0213911d2c7c14b6b76ddc7b4afe22fb6c7d66d256bbd51e1a7cdc106ebe4d8f

General

Target

ad30a145446053746e47121f02acb1c2_JaffaCakes118.exe
Size

64KB
MD5

ad30a145446053746e47121f02acb1c2
SHA1

b8fed7c6f8d4717c245807639314c8a2d3f63082
SHA256

0213911d2c7c14b6b76ddc7b4afe22fb6c7d66d256bbd51e1a7cdc106ebe4d8f
SHA512

6ae6fd66f78f96cf3b011c4617aa4c3dd47212915689808401cd6a33f6fbe416cec83713e9662c48c3313fe8aa9764ddd4c51f8a897819e3425ed28d00ba9633
SSDEEP

1536:jfbqmKdtRLgNCAlmFuRCwO7KDUpvSBFdC6QS:jflKdrHJuXO7KDi6XCjS

Score

10^/10

aspackv2 discovery persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ad30a145446053746e47121f02acb1c2_JaffaCakes118.exespoollb.exespoollb.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoollb.exe"	ad30a145446053746e47121f02acb1c2_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoollb.exe"	spoollb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe spoollb.exe"	spoollb.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Windows\spoollb.exe	aspack_v212_v242

Executes dropped EXE 2 IoCs

Processes:

spoollb.exespoollb.exe

pid process

3028 spoollb.exe
2728 spoollb.exe

pid	process
3028	spoollb.exe
2728	spoollb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ad30a145446053746e47121f02acb1c2_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Service Host = "C:\\Windows\\spoollb.exe"	ad30a145446053746e47121f02acb1c2_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

Processes:

spoollb.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	spoollb.exe

Drops file in Program Files directory 64 IoCs

Processes:

spoollb.exe

description	ioc	process
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsColorChart.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsPreviewTemplateRTL.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OUTLFLTR.DAT	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Document Parts\1033\14\Built-In Building Blocks.dotx	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePage.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPreviewTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OCRHC.DAT	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHSRN.DAT	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsImageTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPrintTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsVersion1Warning.htm	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Newsprint.dotx	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBrowserUpgrade.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ENGIDX.DAT	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\JFONT.DAT	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Elegant.dotx	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Fancy.dotx	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBrowserUpgrade.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsDoNotTrust.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsColorChart.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsFormTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewFrame.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsFormTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Modern.dotx	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PROTTPLV.DOC	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsBlankPage.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsVersion1Warning.htm	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsPreviewTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Manuscript.dotx	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsPrintTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPreviewTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsVersion1Warning.htm	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Formal.dotx	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBrowserUpgrade.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsImageTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OSPP.HTM	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsMacroTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Classic.dotx	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHLEX.DAT	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewFrame.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewFrame.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsHomePage.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsImageTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsMacroTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OCRVC.DAT	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\DefaultBlackAndWhite.dotx	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Simple.dotx	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsBlankPage.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsMacroTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHKEY.DAT	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsBlankPage.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Default.dotx	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Distinctive.dotx	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Thatch.dotx	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\OUTFORM.DAT	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsPrintTemplate.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsColorChart.html	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\QuickStyles\Perspective.dotx	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\1033\PSRCHPHN.DAT	spoollb.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePage.html	spoollb.exe

Drops file in Windows directory 64 IoCs

Processes:

spoollb.exespoollb.exead30a145446053746e47121f02acb1c2_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\svchost.exe	spoollb.exe
File created	C:\Windows\message.dat	spoollb.exe
File created	C:\Windows\mstorvil\McAfee VirusScan Home Edition 2004 Crack.exe	spoollb.exe
File created	C:\Windows\mstorvil\FormsFormTemplate.html	spoollb.exe
File created	C:\Windows\mstorvil\FormsFormTemplateRTL.html	spoollb.exe
File created	C:\Windows\message.htm	spoollb.exe
File created	C:\Windows\mstorvil\McAfee Personal Firewall Plus 2004 Crack.exe	spoollb.exe
File opened for modification	C:\Windows\mstorvil\BearShare Pro 4.3.0 Crack.exe	spoollb.exe
File opened for modification	C:\Windows\mstorvil\FormsColorChart.html	spoollb.exe
File opened for modification	C:\Windows\mstorvil\FormsFormTemplate.html	spoollb.exe
File created	C:\Windows\mstorvil\Macromedia Contribute 2 Crack.exe	spoollb.exe
File opened for modification	C:\Windows\mstorvil\FormsMacroTemplate.html	spoollb.exe
File created	C:\Windows\mstorvil\FormsPreviewTemplateRTL.html	spoollb.exe
File created	C:\Windows\mstorvil\FormsPrintTemplateRTL.html	spoollb.exe
File opened for modification	C:\Windows\mstorvil\Microsoft Office System Professional V2003 Keygen.exe	spoollb.exe
File created	C:\Windows\mstorvil\Macromedia Studio MX 2004 AllApps Crack.exe	spoollb.exe
File created	C:\Windows\mstorvil\CLNTWRAP.HTM	spoollb.exe
File opened for modification	C:\Windows\mstorvil\FormsBlankPage.html	spoollb.exe
File created	C:\Windows\mstorvil\FormsImageTemplate.html	spoollb.exe
File opened for modification	C:\Windows\mstorvil\Sophos AntiVirus v3.74 Keygen.exe	spoollb.exe
File opened for modification	C:\Windows\mstorvil\NHL 2004 Keygen.exe	spoollb.exe
File created	C:\Windows\mstorvil\NetObjects Fusion v7.5 Crack.exe	spoollb.exe
File opened for modification	C:\Windows\mstorvil\	spoollb.exe
File opened for modification	C:\Windows\mstorvil\TVTool v8.31 Crack.exe	spoollb.exe
File created	C:\Windows\mstorvil\FormsColorChart.html	spoollb.exe
File created	C:\Windows\mstorvil\FormsMacroTemplate.html	spoollb.exe
File opened for modification	C:\Windows\mstorvil\FormsVersion1Warning.htm	spoollb.exe
File created	C:\Windows\mstorvil\TVTool v8.31 Crack.exe	spoollb.exe
File created	C:\Windows\mstorvil\McAfee SpamKiller 2004 Keygen.exe	spoollb.exe
File opened for modification	C:\Windows\mstorvil\FormsViewTemplate.html	spoollb.exe
File created	C:\Windows\mstorvil\OSPP.HTM	spoollb.exe
File opened for modification	C:\Windows\spoollb.exe	ad30a145446053746e47121f02acb1c2_JaffaCakes118.exe
File opened for modification	C:\Windows\svchost.exe	spoollb.exe
File opened for modification	C:\Windows\mstorvil\Macromedia Studio MX 2004 AllApps Keygen.exe	spoollb.exe
File created	C:\Windows\mstorvil\FormsHomePage.html	spoollb.exe
File opened for modification	C:\Windows\mstorvil\Macromedia Contribute 2 Crack.exe	spoollb.exe
File created	C:\Windows\mstorvil\FormsBrowserUpgrade.html	spoollb.exe
File opened for modification	C:\Windows\mstorvil\FormsPrintTemplate.html	spoollb.exe
File created	C:\Windows\mstorvil\FormsViewTemplate.html	spoollb.exe
File opened for modification	C:\Windows\mstorvil\FormsViewFrame.html	spoollb.exe
File opened for modification	C:\Windows\mstorvil\NetObjects Fusion v7.5 Crack.exe	spoollb.exe
File created	C:\Windows\spoollb.exe	ad30a145446053746e47121f02acb1c2_JaffaCakes118.exe
File created	C:\Windows\spoollb.exe	spoollb.exe
File opened for modification	C:\Windows\mstorvil\McAfee SpamKiller 2004 Keygen.exe	spoollb.exe
File created	C:\Windows\mstorvil\FormsBlankPage.html	spoollb.exe
File created	C:\Windows\mstorvil\FormsPreviewTemplate.html	spoollb.exe
File opened for modification	C:\Windows\mstorvil\FormsImageTemplate.html	spoollb.exe
File opened for modification	C:\Windows\mstorvil\McAfee VirusScan Home Edition 2004 Keygen.exe	spoollb.exe
File created	C:\Windows\mstorvil\Macromedia Studio MX 2004 AllApps Keygen.exe	spoollb.exe
File opened for modification	C:\Windows\mstorvil\McAfee Personal Firewall Plus 2004 Crack.exe	spoollb.exe
File opened for modification	C:\Windows\mstorvil\FormsHomePage.html	spoollb.exe
File created	C:\Windows\spoollb.exe	spoollb.exe
File created	C:\Windows\mstorvil\Microsoft Office System Professional V2003 Keygen.exe	spoollb.exe
File created	C:\Windows\mstorvil\FormsDoNotTrust.html	spoollb.exe
File created	C:\Windows\mstorvil\FormsVersion1Warning.htm	spoollb.exe
File created	C:\Windows\mstorvil\Sophos AntiVirus v3.74 Keygen.exe	spoollb.exe
File created	C:\Windows\svchost.exe	ad30a145446053746e47121f02acb1c2_JaffaCakes118.exe
File created	C:\Windows\mstorvil\BearShare Pro 4.3.0 Crack.exe	spoollb.exe
File opened for modification	C:\Windows\mstorvil\McAfee VirusScan Home Edition 2004 Crack.exe	spoollb.exe
File opened for modification	C:\Windows\mstorvil\Macromedia Studio MX 2004 AllApps Crack.exe	spoollb.exe
File created	C:\Windows\mstorvil\FormsViewFrame.html	spoollb.exe
File opened for modification	C:\Windows\mstorvil\FormsBrowserUpgrade.html	spoollb.exe
File opened for modification	C:\Windows\mstorvil\FormsPreviewTemplate.html	spoollb.exe
File opened for modification	C:\Windows\mstorvil\	ad30a145446053746e47121f02acb1c2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2736 2728 WerFault.exe spoollb.exe

pid	pid_target	process	target process
2736	2728	WerFault.exe	spoollb.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ad30a145446053746e47121f02acb1c2_JaffaCakes118.exespoollb.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad30a145446053746e47121f02acb1c2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	spoollb.exe

Modifies data under HKEY_USERS 45 IoCs

Processes:

spoollb.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Shared\OfficeUILanguage = "1033"	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources	spoollb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UISnapshot = 31003000330033000000	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Shared	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	spoollb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\InfoPathChangeInstallLanguage = "No"	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	spoollb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PublisherChangeInstallLanguage = "No"	spoollb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\LangTuneUp = "OfficeCompleted"	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\14.0\Common\LanguageResources	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	spoollb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\HelpFallback = 30003b0031003000330033000000	spoollb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\HelpLanguage = "1033"	spoollb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\AccessChangeInstallLanguage = "No"	spoollb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\1033 = "On"	spoollb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UIFallback = 30003b0031003000330033000000	spoollb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\XLChangeInstallLanguage = "No"	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	spoollb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	spoollb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\InstallLanguage = "1033"	spoollb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordChangeInstallLanguage = "No"	spoollb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OutlookChangeInstallLanguage = "No"	spoollb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\OneNoteChangeInstallLanguage = "No"	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	spoollb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WinXPLanguagePatch = "1"	spoollb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\SharePointDesignerChangeInstallLanguage = "No"	spoollb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\ProjectChangeInstallLanguage = "No"	spoollb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion	spoollb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{40DD6E20-7C17-11CE-A804-00AA003CA9F6} {000214FC-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000c039d85897f2da01	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common	spoollb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WordMailChangeInstallLanguage = "No"	spoollb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PPTChangeInstallLanguage = "No"	spoollb.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\WebDesignerChangeInstallLanguage = "No"	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office	spoollb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\UILanguage = "1033"	spoollb.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Office\14.0\Common\LanguageResources\PreviousInstallLanguage = "1033"	spoollb.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem	spoollb.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	spoollb.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

spoollb.exe

pid process

2728 spoollb.exe

pid	process
2728	spoollb.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

ad30a145446053746e47121f02acb1c2_JaffaCakes118.exespoollb.exe

description	pid	process	target process
PID 2168 wrote to memory of 3028	2168	ad30a145446053746e47121f02acb1c2_JaffaCakes118.exe	spoollb.exe
PID 2168 wrote to memory of 3028	2168	ad30a145446053746e47121f02acb1c2_JaffaCakes118.exe	spoollb.exe
PID 2168 wrote to memory of 3028	2168	ad30a145446053746e47121f02acb1c2_JaffaCakes118.exe	spoollb.exe
PID 2168 wrote to memory of 3028	2168	ad30a145446053746e47121f02acb1c2_JaffaCakes118.exe	spoollb.exe
PID 2728 wrote to memory of 2736	2728	spoollb.exe	WerFault.exe
PID 2728 wrote to memory of 2736	2728	spoollb.exe	WerFault.exe
PID 2728 wrote to memory of 2736	2728	spoollb.exe	WerFault.exe
PID 2728 wrote to memory of 2736	2728	spoollb.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\ad30a145446053746e47121f02acb1c2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad30a145446053746e47121f02acb1c2_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168

C:\Windows\spoollb.exe
"C:\Windows\spoollb.exe" -i
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in Windows directory
PID:3028

C:\Windows\spoollb.exe
C:\Windows\spoollb.exe -s
1⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 988
2⤵
- Program crash
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\mstorvil\CLNTWRAP.HTM

Filesize
88KB

MD5
388645bbf8db204febe3babc9bdeffa2

SHA1
dc1eaa32224028fe0cfbacf20ed16f5ccb12779b

SHA256
ae023d3b0edb15d3f8282cff2d6587bb6805abd0be330e129061628a61420fb2

SHA512
9de36a056ecc42e7b81fcf252961814a040e163d0256c7a23a1383f32771f643a5a8262a22dfc06fdccb55bd3776d19088fe260c2b5b166e5199e2eefcce1dfc

Download Submit
C:\Windows\spoollb.exe

Filesize
64KB

MD5
ad30a145446053746e47121f02acb1c2

SHA1
b8fed7c6f8d4717c245807639314c8a2d3f63082

SHA256
0213911d2c7c14b6b76ddc7b4afe22fb6c7d66d256bbd51e1a7cdc106ebe4d8f

SHA512
6ae6fd66f78f96cf3b011c4617aa4c3dd47212915689808401cd6a33f6fbe416cec83713e9662c48c3313fe8aa9764ddd4c51f8a897819e3425ed28d00ba9633

Download Submit
C:\torvil.log

Filesize
4KB

MD5
32f28a09c0cdd081658a4a57e44761c4

SHA1
54920c0f9c65cb1e7876e62f0527489771134197

SHA256
6ef6fcad6f7ba954604cdf607623102c870bcff875ee11b3d0138d69b78e596d

SHA512
edcfc95a26c0876b80a4b688c8902e415689c0343791a065181859a6b66dbd2a239ea96b4043787349a358afd2e4dd91974d14e181ca511f0f87115e5d786f69

Download Submit
C:\torvil.log

Filesize
774B

MD5
3fe91747ca5318f5881c7722f01843fe

SHA1
29330d9fb9469b3f10a1aa951e324127f1508d56

SHA256
c095b05b96960abf26b5936ab2c9958c1a4ae4c5aaa8591a9f24671ff5235634

SHA512
64dd31795dfbfd5d0576392810604f8bd613e88ea5537f3b93ed1a0fca925bd3362872c17adb8b928a7019692f67c9082cb78490e7b63bf697bdbd4d0e1cff78

Download Submit
memory/2168-528-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2728-577-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2728-1793-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2728-1891-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2728-1910-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2728-1945-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/2728-1947-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download
memory/3028-10-0x0000000000400000-0x0000000000521000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads