Analysis
-
max time kernel
137s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system -
submitted
27/07/2024, 11:19
Static task
static1
Behavioral task
behavioral1
Sample
78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe
Resource
win10v2004-20240729-en
General
-
Target
78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe
-
Size
356KB
-
MD5
78044019f77916fee0b21d1a3dec9f10
-
SHA1
a966f862ec2e3065c57683ca48ae225bab5180ab
-
SHA256
ffebdcf761ac42e8c5d0750bd756bded89e8cb28e9a694ab3a57383bd4c970c2
-
SHA512
92758a5a041b768da6d609a25827b4f1d883ac5318d687eedd743868e694b0908af21b783441b84caf1317636d9b35890a9ec41af6bc05309aaed43b1260b7ab
-
SSDEEP
6144:p92AKw2Dd1CGxDTx6ENVAyWNgrzuRXGF88/HfaJhXm:p0AKhvgEbAlgCtefchX
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\shell.exe" printer.exe -
Modifies firewall policy service 3 TTPs 32 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\printer.exe = "C:\\Windows\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\autorun.exe = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\printer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\findfast.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\findfast.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\shell.exe = "C:\\Windows\\shell.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\shell.exe = "C:\\Windows\\shell.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\system32\spoolvs.exe = "C:\\Windows\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\shell.exe = "C:\\Windows\\shell.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\autorun.exe = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\winav.exe = "%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\printer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value 
(str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\autorun.exe = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\winav.exe = "%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\winav.exe = "%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\system32\printer.exe = "C:\\Windows\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\findfast.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\spoolvs.exe = "C:\\Windows\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\winav.exe = "%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Key 
created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\shell.exe = "C:\\Windows\\shell.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\findfast.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\autorun.exe = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\system32\printer.exe = "C:\\Windows\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\printer.exe = "C:\\Windows\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\system32\spoolvs.exe = 
"C:\\Windows\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\spoolvs.exe = "C:\\Windows\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\printer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\printer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" printer.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\st.im printer.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
resource yara_rule behavioral1/files/0x0006000000019244-20.dat acprotect -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\findfast.exe printer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\findfast.exe printer.exe -
Executes dropped EXE 2 IoCs
pid Process 2792 printer.exe 2548 npad.exe -
Loads dropped DLL 6 IoCs
pid Process 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 2548 npad.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Printer = "C:\\Windows\\system32\\printer.exe" printer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Spoolsv = "C:\\Windows\\system32\\spoolvs.exe" printer.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2A8D06B4-1B40-009F-E531-629A59080F43} npad.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\npad.exe npad.exe File opened for modification C:\Windows\SysWOW64\78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe File created C:\Windows\SysWOW64\printer.exe printer.exe File opened for modification C:\Windows\SysWOW64\printer.exe printer.exe File created C:\Windows\SysWOW64\spoolvs.exe printer.exe File opened for modification C:\Windows\SysWOW64\spoolvs.exe printer.exe -
Drops file in Program Files directory 6 IoCs
description ioc Process File created C:\Program Files (x86)\altcmd\altcmd.inf npad.exe File opened for modification C:\Program Files (x86)\altcmd\altcmd.inf npad.exe File created C:\Program Files (x86)\altcmd\uninstall.bat npad.exe File opened for modification C:\Program Files (x86)\altcmd\uninstall.bat npad.exe File created C:\Program Files (x86)\altcmd\altcmd32.dll npad.exe File opened for modification C:\Program Files (x86)\altcmd\altcmd32.dll npad.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\shell.exe printer.exe File opened for modification C:\Windows\shell.exe printer.exe -
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language npad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies Internet Explorer settings 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\ShowedCheckBrowser = "Yes" printer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Check_Associations = "No" printer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" printer.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp\CurVer npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\gopher\shell\open printer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\ = "htmlfile" printer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp.1\CLSID\ = "{2A8D06B4-1B40-009F-E531-629A59080F43}" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\Version = "1.0" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp.1 npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\ = "BhoApp Class" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" npad.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\gopher printer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp.1\ = "BhoApp Class" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp\CLSID\ = "{2A8D06B4-1B40-009F-E531-629A59080F43}" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\gopher\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" %1" printer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0 npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Program Files (x86)\\altcmd\\altcmd32.dll" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\altcmd\\" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91} npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" %1" printer.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\.xht\ = "htmlfile" printer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp\CurVer\ = "hzfeL1.BhoApp.1" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\ProgID npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32 npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0 npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91} npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\ = "MsVCL1 1.0 Type Library" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ = "_IBhoAppEvents" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\ = "htmlfile" printer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32 npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp npad.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\VersionIndependentProgID\ = "hzfeL1.BhoApp" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\Programmable npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ = "_IBhoAppEvents" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp\ = "BhoApp Class" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\ProgID\ = "hzfeL1.BhoApp.1" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\gopher\shell\open\command printer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" %1" printer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.html\ = "htmlfile" printer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\ = "htmlfile" printer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\InprocServer32 npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\InprocServer32\ThreadingModel = "Apartment" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32 npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp\CLSID 
npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\VersionIndependentProgID npad.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 2792 printer.exe 2792 printer.exe 2792 printer.exe 2792 printer.exe -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 2792 printer.exe 2792 printer.exe 2792 printer.exe 2792 printer.exe -
Suspicious use of WriteProcessMemory 16 IoCs
description pid Process procid_target PID 2180 wrote to memory of 2792 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 30 PID 2180 wrote to memory of 2792 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 30 PID 2180 wrote to memory of 2792 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 30 PID 2180 wrote to memory of 2792 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 30 PID 2180 wrote to memory of 2548 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 31 PID 2180 wrote to memory of 2548 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 31 PID 2180 wrote to memory of 2548 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 31 PID 2180 wrote to memory of 2548 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 31 PID 2180 wrote to memory of 2544 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 32 PID 2180 wrote to memory of 2544 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 32 PID 2180 wrote to memory of 2544 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 32 PID 2180 wrote to memory of 2544 2180 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 32 PID 2548 wrote to memory of 2452 2548 npad.exe 33 PID 2548 wrote to memory of 2452 2548 npad.exe 33 PID 2548 wrote to memory of 2452 2548 npad.exe 33 PID 2548 wrote to memory of 2452 2548 npad.exe 33 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" printer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" printer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe" 1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Users\Admin\AppData\Roaming\printer.exe "C:\Users\Admin\AppData\Roaming\printer.exe" 2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- System policy modification
PID:2792
-
-
C:\Users\Admin\AppData\Roaming\npad.exe "C:\Users\Admin\AppData\Roaming\npad.exe" 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\cmd.exe cmd /c C:\Users\Admin\AppData\Local\Temp\E33E.bat 3⤵
- System Location Discovery: System Language Discovery
PID:2452
-
-
-
C:\Windows\SysWOW64\cmd.exe cmd /c C:\Users\Admin\AppData\Local\Temp\E2E0.bat 2⤵
- System Location Discovery: System Language Discovery
PID:2544
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Browser Extensions 1
Create or Modify System Process 1
Windows Service 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Create or Modify System Process 1
Windows Service 1
Defense Evasion
Impair Defenses 1
Disable or Modify System Firewall 1
Modify Registry 6
Replay Monitor
Downloads
-
Filesize
259B
MD5 c94bf8d31af5b530940bfd8272a26d6b
SHA1 1607c6e3d4727a0d765e355b00c380f20014ba3a
SHA256 c083e28bcced815467458d5b8653f63794055d18d62090f7b5ed20dcbee0fb0e
SHA512 95a2855604d13228875f82c81770aad35daa7a30448ada9d961ef5444eb5ecf4fb1c0670fe9afc4103e85f0bdbe113d6774930ed786874b51b41451282da0e2e
-
Filesize
169B
MD5 a52cc5f6b63e27f50e4007d2a930bbd2
SHA1 bafe5992debdf57766aae40ef3ef3d4be9dc2e45
SHA256 b87270bdae3b1b4130fda73b64e78795f2e8645fcbe353f862f04882a55883e2
SHA512 4c23445f5e711af7e34065a4dfeaea56f1310d87e833735ced91fe0012d892d2c15e8c29a94a73c105d3d53dcf57adbfe6b85a6fc8c67d9aee0e9c3dfcd1b6d8
-
Filesize
76KB
MD5 b5cc2c60341b5950e9fad7a00ea7b05f
SHA1 0a28b51a61a7057efc05f3aba13db43b21cde0f1
SHA256 33fb4da8e40fefdabe9351af64bb073b45777894ab006b81056dcdf4affe1e6d
SHA512 25fdf48da73a7558730cb92552cc958a19b2bdfda7df9ab5abdc91612765b364ebade3518fcbd52490c78cf80e007d4e196f6afdba963a6d1b9835190c5d628c
-
Filesize
180KB
MD5 d602673268d6498ee95742aba16351e9
SHA1 75652a3a73095ebb18d43bb9aef5ffba62d2a52f
SHA256 fad1ee29098f536856649cf2e329437a970b6873605e4856d36ad800adce81b5
SHA512 569c125cc403f6f0c426d98044e104934bd9f1b59cce6457dec65a842f2ffa4b52bdd99f55d577c027503e0bd7404f5bcded8b7c6da635bdc8ffa5b1ac22104a
-
Filesize
204KB
MD5 9d0d44f7e2da814b874cac61e37b865f
SHA1 59f4cf3144d5f9ddc9e7b839947c934141fd2e5a
SHA256 fe7418b6d4afdb28d9c3b5a3e56a9f0e856d8800ca337f781dda22327b71a504
SHA512 8515ee449faf55de31e998f085985a3e407d7b3b0f45a63efd4bfa5e02be44b573efc3a952b69ddf576f96cc7d5004c65086d26f9d74d78b246c117211c808ba
-
Filesize
56KB
MD5 dd4afbcf01b1eeff176324dd83682e20
SHA1 4e5b4eea02e0365ce97a059a456cf769c4017353
SHA256 a258f68eae18fae9d0fb7110527a8dd6e2cbd0e44016a19373ad10bb5eb16020
SHA512 2db69c8507b0407713b6d2f638425bbd632c4493e5d4cf86352481f4a8efa8f954092f1efe5c47ba38afddec94a19dffec7e7ef5bc0d42b76a42ac463a47ce7a