652c519839d52bcf943a8e75c486a1ac546be4ebfdcc5f75996aca92bd38ec98

Analysis

max time kernel
128s
max time network
137s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
01-08-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
Size

41KB
MD5

81c3ba4d8e5242327c5695453fb197cf
SHA1

843ea522569733ebb57539f7e63c2c8d24deae4c
SHA256

652c519839d52bcf943a8e75c486a1ac546be4ebfdcc5f75996aca92bd38ec98
SHA512

60776cb134e6b7f32fe757ec4ced6709fcc1d10b4a50d881f9c2450e9dcbb173e8d533ce7241d34dc83e98b1adf09cce4ec2568806e1f90892703a12e7434d24
SSDEEP

768:pjl2DPZbVTk3bqtaElJgs9DJ6IStG3x7RZb1UmfScp8Wt08DX0inGrkM5:Fl2DxpMbqQsZnStG3dRt6fSDjlM5

Score

8^/10

discovery evasion execution persistence trojan

Malware Config

Signatures

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2640	MW3GDYBQF.exe
2944	MW3GDYBQF.exe

Loads dropped DLL 7 IoCs

pid	Process
712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
2964	WerFault.exe
2964	WerFault.exe
2964	WerFault.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe

Drops file in Program Files directory 42 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Microsoft Games\Hearts\Hearts.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Microsoft Games\Mahjong\Mahjong.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\7-Zip\Uninstall.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ConvertInkStore.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE.com	MW3GDYBQF.exe
File created	C:\Program Files\HA2M6ICPR.bat	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE.com	MW3GDYBQF.exe
File created	C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe.com	MW3GDYBQF.exe
File opened for modification	C:\Program Files\QNOU2QVLP774\GRJEC.exe	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
File created	C:\Program Files\DVD Maker\DVDMaker.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE.com	MW3GDYBQF.exe
File created	C:\Program Files\Mozilla Firefox\crashreporter.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\7-Zip\7zG.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Internet Explorer\iediagcmd.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Microsoft Games\Chess\Chess.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\7-Zip\7z.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\7-Zip\7zFM.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\MW3GDYBQF.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\QNOU2QVLP774\GRJEC.exe	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
File created	C:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\MW3GDYBQF.exe	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Java\jre7\bin\jabswitch.exe.com	MW3GDYBQF.exe
File created	C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe.com	MW3GDYBQF.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\HNBHFV.bat	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
File created	C:\Windows\BJN9Y.exe	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
File opened for modification	C:\Windows\PIF	MW3GDYBQF.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2928	sc.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2964	2640	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MW3GDYBQF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MW3GDYBQF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language Encoding"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript Author"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\PROGID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID\ = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2704	reg.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2640	MW3GDYBQF.exe
Token: SeRestorePrivilege	2640	MW3GDYBQF.exe
Token: SeRestorePrivilege	2640	MW3GDYBQF.exe
Token: SeRestorePrivilege	2640	MW3GDYBQF.exe
Token: SeRestorePrivilege	2640	MW3GDYBQF.exe
Token: SeRestorePrivilege	2640	MW3GDYBQF.exe
Token: SeRestorePrivilege	2640	MW3GDYBQF.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
2640	MW3GDYBQF.exe
2640	MW3GDYBQF.exe
2944	MW3GDYBQF.exe
2944	MW3GDYBQF.exe
712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 712 wrote to memory of 2640	712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe	30
PID 712 wrote to memory of 2640	712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe	30
PID 712 wrote to memory of 2640	712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe	30
PID 712 wrote to memory of 2640	712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe	30
PID 712 wrote to memory of 2944	712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe	31
PID 712 wrote to memory of 2944	712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe	31
PID 712 wrote to memory of 2944	712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe	31
PID 712 wrote to memory of 2944	712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe	31
PID 712 wrote to memory of 2492	712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe	32
PID 712 wrote to memory of 2492	712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe	32
PID 712 wrote to memory of 2492	712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe	32
PID 712 wrote to memory of 2492	712	81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe	32
PID 2492 wrote to memory of 2928	2492	cmd.exe	34
PID 2492 wrote to memory of 2928	2492	cmd.exe	34
PID 2492 wrote to memory of 2928	2492	cmd.exe	34
PID 2492 wrote to memory of 2928	2492	cmd.exe	34
PID 2492 wrote to memory of 2272	2492	cmd.exe	35
PID 2492 wrote to memory of 2272	2492	cmd.exe	35
PID 2492 wrote to memory of 2272	2492	cmd.exe	35
PID 2492 wrote to memory of 2272	2492	cmd.exe	35
PID 2492 wrote to memory of 2272	2492	cmd.exe	35
PID 2492 wrote to memory of 2272	2492	cmd.exe	35
PID 2492 wrote to memory of 2272	2492	cmd.exe	35
PID 2492 wrote to memory of 2852	2492	cmd.exe	36
PID 2492 wrote to memory of 2852	2492	cmd.exe	36
PID 2492 wrote to memory of 2852	2492	cmd.exe	36
PID 2492 wrote to memory of 2852	2492	cmd.exe	36
PID 2492 wrote to memory of 2852	2492	cmd.exe	36
PID 2492 wrote to memory of 2852	2492	cmd.exe	36
PID 2492 wrote to memory of 2852	2492	cmd.exe	36
PID 2492 wrote to memory of 2696	2492	cmd.exe	37
PID 2492 wrote to memory of 2696	2492	cmd.exe	37
PID 2492 wrote to memory of 2696	2492	cmd.exe	37
PID 2492 wrote to memory of 2696	2492	cmd.exe	37
PID 2492 wrote to memory of 2696	2492	cmd.exe	37
PID 2492 wrote to memory of 2696	2492	cmd.exe	37
PID 2492 wrote to memory of 2696	2492	cmd.exe	37
PID 2492 wrote to memory of 2888	2492	cmd.exe	38
PID 2492 wrote to memory of 2888	2492	cmd.exe	38
PID 2492 wrote to memory of 2888	2492	cmd.exe	38
PID 2492 wrote to memory of 2888	2492	cmd.exe	38
PID 2492 wrote to memory of 2888	2492	cmd.exe	38
PID 2492 wrote to memory of 2888	2492	cmd.exe	38
PID 2492 wrote to memory of 2888	2492	cmd.exe	38
PID 2492 wrote to memory of 2840	2492	cmd.exe	39
PID 2492 wrote to memory of 2840	2492	cmd.exe	39
PID 2492 wrote to memory of 2840	2492	cmd.exe	39
PID 2492 wrote to memory of 2840	2492	cmd.exe	39
PID 2492 wrote to memory of 2840	2492	cmd.exe	39
PID 2492 wrote to memory of 2840	2492	cmd.exe	39
PID 2492 wrote to memory of 2840	2492	cmd.exe	39
PID 2492 wrote to memory of 2720	2492	cmd.exe	40
PID 2492 wrote to memory of 2720	2492	cmd.exe	40
PID 2492 wrote to memory of 2720	2492	cmd.exe	40
PID 2492 wrote to memory of 2720	2492	cmd.exe	40
PID 2492 wrote to memory of 2728	2492	cmd.exe	41
PID 2492 wrote to memory of 2728	2492	cmd.exe	41
PID 2492 wrote to memory of 2728	2492	cmd.exe	41
PID 2492 wrote to memory of 2728	2492	cmd.exe	41
PID 2492 wrote to memory of 2976	2492	cmd.exe	42
PID 2492 wrote to memory of 2976	2492	cmd.exe	42
PID 2492 wrote to memory of 2976	2492	cmd.exe	42
PID 2492 wrote to memory of 2976	2492	cmd.exe	42
PID 2492 wrote to memory of 2672	2492	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:712
- C:\Program Files\MW3GDYBQF.exe
  "C:\Program Files\MW3GDYBQF.exe" C:\Users\Admin\AppData\Local\Temp\81c3ba4d8e5242327c5695453fb197cf_JaffaCakes118.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 472
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2964
- C:\Program Files\MW3GDYBQF.exe
  "C:\Program Files\MW3GDYBQF.exe" rb
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2944
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Program Files\HA2M6ICPR.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Windows\SysWOW64\sc.exe
    sc.exe create U3LBAXG5ZBinPath= "C:\Program Files\QNOU2QVLP774\GRJEC.exe -start" type= own type= interact start= auto DisplayName= NES9H62ZJJK
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2928
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s shimgvw.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2272
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2696
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2888
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2840
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2720
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2728
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2976
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2672
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2684
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2692
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7zG.exe.com

Filesize
41KB

MD5
81c3ba4d8e5242327c5695453fb197cf

SHA1
843ea522569733ebb57539f7e63c2c8d24deae4c

SHA256
652c519839d52bcf943a8e75c486a1ac546be4ebfdcc5f75996aca92bd38ec98

SHA512
60776cb134e6b7f32fe757ec4ced6709fcc1d10b4a50d881f9c2450e9dcbb173e8d533ce7241d34dc83e98b1adf09cce4ec2568806e1f90892703a12e7434d24

Download Submit
C:\Program Files\HA2M6ICPR.bat

Filesize
1KB

MD5
2b7eb6643fde78c08e40121bc7330fab

SHA1
c13542cea7d669b9ac4adc87bffe1ef64ad54891

SHA256
25f22ab625bfb1f2ff665fb26170cb6d20b561f6500eebf293bb0b6d4537d2b0

SHA512
bc06436ed410dde349d5e0b0579543bc5818077be4696cb3b29ef64a9b2005e7dac709457825ccf8e5f097a26bccdca358efc2cdb68d6cf4ef53897385596964

Download Submit
\Program Files\MW3GDYBQF.exe

Filesize
28KB

MD5
16b931eb346d9ddd833cf9fb6f6fe829

SHA1
564d9d92ada66930d759645ed60c331bf6a20216

SHA256
dd8ef34c2a7048f2970da5ec121c13c491eb86e0c149e1b57f65fd84e488de40

SHA512
040afe83fd90d79b44cb9c535e993610d2de034e4c807443f7d77e0fd1ec950e8326b93338c868c1ef4f357d6835aff82064470c7b687b03c8895f3cdac91ae1

Download Submit
memory/712-1-0x0000000000400000-0x000000000042174F-memory.dmp

Filesize
133KB

Download
memory/712-2-0x0000000000411000-0x0000000000412000-memory.dmp

Filesize
4KB

Download
memory/712-3-0x0000000000400000-0x000000000042174F-memory.dmp

Filesize
133KB

Download
memory/712-0-0x0000000000400000-0x000000000042174F-memory.dmp

Filesize
133KB

Download
memory/712-76-0x0000000000400000-0x000000000042174F-memory.dmp

Filesize
133KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads