c49f0320eeab8dd644ba344a2039b4de48a26ef77c05eb069721477f0cd182ba

Analysis

max time kernel
145s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21/08/2024, 11:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe
Size

1.8MB
MD5

b33e75eee001379c213f4b9a80863791
SHA1

b8e7e5be463293023b141ee13fd2a73c3c224731
SHA256

c49f0320eeab8dd644ba344a2039b4de48a26ef77c05eb069721477f0cd182ba
SHA512

dc6c532fbf796704c4e53d4db775b2e7b33a6189ce157878fbef558a19346ec0d95beb927a8232485f74847c05b80f58aca25658d9548e5ddc18b0d01cff64ee
SSDEEP

49152:y0GAdYjF3hm9Y74R+rVuFhi9xj+wj2z4ThqYe:hdophmlR8LxjPRThDe

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Adobe Flash Player"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ComponentID = "Flash"	install_flash_player_active_x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IsInstalled = 01000000	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "9.0.115.0"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Locale = "EN"	install_flash_player_active_x.exe

Executes dropped EXE 2 IoCs

pid	Process
2576	install_flash_player_active_x.exe
2496	BlinkxBroadbandTV.exe

Loads dropped DLL 22 IoCs

pid	Process
2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe
2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe
2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe
2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe
2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe
2576	install_flash_player_active_x.exe
2576	install_flash_player_active_x.exe
2576	install_flash_player_active_x.exe
2576	install_flash_player_active_x.exe
2576	install_flash_player_active_x.exe
2576	install_flash_player_active_x.exe
2576	install_flash_player_active_x.exe
2576	install_flash_player_active_x.exe
2576	install_flash_player_active_x.exe
2576	install_flash_player_active_x.exe
2576	install_flash_player_active_x.exe
2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe
2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe
2496	BlinkxBroadbandTV.exe
2496	BlinkxBroadbandTV.exe
2496	BlinkxBroadbandTV.exe
2496	BlinkxBroadbandTV.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000018bec-17.dat	upx
behavioral1/memory/2496-114-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/2496-181-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/2496-191-0x0000000000400000-0x0000000000502000-memory.dmp	upx
behavioral1/memory/2496-192-0x0000000000400000-0x0000000000502000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\install.log	install_flash_player_active_x.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash9e.ocx	install_flash_player_active_x.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil9e.exe	install_flash_player_active_x.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash9e.ocx	install_flash_player_active_x.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil9e.exe	install_flash_player_active_x.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe	install_flash_player_active_x.exe

Drops file in Program Files directory 15 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\blinkx Brasil\data\cache\b0ae7ce38b503333856acd0a31e8bc1e.dat	BlinkxBroadbandTV.exe
File created	C:\Program Files (x86)\blinkx Brasil\data\brasilbbtv.bmp	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\blinkx Brasil\data\brasilbbtv.bmp	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe
File created	C:\Program Files (x86)\blinkx Brasil\BlinkxBroadbandTV.exe	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe
File created	C:\Program Files (x86)\blinkx Brasil\data\logs\version.txt	BlinkxBroadbandTV.exe
File created	C:\Program Files (x86)\blinkx Brasil\data\logs\boot.txt	BlinkxBroadbandTV.exe
File created	C:\Program Files (x86)\blinkx Brasil\data\cache\b0ae7ce38b503333856acd0a31e8bc1e.head	BlinkxBroadbandTV.exe
File created	C:\Program Files (x86)\blinkx Brasil\data\bbtvconfig.ini	BlinkxBroadbandTV.exe
File opened for modification	C:\Program Files (x86)\blinkx Brasil\data\bbtvconfig.ini	BlinkxBroadbandTV.exe
File created	C:\Program Files (x86)\blinkx Brasil\data\cache\e26e214b331a5d920db868009b376fa8.txt	BlinkxBroadbandTV.exe
File created	C:\Program Files (x86)\blinkx Brasil\data\cache\b0ae7ce38b503333856acd0a31e8bc1e.txt	BlinkxBroadbandTV.exe
File created	C:\Program Files (x86)\blinkx Brasil\data\brazil.ini	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe
File created	C:\Program Files (x86)\blinkx Brasil\uninstall.exe	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe
File created	C:\Program Files (x86)\blinkx Brasil\data\cache\e26e214b331a5d920db868009b376fa8.head	BlinkxBroadbandTV.exe
File created	C:\Program Files (x86)\blinkx Brasil\data\cache\e26e214b331a5d920db868009b376fa8.dat	BlinkxBroadbandTV.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install_flash_player_active_x.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BlinkxBroadbandTV.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral1/files/0x0005000000019d9d-32.dat	nsis_installer_1

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	BlinkxBroadbandTV.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	BlinkxBroadbandTV.exe

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	install_flash_player_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWow64\\Macromed\\Flash"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil9e.exe"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	install_flash_player_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	install_flash_player_active_x.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.swf	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID	install_flash_player_active_x.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\ = "Shockwave Flash"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8\ = "Shockwave Flash Object"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1\ = "131473"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID\ = "ShockwaveFlash.ShockwaveFlash"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\Content Type = "application/futuresplash"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9e.ocx"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\ = "Macromedia Flash Paper"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\ = "Macromedia Flash Factory Object"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib\ = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ = "Shockwave Flash Object"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash9e.ocx"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\ProxyStubClsid32	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\ = "Shockwave Flash Object"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.1\CLSID	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\TypeLib	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib\Version = "1.0"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\FlashUtil9e.exe"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS\ = "0"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{D4304BCF-B8E9-4B35-BEA0-DC5B522670C2}\Elevation	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\ = "FlashBroker"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\ = "0"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	install_flash_player_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib\ = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{2E4BB6BE-A75F-4DC0-9500-68203655A2C4}\TypeLib	install_flash_player_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7	install_flash_player_active_x.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2496	BlinkxBroadbandTV.exe
2496	BlinkxBroadbandTV.exe
2496	BlinkxBroadbandTV.exe
2496	BlinkxBroadbandTV.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2576	2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe	30
PID 2012 wrote to memory of 2576	2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe	30
PID 2012 wrote to memory of 2576	2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe	30
PID 2012 wrote to memory of 2576	2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe	30
PID 2012 wrote to memory of 2576	2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe	30
PID 2012 wrote to memory of 2576	2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe	30
PID 2012 wrote to memory of 2576	2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe	30
PID 2012 wrote to memory of 2496	2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe	32
PID 2012 wrote to memory of 2496	2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe	32
PID 2012 wrote to memory of 2496	2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe	32
PID 2012 wrote to memory of 2496	2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe	32
PID 2012 wrote to memory of 2496	2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe	32
PID 2012 wrote to memory of 2496	2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe	32
PID 2012 wrote to memory of 2496	2012	b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b33e75eee001379c213f4b9a80863791_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Users\Admin\AppData\Local\Temp\install_flash_player_active_x.exe
  "C:\Users\Admin\AppData\Local\Temp\install_flash_player_active_x.exe" /s
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:2576
- C:\Program Files (x86)\blinkx Brasil\BlinkxBroadbandTV.exe
  "C:\Program Files (x86)\blinkx Brasil\BlinkxBroadbandTV.exe" /lang=brazil /logo=brasilbbtv /title=blinkx_Brasil
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:2496

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x534
1⤵
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\blinkx Brasil\data\bbtvconfig.ini

Filesize
274B

MD5
d5cac5dd8756c44609d871a6e767f036

SHA1
46d0a39eb63355c0e071247ea3179601e6656103

SHA256
af29080e1cad8657d91af580edeb1de55f9ea7612c8fcc552e55dabc15f65aa4

SHA512
a3856bf8e37c192cf2e860b1b332655f11cdfd3b60c79797501cb0599dc41192b2d11211ac68e24a19201a0e7b8e023df804461a66ec7f1709f4c676a6168d81

Download Submit
C:\Program Files (x86)\blinkx Brasil\data\bbtvconfig.ini

Filesize
339B

MD5
a4b2dcc9fcff678709138b0aef555b85

SHA1
231a88a98846fefbc90645c3ff2d4b7aff776bb0

SHA256
e1cfefae4d0da5a457854b410214ba2fe6100ff3bf7e5312cd5d95fec81dfac6

SHA512
5ee0c3269e9ebbabbbf8b262eda4f418214c26d37f1b1f9d4e113fe6d7055287477c4b5c1a71f4fa072b74c5038ad235c00552d06e493498d449c99a0fb17252

Download Submit
C:\Program Files (x86)\blinkx Brasil\data\bbtvconfig.ini

Filesize
339B

MD5
aadd812992f22f0f3fd2e22b3d6be3c0

SHA1
0f1c23f29fcd11ccd3de105ba75a06db7e68e089

SHA256
c7752d4310b938a053e43996b197de25aa6fe1d2279d4294fc353024edb37c3f

SHA512
3f42e173618e9219278355995fe89062077e1e53196842b147ebfe2c4b3e2f8ec10db68942dd44a55a994c7885092b9116b97f0614519e1097ac7f2f0b497f19

Download Submit
C:\Program Files (x86)\blinkx Brasil\data\brasilbbtv.bmp

Filesize
357KB

MD5
9c27b71279f826ecb99daa45018e31b7

SHA1
f06c5513d4bb03f7c82c95b933b3de3262febe7e

SHA256
5eb3c565fa232b318e5a8981e3eb6d1690fbe9afd9545d6213156db5f72c0fbd

SHA512
7a501c15a9c8caf16da05e0ed5324827337557d16d44c4db353702b033565148f320899951bd7cdf473d5630516bb643113ce9dfb39f835e8871d50e56d1faba

Download Submit
C:\Program Files (x86)\blinkx Brasil\data\brazil.ini

Filesize
737B

MD5
c72fb83dfbbc6a6c725b3054b0cd6bae

SHA1
9bf31161614d8898882ac1311941831a1c8e5c2a

SHA256
656a4eddf489232a643753ed288151624b14b8f4ccf36af93dbc3a13576ba5d2

SHA512
4807377f25af9d8422fc4ba7a39af015234a088860242fc9a44ed88cec996b1c1c263b31cfb3f22466c842a3c5959f4155255395e555e8baff00d0677984dd5f

Download Submit
\Program Files (x86)\blinkx Brasil\BlinkxBroadbandTV.exe

Filesize
350KB

MD5
bd2f6416721df0b07d02350359f9f669

SHA1
2292c9d37e8b2a8c4a4c6249363c22dcc739a573

SHA256
b41362bcbb5aed2fa09709964994075b9c59ac7d3dd926b1ee94c96dc61759e4

SHA512
2a044cfeaa79fb4f3fb624052bed3cd78033c59f044e38c80779ec138a2229ec0a260d021761df7121a00a266829aca6f5974da6d60cb6dfa77076de7647d6d2

Download Submit
\Users\Admin\AppData\Local\Temp\install_flash_player_active_x.exe

Filesize
1.5MB

MD5
4c223aa3e559e2e88da3bb43f3604d20

SHA1
a6d0f099262e9e7b9289b8a7bdcfa550821584ef

SHA256
3896ac00208eebea9f62aacf09ccd7324fe86048bfbb20740b72c3874615878b

SHA512
5f0c9721ad857990ae6d9420080cee0d39df70a15e07520f59682cf1a137409923e3ab4e8c0f2c27b280cdb0ce936223adda167236131981aff35830beda69bc

Download Submit
\Users\Admin\AppData\Local\Temp\nsoDE8D.tmp\AdvSplash.dll

Filesize
6KB

MD5
c152aaed8394cc372b720190af65f73a

SHA1
ac6c786c054193187d1fa63712538b5cd8219cb4

SHA256
db15e55dee9f7798e72a6947f3d6abe09fb6fbfc122b11ac7d425dc159cab50c

SHA512
0e3cf9be421ba729a0597f274b1fbdc4880a45af84d85ba215700e415ed195752a12f2ee68d510d2dca449e131c449e4783ab2c4ff870e0d33859c919bb9175e

Download Submit
\Users\Admin\AppData\Local\Temp\nsoDE8D.tmp\System.dll

Filesize
10KB

MD5
4fbb4a2cd711fc1fe84f3dc30c491dc9

SHA1
888e01ae6e64e7326f88df9a30587f699eab154a

SHA256
c3b05f4faf5e8903d5b4cb4a8ce4bbf2e8144725b98d8787d51c117b6efa9bc2

SHA512
92dcf99672a5935065df6492e27abb653679f1db6dcddfde87cd14260c94a870327826b23cc2f338381b3eb53d07c1a3867806f6ff94533db5195b895a856847

Download Submit
\Users\Admin\AppData\Local\Temp\nszEFDC.tmp\NSISArray.dll

Filesize
17KB

MD5
2b8574f6a8f5de9042baa43c069d20ba

SHA1
07959da0c6b7715b51f70f1b0aea1f56ba7a4559

SHA256
38654eef0ee3715f4b1268f4b4176a6b487a0a9e53a27a4ec0b84550ea173564

SHA512
f034f71b6a18ee8024d40acd3c097d95c8fd8e128d75075cc452e71898c1c0322f21b54bd39ca72d053d7261ffbab0c5c1f820602d52fc85806513a6fe317e88

Download Submit
\Users\Admin\AppData\Local\Temp\nszEFDC.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
\Users\Admin\AppData\Local\Temp\nszEFDC.tmp\UserInfo.dll

Filesize
4KB

MD5
68d73a95c628836b67ea5a717d74b38c

SHA1
935372db4a66f9dfd6c938724197787688e141b0

SHA256
21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226

SHA512
0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914

Download Submit
\Users\Admin\AppData\Local\Temp\nszEFDC.tmp\fpinstall.dll

Filesize
8KB

MD5
071b6233c92f69ffa1c24243328c3b94

SHA1
bb583c00e87cdc65e6254c7148d37afc1bbb3095

SHA256
5f6c63cb0ba539d692c5461730f057d0ec6c60639d772fbdc3753c3c6e746c43

SHA512
7fc2db406350488ee86ccffe1e99a91e0f509ef0429063336bf6f96aab07127df352db77fe9d00ddc3aa2db7886dfbac08b6acf6a5c647859956111ca47c24f1

Download Submit
\Windows\SysWOW64\Macromed\Flash\Flash9e.ocx

Filesize
2.8MB

MD5
d3c50535c26190fead7785a03499c0ac

SHA1
6a72eea0f62b60d71cfb9da60cab6d178b1fb78f

SHA256
01ff419547aefb8e32715d3873540c058533ac6b0d301b1f98868aa6a17616a5

SHA512
55b299bcad2c7c7506f8eef0aceaf8764aa0e19e9907ff79b7e3f108d81a5d6566211dc6e9cbd29d7f1bef8f5daad9bb888ec345aa21899ab28b45394dbc21f3

Download Submit
memory/2012-29-0x0000000001F80000-0x0000000001F90000-memory.dmp

Filesize
64KB

Download
memory/2012-108-0x0000000003600000-0x0000000003702000-memory.dmp

Filesize
1.0MB

Download
memory/2012-109-0x0000000003600000-0x0000000003702000-memory.dmp

Filesize
1.0MB

Download
memory/2012-19-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/2012-179-0x00000000006B0000-0x00000000006C0000-memory.dmp

Filesize
64KB

Download
memory/2012-180-0x0000000001F80000-0x0000000001F90000-memory.dmp

Filesize
64KB

Download
memory/2012-188-0x0000000003600000-0x0000000003702000-memory.dmp

Filesize
1.0MB

Download
memory/2496-114-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2496-115-0x00000000002E0000-0x00000000003E2000-memory.dmp

Filesize
1.0MB

Download
memory/2496-181-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2496-191-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2496-192-0x0000000000400000-0x0000000000502000-memory.dmp

Filesize
1.0MB

Download
memory/2576-63-0x0000000004860000-0x0000000004CA9000-memory.dmp

Filesize
4.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads