Overview

  Score  Task                   Platform
  7      Static                 static
  3      6afd9c0138...18.exe    windows7-x64
  7      6afd9c0138...18.exe    windows10-2004-x64
  7      $LOCALAPPD...ub.dll    windows7-x64
  3      $LOCALAPPD...ub.dll    windows10-2004-x64
  3      $PLUGINSDI...ns.dll    windows7-x64
  3      $PLUGINSDI...ns.dll    windows10-2004-x64
  3      RegistInstallCnt.exe   windows7-x64
  3      RegistInstallCnt.exe   windows10-2004-x64
  3      WinTool.exe            windows7-x64
  3      WinTool.exe            windows10-2004-x64
  3      uninst.exe             windows7-x64
  7      uninst.exe             windows10-2004-x64
Analysis (score 7)

  max time kernel:   119s
  max time network:  121s
  platform:          windows7_x64
  resource:          win7-20240704-en
  resource tags:     arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  submitted:         24/07/2024, 08:54
Static task: static1

Behavioral tasks

  Task          Sample                                               Resource
  behavioral1   6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe   win7-20240704-en
  behavioral2   6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe   win10v2004-20240709-en
  behavioral3   $LOCALAPPDATA/WinTool/WinToolSub.dll                 win7-20240704-en
  behavioral4   $LOCALAPPDATA/WinTool/WinToolSub.dll                 win10v2004-20240709-en
  behavioral5   $PLUGINSDIR/InstallOptions.dll                       win7-20240704-en
  behavioral6   $PLUGINSDIR/InstallOptions.dll                       win10v2004-20240704-en
  behavioral7   RegistInstallCnt.exe                                 win7-20240705-en
  behavioral8   RegistInstallCnt.exe                                 win10v2004-20240709-en
  behavioral9   WinTool.exe                                          win7-20240708-en
  behavioral10  WinTool.exe                                          win10v2004-20240709-en
  behavioral11  uninst.exe                                           win7-20240704-en
  behavioral12  uninst.exe                                           win10v2004-20240709-en
General

  Target:  6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe
  Size:    210KB
  MD5:     6afd9c0138821dfae71915f9e3011864
  SHA1:    20adc60e5bb551b2e56e3a6ecb061f40f62ed964
  SHA256:  c8eff05ddf176ea6b12f5e973263f9eb2c5961300312873d328a18eb8995b504
  SHA512:  6eba5505b5f1067df9b17ece16109d85809cde42dbc3b1cc8d038ac026455538eb69cc606fd079315b578c9f6a2f02f2fc19ca157f186012bbd9e5911acf9d56
  SSDEEP:  3072:sgXdZt9P6D3XJR45bwA4n36s2tB+tpv2Yb5DaFOjDwHYOZF5V09sy24p7q0iK0sl:se34PePotb5ao3wVF5V0yAq0Qi
Malware Config
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  2616  RegistInstallCnt.exe
  2680  WinTool.exe

Loads dropped DLL (12 IoCs)
  PID   Process
  2760  6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe
  2760  6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe
  2760  6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe
  2760  6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe
  2680  WinTool.exe
  2680  WinTool.exe
  2680  WinTool.exe
  2616  RegistInstallCnt.exe
  2616  RegistInstallCnt.exe
  2616  RegistInstallCnt.exe
  2680  WinTool.exe
  2680  WinTool.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinTool = "\"C:\\Program Files (x86)\\WinTool\\WinTool.exe\" 1"  [6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe]

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (3 IoCs)
  - File created: C:\Program Files (x86)\WinTool\WinTool.exe  [6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe]
  - File created: C:\Program Files (x86)\WinTool\RegistInstallCnt.exe  [6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe]
  - File created: C:\Program Files (x86)\WinTool\uninst.exe  [6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe]

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [IEXPLORE.EXE]
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [WinTool.exe]
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [RegistInstallCnt.exe]
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe]

Modifies Internet Explorer settings
  (<USER> below stands for \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000)
  - Key created: <USER>\Software\Microsoft\Internet Explorer\Toolbar  [iexplore.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\MINIE  [iexplore.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\IntelliForms  [iexplore.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain  [iexplore.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\PageSetup  [iexplore.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\Zoom  [iexplore.exe]
  - Set value (int): <USER>\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{67CD9421-499A-11EF-A3CD-E6140BA5C80C} = "0"  [iexplore.exe]
  - Set value (int): <USER>\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"  [iexplore.exe]
  - Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar  [6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe]
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{4E218C96-E0B4-4199-B435-3F0D31039321}  [6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\Main  [IEXPLORE.EXE]
  - Set value (int): <USER>\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"  [iexplore.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\GPU  [iexplore.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\Main\WindowsSearch  [iexplore.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\IETld\LowMic  [iexplore.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\Recovery\AdminActive  [iexplore.exe]
  - Set value (str): <USER>\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"  [iexplore.exe]
  - Set value (int): <USER>\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  [iexplore.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\LowRegistry  [iexplore.exe]
  - Set value (int): <USER>\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  [iexplore.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic  [iexplore.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\Toolbar  [IEXPLORE.EXE]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage  [iexplore.exe]
  - Set value (str): <USER>\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  [iexplore.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser  [iexplore.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  [iexplore.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\Main  [iexplore.exe]
  - Key created: <USER>\Software\Microsoft\Internet Explorer\InternetRegistry  [iexplore.exe]

Modifies registry class (46 IoCs)
  All entries below were written by 6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe; <CLASSES> stands for \REGISTRY\MACHINE\SOFTWARE\Classes.
  - Set value (str): <CLASSES>\Wow6432Node\Interface\{8D948778-6110-479E-B807-721CD22B2E91}\TypeLib\Version = "1.0"
  - Set value (str): <CLASSES>\Interface\{8D948778-6110-479E-B807-721CD22B2E91}\TypeLib\Version = "1.0"
  - Set value (str): <CLASSES>\WinTool.WinToolBand.1\ = "WinToolBand Class"
  - Key created: <CLASSES>\WinTool.WinToolBand
  - Key created: <CLASSES>\WinTool.WinToolBand\CurVer
  - Set value (str): <CLASSES>\Wow6432Node\CLSID\{4E218C96-E0B4-4199-B435-3F0D31039321}\ProgID\ = "WinTool.WinToolBand.1"
  - Key created: <CLASSES>\Wow6432Node\Interface\{8D948778-6110-479E-B807-721CD22B2E91}\TypeLib
  - Set value (str): <CLASSES>\Interface\{8D948778-6110-479E-B807-721CD22B2E91}\TypeLib\ = "{1914FD5D-F579-445E-985B-DFE10B5B7D0B}"
  - Set value (str): <CLASSES>\WinTool.WinToolBand\ = "WinToolBand Class"
  - Set value (str): <CLASSES>\Wow6432Node\CLSID\{4E218C96-E0B4-4199-B435-3F0D31039321}\TypeLib\ = "{1914FD5D-F579-445E-985B-DFE10B5B7D0B}"
  - Key created: <CLASSES>\TypeLib\{1914FD5D-F579-445E-985B-DFE10B5B7D0B}\1.0\0\win32
  - Set value (str): <CLASSES>\TypeLib\{1914FD5D-F579-445E-985B-DFE10B5B7D0B}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\WinTool\\"
  - Set value (str): <CLASSES>\Wow6432Node\Interface\{8D948778-6110-479E-B807-721CD22B2E91}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  - Key created: <CLASSES>\WinTool.WinToolBand\CLSID
  - Set value (str): <CLASSES>\TypeLib\{1914FD5D-F579-445E-985B-DFE10B5B7D0B}\1.0\FLAGS\ = "0"
  - Key created: <CLASSES>\TypeLib\{1914FD5D-F579-445E-985B-DFE10B5B7D0B}\1.0\0
  - Key created: <CLASSES>\TypeLib\{1914FD5D-F579-445E-985B-DFE10B5B7D0B}\1.0\HELPDIR
  - Key created: <CLASSES>\Wow6432Node\CLSID\{4E218C96-E0B4-4199-B435-3F0D31039321}
  - Key created: <CLASSES>\Wow6432Node\Interface\{8D948778-6110-479E-B807-721CD22B2E91}
  - Key created: <CLASSES>\Wow6432Node\Interface\{8D948778-6110-479E-B807-721CD22B2E91}\ProxyStubClsid32
  - Set value (str): <CLASSES>\Wow6432Node\CLSID\{4E218C96-E0B4-4199-B435-3F0D31039321}\VersionIndependentProgID\ = "WinTool.WinToolBand"
  - Key created: <CLASSES>\Wow6432Node\CLSID\{4E218C96-E0B4-4199-B435-3F0D31039321}\Programmable
  - Key created: <CLASSES>\Wow6432Node\CLSID\{4E218C96-E0B4-4199-B435-3F0D31039321}\InprocServer32
  - Key created: <CLASSES>\Wow6432Node\CLSID\{4E218C96-E0B4-4199-B435-3F0D31039321}\TypeLib
  - Set value (str): <CLASSES>\WinTool.WinToolBand\CLSID\ = "{4E218C96-E0B4-4199-B435-3F0D31039321}"
  - Set value (str): <CLASSES>\WinTool.WinToolBand\CurVer\ = "WinTool.WinToolBand.1"
  - Set value (str): <CLASSES>\Wow6432Node\CLSID\{4E218C96-E0B4-4199-B435-3F0D31039321}\ = "WinToolBand Class"
  - Key created: <CLASSES>\Wow6432Node\CLSID\{4E218C96-E0B4-4199-B435-3F0D31039321}\VersionIndependentProgID
  - Key created: <CLASSES>\TypeLib\{1914FD5D-F579-445E-985B-DFE10B5B7D0B}\1.0
  - Set value (str): <CLASSES>\TypeLib\{1914FD5D-F579-445E-985B-DFE10B5B7D0B}\1.0\ = "QuickToolBar 1.0 Type Library"
  - Key created: <CLASSES>\TypeLib\{1914FD5D-F579-445E-985B-DFE10B5B7D0B}\1.0\FLAGS
  - Key created: <CLASSES>\Interface\{8D948778-6110-479E-B807-721CD22B2E91}\ProxyStubClsid32
  - Key created: <CLASSES>\Interface\{8D948778-6110-479E-B807-721CD22B2E91}\TypeLib
  - Key created: <CLASSES>\WinTool.WinToolBand.1
  - Key created: <CLASSES>\WinTool.WinToolBand.1\CLSID
  - Key created: <CLASSES>\Wow6432Node\CLSID\{4E218C96-E0B4-4199-B435-3F0D31039321}\ProgID
  - Set value (str): <CLASSES>\Wow6432Node\Interface\{8D948778-6110-479E-B807-721CD22B2E91}\ = "IQuickToolBarBand"
  - Key created: <CLASSES>\Interface\{8D948778-6110-479E-B807-721CD22B2E91}
  - Set value (str): <CLASSES>\WinTool.WinToolBand.1\CLSID\ = "{4E218C96-E0B4-4199-B435-3F0D31039321}"
  - Set value (str): <CLASSES>\Wow6432Node\CLSID\{4E218C96-E0B4-4199-B435-3F0D31039321}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\WinTool\\WinToolSub.dll"
  - Set value (str): <CLASSES>\Wow6432Node\CLSID\{4E218C96-E0B4-4199-B435-3F0D31039321}\InprocServer32\ThreadingModel = "Apartment"
  - Key created: <CLASSES>\TypeLib\{1914FD5D-F579-445E-985B-DFE10B5B7D0B}
  - Set value (str): <CLASSES>\TypeLib\{1914FD5D-F579-445E-985B-DFE10B5B7D0B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\WinTool\\WinToolSub.dll"
  - Set value (str): <CLASSES>\Wow6432Node\Interface\{8D948778-6110-479E-B807-721CD22B2E91}\TypeLib\ = "{1914FD5D-F579-445E-985B-DFE10B5B7D0B}"
  - Set value (str): <CLASSES>\Interface\{8D948778-6110-479E-B807-721CD22B2E91}\ = "IQuickToolBarBand"
  - Set value (str): <CLASSES>\Interface\{8D948778-6110-479E-B807-721CD22B2E91}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"

Suspicious use of FindShellTrayWindow (1 IoC)
  PID   Process
  3064  iexplore.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
  PID   Process
  3064  iexplore.exe
  3064  iexplore.exe
  2420  IEXPLORE.EXE
  2420  IEXPLORE.EXE
  2616  RegistInstallCnt.exe
  2680  WinTool.exe
  2616  RegistInstallCnt.exe
  2680  WinTool.exe

Suspicious use of WriteProcessMemory (21 IoCs)
  PID   Process                                              Target PID  procid_target  Entries
  3064  iexplore.exe                                         2420        31             7 identical entries
  2760  6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe   2616        32             7 identical entries
  2760  6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe   2680        33             7 identical entries
Processes

C:\Users\Admin\AppData\Local\Temp\6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6afd9c0138821dfae71915f9e3011864_JaffaCakes118.exe"
  PID: 2760
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\WinTool\RegistInstallCnt.exe
    Command line: "C:\Program Files (x86)\WinTool\RegistInstallCnt.exe" -serverUrl www.utilheaven.co.kr -object /setup/ToolMacAddress.php?MacAddress=%s&partnerid=utilheaven
    PID: 2616
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  C:\Program Files (x86)\WinTool\WinTool.exe
    Command line: "C:\Program Files (x86)\WinTool\WinTool.exe"
    PID: 2680
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

C:\Program Files\Internet Explorer\iexplore.exe
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  PID: 3064
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3064 CREDAT:275457 /prefetch:2
    PID: 2420
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 28KB
  MD5:     a13f46ce6314a6033024f51252270a29
  SHA1:    0f03027e24898a1462294853175a50870f294fb0
  SHA256:  a39d15ae4d9ca76665a9d32f484c6aa0512232e892d4a19b07b54ea9448ca499
  SHA512:  2d7487fa56a873346a24024c4098d11ea909e36d1dd429086652ad7c0a604cc29c58961f9fe2025509b806937ce1c6f2191fbb67cdd8e3f38c8810b3013dd48b

- Filesize: 48KB
  MD5:     9cc9a18f4f0ca6d8fbdbb8d5410f303b
  SHA1:    69ab499110d32112c15c5cb599fb31f21eb331d5
  SHA256:  14f68999325122f5fdeaba0c23a94eee68db9c462b6101acc1ffdcce308987dc
  SHA512:  b0f0f6b31954baf9baef2dc8f7b08daa9dc63a63853763b3576fb87eb3cb675e354e0257344b9532037b50569a696c76fe55c59e0df469b97189232d79c33567

- Filesize: 252KB
  MD5:     3d73a5800f2af02ef1b3b34a36881227
  SHA1:    79e3a65dbb62e52bb934639a766919a8861b928d
  SHA256:  2c45fa1e78858464186bd35154e9cc655ea704ecaa8c87abe274d4d4e304488f
  SHA512:  c00999beb76d4059f560b0e986130d4c006a6366f9fb27e882a4441dd71902d6d3b763fc8487e678bde6dce491a260f5decc513ebde8154df18387959979a04a