aff358ac6305a73e571fe0d17f368cbda6159137415ca886d3422c0f3a81ded5

Analysis

max time kernel
143s
max time network
149s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
Size

47KB
MD5

778ccc53d9bc03304518e8f2c93f0e8f
SHA1

da2eee16848d39f6e0ef033a7c0adf4fad619e94
SHA256

aff358ac6305a73e571fe0d17f368cbda6159137415ca886d3422c0f3a81ded5
SHA512

b16bf80b0fe359d8245ecb5b8448c8a07747f54ad9befc7c27224f0510559823a6fe0e7d2b987b6ba06d4b7cb1e5b3c43e9001ad35ca8f39464893c53957f353
SSDEEP

768:NNeNnE73LMdK1STfHVdr9ZgahwkSHgQV178vwRQ/dLI3CG+Nxg+EWoQ:Nb77kfbTgaQAQTO/BI3xgq1Q

Score

7^/10

adware discovery evasion execution persistence stealer trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2176	GGI2K26K.EXE

Loads dropped DLL 1 IoCs

pid	Process
2176	GGI2K26K.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C97C29FC-88AE-7FB3-407D-D50FB0CFD753}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\24LS3I\AI0D9ZBAY0W.EXE	GGI2K26K.EXE
File opened for modification	C:\Program Files\24LS3I\AI0D9ZBAY0W.EXE	GGI2K26K.EXE
File created	C:\Program Files\24LS3I\OO8BTFD.EXE	GGI2K26K.EXE
File opened for modification	C:\Program Files\24LS3I\OO8BTFD.EXE	GGI2K26K.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\FDONSZUYCQS.txt	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
File created	\??\c:\windows\fdonszuycqs.dll	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GGI2K26K.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\PROGID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID\ = "{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\SysWOW64\\jscript.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\SCRIPTHOSTENCODE	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\ = "JScript Language Encoding"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\FLAGS	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\SCRIPTHOSTENCODE	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWOW64\\jscript.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}"	regsvr32.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2632	reg.exe
2884	reg.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
2176	GGI2K26K.EXE
2176	GGI2K26K.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2176	2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	29
PID 2584 wrote to memory of 2176	2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	29
PID 2584 wrote to memory of 2176	2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	29
PID 2584 wrote to memory of 2176	2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	29
PID 2584 wrote to memory of 2776	2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2776	2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2776	2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2776	2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2776	2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2776	2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2776	2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	30
PID 2584 wrote to memory of 2876	2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2876	2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2876	2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	31
PID 2584 wrote to memory of 2876	2584	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	31
PID 2876 wrote to memory of 2756	2876	cmd.exe	33
PID 2876 wrote to memory of 2756	2876	cmd.exe	33
PID 2876 wrote to memory of 2756	2876	cmd.exe	33
PID 2876 wrote to memory of 2756	2876	cmd.exe	33
PID 2876 wrote to memory of 2756	2876	cmd.exe	33
PID 2876 wrote to memory of 2756	2876	cmd.exe	33
PID 2876 wrote to memory of 2756	2876	cmd.exe	33
PID 2876 wrote to memory of 2740	2876	cmd.exe	34
PID 2876 wrote to memory of 2740	2876	cmd.exe	34
PID 2876 wrote to memory of 2740	2876	cmd.exe	34
PID 2876 wrote to memory of 2740	2876	cmd.exe	34
PID 2876 wrote to memory of 2740	2876	cmd.exe	34
PID 2876 wrote to memory of 2740	2876	cmd.exe	34
PID 2876 wrote to memory of 2740	2876	cmd.exe	34
PID 2876 wrote to memory of 2976	2876	cmd.exe	35
PID 2876 wrote to memory of 2976	2876	cmd.exe	35
PID 2876 wrote to memory of 2976	2876	cmd.exe	35
PID 2876 wrote to memory of 2976	2876	cmd.exe	35
PID 2876 wrote to memory of 2636	2876	cmd.exe	36
PID 2876 wrote to memory of 2636	2876	cmd.exe	36
PID 2876 wrote to memory of 2636	2876	cmd.exe	36
PID 2876 wrote to memory of 2636	2876	cmd.exe	36
PID 2876 wrote to memory of 2848	2876	cmd.exe	37
PID 2876 wrote to memory of 2848	2876	cmd.exe	37
PID 2876 wrote to memory of 2848	2876	cmd.exe	37
PID 2876 wrote to memory of 2848	2876	cmd.exe	37
PID 2876 wrote to memory of 2972	2876	cmd.exe	38
PID 2876 wrote to memory of 2972	2876	cmd.exe	38
PID 2876 wrote to memory of 2972	2876	cmd.exe	38
PID 2876 wrote to memory of 2972	2876	cmd.exe	38
PID 2876 wrote to memory of 2972	2876	cmd.exe	38
PID 2876 wrote to memory of 2972	2876	cmd.exe	38
PID 2876 wrote to memory of 2972	2876	cmd.exe	38
PID 2876 wrote to memory of 1808	2876	cmd.exe	39
PID 2876 wrote to memory of 1808	2876	cmd.exe	39
PID 2876 wrote to memory of 1808	2876	cmd.exe	39
PID 2876 wrote to memory of 1808	2876	cmd.exe	39
PID 2876 wrote to memory of 2800	2876	cmd.exe	40
PID 2876 wrote to memory of 2800	2876	cmd.exe	40
PID 2876 wrote to memory of 2800	2876	cmd.exe	40
PID 2876 wrote to memory of 2800	2876	cmd.exe	40
PID 2876 wrote to memory of 2800	2876	cmd.exe	40
PID 2876 wrote to memory of 2800	2876	cmd.exe	40
PID 2876 wrote to memory of 2800	2876	cmd.exe	40
PID 2876 wrote to memory of 2808	2876	cmd.exe	41
PID 2876 wrote to memory of 2808	2876	cmd.exe	41
PID 2876 wrote to memory of 2808	2876	cmd.exe	41
PID 2876 wrote to memory of 2808	2876	cmd.exe	41
PID 2876 wrote to memory of 2808	2876	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2584
- C:\GGI2K26K.EXE
  C:\GGI2K26K.EXE FDONSZUYCQS
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2176
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "c:\windows\fdonszuycqs.dll"
  2⤵
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2776
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\27RUR9IZIBT.BAT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2756
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2976
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2636
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2848
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s msvidctl.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2972
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1808
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2800
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2808
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1592
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2684
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2884
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\27RUR9IZIBT.BAT

Filesize
1KB

MD5
eaababfc3d48375a200c2f1f84242e77

SHA1
0f4601f9b49fa3dd4daadae190762092a02c5021

SHA256
5ec74888058cfa112df9302932d187cd539f0e58753ce207150a08e404628682

SHA512
67958be2662453e4c316c5f0b7181944ae9288bb69e4b79201765ca843d9f260ebb0554c83f1b6c4a2bb28f808ef7822e1d2108dccd851e2b8d0c88c06ce281e

Download Submit
C:\GGI2K26K.EXE

Filesize
10KB

MD5
545207a2c51329d284b28c9be5769d75

SHA1
33dba2c5f52eaefd2a24d9e5f2da0dc1c082299f

SHA256
ba6890aaa3aa74cf87a2e13e754f3b3d7e9561cab45f050bb604d21ca9a532f0

SHA512
6b39e1140e1feec4c5ec54c666ff9cc3dddaa6adf16bc33efde30272c26274e1a663dda0762181d440f7a97c5f2ba979e60ae0df1062637f13b6dfafbd2e4438

Download Submit
C:\Program Files\24LS3I\OO8BTFD.EXE

Filesize
47KB

MD5
778ccc53d9bc03304518e8f2c93f0e8f

SHA1
da2eee16848d39f6e0ef033a7c0adf4fad619e94

SHA256
aff358ac6305a73e571fe0d17f368cbda6159137415ca886d3422c0f3a81ded5

SHA512
b16bf80b0fe359d8245ecb5b8448c8a07747f54ad9befc7c27224f0510559823a6fe0e7d2b987b6ba06d4b7cb1e5b3c43e9001ad35ca8f39464893c53957f353

Download Submit
C:\Windows\FDONSZUYCQS.txt

Filesize
47KB

MD5
2b1a668e886599023df6e2ace036f968

SHA1
8a50ad07ef8e6a8025b30f83da5bb2317c43a858

SHA256
0fd343347584bb0a74898cccc1d546761d4f85642598b34e69145dbeb7964fc9

SHA512
635590e5255c85cf2433813288e3f974d162acb536e09071213f124d0687742c840d11f74e1b2ea18dd34419e8b0b95335c4e539882e05f0507d79757793f5ad

Download Submit
\??\c:\windows\fdonszuycqs.dll

Filesize
28KB

MD5
b058a1cb4bf45a95cfe8665d09435afb

SHA1
32ae960f17f6c469c416775940faf81f69e1aaa8

SHA256
5d1361846da7c06657d204ec0888a8e3371a0971cc3cc12c79ce6a03c70aa670

SHA512
e6e3b90637790ff551b3b5f8b1c10b0155951037582031f7e0bd3d66846d75e2ee74be3aa987e01d9ae2b1678b996a6a6b85c07e0ff2a36e6001542a742ac27f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads