7d7c5995bd4a9355ae32d11807b360d5d6bb15ebf9873622b3e24aad6c2f2da6

Analysis

max time kernel
143s
max time network
144s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
Size

116KB
MD5

b8bea7e30d8308b1c7b1a4f925622d18
SHA1

aa6dbbe1d155e431af4fdbc5415163f4d716db9f
SHA256

7d7c5995bd4a9355ae32d11807b360d5d6bb15ebf9873622b3e24aad6c2f2da6
SHA512

1586127f8d6d6ee963320b3eea65c1329ccdfd495eac547ed60380e6cc06bc4315b38745d704e9c2da0f499153282d00cf946de79397c5477df994852ceafa8e
SSDEEP

1536:LznfWynDYXtilW2DTvOB0rnqm5CGmGXjKkAbcX+pCaFy5YzAT+/vpFvnjfZV3o:LzuOYdsmsnr2G1AbW+pp4r+frz3o

Score

7^/10

adware discovery stealer upx

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
1948	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2416-1-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral1/memory/2416-28-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}	regsvr32.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\m.ico	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\m3.ico	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\s.ico	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dhofozr.dll	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\p.ico	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sf.ico	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\c.ico	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ios.dat	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430514672"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CBA6BAB1-60B7-11EF-BC3E-6A951C293183} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c9200000000020000000000106600000001000020000000d23f51b8133d044bc9761cb00bbf0f907cba9dab85c2bbcffbab89854f13c9c1000000000e80000000020000200000001980468122a9b7803ea291fb188b9ec5b5426df87877403b5c6073e8cd535e0220000000bf8e5930fe7d54991b68343a409f267c1e4599b48cd00e67406e69ebc4b473b54000000023bc9716f37aeb38b8cd9d41fbd30aa69a1b46da9ad6f5aa5d4cac90ef4a3958a52dc50c6687a67a6ca2a1fa119f1920cf5095f9ad8f4602a70ee810268a75ca	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0c06ea4c4f4da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecca440099c424d92937bb9b1db2c9200000000020000000000106600000001000020000000fa5197ec5ed2ecd56d621bc2a2e2fd0f0ca4416017501d48b66e181a087b7b54000000000e8000000002000020000000a88f6571fabd68827a0ab83331a897b2f99030ad55baf7f7ce6d1939a2c9db0f90000000a0ed7579f55e6a547c77026ffce7a1d379c45febbd104aa3d35c372f8e3c0a1272255c5818d7ab510111678268c18d86be8d616ad02b0fc41088c61a29fb17176844df8608c8ed3a624776335e684ea85b09816f790150ce50965eb43c27e2cd4fa73d7c64bf4e7a073faa9daf14d692a74172195f4e94f10c490d5ba4c1af30fc4bc0fbe02d74398bf331b29b5a9d1640000000f19c0d564e6fb3f6df1e6b52b4c250dc242f187666ae07f0bed01b0837f7fcd246bd92c666337b7a941d1ed1669e032554dac5c3305f80e60d288add0e9090f8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\ = "avb345 Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ = "Imlobho"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\VersionIndependentProgID\ = "Lme34"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\InprocServer32\ = "C:\\Windows\\SysWow64\\dhofozr.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34\ = "GigaNet.com"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ = "_ImlobhoEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34.1\CLSID\ = "{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\dhofozr.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ = "_ImlobhoEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34\CLSID\ = "{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34.1\ = "GigaNet.com"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ = "Imlobho"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\ProgID\ = "Lme34.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34\CurVer\ = "Lme34.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\ = "GigaNet.com"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34.1	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2080	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2080	iexplore.exe
2080	iexplore.exe
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE
2780	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 1948	2416	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe	29
PID 2416 wrote to memory of 1948	2416	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe	29
PID 2416 wrote to memory of 1948	2416	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe	29
PID 2416 wrote to memory of 1948	2416	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe	29
PID 2416 wrote to memory of 1948	2416	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe	29
PID 2416 wrote to memory of 1948	2416	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe	29
PID 2416 wrote to memory of 1948	2416	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe	29
PID 2416 wrote to memory of 2080	2416	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2080	2416	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2080	2416	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2080	2416	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe	30
PID 2080 wrote to memory of 2780	2080	iexplore.exe	31
PID 2080 wrote to memory of 2780	2080	iexplore.exe	31
PID 2080 wrote to memory of 2780	2080	iexplore.exe	31
PID 2080 wrote to memory of 2780	2080	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\dhofozr.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1948
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://09021030408721.cn/bind2.php?id=3912976
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2080 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
236aa171633839be10668ee40bd11472

SHA1
f6885791277c67abafbc64797ee64b9da59aed70

SHA256
9575385a87451e94bb465221f132b4483c54c0e8eaff1cbff59fb4495bb21478

SHA512
1e8fa70de384af1f56cc77ab49bd1db9c7419e7f2ac4d497f1377921a7d078d86674efe26f090a0a8d19bf90733dcab915a1df538d5a631560f99a1642f55bbf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b28ccd772269f1db005d855994b43232

SHA1
24003b5dacd5087b98af9ae819215f7f0e2da6c5

SHA256
c6605b75ff0f13ad1a028caacb32cd31c00a773a8446d18b647e0bff7fc4fb58

SHA512
8f8be02ac3e8fae5ca62081031081479574ea802312ebb258220ffef151fad38bc707508852d94bed0384470c610dedfa57e57e9498ad48e0ac7bb3a334d8d28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9eaea400596e7cbf1cce4b54a21bf3f8

SHA1
52ea23f9617b0086977ce32112acdb70fcde5432

SHA256
58d6d224e553b3d7a240504bcc9a5ee78b6c368204f3868e8dc67141e0b4ee90

SHA512
63e427a3df925d94f950e9ca5b71ad9bca7fd45e356aff8a7262809dceba31c57d6123b14da2d0509f1c0bf17d05d9c51769a2a41b753a7da3ecffd31cfdfe11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d04aefc689c6e4c8726f57afdea3b36

SHA1
f0b1cb7f8f52e65cbee3eeddcc2a227105612dc3

SHA256
91deffe608e8e41d97d7759f7422aa16196f9c3a67899d6568c56b2496df7707

SHA512
781c2f6570b1aeb096bc5b5a70f4812239a38e195905920a7f57e46aedeadd74e4007236bb410c5b65b14c4b5e147eebb8c4c1d9d24b156d41d86c78dd90423d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d8fc89b9c0ee7b326800f36c16b3f61

SHA1
61b6eee93f13d17e09103b26e2c57355d8f1e304

SHA256
8233a4e9552b06a448e822221232dafb227894f5f3be79ab88e9e56e79db1cfc

SHA512
f7d92d8790d0e331b6e6e2b2003e652816e1ae58977ea3c9d72a8bcc8937865776a58d1a131c0eabdcb2d23228e4e4f8b0d55011f557469e578150394fe2d331

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f80fc15ede9792d3f3ef0db4f4c70ef1

SHA1
1a2c1df2c7ae2e84468a1cd04ffdead32de57393

SHA256
7ea87e2de9f44d426bbef7009eb8e896154cba05956a398c2b07df9c2405aa45

SHA512
6cd912286e90c3c14149b13d108c72a1a4bee2f8bc461ef5f483ebcf9835f3346a1fa6ae34f93e5b1479b8624d07d3b2025a8064479294bb0013dd3157d67c3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ebccbd8c2d92a19e68bb006e05e77dc0

SHA1
93f6796ede12fe4321b702043639bc9b65b2c49c

SHA256
1fbbc67130074f9c1108160b347dfe2fb108e8e2ebb7b14f06d9ccddd070bc70

SHA512
e53c2ec25e45dd54bd490da9a45b7c3cbf6026958170d07086129af0f5f814600e5a55a2d9aae2203de0e235371855e24b300ba655999775083fe6f9aa50bd94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96def7008e691dbb898bd6aaea27f85a

SHA1
5473d328b9ef5510fec973ba48d98b3c02c6a57b

SHA256
be7b9bb845e8094a5d0e13a790aa2617f336c07dd00ff5d769ea831de59f1192

SHA512
562eb1a7d71c75daecd69151c26ee54cc7e44670e5fcc74ffccfc2ee5d3a59b32b78935adaab70bb0a04bf053547c35dbe8f4df83a8cf571d5699cb7793765eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7839c11bde394f3e06a903f6edf608cb

SHA1
c87a4c18285cecac6f1097b60e105f248e7768a3

SHA256
40f7a9db235e4a358153854d43446b59618243aebc8e7e8fa9b6108e17912cd3

SHA512
51a8cbc0586122e12d34c1c83f4cd7d1cade32d2f4d5b6bf8a3144d6299fa546ffb22ef48d1376297e1fd55a98a5ebb391a653dbf244e0b241cd16191270cbd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef9efca8a830739caa193d4cf89595f9

SHA1
f3ed05c4ec0dd70d70829555a6f090c66bd602db

SHA256
9542a3737878ccdce63487185ac884c1c9049ffefffac7c8603bbb6ad46ce921

SHA512
1ff7ab15ed391eaa72d0c139d4df70964fad76c16db05789ac47ccf0706730c116b20919cb7f7f4b0f4915f8183c98c02e9bb5bd96d00d916adfddf5ab1d9ced

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98042a45a3fc7bc2d729ac55711cd423

SHA1
b907ca693c74aa43e088c340ed62242e41354219

SHA256
59f260588181f75fc1ea5914faf2db67a9cb3658650e6570d2660c652f197f44

SHA512
3a7c7a9e76f74e404d0ef4bfd5a9e7ec878e0fbf6f82ea5a4262bac22e36d94c2b7ce7426d7489a3feda29cfe03a4aaec5db939521feb4bea416ed6de69fefc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cdf1eb40b821124b45469b6271c41c9

SHA1
57fec786b249d20c09682418aadb46a28cc3ef9a

SHA256
e448f41cc1733fec65ff7f04625798d429454d562c05549142f5573e4e796a3a

SHA512
8d94f4ca9463bfa69aee3f9ad38845892a7728858e5cff5c69cd1d5eb0e4db965998182b7dd589ec1c4abfb9447fb848998f1c05dfd57e7784dabccdc42b70bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82baccdf2aaf9d626970af85e888f62c

SHA1
f14cbed227a5d4400510dc51ce812559dd46a825

SHA256
1a18f997d49940bf799b5188c00bdd4ef777b88d242faf3b5960dac8e855ac73

SHA512
8cdcfe5ecc5031938e20ecb7cb06c25b5b08259994a4a749262a405b1caa9419b10c53503a41f5aa3992ef62208d62042c40e94c73f444c1cc168cea2cb05baf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4b94db016c5b732f16d31fef364268a

SHA1
ee7fe34ce34015fac4a28447d22203bf2f97be74

SHA256
67372a8fa22cc2ccbce86a6580243add6e4377779998c3ee45a9d41224bd6f56

SHA512
da61dc6e6d66e59e5adce61349ebd0e08e967bbb94d1aa7c560f8b0941ca6c03c9fbf006932395734b675285573a631bde38866c06b0957e89d070ad68a71a25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d9406b3c9e565076f6839b8cc7480ee

SHA1
4e7d77b83cfe1f7c5dd6c8a735b77fc923547c24

SHA256
e5f0e18d536ffa9dc3e3d0558b07731524bc8ae1f83b35a18ceb4c47a394586b

SHA512
37feb1faca655a8a49139bff7dab49b486c686642e7423203a38dd4a31e3aedda602e992a0b5cf9e6c81a4b702a7baf0a8c05f3e42c5e0d97beb22f2ef2ea347

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d72daf5855c30b03ddb997ae5710cb9

SHA1
185fea08e31d4d597a4df52f4c5d6a572a9dc79b

SHA256
b4390a5d44fc18f8979c63d552107ea3f0b6a29cc30808ace46802e10d73bec6

SHA512
367701fb6421a205842bab4eecdb4c4795daed1a24f00b4f26536ea123cd56821da3bdbb2ff2e5c21769b73bb3a847b49ea96c0f7b1e292fb9b942016f9de4be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3159d785e108aee610b4b8827beb3b6f

SHA1
c92379394a116ebbfe275a3d69b646f85c82c5ab

SHA256
9bda556ecc9a8c9ccf9c783c341fbc453bd1368073620a2bf8b95a9b12559f9f

SHA512
8828bf7e3e5bdf4b1583ee17893ae6f41b58e945969937f4f1c9c703b7dfb99543bfdacf4add7b1afc213e003de4109d87d2c5eb8ca01c4b98ce698f66125080

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5035.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar50B5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\dhofozr.dll

Filesize
164KB

MD5
56fb7a171b218af14937349598f96d31

SHA1
3b0e5d1026ca129375564e6d7fa4a7f307246799

SHA256
07dedbace9a4cde3ffa11ab6a1b6f8966d24db3d6fdebf08ac72c9d838c1790f

SHA512
af1c4515cbd9d30fb0a7abfbb6dba2dab350503c10a9394f3e6c681505e3a969cfa5476d94aaf46b11f486f70ed7c2f6f73d94ddf6d2c1bd02ecf5feed4bb490

Download Submit
memory/2416-28-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2416-1-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads