Analysis

max time kernel: 14s
max time network: 19s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 11-08-2024 15:53
Static task: static1

Behavioral task: behavioral1
Sample: 8afb6a76ab9327eb68eb22dbe703a2f1_JaffaCakes118.exe
Resource: win7-20240704-en

Behavioral task: behavioral2
Sample: 8afb6a76ab9327eb68eb22dbe703a2f1_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General

Target: 8afb6a76ab9327eb68eb22dbe703a2f1_JaffaCakes118.exe
Size: 95KB
MD5: 8afb6a76ab9327eb68eb22dbe703a2f1
SHA1: 67364186bc86a0209af33a9b1a024d3db076027d
SHA256: 2f96cfd1afc65fe6416d98d7c5b1778e88833c3a5e03a5a906905efc2e9abf5b
SHA512: 1fc77f975e580e4d245b07a2bb19afb00c8602c73a57c048bba7be28542b4af4d106f8c5852086b2a63b58c7ad8a7556ca767ba95977067937b9508c2b097026
SSDEEP: 1536:OK/LqEbsheNZuuAfJcl3TKJZ4RYKJVsWSuDxCwDv65UJZgtWgLeF:OwwbfJZVK1tU0R5geF
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
pid  Process
2484 3FBE3.exe
2128 3FBE3.exe
2968 B7FA8.exe
Loads dropped DLL (8 IoCs)
pid  Process
1420 8afb6a76ab9327eb68eb22dbe703a2f1_JaffaCakes118.exe
1420 8afb6a76ab9327eb68eb22dbe703a2f1_JaffaCakes118.exe
2128 3FBE3.exe
2128 3FBE3.exe
2968 B7FA8.exe
2968 B7FA8.exe
2968 B7FA8.exe
2968 B7FA8.exe
Drops file in System32 directory (13 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\L2J2LQQE.txt | B7FA8.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\TZJD2LKJ.txt | B7FA8.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\400CUWJQ.txt | B7FA8.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\DJKMGQOR.txt | B7FA8.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\DJKMGQOR.txt | B7FA8.exe
File opened for modification | C:\Windows\SysWOW64\B7FA8.exe | 3FBE3.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | B7FA8.exe
File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XOQGWBZ4.htm | B7FA8.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\TZJD2LKJ.txt | B7FA8.exe
File opened for modification | C:\Windows\SysWOW64\3FBE3.exe | 8afb6a76ab9327eb68eb22dbe703a2f1_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\MSWINSCK.OCX | 3FBE3.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\L2J2LQQE.txt | B7FA8.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\400CUWJQ.txt | B7FA8.exe
System Location Discovery: System Language Discovery (1 TTP, 16 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8afb6a76ab9327eb68eb22dbe703a2f1_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3FBE3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | B7FA8.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3FBE3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Modifies data under HKEY_USERS (24 IoCs, all by B7FA8.exe)
Modifies registry class (64 IoCs, all by B7FA8.exe)
Runs net.exe
Suspicious use of SetWindowsHookEx (4 IoCs)
pid  Process
1420 8afb6a76ab9327eb68eb22dbe703a2f1_JaffaCakes118.exe
2484 3FBE3.exe
2128 3FBE3.exe
2968 B7FA8.exe
Suspicious use of WriteProcessMemory (56 IoCs)
Processes

- C:\Users\Admin\AppData\Local\Temp\8afb6a76ab9327eb68eb22dbe703a2f1_JaffaCakes118.exe (PID 1420)
  command line: "C:\Users\Admin\AppData\Local\Temp\8afb6a76ab9327eb68eb22dbe703a2f1_JaffaCakes118.exe"
  signatures: Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\3FBE3.exe (PID 2484)
    command line: C:\Windows\system32\3FBE3.exe
    signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2624)
      command line: cmd /c "net start 3FBE3"
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 2756)
        command line: net start 3FBE3
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 3056)
          command line: C:\Windows\system32\net1 start 3FBE3
          signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 2660)
      command line: cmd /c "net start 3FBE3"
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 2892)
        command line: net start 3FBE3
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2648)
          command line: C:\Windows\system32\net1 start 3FBE3
          signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2728)
    command line: cmd /c "net start 3FBE3"
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2540)
      command line: net start 3FBE3
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2792)
        command line: C:\Windows\system32\net1 start 3FBE3
        signatures: System Location Discovery: System Language Discovery

- C:\Windows\SysWOW64\3FBE3.exe (PID 2128)
  command line: C:\Windows\SysWOW64\3FBE3.exe
  signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 2840)
    command line: cmd /c "net start 3FBE3"
    signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2604)
      command line: net start 3FBE3
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2652)
        command line: C:\Windows\system32\net1 start 3FBE3
        signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\B7FA8.exe (PID 2968)
    command line: C:\Windows\system32\B7FA8.exe eee
    signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Modifies data under HKEY_USERS; Modifies registry class; Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 95KB
MD5: 8afb6a76ab9327eb68eb22dbe703a2f1
SHA1: 67364186bc86a0209af33a9b1a024d3db076027d
SHA256: 2f96cfd1afc65fe6416d98d7c5b1778e88833c3a5e03a5a906905efc2e9abf5b
SHA512: 1fc77f975e580e4d245b07a2bb19afb00c8602c73a57c048bba7be28542b4af4d106f8c5852086b2a63b58c7ad8a7556ca767ba95977067937b9508c2b097026

Filesize: 108KB
MD5: 7e83850a9f7b3e41984c6b29ec8fb2ce
SHA1: c3069a19db128dedeff5bbaff5ebfd2c840e5dd1
SHA256: 51325db86c6542fd9b892a28b33e0b900a39ace6ad1aca26c3fb3d702c1678f0
SHA512: 5f88657d0ca9f1d51785f6c749be842846d1acffac65ca1298b7dc68da8d9c531364413da1985a3299b17758ff7a3540a44ff5655742989dd77a8578787fb8d2

Filesize: 105KB
MD5: 9484c04258830aa3c2f2a70eb041414c
SHA1: b242a4fb0e9dcf14cb51dc36027baff9a79cb823
SHA256: bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5
SHA512: 9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0