Analysis
max time kernel: 22s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-08-2024 21:08
Static task: static1
Behavioral task: behavioral1
  Sample: 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
  Resource: win7-20240704-en
Behavioral task: behavioral2
  Sample: 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
  Resource: win10v2004-20240730-en
General
Target: 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Size: 64KB
MD5: 81c4f9963dd2099915fd4e6f54dad969
SHA1: f155b91ef95f08884e01e81d3938d8fb1bece37e
SHA256: aca81d6f1061a026df786c014c6599faf8bb77bdba7c7ecf902aed5cb3940541
SHA512: 042ec8438e47a6b7b95122abed3b7f10537aba1995f4bacf7067a155257107638f654e68a03ae0a807ce9a2b04f0af6ee0bc6fd02be105042d11602a5986f2f4
SSDEEP: 768:7XK1Jsz/2COCKvxPD3WDKaZbO0lBo+fKpxcP60BPYXcgIufVXHo+DNXK:rOJsz/2HCKvRLUipy9BPkcgIutXfDZ
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\10.1.08.exe init" | 1o.1.o8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\1o.1.o8.exe shell" | 1o.1.o8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\10.1.08.exe init" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\1o.1.o8.exe shell" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\10.1.08.exe init" | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\1o.1.o8.exe shell" | 10.1.08.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 10.1.08.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 1o.1.o8.exe
Disables RegEdit via registry modification (3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 10.1.08.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 1o.1.o8.exe
Disables Task Manager via registry modification
Executes dropped EXE (2 IoCs)
pid | Process
4992 | 10.1.08.exe
3364 | 1o.1.o8.exe
Modifies system executable filetype association (2 TTPs, 3 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command | 1o.1.o8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\.exe %1swindler%*" | 1o.1.o8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\Fonts\\.exe %1swindler%*" | 1o.1.o8.exe
Adds Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\10.1.08 = "C:\\Windows\\10.1.08.exe hlmrun" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1o.1.o8 = "C:\\Windows\\1o.1.o8.exe hcurun" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\10.1.08 = "C:\\Windows\\10.1.08.exe hlmrun" | 10.1.08.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1o.1.o8 = "C:\\Windows\\1o.1.o8.exe hcurun" | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\10.1.08 = "C:\\Windows\\10.1.08.exe hlmrun" | 1o.1.o8.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1o.1.o8 = "C:\\Windows\\1o.1.o8.exe hcurun" | 1o.1.o8.exe
Drops autorun.inf file (1 TTPs, 6 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\autorun.inf | 10.1.08.exe
File opened for modification | C:\autorun.inf | 10.1.08.exe
File opened for modification | C:\autorun.inf | 1o.1.o8.exe
File opened for modification | F:\autorun.inf | 1o.1.o8.exe
File created | F:\autorun.inf | 10.1.08.exe
File opened for modification | F:\autorun.inf | 10.1.08.exe
Drops file in System32 directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\userinit.exe | 1o.1.o8.exe
File opened for modification | C:\Windows\SysWOW64\userinit.exe | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\userinit.exe | 10.1.08.exe
Drops file in Program Files directory (24 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\.exe | 10.1.08.exe
File opened for modification | C:\Program Files\Microsoft Office 15.exe | 10.1.08.exe
File opened for modification | C:\Program Files\Microsoft Office 15\.exe | 10.1.08.exe
File created | C:\Program Files (x86)\Windows Photo Viewer.exe | 1o.1.o8.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\it-IT.exe | 1o.1.o8.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\it-IT\.exe | 1o.1.o8.exe
File created | C:\Program Files\.exe | 10.1.08.exe
File created | C:\Program Files\Microsoft Office 15\.exe | 10.1.08.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64.exe | 10.1.08.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64.exe | 10.1.08.exe
File created | C:\Program Files (x86)\.exe | 1o.1.o8.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\.exe | 1o.1.o8.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\it-IT.exe | 1o.1.o8.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\it-IT\.exe | 1o.1.o8.exe
File created | C:\Program Files\Microsoft Office 15.exe | 10.1.08.exe
File opened for modification | C:\Program Files\Microsoft Office 15 | 10.1.08.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\.exe | 10.1.08.exe
File opened for modification | C:\Program Files (x86)\.exe | 1o.1.o8.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer.exe | 1o.1.o8.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer | 1o.1.o8.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\.exe | 1o.1.o8.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64 | 10.1.08.exe
File opened for modification | C:\Program Files\Microsoft Office 15\ClientX64\.exe | 10.1.08.exe
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\it-IT | 1o.1.o8.exe
Drops file in Windows directory (10 IoCs)
description | ioc | Process
File created | C:\Windows\.exe | 1o.1.o8.exe
File opened for modification | C:\Windows\.exe | 1o.1.o8.exe
File opened for modification | C:\Windows\Fonts.exe | 1o.1.o8.exe
File opened for modification | C:\Windows\Fonts\.exe | 1o.1.o8.exe
File created | C:\Windows\10.1.08.exe | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
File opened for modification | C:\Windows\10.1.08.exe | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
File opened for modification | C:\Windows\1o.1.o8.exe | 10.1.08.exe
File created | C:\Windows\1o.1.o8.exe | 10.1.08.exe
File created | C:\Windows\Fonts.exe | 1o.1.o8.exe
File created | C:\Windows\Fonts\.exe | 1o.1.o8.exe
System Location Discovery: System Language Discovery (1 TTPs, 4 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | explorer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 10.1.08.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1o.1.o8.exe
Modifies Internet Explorer settings
description ioc Process Key created \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Software\Microsoft\Internet Explorer\Toolbar explorer.exe Set value (int) \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" explorer.exe Key created \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser explorer.exe Set value (data) \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 explorer.exe -
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | 10.1.08.exe
Key created | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command | 1o.1.o8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsh | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.msi | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "exefile" | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.scr\ = "exefile" | 10.1.08.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.js | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd | 1o.1.o8.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e00310000000000015916a9100054656d7000003a0009000400efbefe58ac75015916a92e00000091e10100000001000000000000000000000000000000590ffd00540065006d007000000014000000 | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000 | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.bat | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.VBE\ = "exefile" | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "exefile" | 1o.1.o8.exe
Key created | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbe | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSF\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.hta\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "exefile" | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.com\ = "exefile" | 1o.1.o8.exe
Key created | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.msi | 10.1.08.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.jse | 1o.1.o8.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 5600310000000000fe58ac7512004170704461746100400009000400efbefe58ac75015916a92e0000007de101000000010000000000000000000000000000000b5ec6004100700070004400610074006100000016000000 | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.msi\ = "exefile" | 10.1.08.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5000310000000000fe58147c100041646d696e003c0009000400efbefe58ac75015916a92e00000072e101000000010000000000000000000000000000004184bc00410064006d0069006e00000014000000 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.js | 10.1.08.exe
Key created | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0\MRUListEx = ffffffff | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.cmd\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.wsf | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.reg | 10.1.08.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.jse | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif\ = "exefile" | 10.1.08.exe
Key created | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | explorer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\.exe %1swindler%*" | 1o.1.o8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | 10.1.08.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.pif | 10.1.08.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\0 | explorer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.JSE\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | 1o.1.o8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.hta | 1o.1.o8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} | 1o.1.o8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.com | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.WSH\ = "exefile" | 10.1.08.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "exefile" | 1o.1.o8.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.com | 1o.1.o8.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.scr\ = "exefile" | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.hta | 10.1.08.exe
Suspicious behavior: AddClipboardFormatListener (1 IoCs)
pid | Process
4576 | explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries
1700 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe | 2
4992 | 10.1.08.exe | 34
3364 | 1o.1.o8.exe | 28
Suspicious use of SetWindowsHookEx (5 IoCs)
pid | Process
1700 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
4992 | 10.1.08.exe
3364 | 1o.1.o8.exe
4576 | explorer.exe
4576 | explorer.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 1700 wrote to memory of 5004 | 1700 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe | 84
PID 1700 wrote to memory of 5004 | 1700 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe | 84
PID 1700 wrote to memory of 5004 | 1700 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe | 84
PID 1700 wrote to memory of 4992 | 1700 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe | 87
PID 1700 wrote to memory of 4992 | 1700 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe | 87
PID 1700 wrote to memory of 4992 | 1700 | 81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe | 87
PID 4992 wrote to memory of 3364 | 4992 | 10.1.08.exe | 89
PID 4992 wrote to memory of 3364 | 4992 | 10.1.08.exe | 89
PID 4992 wrote to memory of 3364 | 4992 | 10.1.08.exe | 89
Processes

C:\Users\Admin\AppData\Local\Temp\81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118.exe"
  PID: 1700
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Disables RegEdit via registry modification
  - Adds Run key to start application
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\explorer.exe
    Command line: explorer.exe C:\Users\Admin\AppData\Local\Temp\81c4f9963dd2099915fd4e6f54dad969_JaffaCakes118
    PID: 5004
    - System Location Discovery: System Language Discovery

  C:\Windows\10.1.08.exe
    Command line: C:\Windows\10.1.08.exe first
    PID: 4992
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\1o.1.o8.exe
      Command line: C:\Windows\1o.1.o8.exe first
      PID: 3364
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

C:\Windows\explorer.exe
  Command line: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
  PID: 4576
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 4964
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Event Triggered Execution (1)
    Change Default File Association (1)
Downloads

Filesize: 64KB
MD5: 81c4f9963dd2099915fd4e6f54dad969
SHA1: f155b91ef95f08884e01e81d3938d8fb1bece37e
SHA256: aca81d6f1061a026df786c014c6599faf8bb77bdba7c7ecf902aed5cb3940541
SHA512: 042ec8438e47a6b7b95122abed3b7f10537aba1995f4bacf7067a155257107638f654e68a03ae0a807ce9a2b04f0af6ee0bc6fd02be105042d11602a5986f2f4

Filesize: 202B
MD5: df3298142cadd966aed043f2e44e841b
SHA1: b22111a6e77fe6ec8daea24da5545552ffedd187
SHA256: adff5fba26d6f1cd6de55e9c0b32b74bbbf979817eb10aa3f84d9967f53509de
SHA512: be89b677613043855003d693dbe924983009647ee47e6dd7eca200fa1ab0c79994e7b2b305edfe48a584ef7187725dbf8d6b78b2f396afcd2ff567a161e34ff0