9bbad35921675083c62d907c76a35a39cebfff12cc221dc186002a2ca21d639d

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 13:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

86282337242629e73c4693b601c7fd60_JaffaCakes118.exe
Size

150KB
MD5

86282337242629e73c4693b601c7fd60
SHA1

1d296f20f2121376622f37433aa15c5221d3d407
SHA256

9bbad35921675083c62d907c76a35a39cebfff12cc221dc186002a2ca21d639d
SHA512

ebdfd09d59cd11cdcac1b5a2f36ba63cf6b08f542ba87e5533204d84f84f42b8504fba62a516ac033e311575b3df932ae8fc71f4a04d9dba4dfdaf175e087103
SSDEEP

3072:nhFXUYwMfLarzbekew1db4kIzsTvbcu8gG/OAV8rDITrbPq3ZjXRNFVx:nhRwtekewZ4sHPDITrbi3ZjXRNFVx

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Access WebControl = "{FA8BF6DF-E868-454E-9F5B-21CC5699D3F8}"	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,mqoasvcs.exe"	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,C:\\Windows\\system32\\mqoasvcs.exe"	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Access Connection = "C:\\Windows\\system32\\mqoasvcs.exe"	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Access Connection = "C:\\Windows\\system32\\mqoasvcs.exe"	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\bzqiuwjs.dll	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bzqiuwjs.dll	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\testtest.exe	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\hgakheg.dll	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429456869"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000d0c81e4be3b0a6cd1a1141323f6cffa17e030a34a590b353128756d843699a71000000000e800000000200002000000018e3274c2d06bc6cd2f23f28cd005125bb4fe57519c9d0b3b8e05200d57401fd900000007705104ec571fca68ce0e6b3ba61cf44cf7b89ed27fbd4d183200a46d950734d11cd7562f5608df9303e7575e109f6c4bb0fbb35848264a7bca9e04ec11c0f5691641f7eb78b2dfd1b2a5dafec7fc3de1e55ead53829438ada60970f594a1b2311df591dc44a07bebaf8f53c3892ad5fc36aa1134be070e3d9efd625ef7e96e1c03be594637ebf4d35a084f5dddc6c4a400000000bb7e08078a87cb056614cb097821e562b96f0c6b7833197c14ad0237a9f1a2828be05356972f5d227d04161d5c382b1730f0d2d7593bc937a0e232a2d354e4b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EB87E4B1-5718-11EF-9438-E643F72B7232} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000e14cc177e3e0cf7b18eee41d8e0dcd6a2bcb333bb60b59a27e4ae7245d230e16000000000e80000000020000200000003f24df98b091a25ced28bc69862d1e0c1b0a9091a426de8c9bba7f8aee71cd9520000000bd7f5472b1e5db093eb5a75533c3699b92e5cf47f8a875f25e7df9a7ca7b962b4000000000c6f1255bb64bca0515a2801c4da660fd7765c21e1c91437cfae1bb6b4b83ac6efe78ffc2dfee4b35e37aee090b118af37a194075ba8e944e1eb7d4758c4962	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EB93CB91-5718-11EF-9438-E643F72B7232} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EB763171-5718-11EF-9438-E643F72B7232} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA8BF6DF-E868-454E-9F5B-21CC5699D3F8}\InProcServer32\ = "C:\\Windows\\SysWow64\\msutache.dll"	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA8BF6DF-E868-454E-9F5B-21CC5699D3F8}\InProcServer32	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FA8BF6DF-E868-454E-9F5B-21CC5699D3F8}	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
2136	IEXPLORE.EXE
2880	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
1196	IEXPLORE.EXE
1196	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
2760	IEXPLORE.EXE
2760	IEXPLORE.EXE
2136	IEXPLORE.EXE
2136	IEXPLORE.EXE
3088	IEXPLORE.EXE
3088	IEXPLORE.EXE
2880	IEXPLORE.EXE
2880	IEXPLORE.EXE
3196	IEXPLORE.EXE
3196	IEXPLORE.EXE
3196	IEXPLORE.EXE
3196	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 1968	2572	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe	31
PID 2572 wrote to memory of 1968	2572	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe	31
PID 2572 wrote to memory of 1968	2572	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe	31
PID 2572 wrote to memory of 1968	2572	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe	31
PID 1968 wrote to memory of 1196	1968	IEXPLORE.EXE	32
PID 1968 wrote to memory of 1196	1968	IEXPLORE.EXE	32
PID 1968 wrote to memory of 1196	1968	IEXPLORE.EXE	32
PID 1968 wrote to memory of 1196	1968	IEXPLORE.EXE	32
PID 2572 wrote to memory of 2136	2572	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe	33
PID 2572 wrote to memory of 2136	2572	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe	33
PID 2572 wrote to memory of 2136	2572	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe	33
PID 2572 wrote to memory of 2136	2572	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe	33
PID 2572 wrote to memory of 2880	2572	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe	34
PID 2572 wrote to memory of 2880	2572	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe	34
PID 2572 wrote to memory of 2880	2572	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe	34
PID 2572 wrote to memory of 2880	2572	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe	34
PID 2572 wrote to memory of 2612	2572	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe	35
PID 2572 wrote to memory of 2612	2572	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe	35
PID 2572 wrote to memory of 2612	2572	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe	35
PID 2572 wrote to memory of 2612	2572	86282337242629e73c4693b601c7fd60_JaffaCakes118.exe	35
PID 1968 wrote to memory of 2760	1968	IEXPLORE.EXE	36
PID 1968 wrote to memory of 2760	1968	IEXPLORE.EXE	36
PID 1968 wrote to memory of 2760	1968	IEXPLORE.EXE	36
PID 1968 wrote to memory of 2760	1968	IEXPLORE.EXE	36
PID 2136 wrote to memory of 3088	2136	IEXPLORE.EXE	37
PID 2136 wrote to memory of 3088	2136	IEXPLORE.EXE	37
PID 2136 wrote to memory of 3088	2136	IEXPLORE.EXE	37
PID 2136 wrote to memory of 3088	2136	IEXPLORE.EXE	37
PID 2880 wrote to memory of 3196	2880	IEXPLORE.EXE	38
PID 2880 wrote to memory of 3196	2880	IEXPLORE.EXE	38
PID 2880 wrote to memory of 3196	2880	IEXPLORE.EXE	38
PID 2880 wrote to memory of 3196	2880	IEXPLORE.EXE	38

C:\Users\Admin\AppData\Local\Temp\86282337242629e73c4693b601c7fd60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\86282337242629e73c4693b601c7fd60_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "C:\Users\Admin\AppData\Local\Temp\tmpE4C4.tmp"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1196
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1968 CREDAT:537605 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2760
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "C:\Users\Admin\AppData\Local\Temp\tmpE561.tmp"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2136 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3088
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "http://www.easy-free-sex.biz/"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2880 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3196
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "http://www.easy-free-sex.biz/"
  2⤵
  PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb34a71f39688c3633dfaa8a9c8c87dd

SHA1
6beee2c06b9fd1f1f257b0866c6ad9e821c770a8

SHA256
774bde8bc0909a6a0d5bb31fc861fe888faaeeed0fa6e597cbde023d558b52bb

SHA512
b8ca1328727449b05e4adaf0e7261b20731ed3ced86224067f025456660208b40c1088ed349e0cfe1027fe63c2a880967d3a686c162beb2464bb970c0b2e5723

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bc095ecc7fb341398fac8efe999b840

SHA1
fc7287217bb0f9370c8f9f4aecdd6cf2b61dadb9

SHA256
897be1277f9d049352d4334fd5fa7206c4f666b72c7a02726189c97dba13649f

SHA512
b7d0dcc5cd1865391a26d5ee8e1c3fe064d6a83b7fc38542717608d312a03d58a990e6010a7b6ec4ad6a97f8a7ad2f4f102dd41e37b7a17c77c00a0189197bfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1609739b708beabfc4ef197c41cbec6a

SHA1
72b77dcd46bcc8bd1e44af9edc1106cb61c907b4

SHA256
ffe8330cb9fc256612d376683d8193bdeba245a4c8e0b30015fca59edc803f00

SHA512
f8886c687a4605b6b290504cedb43565c882d09105f32dc203a274fcd60ae63a651e5d09e85733cd2d2939e5b7350b12d72ba3609e0db50f201936412fb57586

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfa9f0679344133922d8a4a6e034f556

SHA1
06a698992e90fa6781e6eace95de06b18b49e298

SHA256
a04022de975fcd3facb6318bc370bc380ab76c649f4e10d6f3f51e804bc826ef

SHA512
27c73dad46f2c9df7ac51b5e5f8572e83952df75992d8aac743c65311cb928b08c48d95866213e27dc378f5a27d08a8569da354483b65a40afb114e72e04d214

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9cb53dab8624c7a2f030f15014e9ce3

SHA1
7ad2764f302f77626e36a73ca03db223b9a35510

SHA256
4f284ffe08d51be3b5142f860c37cf7d50059de336159763dbc118a592d92457

SHA512
c17d70bb40d25bf7b13d70e11aac6eb2df591a59d93ba6e6ff615bf536ca8799e0094ec4daa317926063403dbe01bf22631b643b4d99447e8f9638f43fc720f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
166b0534045f0e6636fee3ac92051156

SHA1
b4cdbcef147abe557f66b04b4b561d8b9ce335dd

SHA256
a368e2869b292611c04ac09adba0d430ae06c703481f313c693d02c2d1d323cb

SHA512
c5e92eb478c7ffe75b38f64a5b52f8eeff9439ee406edc8d209a3e8a9b3190d98bb000b950ca780b300a65d441b49b5d3071cd319e6d11c6a7a3f025c0773416

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d619c6fcb27f1133289de7e9351852d

SHA1
6204f621c08eb068f4d0c5d405484a52f9c4868d

SHA256
be4c2b2711acecfc487db5f4d326031f240dd110bac91f7a05cf69c91205e29d

SHA512
8bac15041c057f4bf2251529e8cd9d5e1fd172abfe05a5da73d50ac1336f10c58cbda2f446f1b6f166b0bc482e232130938fab113c9df290b92176a6b6ca3d1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0840b31591fcc005e96b2f65b7f27d78

SHA1
eeee4cd00d90bfe8e5cd08dfa2d5d8eb2dbc6008

SHA256
3d368da26b77f78122537021e9031a077b9b9f645c84aca35a3f2a7f3357933b

SHA512
6b430d3b38acf2f6121649e03e90ba14dc92c6350b466fab21a50cd47b0ac5a8e56cb302f69658ac129bd1032e4b964aa78c5401fdf5fca6ce43375c50f715ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d919bc2a47f1d4b887d0de2b31aaa1f

SHA1
996d1ccc70e8c379187363997c8c830e642ac030

SHA256
108159d8cae23a822ce05f483157eeccaa7b6adceb3ead64678b53931d4e35a0

SHA512
fed33a324f61598bccffa13d67aa19a3ac7e59d129880fddc8887f5d41e0bd77247f448d027d6b1765df74959b0acd2cc27502d2e34d75d4d96bd429f56dc750

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4af713e6e16c68ef60a7117aa1d05eba

SHA1
8bd62981a93164e7590959acff431292b6cfe033

SHA256
956a6e1b7d0df2c041ee5f4acd99d31b08d9f56eba13fb14d3849457571f84f7

SHA512
f5cfc0a00460756b44ec8d73dd2eb69d0c97ff12378448508fdeb83dbd8e2fffa8b36430c7e7d9851a719ac834c3f0ab1ac8f0bdb4ccdb5fdad8c0d10e5c10c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2a2ec0261a99d259b85937738834eaa

SHA1
872d452045cdaf073972a557c793f879b6ce3d3f

SHA256
3e695ee63f96f637082499b49ed4af30be0097efacb486a9d69ac862109da522

SHA512
225bf89042f02516eb78840515b76b052ae5d75dcaa1e4c4e328b813de234f55ffe712537b5ad6b9a247f251a9fceb06f3264f5e62b3530b57abb5da39b33fd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b13e9bfdfb8024d523ad82b53af1c8e8

SHA1
8f971321c7985606374dd8eb95d30083887861c3

SHA256
1e411b83bf88ac5856eaebd1fb1f3f52e565c915c2c0da1cd8db277d25691164

SHA512
32c2512b5fd12547846894ee02a11943ef7d0202fb7b78fbffa5d86e7fc296d90d843765fb3d58b19e2f9ea8f41828b9b8734ac5a384dd775c5b7a314b81e491

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f00352baacfecf6c851877026eb3ee9f

SHA1
a386010bc7f65278b787a81a78e8788a5117a7d2

SHA256
a5a7b07430b89b706434af4ead4174396cbfb064a59d981ae8d133fb70f385cc

SHA512
c47d442641097ddc7ed24ca6c560525e2485434f9008efe852fe86f5360bc2fd265a7563fd95b5e4a5c28ed90240f9d5f66290bfc283a1e94b2d0f7453104613

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5662de6a52d08f5c0cb0c1cd38df4332

SHA1
379e5c3a850323ed207c2f24f0755cc36453bfbd

SHA256
b29a60fc065e83322d109af62de228358a9bb1548b3bb0e1ed3a1303f321bc67

SHA512
3663f7d5de2bb3dab81e0f756c3398674871187f66b50ba9bcf4ddac1512a6c212c7b5116d443ed54f96581227998eead508b63db2ac2d29ab9f3af2799bdeb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f435e7ce998265b90caf7eb026cf29e

SHA1
f6644c5e63380fcab2a7cfd3bb4233a6a9ad435b

SHA256
24b8945bbb4c28c9dbeba78246f26f6528dbfcc4301abfa03af6ebe131734664

SHA512
0e6ba128b483b3de2cc62198eccc587be6e9285b3b150a8eaa255ffc7518421de31d13a2f3fc4b56cd77f7dd677a777ef31f32eb077c4b292091ce341e20f1da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c618ecdcd0eb0e997cdaa4380876618

SHA1
51a01b47df2d22f72aefc3811cf28a93cc7feccc

SHA256
4306d9a6bafe2c65c1949c7584322833e31926f4cdbcef5f80bc5cf50299833c

SHA512
d883df12e642c12eaef64cf2ee27aabfa36c070d04b477c3ccb0cfd15bd0d1755c97071aa611449259ddc4ffc2885840a8dcc4adeb2a438e5ab18f80ee1ee449

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5af0f5c6bb1890e9a3c1f4e1b2287193

SHA1
91ddf7c5279d071fcd6ca4e4470fa963f61402d2

SHA256
096b25a4369d9d92a02983e2651a47a082fc262525fe1b8fb1181d541578087e

SHA512
9dfb401f5c1be253dba1580ec12b4b199db3392d2205214f5a421148a7bd092dfbbbb3fa79e3be92c29136d83e0a9403d495973e6138494e4a5050522a32171f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7a5f576973b948eb6182442a3de67ef

SHA1
7bbd6e98a1d1dd9ca827c2405092ba36a2d44b53

SHA256
c9e91a40b1ed340e891a369b60570b857a37d01a2b224257b4427e564b7a4aa8

SHA512
5eeb16f1fe32c903e4b2c7bbeb3b8601f11ddfc2d3d4040cf8e5af72b40db638b0951fe6f02fdd497828603e2fb2a45f3d6447a8df60a932a6832ad9a0c4baa4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd782491310baffc9b38eb4c5e0e0c2c

SHA1
fd93b3a8db129aa13d62253572c1f1f338a282dc

SHA256
dc14551ddf0b3b99836026ad498176d1806ee54141ad557a2817de3bdfbcd864

SHA512
bbbad2913a83caf19126d098f4a40a38876e1f4b690a1b55d1bbc0b4a95ae5ecc2a6c1b624506b46027197204334ce90c524ddb3e2d199db1fbe02777284ecbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EB763171-5718-11EF-9438-E643F72B7232}.dat

Filesize
5KB

MD5
5b46dff842b0e6c2a3a44890379a7e0b

SHA1
c378019bb795ba7a19039d2cd291ccc7d5e05fe2

SHA256
5dbca6780893a3dbec53454c035f8734035ed28a0361661bac77920e5fc367cb

SHA512
e95ae1ab6505938a633a1e64d7f66222fa87772080302efeee7203e5810986e53ed5920ec00fe321fd88a1b3e7514bdbf54aaff5ee5b1b88026dfa9aba00fa2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EB87E4B1-5718-11EF-9438-E643F72B7232}.dat

Filesize
5KB

MD5
d18e23081ffb94feb55e8228f8cdb325

SHA1
97c222a607cdc6a578af0239e569aac0664bd6de

SHA256
a9ea148a30935654f5ab6fa32e036d01f288f8099c0dd7516dd4bcd6975b69b2

SHA512
17ecfa85e7d521bcafa2a967f26a2319cad32534f1eff894e4fc2acfafb836b48af3ae24c7a2dff07b6d5876e2dd82b193d0051566e64eec04455977ec69a040

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab688.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar709.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE4C4.tmp

Filesize
442B

MD5
11919d4be6573fa86778220f8c235f5f

SHA1
9fd4fe1088d23bf7bff1c6209fccdba7ff5150b1

SHA256
b3fca75b6f1744455839fec36788873ba6d4700ee79b0beecae902214d98829e

SHA512
ed1d993402778a941f24009877bfdc470398fb9fc7fe4889d0b56a194cb019da094915fa10b9349f922f5af41dc0274d7b1dc9854b5b105fe5a59821ce2843bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE561.tmp

Filesize
466B

MD5
ab9bf535b85650bedd40fd87b6cac611

SHA1
2217b502d69f71d1e362e621638e6ab17f4884a7

SHA256
27637d3fe2b614bb18768d26d331beb1931e59d70499f76a41e15351a922bb98

SHA512
bd5dff99a1fb61f0f7b37fd5813521e0efbe26a4da1c5a7b6ee401491a01132bc6c2ace3b9e6431fb8d53939f7dfda4df8b493e02da130e65bdcf62b04b96323

Download Submit
C:\Windows\SysWOW64\hgakheg.dll

Filesize
564B

MD5
39ff784965001d1f8dbc27e3b41fa343

SHA1
7bcebb49dec74a5f3335f7c1f64079528d405957

SHA256
847ee6424f6b327bef0dc3d8793baa24e0732a5a7274e5f1b2ec35386c6bfb0d

SHA512
c592e92bc7b2518be18b00e258494d58c9ae7d11240bdb4be238ec91f532a9988be15b4888eb0efc46d27c28c51fda16b14f4cf3635b1a4640892e86eb417d2a

Download Submit
memory/2572-12-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads