aff358ac6305a73e571fe0d17f368cbda6159137415ca886d3422c0f3a81ded5

Analysis

max time kernel
137s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240729-en
resource tags

arch:x64arch:x86image:win10v2004-20240729-enlocale:en-usos:windows10-2004-x64system
submitted
27/07/2024, 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
Size

47KB
MD5

778ccc53d9bc03304518e8f2c93f0e8f
SHA1

da2eee16848d39f6e0ef033a7c0adf4fad619e94
SHA256

aff358ac6305a73e571fe0d17f368cbda6159137415ca886d3422c0f3a81ded5
SHA512

b16bf80b0fe359d8245ecb5b8448c8a07747f54ad9befc7c27224f0510559823a6fe0e7d2b987b6ba06d4b7cb1e5b3c43e9001ad35ca8f39464893c53957f353
SSDEEP

768:NNeNnE73LMdK1STfHVdr9ZgahwkSHgQV178vwRQ/dLI3CG+Nxg+EWoQ:Nb77kfbTgaQAQTO/BI3xgq1Q

Score

7^/10

adware discovery evasion execution persistence stealer trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1860	A9PZ62.EXE

Loads dropped DLL 1 IoCs

pid	Process
4956	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C97C29FC-88AE-7FB3-407D-D50FB0CFD753}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\8HAUB1IEZKA0\DU00PU4E9.EXE	A9PZ62.EXE
File opened for modification	C:\Program Files\8HAUB1IEZKA0\DU00PU4E9.EXE	A9PZ62.EXE
File created	C:\Program Files\8HAUB1IEZKA0\IKIL5.EXE	A9PZ62.EXE
File opened for modification	C:\Program Files\8HAUB1IEZKA0\IKIL5.EXE	A9PZ62.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\FDONSZUYCQS.txt	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
File created	\??\c:\windows\fdonszuycqs.dll	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A9PZ62.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\ASPFILE\SCRIPTHOSTENCODE	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language Encoding"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID\ = "{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0\win32\ = "c:\\windows\\fdonszuycqs.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.2\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.ENCODE\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C97C29FC-88AE-7FB3-407D-D50FB0CFD753}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1 AUTHOR\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWow64\\jscript.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.ENCODE\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\INPROCSERVER32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C97C29FC-88AE-7FB3-407D-D50FB0CFD753}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\HELPDIR\ = "c:\\windows"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT AUTHOR\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID\ = "{C97C29FC-88AE-7FB3-407D-D50FB0CFD753}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\PROGID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID\ = "JScript.Compact"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ = "Ixunlei"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\ = "JScript Language"	regsvr32.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
388	reg.exe
4572	reg.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3820	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
3820	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
3820	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
3820	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
3820	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
1860	A9PZ62.EXE
1860	A9PZ62.EXE

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3820 wrote to memory of 1860	3820	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	84
PID 3820 wrote to memory of 1860	3820	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	84
PID 3820 wrote to memory of 1860	3820	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	84
PID 3820 wrote to memory of 4956	3820	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	85
PID 3820 wrote to memory of 4956	3820	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	85
PID 3820 wrote to memory of 4956	3820	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	85
PID 3820 wrote to memory of 1752	3820	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	86
PID 3820 wrote to memory of 1752	3820	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	86
PID 3820 wrote to memory of 1752	3820	778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe	86
PID 1752 wrote to memory of 2804	1752	cmd.exe	88
PID 1752 wrote to memory of 2804	1752	cmd.exe	88
PID 1752 wrote to memory of 2804	1752	cmd.exe	88
PID 1752 wrote to memory of 4068	1752	cmd.exe	89
PID 1752 wrote to memory of 4068	1752	cmd.exe	89
PID 1752 wrote to memory of 4068	1752	cmd.exe	89
PID 1752 wrote to memory of 900	1752	cmd.exe	90
PID 1752 wrote to memory of 900	1752	cmd.exe	90
PID 1752 wrote to memory of 900	1752	cmd.exe	90
PID 1752 wrote to memory of 4808	1752	cmd.exe	91
PID 1752 wrote to memory of 4808	1752	cmd.exe	91
PID 1752 wrote to memory of 4808	1752	cmd.exe	91
PID 1752 wrote to memory of 2616	1752	cmd.exe	92
PID 1752 wrote to memory of 2616	1752	cmd.exe	92
PID 1752 wrote to memory of 2616	1752	cmd.exe	92
PID 1752 wrote to memory of 820	1752	cmd.exe	93
PID 1752 wrote to memory of 820	1752	cmd.exe	93
PID 1752 wrote to memory of 820	1752	cmd.exe	93
PID 1752 wrote to memory of 1604	1752	cmd.exe	94
PID 1752 wrote to memory of 1604	1752	cmd.exe	94
PID 1752 wrote to memory of 1604	1752	cmd.exe	94
PID 1752 wrote to memory of 5060	1752	cmd.exe	95
PID 1752 wrote to memory of 5060	1752	cmd.exe	95
PID 1752 wrote to memory of 5060	1752	cmd.exe	95
PID 1752 wrote to memory of 2820	1752	cmd.exe	96
PID 1752 wrote to memory of 2820	1752	cmd.exe	96
PID 1752 wrote to memory of 2820	1752	cmd.exe	96
PID 1752 wrote to memory of 1616	1752	cmd.exe	97
PID 1752 wrote to memory of 1616	1752	cmd.exe	97
PID 1752 wrote to memory of 1616	1752	cmd.exe	97
PID 1752 wrote to memory of 1560	1752	cmd.exe	98
PID 1752 wrote to memory of 1560	1752	cmd.exe	98
PID 1752 wrote to memory of 1560	1752	cmd.exe	98
PID 1752 wrote to memory of 388	1752	cmd.exe	99
PID 1752 wrote to memory of 388	1752	cmd.exe	99
PID 1752 wrote to memory of 388	1752	cmd.exe	99
PID 1752 wrote to memory of 4572	1752	cmd.exe	100
PID 1752 wrote to memory of 4572	1752	cmd.exe	100
PID 1752 wrote to memory of 4572	1752	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\778ccc53d9bc03304518e8f2c93f0e8f_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3820
- C:\A9PZ62.EXE
  C:\A9PZ62.EXE FDONSZUYCQS
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1860
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "c:\windows\fdonszuycqs.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4956
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\W32R4V4KW7.BAT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2804
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4068
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:900
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:4808
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2616
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s msvidctl.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:820
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1604
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5060
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2820
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1616
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1560
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:388
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\A9PZ62.EXE

Filesize
10KB

MD5
545207a2c51329d284b28c9be5769d75

SHA1
33dba2c5f52eaefd2a24d9e5f2da0dc1c082299f

SHA256
ba6890aaa3aa74cf87a2e13e754f3b3d7e9561cab45f050bb604d21ca9a532f0

SHA512
6b39e1140e1feec4c5ec54c666ff9cc3dddaa6adf16bc33efde30272c26274e1a663dda0762181d440f7a97c5f2ba979e60ae0df1062637f13b6dfafbd2e4438

Download Submit
C:\Program Files\8HAUB1IEZKA0\IKIL5.EXE

Filesize
47KB

MD5
778ccc53d9bc03304518e8f2c93f0e8f

SHA1
da2eee16848d39f6e0ef033a7c0adf4fad619e94

SHA256
aff358ac6305a73e571fe0d17f368cbda6159137415ca886d3422c0f3a81ded5

SHA512
b16bf80b0fe359d8245ecb5b8448c8a07747f54ad9befc7c27224f0510559823a6fe0e7d2b987b6ba06d4b7cb1e5b3c43e9001ad35ca8f39464893c53957f353

Download Submit
C:\W32R4V4KW7.BAT

Filesize
1KB

MD5
eaababfc3d48375a200c2f1f84242e77

SHA1
0f4601f9b49fa3dd4daadae190762092a02c5021

SHA256
5ec74888058cfa112df9302932d187cd539f0e58753ce207150a08e404628682

SHA512
67958be2662453e4c316c5f0b7181944ae9288bb69e4b79201765ca843d9f260ebb0554c83f1b6c4a2bb28f808ef7822e1d2108dccd851e2b8d0c88c06ce281e

Download Submit
C:\Windows\FDONSZUYCQS.txt

Filesize
47KB

MD5
2b1a668e886599023df6e2ace036f968

SHA1
8a50ad07ef8e6a8025b30f83da5bb2317c43a858

SHA256
0fd343347584bb0a74898cccc1d546761d4f85642598b34e69145dbeb7964fc9

SHA512
635590e5255c85cf2433813288e3f974d162acb536e09071213f124d0687742c840d11f74e1b2ea18dd34419e8b0b95335c4e539882e05f0507d79757793f5ad

Download Submit
\??\c:\windows\fdonszuycqs.dll

Filesize
28KB

MD5
b058a1cb4bf45a95cfe8665d09435afb

SHA1
32ae960f17f6c469c416775940faf81f69e1aaa8

SHA256
5d1361846da7c06657d204ec0888a8e3371a0971cc3cc12c79ce6a03c70aa670

SHA512
e6e3b90637790ff551b3b5f8b1c10b0155951037582031f7e0bd3d66846d75e2ee74be3aa987e01d9ae2b1678b996a6a6b85c07e0ff2a36e6001542a742ac27f

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads