Analysis
-
max time kernel
136s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240729-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20240729-en locale:en-us os:windows10-2004-x64 system -
submitted
27/07/2024, 11:19
Static task
static1
Behavioral task
behavioral1
Sample
78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe
Resource
win10v2004-20240729-en
General
-
Target
78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe
-
Size
356KB
-
MD5
78044019f77916fee0b21d1a3dec9f10
-
SHA1
a966f862ec2e3065c57683ca48ae225bab5180ab
-
SHA256
ffebdcf761ac42e8c5d0750bd756bded89e8cb28e9a694ab3a57383bd4c970c2
-
SHA512
92758a5a041b768da6d609a25827b4f1d883ac5318d687eedd743868e694b0908af21b783441b84caf1317636d9b35890a9ec41af6bc05309aaed43b1260b7ab
-
SSDEEP
6144:p92AKw2Dd1CGxDTx6ENVAyWNgrzuRXGF88/HfaJhXm:p0AKhvgEbAlgCtefchX
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\shell.exe" printer.exe -
Modifies firewall policy service 3 TTPs 40 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List printer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\shell.exe = "C:\\Windows\\shell.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\findfast.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\autorun.exe = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile printer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\printer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) 
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\printer.exe = "C:\\Windows\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\printer.exe = "C:\\Windows\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\spoolvs.exe = "C:\\Windows\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\spoolvs.exe = "C:\\Windows\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\shell.exe = "C:\\Windows\\shell.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\winav.exe = "%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\autorun.exe = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019" 
printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%windir%\system32\winav.exe = "%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications printer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\system32\spoolvs.exe = "C:\\Windows\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\shell.exe = "C:\\Windows\\shell.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\findfast.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\autorun.exe = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\printer.exe = 
"C:\\Users\\Admin\\AppData\\Roaming\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\system32\printer.exe = "C:\\Windows\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\printer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List printer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\findfast.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\winav.exe = "%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\printer.exe = "C:\\Users\\Admin\\AppData\\Roaming\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications printer.exe Key created 
\REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\system32\printer.exe = "C:\\Windows\\system32\\printer.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\system32\spoolvs.exe = "C:\\Windows\\system32\\spoolvs.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\shell.exe = "C:\\Windows\\shell.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\findfast.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\findfast.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\autorun.exe = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\autorun.exe:*:Enabled:@xpsp2res.dll,-22019" printer.exe Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%windir%\system32\winav.exe = "%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019" 
printer.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" printer.exe -
Drops file in Drivers directory 1 IoCs
description ioc Process File created C:\Windows\system32\drivers\etc\st.im printer.exe -
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects a file packed with ACProtect software.
resource yara_rule behavioral2/files/0x0007000000023589-20.dat acprotect -
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\Control Panel\International\Geo\Nation 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\findfast.exe printer.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\findfast.exe printer.exe -
Executes dropped EXE 2 IoCs
pid Process 4544 printer.exe 700 npad.exe -
Loads dropped DLL 2 IoCs
pid Process 3636 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 700 npad.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Printer = "C:\\Windows\\system32\\printer.exe" printer.exe Set value (str) \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spoolsv = "C:\\Windows\\system32\\spoolvs.exe" printer.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 1 IoCs
BHOs are DLL modules that act as plugins for Internet Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2A8D06B4-1B40-009F-E531-629A59080F43} npad.exe -
Drops file in System32 directory 6 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\spoolvs.exe printer.exe File opened for modification C:\Windows\SysWOW64\npad.exe npad.exe File created C:\Windows\SysWOW64\printer.exe printer.exe File opened for modification C:\Windows\SysWOW64\printer.exe printer.exe File created C:\Windows\SysWOW64\spoolvs.exe printer.exe -
Drops file in Program Files directory 6 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\altcmd\uninstall.bat npad.exe File created C:\Program Files (x86)\altcmd\altcmd32.dll npad.exe File opened for modification C:\Program Files (x86)\altcmd\altcmd32.dll npad.exe File created C:\Program Files (x86)\altcmd\altcmd.inf npad.exe File opened for modification C:\Program Files (x86)\altcmd\altcmd.inf npad.exe File created C:\Program Files (x86)\altcmd\uninstall.bat npad.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\shell.exe printer.exe File opened for modification C:\Windows\shell.exe printer.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language printer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language npad.exe -
Modifies Internet Explorer settings 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\ShowedCheckBrowser = "Yes" printer.exe Set value (str) \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Check_Associations = "No" printer.exe Set value (str) \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" printer.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\TypeLib npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226} npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\Version = "1.0" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp.1 npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp\CLSID\ = "{2A8D06B4-1B40-009F-E531-629A59080F43}" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\ = "MsVCL1 1.0 Type Library" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ = "_IBhoAppEvents" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\http\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" %1" printer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\gopher\shell\open\command printer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp\ = "BhoApp Class" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\VersionIndependentProgID\ = "hzfeL1.BhoApp" npad.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ = "_IBhoAppEvents" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\Programmable npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\VersionIndependentProgID npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32 npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\altcmd\\" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\gopher\shell\open printer.exe Set value (str) \REGISTRY\USER\S-1-5-21-735441492-2964205366-2526932795-1000_Classes\.html\ = "htmlfile" printer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\InprocServer32\ = "C:\\Program Files (x86)\\altcmd\\altcmd32.dll" npad.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" %1" printer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\gopher\shell printer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp\CLSID npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp\CurVer npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\ProgID npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91} npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\gopher printer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Program Files (x86)\\altcmd\\altcmd32.dll" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\gopher\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" %1" printer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32 npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0 npad.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91} npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe\" %1" printer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\ = "htmlfile" printer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\hzfeL1.BhoApp.1\ = "BhoApp Class" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43} npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\InprocServer32\ThreadingModel = "Apartment" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\ProxyStubClsid32 npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{967A494A-6AEC-4555-9CAF-FA6EB00ACF91}\TypeLib\Version = "1.0" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}" npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xht\ = 
"htmlfile" printer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2A8D06B4-1B40-009F-E531-629A59080F43}\ = "BhoApp Class" npad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0 npad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\ = "htmlfile" printer.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 3636 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 4544 printer.exe 4544 printer.exe 4544 printer.exe 4544 printer.exe -
Suspicious use of SendNotifyMessage 4 IoCs
pid Process 4544 printer.exe 4544 printer.exe 4544 printer.exe 4544 printer.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3636 wrote to memory of 4544 3636 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 85 PID 3636 wrote to memory of 4544 3636 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 85 PID 3636 wrote to memory of 4544 3636 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 85 PID 3636 wrote to memory of 700 3636 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 86 PID 3636 wrote to memory of 700 3636 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 86 PID 3636 wrote to memory of 700 3636 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 86 PID 3636 wrote to memory of 1928 3636 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 87 PID 3636 wrote to memory of 1928 3636 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 87 PID 3636 wrote to memory of 1928 3636 78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe 87 PID 700 wrote to memory of 1436 700 npad.exe 88 PID 700 wrote to memory of 1436 700 npad.exe 88 PID 700 wrote to memory of 1436 700 npad.exe 88 -
System policy modification 1 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" printer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" printer.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\78044019f77916fee0b21d1a3dec9f10_JaffaCakes118.exe" 1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Users\Admin\AppData\Roaming\printer.exe "C:\Users\Admin\AppData\Roaming\printer.exe" 2⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- System policy modification
PID:4544
-
-
C:\Users\Admin\AppData\Roaming\npad.exe "C:\Users\Admin\AppData\Roaming\npad.exe" 2⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\635A.bat 3⤵
- System Location Discovery: System Language Discovery
PID:1436
-
-
-
C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\62FC.bat 2⤵
- System Location Discovery: System Language Discovery
PID:1928
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Browser Extensions 1
Create or Modify System Process 1
Windows Service 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Registry Run Keys / Startup Folder 1
Winlogon Helper DLL 1
Create or Modify System Process 1
Windows Service 1
Defense Evasion
Impair Defenses 1
Disable or Modify System Firewall 1
Modify Registry 6
Downloads
-
Filesize
180KB
MD5 d602673268d6498ee95742aba16351e9
SHA1 75652a3a73095ebb18d43bb9aef5ffba62d2a52f
SHA256 fad1ee29098f536856649cf2e329437a970b6873605e4856d36ad800adce81b5
SHA512 569c125cc403f6f0c426d98044e104934bd9f1b59cce6457dec65a842f2ffa4b52bdd99f55d577c027503e0bd7404f5bcded8b7c6da635bdc8ffa5b1ac22104a
-
Filesize
259B
MD5 f360cd6fcd9d7a476ceb3736725ca348
SHA1 5e75667ba044a77b4f0fe9403e3c1ac058a9db2d
SHA256 8c37845530051b192e7ca64115b5f60e3f1304aef99d2b7e6fd1a41f4359f8dd
SHA512 b85e12769a9e9bd756d5ccb9ca16b7578bcfc9214a071b9277a384cca5f2c65f79dc6ef29b1c8638da28086e3e9b3a15f8e1a7fdaf45966f469bac834ac4858c
-
Filesize
169B
MD5 f1d1cff5cc8ec3d4b3d97668971f70a0
SHA1 45591ace06b008c518f431a68c782699755420b2
SHA256 cdd6a6a1288c35413ae144de57bd9d4fed008bf047a5f80800c845e6d889da8b
SHA512 5fab34b5b9225466fdec1088ac5b9007a38d14524396c71ee039fc8cb97f552938cf0014942779e9c03bedebc59294a7f91848ecb6a1a8b8bd223f4c46b017bc
-
Filesize
204KB
MD5 9d0d44f7e2da814b874cac61e37b865f
SHA1 59f4cf3144d5f9ddc9e7b839947c934141fd2e5a
SHA256 fe7418b6d4afdb28d9c3b5a3e56a9f0e856d8800ca337f781dda22327b71a504
SHA512 8515ee449faf55de31e998f085985a3e407d7b3b0f45a63efd4bfa5e02be44b573efc3a952b69ddf576f96cc7d5004c65086d26f9d74d78b246c117211c808ba
-
Filesize
56KB
MD5 dd4afbcf01b1eeff176324dd83682e20
SHA1 4e5b4eea02e0365ce97a059a456cf769c4017353
SHA256 a258f68eae18fae9d0fb7110527a8dd6e2cbd0e44016a19373ad10bb5eb16020
SHA512 2db69c8507b0407713b6d2f638425bbd632c4493e5d4cf86352481f4a8efa8f954092f1efe5c47ba38afddec94a19dffec7e7ef5bc0d42b76a42ac463a47ce7a
-
Filesize
76KB
MD5 b5cc2c60341b5950e9fad7a00ea7b05f
SHA1 0a28b51a61a7057efc05f3aba13db43b21cde0f1
SHA256 33fb4da8e40fefdabe9351af64bb073b45777894ab006b81056dcdf4affe1e6d
SHA512 25fdf48da73a7558730cb92552cc958a19b2bdfda7df9ab5abdc91612765b364ebade3518fcbd52490c78cf80e007d4e196f6afdba963a6d1b9835190c5d628c