549891aef8565b8cdb2ad43e39fb7f7948f677f27292c3ff11da8827fbab2717

Analysis

max time kernel
117s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
26/07/2024, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Size

108KB
MD5

734f7fd3277bcf2a9bace95d12829d0f
SHA1

434054b9c1fb789194324210d9dc253d8069060c
SHA256

549891aef8565b8cdb2ad43e39fb7f7948f677f27292c3ff11da8827fbab2717
SHA512

7bbd5d4531f79588690d9522162e8358cb027d8c8934fc903b880dd017e2efe09e7af12afc84e2710d4a404001236a9e7002bcf8f0e8a06959a02b0336b66137
SSDEEP

3072:5EJhcz6bmFM8A2qJMYv0Pckj8uAkptf0pb:OJhi6b6MZhF0UkIuLptqb

Score

8^/10

adware discovery stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
3024	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
280	regsvr32.exe
2788	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{CE7C3CF0-4B15-11D1-ABED-709549C10020}	regsvr32.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\900mrrccs2.dll	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\23szqlfzpm.dll	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\myin.hta	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mydi.hta	mshta.exe
File created	C:\Windows\SysWOW64\900mrrccs2.dll	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\defcolors.txt	mshta.exe
File opened for modification	C:\Windows\defcolors.txt	mshta.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 50 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\SOFTWARE\Microsoft\Internet Explorer\Styles	mshta.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC}\Default Visible = "Yes"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TypedURLs\url9 = "http://pornomix.com/"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TypedURLs\url14 = "http://www.next-tgp.com/?from=bookmark_3"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs\url4 = "http://xxx-tv.us/tgp/group"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TypedURLs\url7 = "http://sexpornseek.com/"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs\url2 = "http://ie-search.com"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TypedURLs\url4 = "http://xxx-tv.us/tgp/group"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TypedURLs\url10 = "http://teen.any-porn.com/enter.php"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs\url11 = "http://www.pornmovieslinks.com/hardcore_1.php"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs\url16 = "http://xxx-samples.com/"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC}\Icon = "shell32.dll,23"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TypedURLs\url2 = "http://ie-search.com"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TypedURLs\url13 = "http://hardcore.xxx-samples.com/"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TypedURLs\url16 = "http://xxx-samples.com/"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TypedURLs\url11 = "http://www.pornmovieslinks.com/hardcore_1.php"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Styles\Use My Stylesheet = "1"	mshta.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC}\ButtonText = "The Simple Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC}\Clsid = "{E0DD6CAB-2D10-11D2-8F1A-0000F87ABD16}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs\url3 = "http://xxx-tv.us"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs\url12 = "http://mature-x-mom.com"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs\url14 = "http://www.next-tgp.com/?from=bookmark_3"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TypedURLs\url15 = "http://www.sexpornseek.com/"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs\url7 = "http://sexpornseek.com/"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC}\Hot Icon = "shell32.dll,23"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TypedURLs\url12 = "http://mature-x-mom.com"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs\url9 = "http://pornomix.com/"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs\url13 = "http://hardcore.xxx-samples.com/"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC}\BandClsid = "{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs\url8 = "http://best.xxx-samples.com/"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs\url15 = "http://www.sexpornseek.com/"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC}\MenuStatusBar = "The Simple Toolbar"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC}\ = "The Simple Toolbar Search"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TypedURLs\url1 = "http://hereisit.com"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TypedURLs\url6 = "http://sexmosaic.com/members/enter.php?id=nikifor"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TypedURLs\url8 = "http://best.xxx-samples.com/"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs\url1 = "http://hereisit.com"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC}\MenuText = "The Simple Toolbar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\TypedURLs	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs\url5 = "http://next-tgp.com/?from=bookmark_3"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs\url6 = "http://sexmosaic.com/members/enter.php?id=nikifor"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TypedURLs\url5 = "http://next-tgp.com/?from=bookmark_3"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Styles\User Stylesheet = "C:\\Windows\\defcolors.txt"	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{A26ABCF0-1C8F-46e7-A67C-0489DC21B9CC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\TypedURLs\url3 = "http://xxx-tv.us"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TypedURLs\url10 = "http://teen.any-porn.com/enter.php"	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SimpleTbar.StockBar.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB}\InprocServer32\ = "C:\\Windows\\SysWow64\\900mrrccs2.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\TypeLib\ = "{84C94803-B5EC-4491-B2BE-7B113E013B77}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\TypeLib\ = "{84C94803-B5EC-4491-B2BE-7B113E013B77}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB}\ProgID\ = "SimpleTbar.StockBar.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "IEHlprObj Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib\ = "{CE7C3CE2-4B15-11D1-ABED-709549C10000}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10020}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10020}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\ = "IStockBar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10020}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB}\VersionIndependentProgID\ = "SimpleTbar.StockBar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10020}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SimpleTbar.StockBar.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\HELPDIR\ = "C:\\Windows\\system32"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SimpleTbar.StockBar\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0\HELPDIR\ = "C:\\Windows\\system32"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10020}\ = "IEHlprObj Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\23szqlfzpm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{84C94803-B5EC-4491-B2BE-7B113E013B77}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\ = "IStockBar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10020}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\ = "IEHelper 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SimpleTbar.StockBar.1\ = "The Simple Toolbar Search"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{CE7C3CE2-4B15-11D1-ABED-709549C10000}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SimpleTbar.StockBar\CLSID\ = "{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10020}\ProgID\ = "IEHlprObj.IEHlprObj.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SimpleTbar.StockBar.1\CLSID\ = "{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SimpleTbar.StockBar	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DEEE498-08CC-43F0-BCA0-DBB5A25C9501}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CE7C3CF0-4B15-11D1-ABED-709549C10020}\InprocServer32\ = "C:\\Windows\\SysWow64\\23szqlfzpm.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\ = "IIEHlprObj"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CE7C3CEF-4B15-11D1-ABED-709549C10000}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SimpleTbar.StockBar\CurVer\ = "SimpleTbar.StockBar.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6790AA5-C6C7-4BCF-A46D-0FDAC4EA99EB}\ = "The Simple Toolbar Search"	regsvr32.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 280	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	30
PID 1864 wrote to memory of 280	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	30
PID 1864 wrote to memory of 280	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	30
PID 1864 wrote to memory of 280	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	30
PID 1864 wrote to memory of 280	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	30
PID 1864 wrote to memory of 280	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	30
PID 1864 wrote to memory of 280	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	30
PID 1864 wrote to memory of 2076	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	31
PID 1864 wrote to memory of 2076	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	31
PID 1864 wrote to memory of 2076	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	31
PID 1864 wrote to memory of 2076	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	31
PID 2076 wrote to memory of 2888	2076	mshta.exe	32
PID 2076 wrote to memory of 2888	2076	mshta.exe	32
PID 2076 wrote to memory of 2888	2076	mshta.exe	32
PID 2076 wrote to memory of 2888	2076	mshta.exe	32
PID 1864 wrote to memory of 2788	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	33
PID 1864 wrote to memory of 2788	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	33
PID 1864 wrote to memory of 2788	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	33
PID 1864 wrote to memory of 2788	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	33
PID 1864 wrote to memory of 2788	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	33
PID 1864 wrote to memory of 2788	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	33
PID 1864 wrote to memory of 2788	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	33
PID 1864 wrote to memory of 3024	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	34
PID 1864 wrote to memory of 3024	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	34
PID 1864 wrote to memory of 3024	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	34
PID 1864 wrote to memory of 3024	1864	734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\734f7fd3277bcf2a9bace95d12829d0f_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\system32\23szqlfzpm.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:280
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Windows\system32\myin.hta"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Windows\System32\mydi.hta"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 /s C:\Windows\system32\900mrrccs2.dll
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\delself.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delself.bat

Filesize
256B

MD5
c2905bd5fe2e33bfcf6c0d959df3a879

SHA1
c038b802de12503bcd833e7bfbb331f358dc1b1e

SHA256
e5959e4188f33c046b79700c1cb83460c194b9f003abb25596b928e01497f8d2

SHA512
409ca331119c440e4f246106c00aed70160a5c69039b449c0095e5fd3955a6d935ceda2fbe5d1b0382c3282f8f5b9ac85764e8d9ac0a1b526cfd3cd7c3523baf

Download Submit
C:\Users\Admin\Favorites\!SEX SEARCH ENGINE.url

Filesize
76B

MD5
b26889af5dbf210217b9dd07c1d8d4cc

SHA1
5cd7e4f36cee5b02fce20d9511fb109aabf67dea

SHA256
3f5147827fb23019c32fa8b358e88c46b70cce7ea779c240e7c5b256501742a6

SHA512
e1954e1271563da3a3690ded3af226eecb4a9beab0537d8f02c206fd0b10f62b372f54c8db831eedf90e213497b1505599943722e71a0c37713af22d69367a8a

Download Submit
C:\Users\Admin\Favorites\-= FREE SEX THUMBNAILED GALLERIES =-.URL

Filesize
125B

MD5
750d81c0d37be388535e38f5b02117ec

SHA1
8c596457f2545c5cf901467f24b758fd3999ddaa

SHA256
270335c92918786b08638d46b4a5a20ceb10d316afc56b7885fd8f86bc3fa476

SHA512
cfe158cd61f5cff3c595666d7e294f3c61e09f868f7dd574d2cb183d7d2ac01ecbd8fcb47a49001d8b3ece7763588cc87452c0779ed43d3dbd621d2d0af6ee74

Download Submit
C:\Users\Admin\Favorites\-= FREE SEX THUMBNAILED GALLERIES =-.url

Filesize
89B

MD5
a6f8920125734b6d967cae9eeb46db3e

SHA1
fcb73764b3c1b09e979ae32f2bd23021c1bac318

SHA256
804237f03afb1068cba5aa1fd0356e9dee7f45b123c531cc08d855608179c82f

SHA512
50e244df1d3079e75ac9f3a30e310df3500f5eb9e7eead62aeac5f94bd342490bddf4344a923a7bf235462f7c20fbdd19ef04d264a03fcfa75a0d13b7c20bca8

Download Submit
C:\Users\Admin\Favorites\1st! XXX-TV.US - FREE XXX THUMBS DAILY!.URL

Filesize
106B

MD5
5bff1c24fcaf75748eaabc1b8218d4f7

SHA1
99a5fbcd5293ce73f2155d4b5eecf6fd76f5d125

SHA256
f6c897e93cdb3ee780bba6a88df6f7fc83842a6b86cca53a1a57e3ebeea5676b

SHA512
5da8c364d045576385878e712b10455b1fc29b4feae697888fcf10dd2670bdf013f0a6bfd812586c5cc5509eaed397c676a06ce3847a6ee0d47b0c4487dd30b3

Download Submit
C:\Users\Admin\Favorites\1st! XXX-TV.US - FREE XXX THUMBS DAILY!.url

Filesize
69B

MD5
6eff3b23b5849e3d3d1175e89f38b09e

SHA1
ebaa379855f34f33f7dfdecc5705fd2fb30be3ae

SHA256
434314eec5630261a8a4c4b906db10f1d0fc68c581c26e32aca57456f0aae0ac

SHA512
c95afffc821d135c54a1da777bdb674b38d965ed26692e9564cd030bc3009dbc281396a27953bf22954c8108e77a6d1606cdacb3472f3135df6a0df08f31f6b9

Download Submit
C:\Users\Admin\Favorites\FREE PORN PICS.URL

Filesize
109B

MD5
fae17856d718f6a4be6688d6ef4c7def

SHA1
5ba75452b6a26cbcfd3f4df5f13adbf3e450fb06

SHA256
1584dff92ff54c16bbe0aff07140c58def321cb1244b55e6552116b16df57915

SHA512
68f66d120b7db15243e70e863d4c430ea59929cabf38dd4a1bb8c6eee90d2a1cc1fb13e22abe112ac54a092dff85d0b2b347fdfefb03e7e22e30c2eaba2ff255

Download Submit
C:\Users\Admin\Favorites\Uncensored Sex Pics and Live Cams.url

Filesize
87B

MD5
efb656322d20e112a2de2946bfe1c66c

SHA1
cd858cbb184230475c53b4b1f51c0b078fe91229

SHA256
98d55745d1ee155802641c3b997aaa4cb990fc9673bb3cf276bf8f637444b0a0

SHA512
7d82b57a0be053a8b9a87d88b8d25fbdc1f478260e42f23d573cbe7191e9d0a56f12360069ed7da871ac2aa1882afa9b5d3ccb1010b9182dc0354f105b4a611a

Download Submit
C:\Users\Admin\Favorites\~ Porn Movies ~.URL

Filesize
116B

MD5
ddc967d2e798cb4830dc8a2a720352f4

SHA1
f40b7ff8d460d675a8b55b45d134d8a5c1e83829

SHA256
bbaf466d10ca64fa5ba7a7653056eec6ad2822d9e6939c85592566bf22bfa4f3

SHA512
2702929ff7d58d415d86d6ba1ba3e4cc28e1177bc2ec722fde566a60c6c0aafc28fdbcf13ebd8abc2c7ccffdb6d15a3ac598ce8dc5284ee9c4638e877ab7f84c

Download Submit
C:\Users\Admin\Favorites\~ Porn Movies ~.url

Filesize
79B

MD5
916fd4e4a2bfb72fa5ba9d0deadee645

SHA1
e4ff36e5a6ae1cb617bdd0e2250c2a618de29e14

SHA256
b97d368edddd349a3baf37df129fc8c852d9f358dd14f1d182edd1450153a33f

SHA512
5a761c65e73bd9cc14ed44d742d857fc836fa281dc7d1a0ba758cbcb9d86f8ab05bdc94b498d43f940592f6cfa6b83a3fecbbf17f25c2a97d189b8283c1c49f0

Download Submit
C:\Windows\SysWOW64\23szqlfzpm.dll

Filesize
41KB

MD5
da27fcdbb081b9ebbc2134866aaddb40

SHA1
ff07e1c378192b254c1e69513045d2ff6d0c8ec6

SHA256
1351d5cadfd3e4677573ba3b511e1a9647747345cb873364842fcd4a0db574b0

SHA512
5aabda4999e01d02008cb6a9d4f92d98367232adb1242bbae819a41b139e457705e19dce4fdf9d88b330e9acb2f60c132c0e35162f33fa46c4b35cd221652dfa

Download Submit
C:\Windows\SysWOW64\900mrrccs2.dll

Filesize
31KB

MD5
b78a37653d668705699a5d1b672c50ea

SHA1
12c7df63ced3327ffda5759f307b8ba0a0bb08a8

SHA256
eef5fab9188c0569bf8af6d5c6cf72326701c5cd64c21889ba8b047de743938f

SHA512
1564a17c7257f02900b576aa16d19bb27ec20ffb2f65dd0f2a39ad647de26ab91ba1fd6010d37bd0cc4720d0c538cfb3a9743e29c42f85c94125399618720471

Download Submit
C:\Windows\SysWOW64\mydi.hta

Filesize
506B

MD5
a692abbc4b5025c9042d3c725cab5d64

SHA1
7da841a081ab1418b4797e30fc9fb8de6f27e422

SHA256
f85ee7a6a9ce0e94bb85f32bc37d8b3ca970a8c178b40e5d9c80efeebf7851bd

SHA512
8d9da6f7c683f7d73a6aeed4ec75780cc9866b3cb404ddcb31a2d348365edbd723b75f7048bf11857a21a8c7a79e518c255f7422070a39df680d43dbb9d71bea

Download Submit
C:\Windows\SysWOW64\myin.hta

Filesize
4KB

MD5
9b0ecb0a2cfc62a69297260be27b12b4

SHA1
5ccb3aa208957e4aeec63be08741eca02ae08a20

SHA256
81ec9607aa7d0f047c9c3d254caeb033f6908a2978a2313a9570cee5aba122ba

SHA512
e7d75273ca566b806257fa55f86324ecad28f52d8473d474a0cc97a3a87be3e11e828aa1ee206566cb31d080739b6b6082c4e827071c4eb301a262c24d0d7669

Download Submit
memory/280-5-0x0000000010000000-0x0000000010019000-memory.dmp

Filesize
100KB

Download
memory/1864-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1864-73-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2788-53-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads