Analysis
- max time kernel: 150s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/08/2024, 10:08
Behavioral task: behavioral1
- Sample: 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
- Resource: win10v2004-20240802-en
General
- Target: 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
- Size: 392KB
- MD5: 8e52e23315107af7267625ae6585b375
- SHA1: 36a2e290281a2a6a39c763ee22964f206023e861
- SHA256: 889b91ba5fc0b15d338a48d1f8f71d6860ad5aff3e28336c1f43b445e049e383
- SHA512: 5cd4f72645fe8b9a5e3d5fddc29ea4a2d8a6e4c56ed61d7058a6c77940b28b409274f8fda92dccc77e3081cdaeef4e3f81fa321337e14ec8a36625e40d4475a6
- SSDEEP: 6144:amUPQw5bPV6eJedItmt/shiqV4KIMNSJ7e7ESmA7ptFnMABnZAVnEKYdy/F9htj:N69JP14N/sgk7mA7ptXanEKYdy/F/t
Malware Config
Signatures
Adds policy Run key to start application (2 TTPs, 6 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Live = "C:\\Program Files (x86)\\Mui\\8e52e23315107af7267625ae6585b375_JaffaCakes118.exe" | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Update = "C:\\Program Files (x86)\\Mui\\8e52e23315107af7267625ae6585b375_JaffaCakes118.exe" | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | igfxext.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Live = "C:\\Program Files (x86)\\Mui\\igfxext.exe" | igfxext.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Update = "C:\\Program Files (x86)\\Mui\\igfxext.exe" | igfxext.exe
Key created | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe

Sets service image path in registry (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SfCtlCom\ImagePath = "C:\\Program Files\\Trend Micro\\Internet Secuity\\SfCtlCOm.exe" | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TmPfw\ImagePath = "C:\\Program Files\\Trend Micro\\Internet Secuity\\SfCtlCOm.exe" | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SfCtlCom\ImagePath = "C:\\Program Files\\Trend Micro\\Internet Secuity\\SfCtlCOm.exe" | igfxext.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TmPfw\ImagePath = "C:\\Program Files\\Trend Micro\\Internet Secuity\\SfCtlCOm.exe" | igfxext.exe

resource | yara_rule
behavioral2/files/0x000700000002345d-7.dat | aspack_v212_v242
behavioral2/files/0x0007000000023469-90.dat | aspack_v212_v242
behavioral2/files/0x000700000002345f-75.dat | aspack_v212_v242
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation | sysmss.exe
Executes dropped EXE (2 IoCs)
pid | Process
4384 | sysmss.exe
1944 | igfxext.exe
Loads dropped DLL (17 IoCs)
pid | Process
5080 | regsvr32.exe
4404 | regsvr32.exe
4404 | regsvr32.exe
3284 | regsvr32.exe
4516 | regsvr32.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
4384 | sysmss.exe
2500 | regsvr32.exe
1140 | regsvr32.exe
1140 | regsvr32.exe
1140 | regsvr32.exe
1068 | regsvr32.exe
1068 | regsvr32.exe
2144 | regsvr32.exe
1944 | igfxext.exe
1944 | igfxext.exe
Drops file in Program Files directory (31 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\config.ini | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\readme.txt | igfxext.exe
File created | C:\Program Files (x86)\mui\igfxext.exe | sysmss.exe
File created | C:\Program Files (x86)\Mui\igfxext.exe | igfxext.exe
File opened for modification | C:\Program Files (x86)\Mui\CABARC.EXE | igfxext.exe
File opened for modification | C:\Program Files (x86)\Mui\8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Mui\igfxext.exe | igfxext.exe
File created | C:\Program Files (x86)\Common Files\System\ado\Wuauclt.exe | igfxext.exe
File opened for modification | C:\Program Files (x86)\Mui\config.ini | igfxext.exe
File opened for modification | C:\Program Files (x86)\mui\KVTBF.DLL | igfxext.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\Upload.dll | igfxext.exe
File created | C:\Program Files (x86)\Common Files\System\ado\Wuauclt.exe | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\Wuauclt.exe | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\Upload.dll | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\mui\igfxext.exe | sysmss.exe
File opened for modification | C:\Program Files (x86)\Mui | igfxext.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\Wuauclt.exe | igfxext.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\CABARC.EXE | igfxext.exe
File opened for modification | C:\Program Files (x86)\Mui | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Mui\CABARC.EXE | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\CABARC.EXE | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Mui\sysmss.exe | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File created | C:\Program Files (x86)\Mui\readme.txt | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Mui\readme.txt | igfxext.exe
File created | C:\Program Files (x86)\Mui\8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Mui\config.ini | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File created | C:\Program Files (x86)\Common Files\System\ado\readme.txt | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Mui\sysmss.exe | igfxext.exe
File opened for modification | C:\Program Files (x86)\Mui\Upload.dll | igfxext.exe
File opened for modification | C:\Program Files (x86)\Mui\Upload.dll | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Common Files\System\ado\config.ini | igfxext.exe
Drops file in Windows directory (10 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\REGTOOL5.DLL | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Windows\stdole2.tlb | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Windows\stdole2.tlb | igfxext.exe
File opened for modification | C:\Windows\wshom.ocx | igfxext.exe
File opened for modification | C:\Windows\scrrun.dll | igfxext.exe
File opened for modification | C:\Windows\MSSTDFMT.DLL | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Windows\scrrun.dll | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Windows\wshom.ocx | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
File opened for modification | C:\Windows\MSSTDFMT.DLL | igfxext.exe
File opened for modification | C:\Windows\REGTOOL5.DLL | igfxext.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | sysmss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | igfxext.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\InprocServer32\ = "C:\\Windows\\MSSTDFMT.DLL" | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\CLASSES\HTMLFILE\SCRIPTHOSTENCODE | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0CF774D0-F077-11D1-B1BC-00C04F86C324}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131631-480C-11D2-B1F9-00C04F86C324} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99FF4676-FFC3-11D0-BD02-00C04FC2FB86}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\ = "FileSystem Object" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99FF4676-FFC3-11D0-BD02-00C04FC2FB86}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BCD446B-7095-11D0-9C4E-00AA00BDD685}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1BCD446C-7095-11D0-9C4E-00AA00BDD685}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormats.1 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B263850-900B-11D0-9484-00A0C91110ED}\1.0\0 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1BCD446B-7095-11D0-9C4E-00AA00BDD685}\TypeLib\ = "{1BCD446E-7095-11D0-9C4E-00AA00BDD685}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.asa | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptHostEncode\ = "{85131630-480C-11D2-B1F9-00C04F86C324}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\JSFile\ScriptHostEncode | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\VersionIndependentProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\Version\ = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{699DDBCC-DC7E-11D0-BCF7-00C04FC2FB86}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1BCD446E-7095-11D0-9C4E-00AA00BDD685} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1BCD446B-7095-11D0-9C4E-00AA00BDD685}\TypeLib\ = "{1BCD446E-7095-11D0-9C4E-00AA00BDD685}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\CLSID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{32DA2B15-CFED-11D1-B747-00C04FC2B085} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormats\CLSID\ = "{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\ProgID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\InprocServer32\ = "C:\\Windows\\MSSTDFMT.DLL" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE09B103-97E0-11CF-978F-00A02463E06F}\TypeLib | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode\ = "{0CF774D1-F077-11D1-B1BC-00C04F86C324}" | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\ScriptHostEncode | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32 | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1BCD446C-7095-11D0-9C4E-00AA00BDD685}\TypeLib\ = "{1BCD446E-7095-11D0-9C4E-00AA00BDD685}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{699DDBCC-DC7E-11D0-BCF7-00C04FC2FB86}\InprocServer32 | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\ScriptHostEncode | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1BCD446C-7095-11D0-9C4E-00AA00BDD685} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\VersionIndependentProgID | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ScriptHostEncode | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.cdx | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\REGTool5.Registry\Clsid | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2B11E9B0-9F09-11D0-9484-00A0C91110ED}\Version | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1BCD446C-7095-11D0-9C4E-00AA00BDD685}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{699DDBCC-DC7E-11D0-BCF7-00C04FC2FB86}\InprocServer32\ = "C:\\Windows\\MSSTDFMT.DLL" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataValue.1\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5DE7A180-91B1-11D0-9484-00A0C91110ED}\ = "IStdDataValueDisp" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject\CLSID | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormat\CurVer\ = "MSSTDFMT.StdDataFormat.1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6D835690-900B-11D0-9484-00A0C91110ED}\Programmable | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{699DDBCC-DC7E-11D0-BCF7-00C04FC2FB86} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1BCD446B-7095-11D0-9C4E-00AA00BDD685}\ = "_Registry" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{99FF4677-FFC3-11D0-BD02-00C04FC2FB86}\VersionIndependentProgID\ = "MSSTDFMT.StdDataFormats" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5DE7A180-91B1-11D0-9484-00A0C91110ED} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSSTDFMT.StdDataFormat | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{85131630-480C-11D2-B1F9-00C04F86C324} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1BCD446C-7095-11D0-9C4E-00AA00BDD685}\ProgID | regsvr32.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
4384 | sysmss.exe
4384 | sysmss.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
4384 | sysmss.exe
4384 | sysmss.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
1944 | igfxext.exe
1944 | igfxext.exe
4384 | sysmss.exe
4384 | sysmss.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
1944 | igfxext.exe
1944 | igfxext.exe
4384 | sysmss.exe
4384 | sysmss.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
1944 | igfxext.exe
1944 | igfxext.exe
4384 | sysmss.exe
4384 | sysmss.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
1944 | igfxext.exe
1944 | igfxext.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
4384 | sysmss.exe
4384 | sysmss.exe
1944 | igfxext.exe
1944 | igfxext.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
1944 | igfxext.exe
1944 | igfxext.exe
4384 | sysmss.exe
4384 | sysmss.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
1944 | igfxext.exe
1944 | igfxext.exe
4384 | sysmss.exe
4384 | sysmss.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
1944 | igfxext.exe
1944 | igfxext.exe
4384 | sysmss.exe
4384 | sysmss.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
1944 | igfxext.exe
1944 | igfxext.exe
4384 | sysmss.exe
4384 | sysmss.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (3 IoCs)
pid | Process
972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
4384 | sysmss.exe
1944 | igfxext.exe
Suspicious use of WriteProcessMemory (30 IoCs)
description | pid | Process | procid_target
PID 972 wrote to memory of 5080 | 972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 84
PID 972 wrote to memory of 5080 | 972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 84
PID 972 wrote to memory of 5080 | 972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 84
PID 972 wrote to memory of 4404 | 972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 85
PID 972 wrote to memory of 4404 | 972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 85
PID 972 wrote to memory of 4404 | 972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 85
PID 972 wrote to memory of 3284 | 972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 86
PID 972 wrote to memory of 3284 | 972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 86
PID 972 wrote to memory of 3284 | 972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 86
PID 972 wrote to memory of 4516 | 972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 88
PID 972 wrote to memory of 4516 | 972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 88
PID 972 wrote to memory of 4516 | 972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 88
PID 972 wrote to memory of 4384 | 972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 91
PID 972 wrote to memory of 4384 | 972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 91
PID 972 wrote to memory of 4384 | 972 | 8e52e23315107af7267625ae6585b375_JaffaCakes118.exe | 91
PID 4384 wrote to memory of 1944 | 4384 | sysmss.exe | 92
PID 4384 wrote to memory of 1944 | 4384 | sysmss.exe | 92
PID 4384 wrote to memory of 1944 | 4384 | sysmss.exe | 92
PID 1944 wrote to memory of 2500 | 1944 | igfxext.exe | 93
PID 1944 wrote to memory of 2500 | 1944 | igfxext.exe | 93
PID 1944 wrote to memory of 2500 | 1944 | igfxext.exe | 93
PID 1944 wrote to memory of 1140 | 1944 | igfxext.exe | 94
PID 1944 wrote to memory of 1140 | 1944 | igfxext.exe | 94
PID 1944 wrote to memory of 1140 | 1944 | igfxext.exe | 94
PID 1944 wrote to memory of 1068 | 1944 | igfxext.exe | 95
PID 1944 wrote to memory of 1068 | 1944 | igfxext.exe | 95
PID 1944 wrote to memory of 1068 | 1944 | igfxext.exe | 95
PID 1944 wrote to memory of 2144 | 1944 | igfxext.exe | 96
PID 1944 wrote to memory of 2144 | 1944 | igfxext.exe | 96
PID 1944 wrote to memory of 2144 | 1944 | igfxext.exe | 96
Processes
- C:\Users\Admin\AppData\Local\Temp\8e52e23315107af7267625ae6585b375_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e52e23315107af7267625ae6585b375_JaffaCakes118.exe"
  PID: 972
  Signatures:
  - Adds policy Run key to start application
  - Sets service image path in registry
  - Checks computer location settings
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32 /s C:\Windows\MSSTDFMT.DLL
    PID: 5080
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32 /s C:\Windows\wshom.ocx
    PID: 4404
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32 /s C:\Windows\scrrun.dll
    PID: 3284
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32 /s C:\Windows\REGTOOL5.DLL
    PID: 4516
    Signatures:
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
  - C:\Program Files (x86)\mui\sysmss.exe
    Command line: "C:\Program Files (x86)\mui\sysmss.exe"
    PID: 4384
    Signatures:
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Child processes:
    - C:\Program Files (x86)\mui\igfxext.exe
      Command line: "C:\Program Files (x86)\mui\igfxext.exe"
      PID: 1944
      Signatures:
      - Adds policy Run key to start application
      - Sets service image path in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Child processes:
      - C:\Windows\SysWOW64\regsvr32.exe
        Command line: regsvr32 /s C:\Windows\MSSTDFMT.DLL
        PID: 2500
        Signatures:
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class
      - C:\Windows\SysWOW64\regsvr32.exe
        Command line: regsvr32 /s C:\Windows\wshom.ocx
        PID: 1140
        Signatures:
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\regsvr32.exe
        Command line: regsvr32 /s C:\Windows\scrrun.dll
        PID: 1068
        Signatures:
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class
      - C:\Windows\SysWOW64\regsvr32.exe
        Command line: regsvr32 /s C:\Windows\REGTOOL5.DLL
        PID: 2144
        Signatures:
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 36KB
  MD5: 1d5bb5211488b51bdeeacaead9dab27b
  SHA1: 13f9086aeb6e2684a38ed3dae4112c297e3e3356
  SHA256: 9251ad412e63c920f8ae360beb79e3e7e6a38f047bf965b445044f0402fc8699
  SHA512: 5ab3ff5ef4575dd5538deb22c28fc69b51ba90566f724c72563851adc2b074cb8cc30ccc20a47251d27423b4bb1ce29cd73e5c53e345f66953e87687d14ccb4a
- Filesize: 114KB
  MD5: 9f45990fec1b4415b6ec180cbafba623
  SHA1: 8db7a82151096c36e3fc5ad740bddbe9ffb522b1
  SHA256: 7e25898a5ad104757d9ab2d2b46d839ca646ef3053e3a2bf4479061e639b6985
  SHA512: c65410c6e833c812865dbd386865c1a00222e72879babd0fbc54b333b104db89bb6e8e065a4cb5cc3ebcfb7037957096898f890b4d959126b77d3e510f871560
- Filesize: 392KB
  MD5: 8e52e23315107af7267625ae6585b375
  SHA1: 36a2e290281a2a6a39c763ee22964f206023e861
  SHA256: 889b91ba5fc0b15d338a48d1f8f71d6860ad5aff3e28336c1f43b445e049e383
  SHA512: 5cd4f72645fe8b9a5e3d5fddc29ea4a2d8a6e4c56ed61d7058a6c77940b28b409274f8fda92dccc77e3081cdaeef4e3f81fa321337e14ec8a36625e40d4475a6
- Filesize: 784B
  MD5: 99971d6c478302597afa5dcc6c658edc
  SHA1: cb2d945592b662cf9b7bf4b67ffb59546f6ae0c0
  SHA256: 68b0187adc7b0842e1843e55482618e69e2f9990a34d9f95fa81facef38c513d
  SHA512: bd611ccb7dd0894e99e7c43d53305ec1f284e175b80420f7aeea64f38134c82f2ba4f9bc9e7214933d02846030284e16e3eda1973e536a8ffc5f1f9a132a2f46
- Filesize: 60B
  MD5: 5d813ed34c0ff34684d8c9a86f8af43b
  SHA1: 06101fa8079934e2d3051875c880c0e07458efbd
  SHA256: a3f3b9ee7e6279c47cc92f3d0e9414bc87b6feb024ddcbc52275a47ab8d30dfe
  SHA512: da3437a113e97bb76d58f64df441163a149d777e83677775642cb30a090f7b9f41229d558497cddba2548434c7e72dc33596cfa56696dc03ab26fb4a004edbe7
- Filesize: 40B
  MD5: 4ffa8b4876916115a81642c4be90ea7c
  SHA1: 44e66436fd10dccbefb16f4a4ccab617dc9623c8
  SHA256: abf78384ed9d107c46017b2185e5565bcf8e8a4871502d7bf921a6168bda9793
  SHA512: 8b828d2cb9787b266858ad9a0499f0cc4a2b9cf4e355cef0e71e508a8794bb2b7da8e1ecc10a27f62c99c8403173ca0a72561e2537c87967011ce860b1710170
- Filesize: 72KB
  MD5: b5bb26012ccca79ece9e3a33e1dac6d5
  SHA1: cc58c99ecdd2d6889d96f1169add4ea56bc8f095
  SHA256: 1dd51c8777afe6067b6ba7f40b56ba8b8f82d73d14b6f5cbb4698669659fbfaf
  SHA512: 74f9992602743757792cf87774e315286c1dae868834a67bda719d3eef0c2275578df06ea26f0350c2ba35579dda8ca3b31a541f621e659e2ae61cdcddedea46
- Filesize: 29KB
  MD5: f17ccc7123909fbb13158003edc68034
  SHA1: f06989a733361ea7f8ad464f4233c4103c6f8ef9
  SHA256: 79f4cded8b29ba5e1ada817322268b5aa4bc1593f39ca9c8be514788709d5168
  SHA512: 632eaf9bad7aadb96e82d458885ed60e28c6544949f0af84502f3f10184cbef26f772f5fc2b6e27e4938f8b414384f56dc5579db7f838acc8dcdb631ee5ecb98
- Filesize: 116KB
  MD5: 38950fbc15ea45be9b8988d897007fb1
  SHA1: 5aabb9eff890f63c300e0633028b65cd0a93660e
  SHA256: 73eae3c481beaf127017349e0dd03f023d5ed1888b2333b0d562c2522cd34800
  SHA512: 6a392beeb1563977d4b1b39d683f067a6e3ed6af708c598e87fd234b25220c480d0eb5ff5eaedbc573d31fba3b38f7e82dded38824e30be6c4eeb2e40c9061c2
- Filesize: 32KB
  MD5: c3ab59f59b12d84af6e5d0239568c1b9
  SHA1: 369d577ffb177d1fd5cd08f4c09861952c030834
  SHA256: 5867810967f63871ec9c34c7aa9e4dd8fdf930438e951c621edbf7ec65d0eb67
  SHA512: 840fb4202ca42cb44ff60953f2e6c0a562c6499555def142273b6f3f2e98fbbc5f2e9ce9cff78b918fe5a8279be179d2e41ba75d24efea33afc9bf7279fd12c1
- Filesize: 148KB
  MD5: 02016b635e1951eb7ce5d434639e08fc
  SHA1: dc16249731679f03fd6c7ffef1d02c95d9a0d9b7
  SHA256: 8648112f8908d98beb1f69bc6a3e8a3e3f115805caf322c75f1034b91ab810a7
  SHA512: 50b5766438fc0ec10fcc81cc91cdb463e0286502c386522ce7657d17faca4a40474c74c4cb8ce76e640f772b2cf82975a4db0c10f63ded9085d89f01149eb841
- Filesize: 17KB
  MD5: 0857394e30de11ca0cd9497e310d6469
  SHA1: ba35fba3e44040e7b891fa814dceff94d1c1b114
  SHA256: e2b26b1ad2d439dded0799d195ca918a03ccf22146690577e2704f871c098426
  SHA512: 05309e02b7c427f379f3235d2d7398d53ee35b3f1f9d7f28ad72607c82e0af6163a2def42734666f7e1fd0b67395031632aff9c9af36fb30c0175fad145f1185
- Filesize: 96KB
  MD5: 45a87dbbfb14ff12b81e166147799c81
  SHA1: 95100c112ecaad15b4cd652b99c588f00e6e636b
  SHA256: e102483d03588447dbf8efdf1bac54ebf1458c50429e39c76c20209b501bae18
  SHA512: d1d6727fc418ba47d3dec2795906897579ac1abafbe935b077de307e967c34a13e7814ed50f9c517b6cb08753c01f064465d7a72615435bdb9bff314c88de228