43db744b91e2fdf747fc2ec683274d830caa377118554492acf4a9425df07dc0

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2024 03:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
Size

4.3MB
MD5

76f12d7f400b862ec84f6e0ea60dca7d
SHA1

b0353ad4552c116290c83deb1cff818faf50766e
SHA256

43db744b91e2fdf747fc2ec683274d830caa377118554492acf4a9425df07dc0
SHA512

5807d4caba653d2c8d878768d0f562d42b0a008cc6e13cd8c3da1a191f140bc5a744255ec9b37d91ce9197dc005bdad56d4b4bc308ca978d704a84b752331959
SSDEEP

98304:a8pd5/USq+E7XYEgTJSK68JOnIAKekgKfuT+s:n8S6j5gTYK2nIAwg+Ls

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
3676	mp3tube-tb-setup.exe
3200	Mp3TubeSvc.exe
528	Mp3TubeSvc.exe
1016	Mp3TubeSvc.exe
3928	Mp3TubeVideoToMp3.exe

Loads dropped DLL 31 IoCs

pid	Process
1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
3676	mp3tube-tb-setup.exe
3676	mp3tube-tb-setup.exe
3676	mp3tube-tb-setup.exe
3676	mp3tube-tb-setup.exe
3676	mp3tube-tb-setup.exe
3676	mp3tube-tb-setup.exe
3676	mp3tube-tb-setup.exe
3676	mp3tube-tb-setup.exe
3676	mp3tube-tb-setup.exe
3676	mp3tube-tb-setup.exe
3676	mp3tube-tb-setup.exe
3676	mp3tube-tb-setup.exe
3676	mp3tube-tb-setup.exe
3676	mp3tube-tb-setup.exe
3676	mp3tube-tb-setup.exe
3676	mp3tube-tb-setup.exe
1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\Thumbs.db	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\plainbutton.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\ffmpeg.exe	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\content\tbcore.js	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\content\convertvideodlg.xul	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\savemp3popup.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\feeditem.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\mostly_cloudy.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\install.rdf	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\mp3tubetb.dll	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\content\savetomp3popup.js	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\arrow_partner.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\youtube.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\content\savetomp3popup.xul	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\popupWindow.css	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\separator_line.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\arrow_small.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\snow.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\savemp3_disabled.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\cloudy.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\mostly_sunny.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\Thumbs.db	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\weatherbug.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\youtube.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\chance_of_storm.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\hazy.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\savemp3popup-musicicon.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\saveyoutubevideos.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\watermark.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\content\constants.js	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\arrow_small.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\facebook.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\mist.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\content\weatherLoc.js	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\arrow-grey.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\logo.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\btn_close.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\Thumbs.db	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\search.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\storm.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\bg.jpg	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\Thumbs.db	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\news_refresh.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\savetomp3PopUp.css	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\content\convertvideodlg.js	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\news_refresh.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\news.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\chance_of_snow.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\sleet.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\sunny.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\windy.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\btn_close.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\savemp3.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\chance_of_rain.png	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\chance_of_snow.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\flurries.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\weather\	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\uninstall.exe	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\bg.jpg	mp3tube-tb-setup.exe
File created	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\divider.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\icon-RSS.png	mp3tube-tb-setup.exe
File opened for modification	C:\Program Files (x86)\Mp3Tube Toolbar\xpi\chrome\skin\buttons\searchbar-grey-250.png	mp3tube-tb-setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mp3TubeSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mp3TubeSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mp3TubeSvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mp3TubeVideoToMp3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mp3tube-tb-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234c5-15.dat	nsis_installer_1

Modifies Internet Explorer settings 1 TTPs 25 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Main	mp3tube-tb-setup.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{46897C77-E7A6-4c33-BFFB-E9C2E2718942}	mp3tube-tb-setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5DF6DC69-6607-4732-90B2-10EBD5B58698}\URL = "http://mp3tubetoolbar.com/?tmp=toolbar_sb_results&prt=pinballtbfour01ie&Keywords={searchTerms}&clid=44991252d31f49fe87ff0433b3aca084"	mp3tube-tb-setup.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{5DF6DC69-6607-4732-90B2-10EBD5B58698}"	mp3tube-tb-setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D2912033-4E38-11EF-9338-C22FF2BD35B2} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5DF6DC69-6607-4732-90B2-10EBD5B58698}\FaviconURL = "http://www.yahoo.com/favicon.ico"	mp3tube-tb-setup.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5DF6DC69-6607-4732-90B2-10EBD5B58698}	mp3tube-tb-setup.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar	mp3tube-tb-setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\SearchScopes	mp3tube-tb-setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{5DF6DC69-6607-4732-90B2-10EBD5B58698}\DisplayName = "Yahoo-Mp3Tube"	mp3tube-tb-setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\AutoSearch = "0"	mp3tube-tb-setup.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://mp3tubetoolbar.com/?tmp=toolbar_Mp3Tube_homepage&prt=pinballtbfour04ie&clid=44991252d31f49fe87ff0433b3aca084"	mp3tube-tb-setup.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46897C77-E7A6-4c33-BFFB-E9C2E2718942}	mp3tube-tb-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46897C77-E7A6-4c33-BFFB-E9C2E2718942}\ = "Mp3Tube Toolbar"	mp3tube-tb-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46897C77-E7A6-4c33-BFFB-E9C2E2718942}\InProcServer32	mp3tube-tb-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46897C77-E7A6-4c33-BFFB-E9C2E2718942}\InProcServer32\ = "\"C:\\Program Files (x86)\\Mp3Tube Toolbar\\mp3tubetb.DLL\""	mp3tube-tb-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{46897C77-E7A6-4c33-BFFB-E9C2E2718942}\InProcServer32\ThreadingModel = "Apartment"	mp3tube-tb-setup.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1016	Mp3TubeSvc.exe
1016	Mp3TubeSvc.exe
1016	Mp3TubeSvc.exe
1016	Mp3TubeSvc.exe
1016	Mp3TubeSvc.exe
1016	Mp3TubeSvc.exe
1016	Mp3TubeSvc.exe
1016	Mp3TubeSvc.exe
1016	Mp3TubeSvc.exe
1016	Mp3TubeSvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3888	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3888	iexplore.exe
3888	iexplore.exe
1808	IEXPLORE.EXE
1808	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 3676	1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe	85
PID 1644 wrote to memory of 3676	1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe	85
PID 1644 wrote to memory of 3676	1644	76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe	85
PID 3888 wrote to memory of 1808	3888	iexplore.exe	90
PID 3888 wrote to memory of 1808	3888	iexplore.exe	90
PID 3888 wrote to memory of 1808	3888	iexplore.exe	90
PID 3676 wrote to memory of 3200	3676	mp3tube-tb-setup.exe	91
PID 3676 wrote to memory of 3200	3676	mp3tube-tb-setup.exe	91
PID 3676 wrote to memory of 3200	3676	mp3tube-tb-setup.exe	91
PID 3676 wrote to memory of 528	3676	mp3tube-tb-setup.exe	93
PID 3676 wrote to memory of 528	3676	mp3tube-tb-setup.exe	93
PID 3676 wrote to memory of 528	3676	mp3tube-tb-setup.exe	93
PID 1016 wrote to memory of 3928	1016	Mp3TubeSvc.exe	96
PID 1016 wrote to memory of 3928	1016	Mp3TubeSvc.exe	96
PID 1016 wrote to memory of 3928	1016	Mp3TubeSvc.exe	96

C:\Users\Admin\AppData\Local\Temp\76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\76f12d7f400b862ec84f6e0ea60dca7d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\mp3tube-tb-setup.exe
  "C:\Users\Admin\AppData\Local\Temp\mp3tube-tb-setup.exe" -i 44991252d31f49fe87ff0433b3aca084 -p pinballtbfour
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Program Files (x86)\Mp3Tube Toolbar\Mp3TubeSvc.exe
    "Mp3TubeSvc.exe" -i
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3200
- - C:\Program Files (x86)\Mp3Tube Toolbar\Mp3TubeSvc.exe
    "Mp3TubeSvc.exe" -r
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:528

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:228

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3888 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1808

C:\Program Files (x86)\Mp3Tube Toolbar\Mp3TubeSvc.exe
"C:\Program Files (x86)\Mp3Tube Toolbar\Mp3TubeSvc.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Program Files (x86)\Mp3Tube Toolbar\Mp3TubeVideoToMp3.exe
  "C:\Program Files (x86)\Mp3Tube Toolbar\Mp3TubeVideoToMp3.exe" c55e45dcae0d5907cd8fce0d34bc48cd
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Mp3Tube Toolbar\Mp3TubeSvc.exe

Filesize
222KB

MD5
4427878b91743c24565ba2e32968920d

SHA1
86e451c7446f4f9ce76bd55dc7209605150e1e89

SHA256
4dd3117ced749186ef97199a62b3a591e8699241e3d99ba6e1451c4b3a6c8e5f

SHA512
b094ae651d0b1f13aa56f4472ceb88e709e2099fda434fbc16d8b3c360babe8b983e2b2f011d7ae2195b74cdc681d5c22428476ecb2b7f3afc4786458289780d

Download Submit
C:\Program Files (x86)\Mp3Tube Toolbar\Mp3TubeVideoToMp3.exe

Filesize
180KB

MD5
c254ad1c8e36199c51c55a5b09c47f45

SHA1
cb10f4785133fe72d7bb84eb3d0db421cfc0a144

SHA256
dbec14e5034a09307dc4edcf99b462e3da60d038e29fa9b0375d989c0b8cca74

SHA512
309ace0b056b9fc9fa7198265cd2d747f117414e8770d15c7780a09e9e6a68be9f1d0f73d6d1d678c1b8fd6d16b7309fdf6a136ece95fbb12144bc72b8aa84fe

Download Submit
C:\Program Files (x86)\Mp3Tube Toolbar\mp3tubetb.dll

Filesize
1.0MB

MD5
7661262a701827d40a4b0e6db3de835f

SHA1
733f9bd3ce1c163f2071b71dabbd6f85006be2e8

SHA256
aa403c5e0eb6423d3753f65d99be57b833f5f7d758cbfd425320fa7b9af52a7d

SHA512
7a7d02145e417093aa14b966459522126a5cd790f99c9d6c4d867324ff127d0e38793358042cd91f836e68798bfd64f780888908fe4435054f37097edd60a0bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mp3tube-tb-setup.exe

Filesize
4.2MB

MD5
d07520b0b2a63ba90b8a81c32d23dc2f

SHA1
25a7edc723434453a4867528d3db375b6f4e93cd

SHA256
bb401d2ed364fdee35c659b6d247e0a651175fc57cd47f842c26b8987764d87d

SHA512
f9e831378c7ddf2ea654174d8c8be962d09e764799ff4d6a711b8337b0dd1d4ef2f390926af953eaea1bd76ce0922a90c70a32631c08352e9f7c126a0ce5309a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgB056.tmp\System.dll

Filesize
10KB

MD5
fe24766ba314f620d57d0cf7339103c0

SHA1
8641545f03f03ff07485d6ec4d7b41cbb898c269

SHA256
802ef71440f662f456bed6283a5ff78066af016897fe6bfd29cac6edc2967bbd

SHA512
60d36959895cebf29c4e7713e6d414980139c7aa4ed1c8c96fefb672c1263af0ce909fb409534355895649c0e8056635112efb0da2ba05694446aec2ca77e2e3

Download Submit
memory/3676-244-0x0000000002F00000-0x000000000300C000-memory.dmp

Filesize
1.0MB

Download