da4bba5e2279a86fbebc21b6bdb851e98cf0b7de3ca55aa0fd46175670231a0f

Analysis

max time kernel
135s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 05:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6808541a60db5b65164df9da5bc91c3_JaffaCakes118.exe
Size

809KB
MD5

b6808541a60db5b65164df9da5bc91c3
SHA1

c6011c36d4bc0cd3e159c01af356975c8fb4418e
SHA256

da4bba5e2279a86fbebc21b6bdb851e98cf0b7de3ca55aa0fd46175670231a0f
SHA512

fbe53b1f28b124b4aa33df8f892c9d6d062fb4691f4312b0b9df9000358d38a76310f176100b94eaf711033b9f3233ba07113052e70af50bfc8e3d4e800434b0
SSDEEP

24576:ztPdaPXHpBr7M8/6u5U3Pl1lVWp7NRsMKqj69j:RPdaPXHpBf0IsPl1lVgD5m

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3588	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
2120	regsvr32.exe

Loads dropped DLL 3 IoCs

pid	Process
3588	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
3588	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
2120	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\I:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\K:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\Q:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\R:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\X:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\Y:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\Z:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\H:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\J:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\S:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\T:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\V:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\W:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\G:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\L:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\M:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\N:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\O:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\P:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened (read-only)	\??\U:	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ = "Yontoo Layers"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\NoExplorer = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}	regsvr32.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll._tm	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened for modification	C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll._tm	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
File opened for modification	C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Software\Microsoft\Internet Explorer\Recovery\Active	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{80922ee0-8a76-46ae-95d5-bd3c3fe0708d}	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ProgID\ = "YontooIEClient.Api.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\NumMethods	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\VersionIndependentProgID\ = "YontooIEClient.Api"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\CLSID\ = "{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\InprocServer32\ = "C:\\Program Files (x86)\\Yontoo Layers Runtime\\YontooIEClient.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ = "ILayers"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ = "PSFactoryBuffer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1\CLSID\ = "{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\TypeLib\ = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\CurVer\ = "YontooIEClient.Layers.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1\CLSID\ = "{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ = "IApi"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ProxyStubClsid32\ = "{10DE7085-6A1E-4D41-A7BF-9AF93E351401}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\InProcServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\ = "Yontoo Layers"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\TypeLib\ = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\NumMethods\ = "16"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\ = "ILayers"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Api.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\VersionIndependentProgID\ = "YontooIEClient.Layers"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10DE7085-6A1E-4D41-A7BF-9AF93E351401}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE9271F2-6EFD-44b0-A826-84C829536E93}\ = "2b4cef98-0b00-4967-a4ff-cf3c6d0836de"	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}\TypeLib\ = "{D372567D-67C1-4B29-B3F0-159B52B3E967}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\ = "IApi"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7770F7-832F-4BDF-B144-100EDDD0C3AE}\InprocServer32\ = "C:\\Program Files (x86)\\Yontoo Layers Runtime\\YontooIEClient.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers.1\ = "Yontoo Layers"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\YontooIEClient.Layers\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D372567D-67C1-4B29-B3F0-159B52B3E967}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1AD27395-1659-4DFF-A319-2CFA243861A5}\TypeLib	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3588	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
3588	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3588	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3588	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
2120	regsvr32.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3256 wrote to memory of 3588	3256	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118.exe	84
PID 3256 wrote to memory of 3588	3256	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118.exe	84
PID 3256 wrote to memory of 3588	3256	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118.exe	84
PID 3588 wrote to memory of 2120	3588	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe	89
PID 3588 wrote to memory of 2120	3588	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe	89
PID 3588 wrote to memory of 2120	3588	b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe	89

C:\Users\Admin\AppData\Local\Temp\b6808541a60db5b65164df9da5bc91c3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b6808541a60db5b65164df9da5bc91c3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3256
- C:\Users\Admin\AppData\Local\Temp\b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe
  "C:\Users\Admin\AppData\Local\Temp\b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe" /q2 "C:\Users\Admin\AppData\Local\Temp\b6808541a60db5b65164df9da5bc91c3_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Users\Admin\AppData\Local\Temp\B592E9DA\x86\regsvr32.exe
    "C:\Users\Admin\AppData\Local\Temp\B592E9DA\x86\regsvr32.exe" "C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll" /i:`` /r
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Yontoo Layers Runtime\YontooIEClient.dll

Filesize
190KB

MD5
bb9243af2da6b2cbbc73da1be2b1bea2

SHA1
9f9d8710b9591a10fbfcdcd603dd7a2eada75f51

SHA256
963ebd01b9d4e368b392bfa9d78682a5ae241ed0bb6ce34cd5134ad1c6e9fb63

SHA512
ebdb5bfc7b63db21cb190dde8d25578eed0154a84760c7a64dbbcdb6730987cdd29f825d395bf33e2f83a1c5b3a47529b46cde1a42a5c425552298f6e8b5b219

Download Submit
C:\Users\Admin\AppData\Local\Temp\B592E9DA\Setup.ico

Filesize
4KB

MD5
60e3ef9326e8c3f574a2c7b5a31fd895

SHA1
d3aa40f8de5c549e6abb189421d6cdcd75ac64f6

SHA256
5e8c38cabd089ecd573d953cf2ade243459d7c06aab7b9698975e10dd7f34689

SHA512
9a9be32fb1b4355f37766c5296139012d2fd931fb0db871307059cd0afc063a334165f34069a27ed8850889175e2f5f00be65ac2e8b9d22903754a043ae04906

Download Submit
C:\Users\Admin\AppData\Local\Temp\B592E9DA\_Setup.dll

Filesize
828KB

MD5
d054f3ee470d23944873b60a7d324cf4

SHA1
e9f8ab51e5d85d497024296b6c7b938aca99b020

SHA256
ae4c78a065c5ed25205315008c3038326377de13a60e2ba3b4cd65d4013b756c

SHA512
07569b8811b7f351f8152ef0c1aabc5a8565f98eeba21cd9ca1a27cbb2b0ee52d03493d759baad620d23b27c7f3151b91ce7ceda18f7499f686e7eb43aa3e4a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\B592E9DA\_Setupx.dll

Filesize
350KB

MD5
e927f64a8ed563b6a492770f2e7568eb

SHA1
fa93cbc3743e72d1330fb72049031808bbd0250b

SHA256
9a94a0c99d3e03159a0633479cd23b254ef67a7ae72f225dbef14ead43d1d89f

SHA512
e5f9a9116940de88cedab03c1075d69ae7aa21e3b702f6ec6e18782ced1d538d35ab7d741aaad0c80ec1c0eea0040a6aabcc97ffd7e716555f2efbd1b7f6afef

Download Submit
C:\Users\Admin\AppData\Local\Temp\B592E9DA\x86\regsvr32.exe

Filesize
6KB

MD5
761f21e3a3cf5a0cc5b6d4755e604883

SHA1
36472157f38ef7b33f2103829fc6e2f440266777

SHA256
e1aa5a2f561bb5e80e75d38924b2f587fff4ccf0099d586c4753988ea71eb856

SHA512
d3ba5047d3c4b9f837dcbab1f01b5d84d69e7ea34ffe30851c26b2ae0838f46bd279b031c6487d584885a378988cf47bc86c1286ce196d3fe75aaeb19342e634

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6808541a60db5b65164df9da5bc91c3_JaffaCakes118-0CB8.exe

Filesize
222KB

MD5
5a8222c703b4a34f2227a652a49a2827

SHA1
ba8b1c8f341219d608a0a5a2a2c8d63c19697d05

SHA256
17936188efac05a0ef9fd87a79b268445ce307dd37a6f9206d116f195ab049c9

SHA512
7b1c200cf96ebb5b660fb11a85e3daf908a6e4d984c90207b5afa2444703fc784897160cf05a4bc592ecd908bf09f8dbd9195a4c0c07f1caef04bbd7c6624d9d

Download Submit