f82838517d9892e20317405a81adcddc0630406381bb7b7e892c76c56e803d874a1d405c9039390b87e4b00834d9f9243f04c407c9f8685591da5499f06f514972538e8f209486a2bf2b4ddd9b0bd8db99c83847b419e8341496b2136796b7b432ffa0d53868173832edf6427089de922edc191c9e	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel22 = 7bef9a20247e8a546ee1d4d78ebd7e77cda082fd66f2078321beb320a1e20c278c8c5473fc15487de1a1b03e421aae098c6337eb57df1e424da9a28e201a6baec06e5d1230bfb290b98a45e74d88fd1e6a87b747be8c3954607beb0b6fea7c474c22a30be1789d1998282a16ed96156dd6989d7155fb3779f8a08def24a3b49b	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel24 = fd23d2b0a5012555776f885e0ef605c3f9e46225c18603c726951e60b03385a7d56260b1451c8d842aed916d6216410904f1940bbb594726bdc443b279bbeae73533c2cf337e1a4b2fd2a5bb2ea72f3a025cda74f8ed888393aa6f654a33efe9a53424393e95d8467427cacad767b6a4077614d3634bdc80e1833ad165652e84	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel27 = 17e5e38425c66738d97a1cbc82fe9f40e18224c46507a73ce9892cc66d1faf43f18078b72e174abe3d6accd1998b62744cef20e192ded5c2910ca18b61b532141fe7fe2508f61722d4327fcc59052766681f0745c44663fed3c0ad84e9f26668662bb64ac6f6bf728a0d10ff9604d3077910f6621cf1eb54c14b757d5be43fba	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel11 = d70288059d1895086f120e9c275dec4536512ccc9bf7f7ca06e70333f834107cfa96b3382653d3519ba692259a967c3c6a8438593fe51b20b6e95688b70497ddbf9c6309e6557c612cb81236d02c9ed8d1899ddec8b18cd9c6f8e0bfea54d0b6ca883e1aeed5d1fadf615440cfa102d6e0bd9e71e2d60e965deebdf266e534d2	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D629E0-F705-42C9-80E1-A2C23CA0E760}\InprocServer32\ThreadingModel13 = 821ef84417199d3ff0a851c81e1f6ccb06febdec858c716986d37e943df8a3540cb46305092718dc8b3aed9b54feae6613a8693ef4d85a0e599ebbff534b1a6f95621de6c4eeb76d6a18aeb9e4bf6165d28edddbb939a8a8e9bed051c6ea2dee0d82dc1bb8c1630e92150bd5a4425a0f0866b6aed076a3840b3629b010bd3e39	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07D629E0-F705-42C9-80E1-A2C23CA0E760}\InprocServer32\ThreadingModel2 = fb1b15bdc2580de8245cc099e42e5d0e17acc22b892d4bbce864942092810eff9a839eed5a3e930d17cabc148a4e754e537fe573a62ece76c0b6a6a2e845d8a7152c6a6673c95fad66b2952bcb2e44852a6e9aa52f4170b913d534075d6ae2c7a2d102ae453e73d559cd1ad857cf5dd732e162d51ddf5ae16eed5de570df63e1	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel0 = e00197a4ae4b35d76668b31c0dee5cc43397fd64d03fa20379de45ae1982e753c2269bf55fb9359e0667d43da61078e14ab31d85ee57c02a92fb64cd369f0971da43ac167ee750b9238bf45dc63097fd6acf3ca10f73df45b11883ed56bb288dfa5fcc319d0470d542d7ad677d3828c143271791f334f4a26189692ef35d5fd3	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel2 = fb1b15bdc2580de8245cc099e42e5d0e17acc22b892d4bbce864942092810eff9a839eed5a3e930d17cabc148a4e754e537fe573a62ece76c0b6a6a2e845d8a7152c6a6673c95fad66b2952bcb2e44852a6e9aa52f4170b913d534075d6ae2c7a2d102ae453e73d559cd1ad857cf5dd732e162d51ddf5ae16eed5de570df63e1	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel21 = f163747b02232f8877a8f358315fda182431e6ec4b332845698da8d5f013314d716d222931d5acf0dcd96156bcc45a9a1a128d2fbeff3dd8d6a8910ccc50ab56cac1027d6f75a6d752e016ba4776c95d9143ae89634337f36dbeac1a5959e50a57aba56240783065e3ebdf166f6ec09233f599290aeabff632f6b0e36b695d6a	inwebsam.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel4 = 0ba8d5dd8f4a2b7598ad99f82838517d9892e20317405a81adcddc0630406381bb7b7e892c76c56e803d874a1d405c9039390b87e4b00834d9f9243f04c407c9f8685591da5499f06f514972538e8f209486a2bf2b4ddd9b0bd8db99c83847b419e8341496b2136796b7b432ffa0d53868173832edf6427089de922edc191c9e	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel25 = f75fd57311ec5dac87baa2edfb158158cd1887468ea8238b62fedda4b4e90876f21ecfa7333897c4013d0ec39fc96f7d8b38c63d1a6c47876610f3a7e9662daf840efaf8d1560248f3ee972f4c2c544fc1f21d84883486309a192d3b2c3f0c4cb0b7b4446a35930b8fe4d61813417389b4d6f80c67c255e5fc552e5e13576360	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57BE1BD4-3B29-4A4A-AB10-04B25CE34DB4}\InprocServer32\ThreadingModel11 = d70288059d1895086f120e9c275dec4536512ccc9bf7f7ca06e70333f834107cfa96b3382653d3519ba692259a967c3c6a8438593fe51b20b6e95688b70497ddbf9c6309e6557c612cb81236d02c9ed8d1899ddec8b18cd9c6f8e0bfea54d0b6ca883e1aeed5d1fadf615440cfa102d6e0bd9e71e2d60e965deebdf266e534d2	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F459AA6F-0656-4905-B84A-BD0B210A7E76}\InprocServer32\ThreadingModel6 = 78025f16bb7d282e7469527dd26eaa124433ac43b01c966b5fdadfb41adf33762c6851f14f046281bbc9ad7ccc9db863114741199f289f4006d56cf94cf9949db02422383e816cca5a9077acce5dab9215d84001d539ed43d2a8c425cd8059060cf27a0b89de3180041bd8b2739361ca8dec338566922cb76866b10a0d74e067	inwebsam.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1984	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
1984	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
1984	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
1984	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2348	inwebsam.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2348	inwebsam.exe
2348	inwebsam.exe
2348	inwebsam.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 1272	1984	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1272	1984	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1272	1984	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe	30
PID 1984 wrote to memory of 1272	1984	4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe	30
PID 2348 wrote to memory of 2912	2348	inwebsam.exe	32
PID 2348 wrote to memory of 2912	2348	inwebsam.exe	32
PID 2348 wrote to memory of 2912	2348	inwebsam.exe	32
PID 2348 wrote to memory of 2912	2348	inwebsam.exe	32

C:\Users\Admin\AppData\Local\Temp\4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4c7a9999d335dd8a68d78122dec64346_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\inwebsam.exe
  "C:\Windows\system32\inwebsam.exe" /install /silent
  2⤵
  - Sets service image path in registry
  - Executes dropped EXE
  PID:1272

C:\Windows\SysWOW64\inwebsam.exe
C:\Windows\SysWOW64\inwebsam.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\eamcf.exe
  "C:\Windows\system32\eamcf.exe"
  2⤵
  - Executes dropped EXE
  PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\inwebsam.exe

Filesize
1.6MB

MD5
e47e7d058f7f043fc5dd50c85c7223a7

SHA1
631b02e5fa5c977325951ea0341e3ada2414a114

SHA256
4083741d513fa98451210a7c30888a0916c1cfc411498fbf6059d0a47ea32f35

SHA512
2a4af5c0ef9f0275cdffcb86ef172bc6eae0fefaa11d8c9553011a22182b667b9be29ba9aed6e6ad728d810930782902af0b0af0c1ba786c8a790ff78d70b826

Download Submit
\Windows\SysWOW64\eamcf.exe

Filesize
159KB

MD5
fb704d801095747d27c053b76ca86c92

SHA1
74d17abe02aaf603558fe63ffa505032ea3445d3

SHA256
9dd7a1819e30969b8a5d89b934eba2f6decc8cb29b8d57c96fee7f8e264e60d8

SHA512
f9abf68da6417f01e9c50fe5b76690de578387917d53063bc293a45051df56f2b86111df37bd7c0e59c0e88acf0abcdd0ef59eb3118ec6307eed5e9ea80c2cb5

Download Submit
\Windows\SysWOW64\ldmevsh.dll

Filesize
342KB

MD5
73d9e3b9962751f7e9e93a689200a027

SHA1
24e84f234f4f7f6334d7bc7ab95b172f52b036f3

SHA256
c74372c1586051b9ea173e7eefd2b85a0e5e0402e84e50b4cfb8438c5d98dc67

SHA512
dcd2d79f226522088f6bff1b24d2cbbab7089b6f7de4f4f96152ef79b58f70eeec7d09195928ddebe1d03202f62f7659d88403b47a27316de2eeb8e093f4ca66

Download Submit
\Windows\SysWOW64\libeay32.dll

Filesize
454KB

MD5
0760bbb92fedca6dc101796e7e77f133

SHA1
f23e8fbde23f47fd3ab31f0aed2e31d7f1c74524

SHA256
56a3f32f8ba526ff214636f0ffc109954b1f1b56579ef763621f744c80af2ff0

SHA512
5ef4f3e7511c3f298a09fb6b05ce484db06dfce725b674a44fbdf8aa22510ff4a528414f7cb015e8a5d7a91f29af797f4eb23d8487df779862616cc3a8af6bf6

Download Submit
\Windows\SysWOW64\ssleay32.dll

Filesize
90KB

MD5
7b09cc3c996609f6f5a9fbe75611b91f

SHA1
7ee63bc5fcec06b356811b9a5c494fd7da1b376d

SHA256
ae75de3ec03d2d1e038bdcb41af4d5b415b485f4e712003e5d0faa1375d80890

SHA512
bb85532463dd63b2384f6d23bd6c4b794433178bd9a595579e52b4358f9059328d81925bf924164c93d710064d542ce58662892b6f0a458e97f3479ff425bbea

Download Submit
memory/1272-20-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1272-21-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/1984-25-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/1984-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1984-0-0x0000000000400000-0x000000000047A000-memory.dmp

Filesize
488KB

Download
memory/2348-52-0x0000000003240000-0x0000000003345000-memory.dmp

Filesize
1.0MB

Download
memory/2348-66-0x0000000003240000-0x0000000003345000-memory.dmp

Filesize
1.0MB

Download
memory/2348-36-0x0000000003240000-0x00000000032AF000-memory.dmp

Filesize
444KB

Download
memory/2348-44-0x0000000003240000-0x00000000032AF000-memory.dmp

Filesize
444KB

Download
memory/2348-68-0x0000000003B20000-0x0000000003B59000-memory.dmp

Filesize
228KB

Download
memory/2348-53-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2348-23-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2348-59-0x0000000003B20000-0x0000000003B59000-memory.dmp

Filesize
228KB

Download
memory/2348-37-0x0000000003240000-0x00000000032AF000-memory.dmp

Filesize
444KB

Download
memory/2348-57-0x0000000010000000-0x000000001011E000-memory.dmp

Filesize
1.1MB

Download
memory/2348-67-0x0000000010000000-0x000000001011E000-memory.dmp

Filesize
1.1MB

Download
memory/2348-64-0x0000000003240000-0x00000000032AF000-memory.dmp

Filesize
444KB

Download
memory/2348-65-0x0000000000400000-0x000000000048E000-memory.dmp

Filesize
568KB

Download
memory/2912-49-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2912-63-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download
memory/2912-48-0x0000000000400000-0x000000000046F000-memory.dmp

Filesize
444KB

Download