1212e177454b1ffa0e50e35281f6061133b6707faada829852a408020fbba615

Analysis

max time kernel
130s
max time network
145s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20-08-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
Size

38KB
MD5

ad7957ed9393e8548de6f18b2a665103
SHA1

61236345a9758b9f751ac00d7b99ddd7c8d3e34e
SHA256

1212e177454b1ffa0e50e35281f6061133b6707faada829852a408020fbba615
SHA512

f54a8881e04e0c84c4b40ca28441b4bff3610716557fc74ae85365f06989ec97abb01a70a593f53ad1c7bbf9ba72c6ecc92344b6932f7b7a7d367e1ff59265fb
SSDEEP

768:ecNnfawyp9q44b54VaSpalGg/o+pBBr8tyJ7OoW3KcW19:eA7ypI4qOCzJfJU3u9

Score

7^/10

adware discovery evasion execution persistence stealer trojan

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}	regsvr32.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\0P96AZVT6F\308C0AP.EXE	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
File opened for modification	C:\Program Files\0P96AZVT6F\308C0AP.EXE	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\BXRRMKYSBYCQOG.txt	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
File created	C:\Windows\BXRRMKYSBYCQOG.dll	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 30 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript.Encode"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4D5CFEFD-B746-58EA-C282-C970A5E9E068}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{4D5CFEFD-B746-58EA-C282-C970A5E9E068}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\SysWOW64\\jscript.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript Author"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	regsvr32.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
2780	reg.exe
3000	reg.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2436	2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2436	2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2436	2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2436	2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2436	2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2436	2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2436	2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	31
PID 2712 wrote to memory of 2364	2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	32
PID 2712 wrote to memory of 2364	2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	32
PID 2712 wrote to memory of 2364	2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	32
PID 2712 wrote to memory of 2364	2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	32
PID 2712 wrote to memory of 1636	2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	33
PID 2712 wrote to memory of 1636	2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	33
PID 2712 wrote to memory of 1636	2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	33
PID 2712 wrote to memory of 1636	2712	ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe	33
PID 1636 wrote to memory of 2900	1636	cmd.exe	36
PID 1636 wrote to memory of 2900	1636	cmd.exe	36
PID 1636 wrote to memory of 2900	1636	cmd.exe	36
PID 1636 wrote to memory of 2900	1636	cmd.exe	36
PID 1636 wrote to memory of 2900	1636	cmd.exe	36
PID 1636 wrote to memory of 2900	1636	cmd.exe	36
PID 1636 wrote to memory of 2900	1636	cmd.exe	36
PID 2364 wrote to memory of 2924	2364	cmd.exe	37
PID 2364 wrote to memory of 2924	2364	cmd.exe	37
PID 2364 wrote to memory of 2924	2364	cmd.exe	37
PID 2364 wrote to memory of 2924	2364	cmd.exe	37
PID 2364 wrote to memory of 2924	2364	cmd.exe	37
PID 2364 wrote to memory of 2924	2364	cmd.exe	37
PID 2364 wrote to memory of 2924	2364	cmd.exe	37
PID 1636 wrote to memory of 2780	1636	cmd.exe	38
PID 1636 wrote to memory of 2780	1636	cmd.exe	38
PID 1636 wrote to memory of 2780	1636	cmd.exe	38
PID 1636 wrote to memory of 2780	1636	cmd.exe	38
PID 2364 wrote to memory of 3000	2364	cmd.exe	39
PID 2364 wrote to memory of 3000	2364	cmd.exe	39
PID 2364 wrote to memory of 3000	2364	cmd.exe	39
PID 2364 wrote to memory of 3000	2364	cmd.exe	39
PID 1636 wrote to memory of 2732	1636	cmd.exe	40
PID 1636 wrote to memory of 2732	1636	cmd.exe	40
PID 1636 wrote to memory of 2732	1636	cmd.exe	40
PID 1636 wrote to memory of 2732	1636	cmd.exe	40
PID 1636 wrote to memory of 2732	1636	cmd.exe	40
PID 1636 wrote to memory of 2732	1636	cmd.exe	40
PID 1636 wrote to memory of 2732	1636	cmd.exe	40
PID 2364 wrote to memory of 2760	2364	cmd.exe	41
PID 2364 wrote to memory of 2760	2364	cmd.exe	41
PID 2364 wrote to memory of 2760	2364	cmd.exe	41
PID 2364 wrote to memory of 2760	2364	cmd.exe	41
PID 2364 wrote to memory of 2760	2364	cmd.exe	41
PID 2364 wrote to memory of 2760	2364	cmd.exe	41
PID 2364 wrote to memory of 2760	2364	cmd.exe	41
PID 1636 wrote to memory of 2500	1636	cmd.exe	42
PID 1636 wrote to memory of 2500	1636	cmd.exe	42
PID 1636 wrote to memory of 2500	1636	cmd.exe	42
PID 1636 wrote to memory of 2500	1636	cmd.exe	42
PID 2364 wrote to memory of 2996	2364	cmd.exe	43
PID 2364 wrote to memory of 2996	2364	cmd.exe	43
PID 2364 wrote to memory of 2996	2364	cmd.exe	43
PID 2364 wrote to memory of 2996	2364	cmd.exe	43
PID 1636 wrote to memory of 2744	1636	cmd.exe	44
PID 1636 wrote to memory of 2744	1636	cmd.exe	44
PID 1636 wrote to memory of 2744	1636	cmd.exe	44
PID 1636 wrote to memory of 2744	1636	cmd.exe	44
PID 2364 wrote to memory of 2504	2364	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad7957ed9393e8548de6f18b2a665103_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\BXRRMKYSBYCQOG.dll"
  2⤵
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2436
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\GSNX1DDCN.BAT" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s msvidctl.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2924
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3000
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2760
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2996
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2504
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2948
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2832
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2656
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2764
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2740
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2908
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1524
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\GSNX1DDCN.BAT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s msvidctl.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2900
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2780
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2732
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2500
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2744
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2932
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2840
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2652
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2792
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1316
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2632
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2040
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GSNX1DDCN.BAT

Filesize
1KB

MD5
39738ae0a11bb14a55dc0b4c915dd712

SHA1
4dbba6ec5c40a5ba477ed53af9b1a6a43d67c1ed

SHA256
8bbeab6abb20ca78e75ca611e0617b2d5364df2742f0bb6011fdd7b56b07a533

SHA512
87b2e24aa2446cfae60e1266d37e2696a6d633bd056c64be15b90d38fb1573e88d35dbcb4ebafef5ea58def118fbeb3a8979a0d918a7b95c247b998a842c181a

Download Submit
C:\Windows\BXRRMKYSBYCQOG.dll

Filesize
28KB

MD5
6bac5f7e22a8ff799e0f1c4f8d7b457f

SHA1
a6d290d7eed0aebdca77607e4e1bf170b73c1c21

SHA256
e59bcdf77a7167979f63b3a0e26320c30d469d8e26a2197ae8f15f1726c747f6

SHA512
368a2f7dc137c6766867c2b04dc6017228a43238748b061bd36c18b25a60d0ad943b4d4b0598fc40bd568b9ab274dd87e49a518a1e9149ccd0284b28b408b40c

Download Submit
C:\Windows\BXRRMKYSBYCQOG.txt

Filesize
38KB

MD5
feac69776b79259a45af2f2098c778c8

SHA1
3f6a7f1673078d306f439b17f983837917f5b707

SHA256
1d296e72810ea2d3c74f48f2fc9242416f3a4353201cb61bd5a29dbb2cc52b1c

SHA512
671d58071f0c8778a41689b9ad34426c940dad0d282025a1f1e0b2ae4a15b0c5b4c036c19c76099375f06a0e40503a0f9eb34ebe21133b4586c101ae3158366f

Download Submit
\Program Files\0P96AZVT6F\308C0AP.EXE

Filesize
38KB

MD5
ad7957ed9393e8548de6f18b2a665103

SHA1
61236345a9758b9f751ac00d7b99ddd7c8d3e34e

SHA256
1212e177454b1ffa0e50e35281f6061133b6707faada829852a408020fbba615

SHA512
f54a8881e04e0c84c4b40ca28441b4bff3610716557fc74ae85365f06989ec97abb01a70a593f53ad1c7bbf9ba72c6ecc92344b6932f7b7a7d367e1ff59265fb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads