c66bc6794b7dd1272efc37df9f60f9039f9b989794e87d3c881288a5ee8772f5

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Size

906KB
MD5

6661719644b940b34694d4fa6a4ed0dc
SHA1

53587dc8f9608e10744e0f84b091678b4c478e15
SHA256

c66bc6794b7dd1272efc37df9f60f9039f9b989794e87d3c881288a5ee8772f5
SHA512

ab73a0c380221b7159d685558ed4a29619c8c74255266892cd5ebe6afca05baba79a9fae7cc1bf552471665a49a899307cba93e6b5bf55214a530294101dfacd
SSDEEP

24576:qZilryc9VuI2livyctA6TKHM9RnShnr98pJ:DywVR2QactA672KP

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
3864	Search.exe
3464	whse.exe
3724	DTAdapter.exe

Loads dropped DLL 2 IoCs

pid	Process
528	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
3864	Search.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WhenUSearch = "\"C:\\Program Files (x86)\\DAEMON Tools SearchBar\\Search.exe\""	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\WhenUSearchWHSE = "\"C:\\Program Files (x86)\\DAEMON Tools SearchBar\\whse.exe\""	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}	Search.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\global.js	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_down.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\emu_menu.html	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\delete_button_down.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\options_over.png	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_less_info_on.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_maps_corner_tl.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\min_new_results_new_text.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_bg.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_current_location.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\open_search.html	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\button_weather_on.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_maps_corner_bl.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\button_weather_down.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_5_day_bottom_right.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_location_lr.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\87_wtext_sm.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\button_pop.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\button_search_off.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_world_over.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\css\module_weather_dialog.css	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\90_wtext_sm.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\tooltip_emu.html	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_bg.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_bottom_Friday.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\right_more_off.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_location_white_bl.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\button_ucontrol_down.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\ring_on.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\manager_min_down.png	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\right_bg_grey.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_5_day_top_right.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\css\module_weather.css	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\68_wtext.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\button_pop_ups_allowed.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\tab_left_down.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\button_pop_ups_blocked.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_top_Monday.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\menu_whenu.html	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\91_wtext.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_5_day_bottom.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_5_day.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\SET715C.tmp	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\arrow_right_on.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\emulation.png	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\lock_on.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_less_info_on.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_mid_Monday.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\dtsb2_tab22_image.png	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\module_weather_left_bg_top.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\right.html	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\desktop_over.png	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\manager_min_over.png	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\menu_right_bg.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_maps_corner_br.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\right_left.gif	Search.exe
File opened for modification	C:\Program Files (x86)\DAEMON Tools SearchBar\SET7180.tmp	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\unmount_grey.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_top_Wednesday.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\right_instructions_on.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_prefs_loading.gif	Search.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\button_weather.gif	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\emulation_min_over.png	whse.exe
File created	C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\menu_pbandit_bw.gif	whse.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DTPlugin.1	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DTPlugin.1\CLSID	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DTPlugin\CurVer	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}	Search.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DTPlugin\CLSID\ = "{1D5B201A-7942-401A-B801-3EAF98F6B8BD}"	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}\1.0\FLAGS	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WUSE.1	Search.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DTPlugin\CLSID	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB4262FB-EFF1-4CCC-B6E2-6A7EA525C412}\ = "IDTPlugin"	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\LocalServer32\ = "\"C:\\Program Files (x86)\\Common Files\\WhenU\\DTAdapter.exe\""	DTAdapter.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\LocalServer32	DTAdapter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}	DTAdapter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}\1.0\0\win32	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}	DTAdapter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\TypeLib\ = "{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}"	DTAdapter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{5355F82E-E8D3-4401-9FB3-2CC11AFA130A}\ = "dtPlugin"	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\ProgID	DTAdapter.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\VersionIndependentProgID	DTAdapter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}\1.0	DTAdapter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}\TypeLib\Version = "1.0"	DTAdapter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\ProgID\ = "DTAdapter.DTAdapter.1"	DTAdapter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}\TypeLib\ = "{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}"	DTAdapter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter.1	DTAdapter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter\CurVer\ = "DtAdapter.DTAdapter.1"	DTAdapter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}\InprocServer32\ThreadingModel = "Apartment"	Search.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{763BD795-24AE-44d7-82D8-F9A1EE799729}	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\dtPlugin.DLL\AppID = "{5355F82E-E8D3-4401-9FB3-2CC11AFA130A}"	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}\1.0\0\win32\ = "C:\\Program Files (x86)\\Common Files\\WhenU\\DTPlugin.dll"	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\VersionIndependentProgID	DTAdapter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\AppID = "{B9FE7DA5-2800-4EA9-AAFE-97984407CE47}"	DTAdapter.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}	DTAdapter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DTPlugin	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EB4262FB-EFF1-4CCC-B6E2-6A7EA525C412}\ProxyStubClsid32	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}\ProxyStubClsid32	DTAdapter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BA2325ED-F9EB-4830-8FCE-0BC35B16969B}\InprocServer32\ = "C:\\Program Files (x86)\\DAEMON Tools SearchBar\\search.dll"	Search.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter.1\CLSID\ = "{293238AB-B0E2-4357-8548-E5167317CBCC}"	DTAdapter.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\Programmable	DTAdapter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}\1.0\HELPDIR	DTAdapter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}\1.0\HELPDIR\	DTAdapter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}\TypeLib	DTAdapter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter	DTAdapter.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{293238AB-B0E2-4357-8548-E5167317CBCC}\ProgID	DTAdapter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}\1.0\FLAGS	DTAdapter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}	DTAdapter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}\1.0	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter.1\CLSID	DTAdapter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter\ = "DTAdapter Class"	DTAdapter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}\TypeLib\Version = "1.0"	DTAdapter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EB4262FB-EFF1-4CCC-B6E2-6A7EA525C412}\TypeLib\ = "{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}"	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EB4262FB-EFF1-4CCC-B6E2-6A7EA525C412}	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1D5B201A-7942-401A-B801-3EAF98F6B8BD}\VersionIndependentProgID\ = "DTPlugin"	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F6E451F7-AD35-4F3C-8C1D-CDE92B4F0006}\1.0\FLAGS\ = "0"	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EB4262FB-EFF1-4CCC-B6E2-6A7EA525C412}\TypeLib	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EB4262FB-EFF1-4CCC-B6E2-6A7EA525C412}\TypeLib\Version = "1.0"	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}	DTAdapter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}\ = "IDTAdapter"	DTAdapter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DTPlugin\ = "DTPlugin Class"	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WUSE.1\WUSE_Id = 651a5e7644ed3046b00e2b4850453869	Search.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DTAdapter.DTAdapter.1\ = "DTAdapter Class"	DTAdapter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}\TypeLib	DTAdapter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF7752F9-A0DA-4EAB-91A0-413A48A73511}\TypeLib\ = "{A4BA765E-D33B-49B2-AE1C-DDC2FABEF004}"	DTAdapter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{5355F82E-E8D3-4401-9FB3-2CC11AFA130A}	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DTPlugin\CurVer\ = "DTPlugin.1"	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3464	whse.exe
3464	whse.exe
3464	whse.exe
3464	whse.exe
3464	whse.exe
3464	whse.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
3464	whse.exe
3464	whse.exe
3464	whse.exe
3464	whse.exe
3464	whse.exe
3464	whse.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3464	whse.exe
3464	whse.exe
3864	Search.exe
3864	Search.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 528 wrote to memory of 3864	528	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe	87
PID 528 wrote to memory of 3864	528	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe	87
PID 528 wrote to memory of 3864	528	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe	87
PID 528 wrote to memory of 3464	528	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe	88
PID 528 wrote to memory of 3464	528	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe	88
PID 528 wrote to memory of 3464	528	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe	88
PID 528 wrote to memory of 3724	528	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe	89
PID 528 wrote to memory of 3724	528	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe	89
PID 528 wrote to memory of 3724	528	6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe	89

C:\Users\Admin\AppData\Local\Temp\6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6661719644b940b34694d4fa6a4ed0dc_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:528
- C:\Program Files (x86)\DAEMON Tools SearchBar\Search.exe
  "C:\Program Files (x86)\DAEMON Tools SearchBar\Search.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3864
- C:\Program Files (x86)\DAEMON Tools SearchBar\whse.exe
  "C:\Program Files (x86)\DAEMON Tools SearchBar\whse.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3464
- C:\Program Files (x86)\Common Files\WhenU\DTAdapter.exe
  "C:\Program Files (x86)\Common Files\WhenU\DTAdapter.exe" /RegServer
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:3724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\WhenU\SET723E.tmp

Filesize
182KB

MD5
f92d0e9199b9156871f0e91bd77edc7e

SHA1
e7f712b82d0a064906cb1b89e04239ed564f8c2b

SHA256
e904f6f3f2c368fefbe2252de375fac08c52335af8b356298358509a4eaa2882

SHA512
ffb561efffb477668eeeb75b922a2511e29bca7ba6bcd9bc6d347f328d63a922d60be1b73dd3d8dab2a16549fc6e5a4415278f4158c2427d25f2f572cb71b8b6

Download Submit
C:\Program Files (x86)\Common Files\WhenU\SET725F.tmp

Filesize
124KB

MD5
4b91bb49d57e6eb2153c536d85d7a5cc

SHA1
d9d66b56b60730acfdfdc6417924a74e041a42a7

SHA256
8e5c389d457cfc6efefd3df9dedd72916d24ad714f369ce5065b143c33c6a02f

SHA512
f0a46721692b65be9732ef0b021128e22f6a71379de5d9edd06fcb024be03fa36ec0147528598d18c564e593b33795f7a6fd8a2235833efade2f66bde4084254

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\daemon.ico

Filesize
7KB

MD5
fcb2bec30b724bc1fa73d324eccff0bd

SHA1
9c62467e37f1cb1b7ba1d981b13bbc74e10d5593

SHA256
5c7a18277ec3283fea6c778202f8ba3d39aecbdbd1d30387a20dd80c6b4ae7a9

SHA512
6a37783b8f30fc167e9b54ef851baa8bb7bd930776eae024a32ab72671cdc72a469e71530084a3e68644c5121a2143029361c500badaa3bd4f33e7a28ed81349

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\dialog.css

Filesize
281B

MD5
8a90d2f28cc73639e226ac210fc38f90

SHA1
3de0003c5a61d9a425922b4eb66e171abe9c5a83

SHA256
f82ee4fb4d0da013f6164ad22d40942875862defb81a7f055641de3a2f283f64

SHA512
9c27bc2d5494ab6057117cd8f547bc2df3b892e773e0b18e9afce135ffc42576f263c39201a2e164fc3a32736ac103e1b1137bfbdb5795fc8d254be241e08af9

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\65_wtext_sm.gif

Filesize
592B

MD5
d122cfd2e269d45fa7a486e50e04649e

SHA1
09a75eedf1188b31559b13011ed100fe042faa48

SHA256
3da13a23fb19448d3b7367376665036d625d13ab84d7d12db40867fde0e9b8f8

SHA512
91be7ac567973a14a6770b4d8953b8f57f440b75ab1ae54dbfa8ef33a8ba0b155eddccaee0e5aaba39b49740e8fc6f347fce4b0ecf74ce142bb0d12661f62c98

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\button_pop.gif

Filesize
880B

MD5
480a8d403b87cec8131068d3f5ed7b50

SHA1
b52abd6ec32b059c4327428f52604961b70aaa79

SHA256
917107c5697721c3e6fe707dcf67baee67d70a50a86428dee9ae4e871ef0baf7

SHA512
7f094cd36cfcc58ef771f1ab97b51c3df4ce650c093aa30615796b4915a6354b1d3aa6e1a8d6802a6a07ffa6f1847cd62a1b4f98fa8fbed20e878919e4580f4d

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\module_weather_left_bg_top.gif

Filesize
146B

MD5
c10193b3f025a56bd96ab735f14c6a8a

SHA1
88356fd549f31a9722bae89ef95986d43182a817

SHA256
216c590390edb5e70227936a625d76b588453eb40bcbac21f7f3006e9e804853

SHA512
fe34e817aa022d61eaf5b231107425c46d9639dffb112a3fbcd3a83cf958e1d5f4b3ebeeb310652a64ef4fec22d952fe06ee6b631bc23db2e20c64538738c997

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\more_bottom_bg.gif

Filesize
49B

MD5
afc795842f63d89bbcec15afac05b69b

SHA1
685b8d02ed1792b4a648ef2e7e041fb42d527561

SHA256
0d61dec967f74b861266aa47acbf242d40ab59c9c3cdf7e1781b141ed0ec9919

SHA512
0ab73d95c6ab2a9ac0b2928ca1db5dd747c412f02b31ae730c24cfb8659f0a3f438241ee5c6a9c79e6d6ccc3a49c15cef750fc3365d6d557ecb556ee97e1b2a9

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\more_top_x_down.gif

Filesize
318B

MD5
ffb4182d3a46b2b80f9c3a02ef39f349

SHA1
1c5daa5cd2a0a749c2c26aba0f9e74ce9055f982

SHA256
de54db329a9cca97040be701a43309333e34080169cfdd7acad6a77e7eb6d44b

SHA512
51a557ec7e471c4a862f9236c2828535fa803286e0766392467ad200a669424fcd0ad0e474bc35661c64665eb72940d94144e6ecd36a85e1fc3dddd08503f905

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\right_instructions.gif

Filesize
654B

MD5
05e363c6746f9c3b8c9153bc3ba3ceeb

SHA1
7d9c5dbfd80fa2eb6ae823aa551dfbf71a432d58

SHA256
30b8cd9e53186d6368ba156a3e4b855964ff4493651f585c9b4449ae9921ab04

SHA512
6cfd7cc8d8b9f67ef11ee73a06c0e333d4a1aaf638ff6255799100343ae3ef521628979de95e76ee38402fb7e800ee7531d49cc45281e3136c4868efe356d552

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\right_more_left.gif

Filesize
332B

MD5
e688db50de6436cbe06473592b15f5f9

SHA1
0d19417783f8d11dca674fcfad85e9e1bb6fb119

SHA256
6ee7f728bcad0fea09f4cddeba7f8a4250e00b77cbf450b9307c01611533ad8f

SHA512
9fed0d27ab27bd49e652ed21cfccf7a5d645800b620b2f33a91bd44ec95bef9247af43a2e359df62074c6623d659e97099f02748651fa43001fb6bf8f9536994

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\images\weather_location_lr.gif

Filesize
70B

MD5
601752dde117be545f7f47b32c3386d8

SHA1
b8192670272e92c72bf71c49027a70f57a7c62bd

SHA256
221d4b8d888982aa51e8ac46c91e8fcc493042231bd445998d58d85087c6195c

SHA512
ad97c5f8e5dd5b0f7ed62779adc6fee2e64bdd3f5b2ed102e1a123c76d95edec0fc7eb0c0f03ea2a585f56079d43101e565c433815d434a24dc019f430aa6418

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\menu.css

Filesize
290B

MD5
c626b168378e6246bbb4a603c688be0f

SHA1
d606202876f6849897c2fc62b4018615fa672084

SHA256
14d2d6b79286599645743dabe6945a1535edc134d931e0269e72c31b348dfe3f

SHA512
4716f71f1486292015cd039f6b0846cdb22da06ad771f6e8a677a70d47b106ef1cf6ca68475a6107897496fa978d68d05dc5e45c6db542badc54692860afaef1

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\module_weather.css

Filesize
229B

MD5
b6229ecb43dbbca46bd617b0d9f1a86d

SHA1
8dc3e0bcd9452a73b9f8c177b0cff41fedadc1ee

SHA256
7eba11ab1e20d5d1683fcad78a8899083fcaea616f3357748ed8e81e6631f3b0

SHA512
7ea18a26dec15b86cbe3f378e4d921e762dfc0048381dd28e1f23a0571304642c0c1edc4889f6e3981cea3fa2df53e1e5a65671dfe3a3d5d7a168c2269bbee1e

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\module_weather_dialog.css

Filesize
163B

MD5
06b1eb04a6cb3a6516c778ef41967761

SHA1
e154aa1c0c652a5df7e0c631d6ce56f75d84ee03

SHA256
88997b398de9ad9044a082853df69ef5e1e690b4c3cdb3001bf2c248788d7560

SHA512
ccbb902449d1014ff5aff6822a42363e3f82bb737bd211786e5bb99fad01906aa61a6246de00fffcfa29248c9a68c24ccfe8ff42f0cec0d215cd20bbfe20d9bc

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\Content~\quick.css

Filesize
313B

MD5
3e10777092741664df092824f8cae152

SHA1
0f3c1939e3946d806e69b43db3296293e75fd365

SHA256
8679c7ed8d23674d3f0f1559c37a320b0692a8fdaec40940bd34dcd7e4d3551e

SHA512
0eb7f51dc9bf0c8ce4f068810737f2a7709709fb637cb5ccf56dc3a3b85642b8aa23279adaae751c13fa9a0e42e6af2c68f3f827f66af7895717701ad5364bb8

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\SET7138.tmp

Filesize
297KB

MD5
221156db6e7d827428e859e3cb79cb2c

SHA1
115269493cc1dadf1d51f78282d6391d8630896a

SHA256
01604e3a88cff3b4ca5261c5bf42a1744f21868b551644dd6f3e4493a4e21ce1

SHA512
7c46bfb5e9115369909b620e6044f4dc6c9b93a70ff306dc2cbb6b99dce326443b10540dcc19e21605f337d45250bdd86b3813f71fb7197cf7d043ded3a2bb0f

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\SET714A.tmp

Filesize
174KB

MD5
338eefed91fd7f2fcf6ac7cdf5535a95

SHA1
e39d3cefc8862a44bc2a46b8190d89d3a63b47c6

SHA256
10b126904f0189a220a2802c2f97257f147c543daa8de9f7f057130712bf0fe2

SHA512
fd8bd4523f6f995d33da62c1f4353a601a899cf20a32971986e72c3731573b1d3b78874953f0189d16ece6949eb793e4cffac97b54a2666036bff4d788586f12

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\SET715C.tmp

Filesize
236KB

MD5
1d4dfdf2b6bb251aa5bc55b2ef9c7a10

SHA1
c3e64b392facc80e4c0ea6847fb39cc95de4612d

SHA256
a757534c8d01e3ec0a0de52d7bed02cb77113d525764696544925121555add96

SHA512
c209088d0d61da221aeaa012544641d7ebcddc88527460cc13e47ffb8024de0ee5993ea599aca1e48e6b14bdf14a88eea4349902dc26263446088e3db292f97a

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\SET715D.tmp

Filesize
40KB

MD5
edd63c9a3700af8cfe5678ee6cd4b547

SHA1
4ac6b3e96e091ade4de65712690e00c4c2d78a36

SHA256
93d05a51a72140c19737329ad1a0245bc037af5908bf00640f147f178c5a1db2

SHA512
bea4ddce20c4e0a8d1537884f155742d5583f5f4929ec757f6ee30265ac70a4c10e4b7cc320ef1657831d020eb637a5053abdc109b54c8d19bfe73bf981772a6

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\SET717F.tmp

Filesize
56KB

MD5
b22ead6d18b2e7cb9c08a5726e019846

SHA1
07cb450119b9923d95cd1b4194c8c81836bed1a8

SHA256
cd460f1a12d062c0d60efdee4711645c55e40726f09972d4333ede78536a2bec

SHA512
03679d5f13ec70cc6ff56e6ba58644c518b51b2d6462a33ada5834b8f0bf68a332a8ee1e2b3e997905d4c7a1317af7fca91e58ffd91943e32e1607ed5716e6a8

Download Submit
C:\Program Files (x86)\DAEMON Tools SearchBar\SET71B0.tmp

Filesize
238KB

MD5
0521d47159e93ab0fb2f61bbc338f6bd

SHA1
cd50aa6eb2429451bfeba7f3e65d05738e1d9ff6

SHA256
f730a8308909fa98d72f8687769b871f87867b9b08e3d3a32c2840effeedb903

SHA512
0993a476d7297f221cb6ead9f49d4426697e30ee89a821127e4ed9f10e8a580788bd4190df453b3bec7e3e431382c3e2252458c0740578de37385a6dea227f5d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads