metasploit | 1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/08/2024, 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Size

498KB
MD5

88d16eafa3d80cbc183085f120475998
SHA1

d9898f4b77ed203106fdb6eaf9b83afec20b6022
SHA256

1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6
SHA512

b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a
SSDEEP

12288:yBIImxhfDKSpPZIo1TzQfNO3xK/AZNPL/nDc/Raowh/u3b:ykpLhZIo1YVuxBzjow9ur

Score

10^/10

metasploit backdoor discovery trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Executes dropped EXE 16 IoCs

pid	Process
4984	olbpqor.exe
948	olbpqor.exe
672	qspagga.exe
4168	qspagga.exe
3504	omlnwjh.exe
4008	omlnwjh.exe
836	vuynqyi.exe
2160	vuynqyi.exe
3832	fpzyysr.exe
4088	fpzyysr.exe
3616	qlainns.exe
3656	qlainns.exe
3108	agtavhs.exe
2952	agtavhs.exe
980	lnftxto.exe
3416	lnftxto.exe

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\qspagga.exe	qspagga.exe
File created	C:\Windows\SysWOW64\omlnwjh.exe	qspagga.exe
File opened for modification	C:\Windows\SysWOW64\omlnwjh.exe	qspagga.exe
File opened for modification	C:\Windows\SysWOW64\fpzyysr.exe	vuynqyi.exe
File opened for modification	C:\Windows\SysWOW64\qlainns.exe	fpzyysr.exe
File created	C:\Windows\SysWOW64\agtavhs.exe	qlainns.exe
File opened for modification	C:\Windows\SysWOW64\agtavhs.exe	agtavhs.exe
File created	C:\Windows\SysWOW64\lnftxto.exe	agtavhs.exe
File opened for modification	C:\Windows\SysWOW64\olbpqor.exe	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\qspagga.exe	olbpqor.exe
File opened for modification	C:\Windows\SysWOW64\qspagga.exe	olbpqor.exe
File opened for modification	C:\Windows\SysWOW64\vuynqyi.exe	omlnwjh.exe
File opened for modification	C:\Windows\SysWOW64\fpzyysr.exe	fpzyysr.exe
File opened for modification	C:\Windows\SysWOW64\qlainns.exe	qlainns.exe
File opened for modification	C:\Windows\SysWOW64\agtavhs.exe	qlainns.exe
File created	C:\Windows\SysWOW64\olbpqor.exe	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\olbpqor.exe	olbpqor.exe
File opened for modification	C:\Windows\SysWOW64\omlnwjh.exe	omlnwjh.exe
File created	C:\Windows\SysWOW64\vuynqyi.exe	omlnwjh.exe
File opened for modification	C:\Windows\SysWOW64\vuynqyi.exe	vuynqyi.exe
File created	C:\Windows\SysWOW64\fpzyysr.exe	vuynqyi.exe
File created	C:\Windows\SysWOW64\qlainns.exe	fpzyysr.exe
File opened for modification	C:\Windows\SysWOW64\lnftxto.exe	agtavhs.exe
File opened for modification	C:\Windows\SysWOW64\lnftxto.exe	lnftxto.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process	procid_target
PID 3028 set thread context of 5068	3028	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe	84
PID 4984 set thread context of 948	4984	olbpqor.exe	87
PID 672 set thread context of 4168	672	qspagga.exe	90
PID 3504 set thread context of 4008	3504	omlnwjh.exe	92
PID 836 set thread context of 2160	836	vuynqyi.exe	95
PID 3832 set thread context of 4088	3832	fpzyysr.exe	97
PID 3616 set thread context of 3656	3616	qlainns.exe	100
PID 3108 set thread context of 2952	3108	agtavhs.exe	102
PID 980 set thread context of 3416	980	lnftxto.exe	104

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2020	3416	WerFault.exe	104

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qspagga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fpzyysr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agtavhs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olbpqor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	olbpqor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qspagga.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fpzyysr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omlnwjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuynqyi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qlainns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	qlainns.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	agtavhs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lnftxto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	omlnwjh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vuynqyi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lnftxto.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}\1.0	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9D41FAEC-CD03-4685-9B52-229FB3DDF406}\TypeLib\Version = "1.0"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BD5643A-9D25-4CF4-ACF7-B643A7DFF8B7}\TypeLib	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BD5643A-9D25-4CF4-ACF7-B643A7DFF8B7}\TypeLib	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AEC2553-4818-4756-A2CB-D0D38FEBDEE1}\TypeLib	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\adadadada.Class1	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D34601CE-E784-4328-9E28-A65E6F1D2BCD}\Implemented Categories	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\TypeLib\ = "{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9D41FAEC-CD03-4685-9B52-229FB3DDF406}\ProxyStubClsid32	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D34601CE-E784-4328-9E28-A65E6F1D2BCD}\ProgID	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9D41FAEC-CD03-4685-9B52-229FB3DDF406}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BD5643A-9D25-4CF4-ACF7-B643A7DFF8B7}\TypeLib\Version = "1.0"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7814234-0237-4DFC-9D71-0F36D48D09D0}	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7814234-0237-4DFC-9D71-0F36D48D09D0}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AEC2553-4818-4756-A2CB-D0D38FEBDEE1}\ProxyStubClsid	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BD5643A-9D25-4CF4-ACF7-B643A7DFF8B7}\ProxyStubClsid32	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AEC2553-4818-4756-A2CB-D0D38FEBDEE1}\TypeLib\ = "{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C3BE5F8-0CAF-4464-9BBD-B9FD25B15E00}\TypeLib	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D34601CE-E784-4328-9E28-A65E6F1D2BCD}\LocalServer32	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\.2.0#\u00a0\x01.°"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AEC2553-4818-4756-A2CB-D0D38FEBDEE1}\ProxyStubClsid32	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AEC2553-4818-4756-A2CB-D0D38FEBDEE1}\TypeLib	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\adadadada.Class1\ = "adadadada.Class1"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D34601CE-E784-4328-9E28-A65E6F1D2BCD}\Programmable	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\TypeLib\Version = "1.0"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AEC2553-4818-4756-A2CB-D0D38FEBDEE1}\TypeLib\Version = "1.0"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C3BE5F8-0CAF-4464-9BBD-B9FD25B15E00}\VERSION\ = "1.0"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\adadadada.Class2\ = "adadadada.Class2"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}\1.0\0\win32	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BD5643A-9D25-4CF4-ACF7-B643A7DFF8B7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\TypeLib\ = "{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\ = "_Class1"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9D41FAEC-CD03-4685-9B52-229FB3DDF406}\TypeLib	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9D41FAEC-CD03-4685-9B52-229FB3DDF406}	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BD5643A-9D25-4CF4-ACF7-B643A7DFF8B7}\TypeLib\Version = "1.0"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9D41FAEC-CD03-4685-9B52-229FB3DDF406}\TypeLib\ = "{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0AEC2553-4818-4756-A2CB-D0D38FEBDEE1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\adadadada.Class1\Clsid	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BD5643A-9D25-4CF4-ACF7-B643A7DFF8B7}\ = "mdsaaaaad"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C3BE5F8-0CAF-4464-9BBD-B9FD25B15E00}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\ProxyStubClsid32	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AEC2553-4818-4756-A2CB-D0D38FEBDEE1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9D41FAEC-CD03-4685-9B52-229FB3DDF406}\ProxyStubClsid32	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0AEC2553-4818-4756-A2CB-D0D38FEBDEE1}\TypeLib\ = "{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C3BE5F8-0CAF-4464-9BBD-B9FD25B15E00}\TypeLib\ = "{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7814234-0237-4DFC-9D71-0F36D48D09D0}\TypeLib	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D34601CE-E784-4328-9E28-A65E6F1D2BCD}\VERSION\ = "1.0"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BD5643A-9D25-4CF4-ACF7-B643A7DFF8B7}\ = "_mdsaaaaad"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8BD5643A-9D25-4CF4-ACF7-B643A7DFF8B7}\ProxyStubClsid	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C3BE5F8-0CAF-4464-9BBD-B9FD25B15E00}\Programmable	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F7814234-0237-4DFC-9D71-0F36D48D09D0}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}\1.0\FLAGS	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}\1.0\HELPDIR	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9C3BE5F8-0CAF-4464-9BBD-B9FD25B15E00}	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\adadadada.Class2	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4A175F7B-0C86-4EFA-A235-F498F2892A89}\ = "Class1"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9D41FAEC-CD03-4685-9B52-229FB3DDF406}	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9D41FAEC-CD03-4685-9B52-229FB3DDF406}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8BD5643A-9D25-4CF4-ACF7-B643A7DFF8B7}\TypeLib\ = "{A0F0FD66-5D37-4959-8B3E-7F76ABAE04CD}"	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3028	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
4984	olbpqor.exe
672	qspagga.exe
3504	omlnwjh.exe
836	vuynqyi.exe
3832	fpzyysr.exe
3616	qlainns.exe
3108	agtavhs.exe
980	lnftxto.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 5068	3028	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe	84
PID 3028 wrote to memory of 5068	3028	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe	84
PID 3028 wrote to memory of 5068	3028	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe	84
PID 3028 wrote to memory of 5068	3028	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe	84
PID 3028 wrote to memory of 5068	3028	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe	84
PID 3028 wrote to memory of 5068	3028	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe	84
PID 3028 wrote to memory of 5068	3028	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe	84
PID 3028 wrote to memory of 5068	3028	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe	84
PID 3028 wrote to memory of 5068	3028	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe	84
PID 3028 wrote to memory of 5068	3028	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe	84
PID 5068 wrote to memory of 4984	5068	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe	85
PID 5068 wrote to memory of 4984	5068	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe	85
PID 5068 wrote to memory of 4984	5068	88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe	85
PID 4984 wrote to memory of 948	4984	olbpqor.exe	87
PID 4984 wrote to memory of 948	4984	olbpqor.exe	87
PID 4984 wrote to memory of 948	4984	olbpqor.exe	87
PID 4984 wrote to memory of 948	4984	olbpqor.exe	87
PID 4984 wrote to memory of 948	4984	olbpqor.exe	87
PID 4984 wrote to memory of 948	4984	olbpqor.exe	87
PID 4984 wrote to memory of 948	4984	olbpqor.exe	87
PID 4984 wrote to memory of 948	4984	olbpqor.exe	87
PID 4984 wrote to memory of 948	4984	olbpqor.exe	87
PID 4984 wrote to memory of 948	4984	olbpqor.exe	87
PID 948 wrote to memory of 672	948	olbpqor.exe	88
PID 948 wrote to memory of 672	948	olbpqor.exe	88
PID 948 wrote to memory of 672	948	olbpqor.exe	88
PID 672 wrote to memory of 4168	672	qspagga.exe	90
PID 672 wrote to memory of 4168	672	qspagga.exe	90
PID 672 wrote to memory of 4168	672	qspagga.exe	90
PID 672 wrote to memory of 4168	672	qspagga.exe	90
PID 672 wrote to memory of 4168	672	qspagga.exe	90
PID 672 wrote to memory of 4168	672	qspagga.exe	90
PID 672 wrote to memory of 4168	672	qspagga.exe	90
PID 672 wrote to memory of 4168	672	qspagga.exe	90
PID 672 wrote to memory of 4168	672	qspagga.exe	90
PID 672 wrote to memory of 4168	672	qspagga.exe	90
PID 4168 wrote to memory of 3504	4168	qspagga.exe	91
PID 4168 wrote to memory of 3504	4168	qspagga.exe	91
PID 4168 wrote to memory of 3504	4168	qspagga.exe	91
PID 3504 wrote to memory of 4008	3504	omlnwjh.exe	92
PID 3504 wrote to memory of 4008	3504	omlnwjh.exe	92
PID 3504 wrote to memory of 4008	3504	omlnwjh.exe	92
PID 3504 wrote to memory of 4008	3504	omlnwjh.exe	92
PID 3504 wrote to memory of 4008	3504	omlnwjh.exe	92
PID 3504 wrote to memory of 4008	3504	omlnwjh.exe	92
PID 3504 wrote to memory of 4008	3504	omlnwjh.exe	92
PID 3504 wrote to memory of 4008	3504	omlnwjh.exe	92
PID 3504 wrote to memory of 4008	3504	omlnwjh.exe	92
PID 3504 wrote to memory of 4008	3504	omlnwjh.exe	92
PID 4008 wrote to memory of 836	4008	omlnwjh.exe	93
PID 4008 wrote to memory of 836	4008	omlnwjh.exe	93
PID 4008 wrote to memory of 836	4008	omlnwjh.exe	93
PID 836 wrote to memory of 2160	836	vuynqyi.exe	95
PID 836 wrote to memory of 2160	836	vuynqyi.exe	95
PID 836 wrote to memory of 2160	836	vuynqyi.exe	95
PID 836 wrote to memory of 2160	836	vuynqyi.exe	95
PID 836 wrote to memory of 2160	836	vuynqyi.exe	95
PID 836 wrote to memory of 2160	836	vuynqyi.exe	95
PID 836 wrote to memory of 2160	836	vuynqyi.exe	95
PID 836 wrote to memory of 2160	836	vuynqyi.exe	95
PID 836 wrote to memory of 2160	836	vuynqyi.exe	95
PID 836 wrote to memory of 2160	836	vuynqyi.exe	95
PID 2160 wrote to memory of 3832	2160	vuynqyi.exe	96
PID 2160 wrote to memory of 3832	2160	vuynqyi.exe	96

C:\Users\Admin\AppData\Local\Temp\88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Users\Admin\AppData\Local\Temp\88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5068
- - C:\Windows\SysWOW64\olbpqor.exe
    C:\Windows\system32\olbpqor.exe 1000 "C:\Users\Admin\AppData\Local\Temp\88d16eafa3d80cbc183085f120475998_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\SysWOW64\olbpqor.exe
      "C:\Windows\SysWOW64\olbpqor.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:948
    - - C:\Windows\SysWOW64\qspagga.exe
        
        C:\Windows\system32\qspagga.exe 1148 "C:\Windows\SysWOW64\olbpqor.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:672
      - C:\Windows\SysWOW64\qspagga.exe
        
        "C:\Windows\SysWOW64\qspagga.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4168
        
        C:\Windows\SysWOW64\omlnwjh.exe
        
        C:\Windows\system32\omlnwjh.exe 1044 "C:\Windows\SysWOW64\qspagga.exe"
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3504
        
        C:\Windows\SysWOW64\omlnwjh.exe
        
        "C:\Windows\SysWOW64\omlnwjh.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4008
        
        C:\Windows\SysWOW64\vuynqyi.exe
        
        C:\Windows\system32\vuynqyi.exe 1044 "C:\Windows\SysWOW64\omlnwjh.exe"
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\SysWOW64\vuynqyi.exe
        
        "C:\Windows\SysWOW64\vuynqyi.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\SysWOW64\fpzyysr.exe
        
        C:\Windows\system32\fpzyysr.exe 1044 "C:\Windows\SysWOW64\vuynqyi.exe"
        11⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3832
        
        C:\Windows\SysWOW64\fpzyysr.exe
        
        "C:\Windows\SysWOW64\fpzyysr.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4088
        
        C:\Windows\SysWOW64\qlainns.exe
        
        C:\Windows\system32\qlainns.exe 1016 "C:\Windows\SysWOW64\fpzyysr.exe"
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3616
        
        C:\Windows\SysWOW64\qlainns.exe
        
        "C:\Windows\SysWOW64\qlainns.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3656
        
        C:\Windows\SysWOW64\agtavhs.exe
        
        C:\Windows\system32\agtavhs.exe 1052 "C:\Windows\SysWOW64\qlainns.exe"
        15⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3108
        
        C:\Windows\SysWOW64\agtavhs.exe
        
        "C:\Windows\SysWOW64\agtavhs.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2952
        
        C:\Windows\SysWOW64\lnftxto.exe
        
        C:\Windows\system32\lnftxto.exe 1148 "C:\Windows\SysWOW64\agtavhs.exe"
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:980
        
        C:\Windows\SysWOW64\lnftxto.exe
        
        "C:\Windows\SysWOW64\lnftxto.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 216
        19⤵
        Program crash
        
        PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3416 -ip 3416
1⤵
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\olbpqor.exe

Filesize
498KB

MD5
88d16eafa3d80cbc183085f120475998

SHA1
d9898f4b77ed203106fdb6eaf9b83afec20b6022

SHA256
1069d2ad83c0264ebf61b490d6385fa9eb678f93dedf165b6863177ea4ac38f6

SHA512
b2d97d022d6738a08333bbf5b652c9f96ed5198b189b86912689b5a6a1169f7a4444f947e3c286973cd43643617206051d2da07070d72a1b14f2e22a78ad862a

Download Submit
memory/672-38-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/672-30-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/836-64-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/836-58-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/948-20-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/948-33-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/948-17-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/948-21-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/980-114-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/980-119-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/2160-78-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/2952-120-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3028-7-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/3028-0-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/3108-108-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/3108-100-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/3416-117-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3416-122-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3504-44-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/3504-52-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/3616-86-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/3616-92-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/3656-106-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/3832-80-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/3832-72-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/4008-65-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4088-93-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4168-50-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/4984-22-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/4984-14-0x0000000000400000-0x0000000000481600-memory.dmp

Filesize
517KB

Download
memory/5068-23-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/5068-6-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/5068-5-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download
memory/5068-3-0x0000000000400000-0x000000000050E000-memory.dmp

Filesize
1.1MB

Download