95fcfce99984e6b12599752f07a93b4ea22b9b463220adfefd2ddc628b1f5e4e

Analysis

max time kernel
134s
max time network
127s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 01:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe
Size

93KB
MD5

7695e3b8089c5e344d9260492bd39ca2
SHA1

5cddd4c3c8e1cb4e86782b393dd90a8c8feacd50
SHA256

95fcfce99984e6b12599752f07a93b4ea22b9b463220adfefd2ddc628b1f5e4e
SHA512

47e42b1204fa73127d1e47d73e7463bd0d5521a2d29cfebff36d4a41206571fd4d7a08a5345e344ab411f8408d5e2e622ea8a11c3d52504e0c5a5b8a48fc282a
SSDEEP

1536:0P45ClPk0fQIrOkvKKPHabMPC5byRuImtznCEl0D0vtScwOaG7Ciy3Jh:O5lzOoabMuyRuI/pcjCia

Score

7^/10

adware discovery stealer upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2028	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2556-1-0x0000000000400000-0x0000000000445000-memory.dmp	upx
behavioral1/memory/2556-30-0x0000000000400000-0x0000000000445000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2D0733B6-0BAC-47C1-909A-D9DB0533FFAF}	regsvr32.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fejokt.dll	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\p.ico	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sf.ico	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\c.ico	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\m.ico	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\m3.ico	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\s.ico	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ios.dat	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6653F631-4E30-11EF-A2D0-E643F72B7232} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c9200000000020000000000106600000001000020000000563744b9854d342e0ad18674a64ae7ba6cc18cd95cd172b0d3cd12f6c2bbdd5a000000000e800000000200002000000055e75dbe76356835107cb78be7f33295b152237784a7235d39b99d2fcbc0ea9d900000001e1fac37618ee6fc64cb8099c8c06407cafed2ff4ebdf2878be53b012abff973cc887ba37c695ee6210528b617cddf316c1cf665b39e8961e8e57a367069ff35c7af165bf56fd1a6265c3bdecdea6a578bfc10db6ac03382f83fa0acb0a42124396580e0bc59295658b9dcbb5b54b0a2c0148a637e8c56fc250308a81e480d53dc585165e443a1b38faf99d15dfcfc1640000000e876939d47b243fdcf6dfdf5bdd8f0f1c3dd4bb13040466724fe8d81a9b9725e790bbe71c1b63923bb240057b15b4581146435469d60ae8b4d9182fac64e2d9c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428477393"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0e2e03a3de2da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c92000000000200000000001066000000010000200000008024abdeca836626dff0d644f8c86538b8960bc2a362869a27c6f8b85f6f3ee1000000000e8000000002000020000000cd3bcc770887cb11d57e32e276339d2066175f28e6d4c7fcc7d2caa2ba19c81420000000ab0403428f385a4c8a47b04cb6170d70e2dc667f0418a022a9484721bed53e8e40000000bd10233ff55607cd8975758034344784186e9489be0cadab585826ccc04d23efe89049205349c40d9c74bab33b1ea044a0341e85841e10586abbc028fb13069f	iexplore.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2644A8E6-6AD2-4068-B902-5ABC07441EED}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2644A8E6-6AD2-4068-B902-5ABC07441EED}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2644A8E6-6AD2-4068-B902-5ABC07441EED}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A0960DBB-D8C8-4771-AD4A-F0493CCB1582}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0960DBB-D8C8-4771-AD4A-F0493CCB1582}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0733B6-0BAC-47C1-909A-D9DB0533FFAF}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2644A8E6-6AD2-4068-B902-5ABC07441EED}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2644A8E6-6AD2-4068-B902-5ABC07441EED}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A0960DBB-D8C8-4771-AD4A-F0493CCB1582}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0733B6-0BAC-47C1-909A-D9DB0533FFAF}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0733B6-0BAC-47C1-909A-D9DB0533FFAF}\InprocServer32\ = "C:\\Windows\\SysWow64\\fejokt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0960DBB-D8C8-4771-AD4A-F0493CCB1582}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ginaos.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0733B6-0BAC-47C1-909A-D9DB0533FFAF}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2644A8E6-6AD2-4068-B902-5ABC07441EED}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A0960DBB-D8C8-4771-AD4A-F0493CCB1582}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0960DBB-D8C8-4771-AD4A-F0493CCB1582}\ = "Ibhoscl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0733B6-0BAC-47C1-909A-D9DB0533FFAF}\ = "SysCli.Ctrl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A0960DBB-D8C8-4771-AD4A-F0493CCB1582}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A0960DBB-D8C8-4771-AD4A-F0493CCB1582}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2644A8E6-6AD2-4068-B902-5ABC07441EED}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ginaos.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ginaos\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\ = "sclbho Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\fejokt.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2644A8E6-6AD2-4068-B902-5ABC07441EED}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2644A8E6-6AD2-4068-B902-5ABC07441EED}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ginaos	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0733B6-0BAC-47C1-909A-D9DB0533FFAF}\VersionIndependentProgID\ = "Ginaos"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ginaos\ = "SysCli.Ctrl"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0960DBB-D8C8-4771-AD4A-F0493CCB1582}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A0960DBB-D8C8-4771-AD4A-F0493CCB1582}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ginaos.1\CLSID\ = "{2D0733B6-0BAC-47C1-909A-D9DB0533FFAF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0733B6-0BAC-47C1-909A-D9DB0533FFAF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0733B6-0BAC-47C1-909A-D9DB0533FFAF}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0733B6-0BAC-47C1-909A-D9DB0533FFAF}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0733B6-0BAC-47C1-909A-D9DB0533FFAF}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2644A8E6-6AD2-4068-B902-5ABC07441EED}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ginaos\CLSID\ = "{2D0733B6-0BAC-47C1-909A-D9DB0533FFAF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0733B6-0BAC-47C1-909A-D9DB0533FFAF}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0960DBB-D8C8-4771-AD4A-F0493CCB1582}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ginaos\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2644A8E6-6AD2-4068-B902-5ABC07441EED}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2644A8E6-6AD2-4068-B902-5ABC07441EED}\ = "_IbhosclEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2644A8E6-6AD2-4068-B902-5ABC07441EED}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A0960DBB-D8C8-4771-AD4A-F0493CCB1582}\ = "Ibhoscl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0960DBB-D8C8-4771-AD4A-F0493CCB1582}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ginaos.1\ = "SysCli.Ctrl"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ginaos\CurVer\ = "Ginaos.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2D0733B6-0BAC-47C1-909A-D9DB0533FFAF}\ProgID\ = "Ginaos.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2644A8E6-6AD2-4068-B902-5ABC07441EED}\ = "_IbhosclEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A0960DBB-D8C8-4771-AD4A-F0493CCB1582}\TypeLib	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2712	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2712	iexplore.exe
2712	iexplore.exe
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2028	2556	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2028	2556	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2028	2556	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2028	2556	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2028	2556	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2028	2556	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2028	2556	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe	29
PID 2556 wrote to memory of 2712	2556	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2712	2556	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2712	2556	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2712	2556	7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2900	2712	iexplore.exe	31
PID 2712 wrote to memory of 2900	2712	iexplore.exe	31
PID 2712 wrote to memory of 2900	2712	iexplore.exe	31
PID 2712 wrote to memory of 2900	2712	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7695e3b8089c5e344d9260492bd39ca2_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\fejokt.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2028
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://configupdatestart.com/bind2.php?id=3913102
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2712 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85d11cc686f385dd568e9fc7a83ed56f

SHA1
44c7ae19a672952d8f37c4c8449e08c4d67c7b24

SHA256
95c153dc7511fcdae36ab2defaf8f49a0071897db4354b118450debe566533ec

SHA512
466010434c003d7dad21f7714f544ccf03cf5d409698a65659a0069e32507d91638a3220b6abac233a33a5c609fc10262903a569009f2cedef12e0a76b0b6e44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e01900f60af2c3ed981cb90a99738888

SHA1
1f16b95c2741ca84b58c4fbf2fce61b30ff7ccbe

SHA256
dc46e35a40e125428b1f376ba553864a7a9f0783578ad4b100b5ce7de488c7d1

SHA512
0c7ff3897311164ace81d3a6f7d58911ba27bb9ad02ed901bb0dcce07f918796accce83f728cb44ae2af3a879ab9aa8c9e468ddec02a3078c71571bedfe69754

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6845268f6e0814fe25b0c4536daa079

SHA1
e473e6a64c61adc8eefe0e19090b33fc98f695f4

SHA256
c3dd92806770e298554768bb945022e2582d1c6ea92fa2efc476f11a890ada4c

SHA512
b0e0491feeb079609ae7fed70403653ea78b37517c5a90e6c1fbc1ef35f18b5d2a7ed780143b19a83de48984463236f3379ea2cda84d479845092b297f13977e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b93ac26ebcb968b776ee7d2673ff471

SHA1
c1776d4a85cfb059c9157af56f8e09013d99f149

SHA256
f7be32e6a34ddf8335bacc56cf259edcdebf83d001d2fffd11c99b6a35383960

SHA512
55e66177a29d9b28b1514340f60edf75b1f11ae96f3eb89223d8455acfb415d81227dbdb547ea7929addd052d6feedc5b93a47293b628b34092e8bc787c5a9b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
451cb8bb35dbdde8030ee7a4e45453c4

SHA1
bf1146e90f8f792f6257eb8664793442da5b34ba

SHA256
458c2a33f85302893cdec30120a3c3c115f6c20d8c3a8d0ec4ae0f12f091c1a3

SHA512
873ab03b4094a5db2b0714e20421de4f07dcb217916f4ce562ce37728c5c524b60b5d539fd8b54628f85e9d23632b9cab3bae980d55d89409659e7897ded09c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
599b5bca4d2d367405e5cceaa1a71821

SHA1
9f0efe090bee7fa121826ee983b9f195f0c6b798

SHA256
5fb69b73ca826270f2b65a870385850afcbaa1073a6f18e88cfe68c9b6bd1323

SHA512
8d0fa2c06fe483b509837b643c6009d4664de45bbe09370bf6e7b5dc69c8624936501e2eca1a12d05b522d1110ae2d2c65caaf84529aa9753731c24db739dafb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49abc8ffa32ec0e80afe2bbb3e5eaace

SHA1
b3612f52f30dd398c9cbd493586c48a8cafcb78d

SHA256
350bd760b81f1274780d623471ec21ebf93970f4e06515e4cc7e7f1704bec349

SHA512
a2b971c6b21bf76e5b56d2d8baae8dbfef8763f8ecf22a254f59e009224b832f54a86013effaf03ca04a02b422c46f8fddfab600170c9563c22bad2ad1cd732a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
add9d3e5a65c28ef7be5a600edbf94d8

SHA1
a07ef0a014e868bc4b9023ff59a3dd0600dcae47

SHA256
593f14cdb318f00f67f6a9527c0eeec11ba490371a077fef27b100d099c773da

SHA512
93ef3d4fe4c42396bb86403a4c04f5aa58a58c3b523944a67104409da78bf3797d41dca4bb06a146ea4cc0c7e0a32d39e62ea9546e9d4654d3541ab93175435b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76c65aee667c8564ed3d3631adadb389

SHA1
8f634f243e3b29940299e456275f0c6ed6e29ac7

SHA256
fffe251bb40cfc3d74224f5b2f7634b4b099bbb3d28358690fdd6b58309a5415

SHA512
c932683eae5a4b956fcd91d88a24a00086b54819fecc403895246adcfe800cef30b9ba9dbecb331e54bb801ae7a6d1e1638952800ff3c98a7e72d211dfcca84e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4587a6975a022c753f9a98fdaaa44e46

SHA1
c755e9ad0703442fccb2ebe1977904e3964f43a1

SHA256
0263eddf1969c0a3e28062a5957c7da1eeebb22228f4dd8bfc65da01060922d2

SHA512
afa49bc20655333b1dc1b2d8e056fb2784e4ead1ca4d6d3831281eda7387c291fb05a0003e1c2ac019a8c7956a0282c2d6f3bf4684c5682375b34a6cc3abcf02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec3a03ab09a74ec07c2152fd6a855af4

SHA1
ec4c08594bf562a65dac5bae0af9cd73843ddc54

SHA256
57f75106dd97a746c164eb08b2bcd3db1398ee15f2c39eba99b47bd4d1073938

SHA512
24c21b9a5600f5a366416a5084d0010fbd7eb730e95365187977d3cbce9bb8ea9cfabded912bbad5427fdebca843a2bb3cb2beab9671a5aa8a88b33dd8b15f72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4800851f5a313f4c0a97629587864ebf

SHA1
222a4c455a02cbf5244b901a5ca4d35d3f4cad83

SHA256
97ed6236620ef051f04c86b670158062577897401867ecacbc7d2b0bf985faf4

SHA512
63825d5b4663906945d4dfa3290bac26c0b1202b6371bd0e90d2500991fcc5d6a1c81ec36f67fb80daf2bc0eda4dc340240d3eebf042fad39e0a484eb811a86d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f76f3114a6c7346ba56e0b0e91cbca7d

SHA1
78e3ccb4da6b841a4059c505343813c37c70b48f

SHA256
71992c3f1b6e3166e2e2e20bb2be44343920aa664899b6de5184ca8d7aa76744

SHA512
80af1a0109ab322a2c6c9d6b2c2e08818dcb2e3f340333a84173c536278d3bfb60b3b83f632aff02b019013c33cc26648daaade9636d3f4b0e8e917bea3f2384

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67c76b5953b224ffa2e2ccc1c3bbe40d

SHA1
b5c1e8ac5ec85c6f31988da3f5f494fff1cc44c5

SHA256
ceec07220308067daea1f5805ab30c1c22113a1b026826883bed9355fb95e243

SHA512
9e4a4be008a43be57a5e46bd95f43d4267981f1708e8bab3e2cddd3a3389df440d5d3496c3a847ad3650745f13df7aa54200fc352080e7b1dd641922b9021d26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cbc9c6600016e3bfe2cdfe068e14e93

SHA1
accfdac292aa978c58ba1e1f0437c08012b85441

SHA256
2d0f4476ff1a812060a4c87dd81dc60832a30e5c311678831d18cccc7a239bb0

SHA512
15c53bee7f2b3f55cc93f800ae92cd1de3bcbd4a3c1cb6f37bc323d40b9b15f27012f0b20a27f9b4affd902ecd66d7c11d3a6c9168075ab5af6ba747ab71818b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85ea72e851729f2aabc9b260d0f0de22

SHA1
f1eee98ef279a4ff733fc449c48ec2e3806c7657

SHA256
504b06ac4aaf5116e328ac0eff56236ce7611bf24f5a905b976ffff31aa2c890

SHA512
d91725abf2d2f63b6634749674521ae5d8acc77ebeabf3b09d67f0aae89ad740687b1761455dedeec7024ee1b3a295345fd82210c31e82175a802629c62daf03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf5284725015264b4ffb764b7d148f91

SHA1
6bbd0f1d7818007e1d7ef1ac967cac371e70927e

SHA256
c7330e6ea6e27d36e7b5b861013719950378f2201575e76d0ef4494b96a882e2

SHA512
7f02eb3241bdee984bdbb61c61881fa3119617bf6f7fff3dce1a4e107697c2807c967b1895f93237e452d5efa084d519690dd4abbb7cd66075f4226f1e0e5bce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c685f42ac41d682ab580c1755e4f654a

SHA1
15c0e88021ae384e1a17cf517ef87358b79b6c46

SHA256
d31f59bb90e8edf0a613a944b96ad607eb3e065a6644fb22c14fa81e80b794ea

SHA512
327b161bcbe2d0610f29c608b9ab9abbe4f69b20119d137271ce2eb203baddb7bb961e686797bf1e77516f176436d790368ae12022c389b71fc0012c7ace4b74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab67277e996a1a5cdc89a017007e63b9

SHA1
cdb374021cd89410c023e5bdb1908b4a1efcb6df

SHA256
4098253d265df4e98a14311a30bcb2b0a9423d277c1b4f5c30ca9eac72ab4f95

SHA512
d3eb0f6d973fe181d50258db47e376beba3343444999d03490a7d6aaddd7d4f8046770d0579b80ecb9af95b812ca832fd148828ee883188b80b667a4e302dbf4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9515fcb1a8d6dc871e0627c9951a0c7a

SHA1
95e8c336dd39786c7d9b2b27618d74e8d5eb6aab

SHA256
f294c9386b8f0afe132c2505fd0fe7b7be85c7f28e59baa9f88f2382f3e74c64

SHA512
38ee676fc039345464f3eb090128624e477c4ff0be0ab35b1e06e1324e573fcd559e450344ebe0769f1d0943d49d1c9fbf256b443237e8eba4add1ea02c47bba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6984e2c7a23a46df2ed895ab9774fb91

SHA1
1f521564cbd6310b1edb9a5b6bc509802a15820c

SHA256
8b2dcd58d2fb45866a14280d7b35f9e84395b17bc3864a5d290fa829c47448fe

SHA512
eb94ff89efb63c475cb78a48d17d5142a53172a5dbdf7475256a3db1e236e1f50bbf0d49f6bdbed43ff5ab1aec96a95bd2d92bf3522ebdd585642e18641313d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07c26cb417532ec4b62c1df68f4bc661

SHA1
c66741ab4693f6634e4815212ed51fa898585dff

SHA256
64c78218275803342592a92ac807d4c6126fbeaa02960974f4f4d6c5f919d619

SHA512
d4969c2220b037479cddc49c70c59916925fbeb873db481491ba0f9305c1654e5fb1c438f2cc307fadf223d67923b2528f0a20ee2c94e722e56e253024c2a0ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAFB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB6C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Windows\SysWOW64\fejokt.dll

Filesize
124KB

MD5
63ad1973b0d23f1d09e9dc7e8b17780b

SHA1
c0b4b5c370b143c1ddfea293b41b67247dec6258

SHA256
43af639d285c1f3015645f4658e469c1b72c396bca27e98d2d1524f92a7c236a

SHA512
cc60f0244c661053894dfd5fb4e81412a4672acbb8c5b4139cae566d6cac63e0cbf5cd00e821799cb5bda1bbb7a86f0cb0cbfccd616d553cb2bfe9372708b20d

Download Submit
memory/2556-1-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download
memory/2556-30-0x0000000000400000-0x0000000000445000-memory.dmp

Filesize
276KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads