174bfeae6fd9727394db8589004b3697300f31c0901f1405489e002e1b24db03

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

afe4b586a33de273005809d401822359_JaffaCakes118.exe
Size

655KB
MD5

afe4b586a33de273005809d401822359
SHA1

3fdd9692f0732ad49e33782129b957a3354c78eb
SHA256

174bfeae6fd9727394db8589004b3697300f31c0901f1405489e002e1b24db03
SHA512

16a350599722381de330a191f3f91dd3d0ba3c73fae7892df858f04e762f4342c730b1851d3b6026c9fba7e710356f8924057aef5b543cd19462dd08438c9fef
SSDEEP

12288:Xck0M41v5UJzb/ef6nyai9hbogwa7ht7z1sjACmAw18sarRgK:XctMeAz7utogh7hpz1scB1aV

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2396	OnKeySvr_hkbea.exe

Loads dropped DLL 16 IoCs

pid	Process
2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe
2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe
2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe
2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe
2396	OnKeySvr_hkbea.exe
2396	OnKeySvr_hkbea.exe
2396	OnKeySvr_hkbea.exe
2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe
2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe
2600	regsvr32.exe
2644	regsvr32.exe
2664	regsvr32.exe
2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe
2664	regsvr32.exe
2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe
2396	OnKeySvr_hkbea.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OnKeySvr_hkbea.exe = "C:\\Windows\\system32\\OnKeySvr_hkbea.exe"	afe4b586a33de273005809d401822359_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ie7_tdr.reg	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\ie6_tdr.reg	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OnKeyDev01_hkbea.dll	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OnKeySvr_hkbea.exe	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Root.reg	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OnKeyCloseSvr.vbs	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetSignRes_E.dll	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OnKeyToken_hkbea.dll	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OnKeyP11_hkbea.dll	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OnKeyCSP_hkbeas.dll	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OnKeyCsp_hkbea.dll	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\TdrCOM_User.dll	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ie7_tdr.reg	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ie6_tdr.reg	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Root.reg	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OnKeyTools_hkbea.exe	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\OnKeyPinpad_hkbea.dll	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\OnKeyPinpad_hkbea.dll	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\safeInput4bea.dll	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetSignRes_C.dll	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\NetSign20.dll	afe4b586a33de273005809d401822359_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\HKBEA\unInstall.exe	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Program Files (x86)\HKBEA\OnKeyTools_hkbea.exe	afe4b586a33de273005809d401822359_JaffaCakes118.exe
File created	C:\Program Files (x86)\HKBEA\hkbea.ico	afe4b586a33de273005809d401822359_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	afe4b586a33de273005809d401822359_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OnKeySvr_hkbea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SafeSetInput.Submit.1\ = "Submit Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C18DF7A0-8662-11D3-9285-0080ADB811C5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECCBA952-80E5-11D3-9285-0080ADB811C5}\ = "IsafeInput"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{454E34B5-B609-4ED5-970F-CB1F3BF8576F}\ = "IInfoSecNetSign"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECCBA956-80E5-11D3-9285-0080ADB811C9}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECCBA956-80E5-11D3-9285-0080ADB811C9}\verb	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3CD7F74-93C9-4BC4-B892-CCDF1514F714}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECCBA952-80E5-11D3-9285-0080ADB811C5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{454E34B5-B609-4ED5-970F-CB1F3BF8576F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECCBA956-80E5-11D3-9285-0080ADB811C9}\ToolboxBitmap32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECCBA956-80E5-11D3-9285-0080ADB811C9}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3B938C4-4190-4F37-8CF0-A92B0A91CC77}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67AFB7BA-BDBE-47FD-BE57-CF061A4B3D7E}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\safeSetInput.safeInput.1\ = "safeInput Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\safeSetInput.safeInput.1\Insertable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3B938C4-4190-4F37-8CF0-A92B0A91CC77}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetSign.InfoSecNetSign2.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECCBA956-80E5-11D3-9285-0080ADB811C9}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C18DF7A0-8662-11D3-9285-0080ADB811C5}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECCBA952-80E5-11D3-9285-0080ADB811C5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{454E34B5-B609-4ED5-970F-CB1F3BF8576F}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECCBA956-80E5-11D3-9285-0080ADB811C9}\MiscStatus	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECCBA946-80E5-11D3-9285-0080ADB811C5}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6013035-56C1-4B7E-8633-BF8C75A1EF28}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{67AFB7BA-BDBE-47FD-BE57-CF061A4B3D7E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECCBA946-80E5-11D3-9285-0080ADB811C5}\1.0\ = "safeSetInput 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0629A1D4-EA02-41C7-8F41-9E39E7F3A370}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ECCBA946-80E5-11D3-9285-0080ADB811C5}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3B938C4-4190-4F37-8CF0-A92B0A91CC77}\Insertable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AB9D6864-CAE2-41A4-A2EF-53BAA60D9508}\1.0\ = "NetSign 2.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ECCBA954-80E5-11D3-9285-0080ADB811C5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1E6968EC-76B6-41A8-A658-68882F85FFAD}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECCBA956-80E5-11D3-9285-0080ADB811C9}\ = "safeInput Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECCBA956-80E5-11D3-9285-0080ADB811C9}\ProgID\ = "safeSetInput.safeInput.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetSign.InfoSecNetSign2.1\CLSID\ = "{B3B938C4-4190-4F37-8CF0-A92B0A91CC77}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SafeSetInput.Submit.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6013035-56C1-4B7E-8633-BF8C75A1EF28}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECCBA954-80E5-11D3-9285-0080ADB811C5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECCBA956-80E5-11D3-9285-0080ADB811C9}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580D222-DDAE-49DB-B212-1E2BCF5913F7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0629A1D4-EA02-41C7-8F41-9E39E7F3A370}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{534EAD6E-D2BF-4D3E-96CA-0387577374BA}\TypeLib\ = "{ECCBA946-80E5-11D3-9285-0080ADB811C5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECCBA956-80E5-11D3-9285-0080ADB811C9}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\safeInput4bea.dll, 101"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{454E34B5-B609-4ED5-970F-CB1F3BF8576F}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECCBA956-80E5-11D3-9285-0080ADB811C9}\verb\2\ = "&About,0,2"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SafeSetInput.Submit	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3CD7F74-93C9-4BC4-B892-CCDF1514F714}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3B938C4-4190-4F37-8CF0-A92B0A91CC77}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C18DF7A0-8662-11D3-9285-0080ADB811C5}\TypeLib\ = "{ECCBA946-80E5-11D3-9285-0080ADB811C5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECCBA956-80E5-11D3-9285-0080ADB811C9}\Insertable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A3CD7F74-93C9-4BC4-B892-CCDF1514F714}\TypeLib\ = "{46F80E18-FA4A-4225-BC81-DE7BEA05E464}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECCBA952-80E5-11D3-9285-0080ADB811C5}\TypeLib\ = "{ECCBA946-80E5-11D3-9285-0080ADB811C5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{67AFB7BA-BDBE-47FD-BE57-CF061A4B3D7E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SafeSetInput.Submit\ = "Submit Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C18DF7A0-8662-11D3-9285-0080ADB811C5}\TypeLib\ = "{ECCBA946-80E5-11D3-9285-0080ADB811C5}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\BEATdrUserCom.DLL	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ECCBA956-80E5-11D3-9285-0080ADB811C9}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SafeSetInput.Submit\CurVer\ = "SafeSetInput.Submit.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3B938C4-4190-4F37-8CF0-A92B0A91CC77}\TypeLib\ = "{AB9D6864-CAE2-41A4-A2EF-53BAA60D9508}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1E6968EC-76B6-41A8-A658-68882F85FFAD}\TypeLib\ = "{ECCBA946-80E5-11D3-9285-0080ADB811C5}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4B3893E0-A055-47DF-9896-2FBFB39A63B1}\ = "BEATdrUserCom"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0629A1D4-EA02-41C7-8F41-9E39E7F3A370}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B3B938C4-4190-4F37-8CF0-A92B0A91CC77}\MiscStatus\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ECCBA954-80E5-11D3-9285-0080ADB811C5}\TypeLib	regsvr32.exe

Runs .reg file with regedit 2 IoCs

pid	Process
2788	regedit.exe
2700	regedit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2788	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2788	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2788	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2788	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2700	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2700	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2700	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2700	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	31
PID 2092 wrote to memory of 2396	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2396	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2396	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2396	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	32
PID 2092 wrote to memory of 2644	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2644	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2644	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2644	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2644	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2644	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2644	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	33
PID 2092 wrote to memory of 2600	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	34
PID 2092 wrote to memory of 2600	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	34
PID 2092 wrote to memory of 2600	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	34
PID 2092 wrote to memory of 2600	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	34
PID 2092 wrote to memory of 2600	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	34
PID 2092 wrote to memory of 2600	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	34
PID 2092 wrote to memory of 2600	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	34
PID 2092 wrote to memory of 2664	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	35
PID 2092 wrote to memory of 2664	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	35
PID 2092 wrote to memory of 2664	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	35
PID 2092 wrote to memory of 2664	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	35
PID 2092 wrote to memory of 2664	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	35
PID 2092 wrote to memory of 2664	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	35
PID 2092 wrote to memory of 2664	2092	afe4b586a33de273005809d401822359_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\afe4b586a33de273005809d401822359_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\afe4b586a33de273005809d401822359_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /S C:\Windows\system32/Root.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2788
- C:\Windows\SysWOW64\regedit.exe
  regedit.exe /S C:\Windows\system32/ie6_tdr.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:2700
- C:\Windows\SysWOW64\OnKeySvr_hkbea.exe
  C:\Windows\system32/OnKeySvr_hkbea.exe /instrootcert
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2396
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s /i TdrCom_User.dll
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2644
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s /i safeInput4bea.dll
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2600
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s /i NetSign20.dll
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\NetSign20.dll

Filesize
265KB

MD5
f221226df4c526b87749ce4a74c4e3d0

SHA1
e9fceedb9832840fe3dda88646ece0da2099a329

SHA256
a62cb15a4925525afe10ddb49bc45de191641d66b8250366f2cbc5911a34c91f

SHA512
318b6add6570ac1c5788b2bf3e4756bd3ba16e1a0dd3528623bf302018c66f367a55fccf0eaf575097a8543f4462e345ab7917bf56d0307e6d19935d3a25969e

Download Submit
C:\Windows\SysWOW64\OnKeyCsp_HKBEA.dll

Filesize
76KB

MD5
acf48e954545272a2da906596e3810b9

SHA1
ba1138bdfbff28e29bdaa5fa9d1fc7872cbe44d3

SHA256
738cc797c48f1c7112e9be886ce81e337f5737f82fce5da9aa1f3d690eca8be1

SHA512
5efefc73fb3450b468cde0e25496e43f1773aaad7e4654d393122e5ebd57e983b6b216c73e7f87b838e1a88b0d9d8c619461e641aec60dc4eb24a291c6862a40

Download Submit
C:\Windows\SysWOW64\OnKeyDev01_hkbea.dll

Filesize
84KB

MD5
5252f4e53bb0acad2f33b73d2034e38a

SHA1
7e7c9e723203545703ad57a4f9b982fd125cb289

SHA256
11b88811419b63a0fba67bdf86b02e1710a2848f8043bf880c861860db5594fd

SHA512
5a3e0b235306ca4d1863eb7e6248520e825d60bd707cfd98b4c71c4765a2074686a49f1582fe552080d9f7b3be12758683f4860486f56550c6385d6d452a2aaf

Download Submit
C:\Windows\SysWOW64\OnKeyPinpad_hkbea.dll

Filesize
256KB

MD5
f48f22901cb45e61f48eb204cdcb09f8

SHA1
5272425d0a2d4b8f80dc816a7952ff94801f3fbb

SHA256
91f0c6b57d1bc2ef4dfb31d22fb96443dd8ce6629612bf0eb47f48b2a4c3747e

SHA512
fec934dfd18e4f95ee7b69bdaafc38873c2fe86a5cabad60b5b1473f20ef7cd1b10adc1e874c432baf175f415375b1e7d8a9aa56fd560c8b34494d642e1dd86f

Download Submit
C:\Windows\SysWOW64\OnKeyToken_hkbea.dll

Filesize
444KB

MD5
12f311ee75e4f0979cfff4196ccbe744

SHA1
d0ee376512685e1a3485400a2f25558795bd2a6e

SHA256
101e5ceb65dcfb72dc523f0c6033ba92b4f5b830e851385545ac6c45788800b2

SHA512
0c80163c09b5f8e559eb568cd9dfd5e65548c207116cfc5417ca2d130288d1770709f7b5bdebf521a1b1272ecaa378ab71e286ae58e9f0f68013b1d0c9e6df00

Download Submit
C:\Windows\SysWOW64\Root.reg

Filesize
35KB

MD5
25a7556809db97dad3155a842ef49e3f

SHA1
0b43e369151527e709082438b4b61505d4440b10

SHA256
a4ea8df068ae208e28c3d5752bd6f7429d5adb2b0c067a78d6289661a3028950

SHA512
71ad7af43863fd1de6134071b3c1a3213d80e669ed335b9231cddc3815af518f13368585e6d37c8294afb99248ca6f62388bba07ebd41c92382b3ce0e330056f

Download Submit
C:\Windows\SysWOW64\TdrCom_User.dll

Filesize
101KB

MD5
4fc98298e7df827e95375d118a89f042

SHA1
0433546a4533d7dde8060019acde2c6e8c6a913c

SHA256
aff37309467e62efed2c830d83800c4ce7e46151d9d85618f131de5032ab89bf

SHA512
0143641dc2dd3e49cdb32f2fac11c22c426729afb123ad6657ad7ee4ec5e9fedde36928b7ab5bf7ab7f858ca9aebb238cce6a59ad3705d09c453b40bb9559055

Download Submit
C:\Windows\SysWOW64\ie6_tdr.reg

Filesize
1KB

MD5
809498df9db2c8a33b5bc547844f8a0e

SHA1
6d49d0c2c716b3a54ed6717297f4d9ad0f6875b4

SHA256
1d44587f5c6b1ecb7afeab2aeb136467c4dbbfd744643ef505077841c287f655

SHA512
5c673525b8169a4d5ed584f388c54d9443e0fb823338171a0db3c8edb7fbf51d3b076182a707b63fb87ac83066e7fea5387a89043ea88276082c1faca9a48f1e

Download Submit
C:\Windows\SysWOW64\safeInput4bea.dll

Filesize
165KB

MD5
30329d49d185257d393e75053af92863

SHA1
993ce2e43f2e3a4a8849a1ca8e1eaf496a33c078

SHA256
920eca0c9a3fa4f35785c0bec02ac8ba2b337ba3d11bb888b8771631298d3ab5

SHA512
0c04baae62ff20930f8475b82f30e7f63ecd3c7924980e792088cd25c1320accdd1c5b8eddf0d2562bbe61d87bd7b5a8b0a548f2648447d710d874ab1d24841d

Download Submit
\Program Files (x86)\HKBEA\OnKeyTools_hkbea.exe

Filesize
380KB

MD5
67cf4d210be05a6cd27b701862f45073

SHA1
784ea84b460e1f3e7b499be6cb2f4c89fd7ead56

SHA256
88e71939be71ffe61240183af69742dbbcababb14867ecd06bb4b9097f201ee3

SHA512
cd05b48cfaf367c33048b1d641b49b81b7ab1252551775ec0889c738cb32238cd9e2d48c63bbbc73237d888af314c04ab519ba2d84731ed8726fc3b6dfd4e6e5

Download Submit
\Program Files (x86)\HKBEA\unInstall.exe

Filesize
47KB

MD5
5a00c374fe3dabd89a4536f96103b716

SHA1
1547fe7a1cd33a59e41f6825bd82e10b86369774

SHA256
baba92e2b42edb6ef7aaa47645c203c13d55a2b00b7b20f44a2fe5014ed030b0

SHA512
63dcbb2ba0c210784a89767abb6403bfa5968b82617900ec635c8fd76ce3060cae336ace283a6a58056d7d0a1ebb3617f1abcb3fff7d6bf62014beceaec85ad3

Download Submit
\Users\Admin\AppData\Local\Temp\nso7976.tmp\System.dll

Filesize
9KB

MD5
ae182dc797cd9ad2c025066692fc041b

SHA1
7ee5f057be9febfa77f698a1b12213a5bbdd4742

SHA256
b214f6d6c4d27f749105f7e8846a7c2d475dbcc966876370b5a7dab6e4b8a471

SHA512
2a9a200d067df47638a86f4f058c6d78fb59bd064c65650cae5022a62a3714e33f93f6af1dd599fda180d5af18f432835a1f909807f4fb459aa9d6c24e3fbab7

Download Submit
\Users\Admin\AppData\Local\Temp\nso7976.tmp\UserInfo.dll

Filesize
4KB

MD5
a379ffb9785b333e5da4dee69dfd8f27

SHA1
7f1eeda2db94481e134ac09f0f8c7531b84e9890

SHA256
e09e0cea3d7624a438fe4e02df230e995dcddcd9909080d883b107a7137b471e

SHA512
c868a9b6038bfdb40aff1c067fbfdddad58fdae798c282a0bfb59133329be1744544041a71dd1ae222ed5d6e4e4c1801a11e7caeef7a4dfda416520ef2b10f38

Download Submit
\Windows\SysWOW64\NetSignRes_E.dll

Filesize
21KB

MD5
8465e976980151d15f3ee517b28c66e0

SHA1
bd8dce04083e1883caa8bec5d8ec11c6cfc20e0f

SHA256
e68c3e8d595ebf35a481174e7e21da36c3cc05aa66ddec7fb800fd0b53dd2551

SHA512
53c71cab01ae90bc2e7874e5d01ada56517493d95c194c24afede8d7595e873b65450e80d8c28069b51414cab5b38e5164ddd64002e96deb88c1489bc7b89bde

Download Submit
\Windows\SysWOW64\OnKeySvr_hkbea.exe

Filesize
44KB

MD5
20f5d1f7ba08533c92401165be344d18

SHA1
c3d6076a230a0d80615f7a02dd6b60e978b0957a

SHA256
2c6e443d77b5f58a88f08d358c315f6f69dbded467036ed8304cb6f3a30172e9

SHA512
7c366f66f473ed614b08fcbf3089b7f5dd01f660b61d2fb81caf59ef0e5f0158d7c736b06e7df77b18d3195792cabe4b356c3267a8ed7ed40f4fbb06eccf8c04

Download Submit
memory/2396-46-0x00000000002E0000-0x00000000002F4000-memory.dmp

Filesize
80KB

Download
memory/2396-49-0x0000000000350000-0x0000000000393000-memory.dmp

Filesize
268KB

Download
memory/2396-79-0x0000000000300000-0x0000000000316000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads