42364f85b5ec2fae3c816db3e0c10dab2ceac7d758e4f7ce1e8808e726083c61

Analysis

max time kernel
147s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 19:03

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
Size

1.3MB
MD5

b8c6fb755631b84a8f93828e490cfc04
SHA1

0af75f1ccd620d4f5a76be8f43acfa1693ed6a32
SHA256

42364f85b5ec2fae3c816db3e0c10dab2ceac7d758e4f7ce1e8808e726083c61
SHA512

a5d7093200eb752181535028c16f0561b13c3173e861d10635a4d3f63911dda0a34d43727f0ccadb43cf90f9026811e848935f6637003b90b6e39b9c0b499237
SSDEEP

24576:xqQP7+9H4mxLck1sIc/lmvAvkpBewJrPQmKYYBGPCqOe:xLPil4aLbbc/l/iQmGBGPChe

Score

7^/10

adware discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000012118-2.dat	acprotect
behavioral1/files/0x0006000000016c6a-50.dat	acprotect

Executes dropped EXE 1 IoCs

pid	Process
468	SecNotifier.exe

Loads dropped DLL 12 IoCs

pid	Process
1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
2560	regsvr32.exe
2560	regsvr32.exe
2560	regsvr32.exe
1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000016c6a-50.dat	upx
behavioral1/memory/2560-53-0x0000000010000000-0x0000000010D71000-memory.dmp	upx
behavioral1/files/0x0006000000016ab4-60.dat	upx
behavioral1/memory/468-113-0x0000000000400000-0x0000000000433000-memory.dmp	upx
behavioral1/memory/468-114-0x0000000000400000-0x0000000000433000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SecNotifier = "C:\\Program Files (x86)\\Sucop\\SecPlugin\\SecNotifier.exe"	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C2EB616C-BFB0-4361-A02C-588F869A0E97}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C2EB616C-BFB0-4361-A02C-588F869A0E97}\ = "ntFilter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	SecNotifier.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Sucop\SecPlugin\site4.lib	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\site3.lib	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\SecPlugin.dll	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\repurl.ini	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\resite.lib	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\sec_black.dat	regsvr32.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\uninst.exe	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\SecNotifier.exe	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\Alarm.dat	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\SScanner.dll	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\site.lib	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\site2.lib	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\sitew.lib	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\Ðí¿ÉÐÒé.txt	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\Ðí¿ÉÐÒé2.txt	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\!Éý¼¶¸Ä¶¯.txt	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\secnw.lib	regsvr32.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\update.ini	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\sec_white.dat	regsvr32.exe
File created	C:\Program Files (x86)\Sucop\SecPlugin\phsite.lib	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SecNotifier.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000600000001752e-93.dat	nsis_installer_1
behavioral1/files/0x000600000001752e-93.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{B057BF9C-55B4-4AA4-938A-FE78617866B8}	regsvr32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001f0001005600000001000000a0060000a00f000005000000620400002600000002000000a1060000a00f000004000000a1000000a00f000003000000a00200000000000006000000e0040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000009cbf57b0b455a44a938afe78617866b80000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{B057BF9C-55B4-4AA4-938A-FE78617866B8} = "³©ÓÎÑ²¾¯"	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8D59834D-CDA7-43DE-835D-41F15A30CDE5}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20D43874-C0A6-4F58-A1D3-CFCC45487B13}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B057BF9C-55B4-4AA4-938A-FE78617866B8}\TypeLib\ = "{7B71B9D0-7A6B-4CD4-BFAD-A8852409A1D9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IESecPlugin.SpyOnIE.1\CLSID\ = "{C2EB616C-BFB0-4361-A02C-588F869A0E97}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20D43874-C0A6-4F58-A1D3-CFCC45487B13}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD1FD41C-E4D1-4FDD-A218-5A71D0F300B6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D586660-7165-4330-BE35-9B60B7B40775}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F0C91C8-C64E-4380-A193-EBD3A4EDD91E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2F0C91C8-C64E-4380-A193-EBD3A4EDD91E}\ = "ISpyOnIE"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D1A8B27-E846-43EE-8227-108E21CC479D}\TypeLib\ = "{7B71B9D0-7A6B-4CD4-BFAD-A8852409A1D9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF67069F-FD0E-4312-85CF-F792FC2602C6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B71B9D0-7A6B-4CD4-BFAD-A8852409A1D9}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCC7B491-7502-4C5B-BD03-A8B49F271965}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CD1FD41C-E4D1-4FDD-A218-5A71D0F300B6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B057BF9C-55B4-4AA4-938A-FE78617866B8}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B057BF9C-55B4-4AA4-938A-FE78617866B8}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C2EB616C-BFB0-4361-A02C-588F869A0E97}\ProgID\ = "IESecPlugin.SpyOnIE.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8D586660-7165-4330-BE35-9B60B7B40775}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D1A8B27-E846-43EE-8227-108E21CC479D}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D1A8B27-E846-43EE-8227-108E21CC479D}\InprocServer32\ = "C:\\Program Files (x86)\\Sucop\\SecPlugin\\SecPlugin.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF67069F-FD0E-4312-85CF-F792FC2602C6}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCC7B491-7502-4C5B-BD03-A8B49F271965}\ = "ICIESCMenuBar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D1A8B27-E846-43EE-8227-108E21CC479D}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8D59834D-CDA7-43DE-835D-41F15A30CDE5}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF67069F-FD0E-4312-85CF-F792FC2602C6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B057BF9C-55B4-4AA4-938A-FE78617866B8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IESecPlugin.IESecExtern.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCC7B491-7502-4C5B-BD03-A8B49F271965}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D59834D-CDA7-43DE-835D-41F15A30CDE5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD1FD41C-E4D1-4FDD-A218-5A71D0F300B6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CD1FD41C-E4D1-4FDD-A218-5A71D0F300B6}\ = "ITest"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B057BF9C-55B4-4AA4-938A-FE78617866B8}\ = "³©ÓÎÑ²¾¯"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IESecPlugin.HtmlFilter\CurVer\ = "IESecPlugin.HtmlFilter.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCC7B491-7502-4C5B-BD03-A8B49F271965}\ = "ICIESCMenuBar"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8D59834D-CDA7-43DE-835D-41F15A30CDE5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7B71B9D0-7A6B-4CD4-BFAD-A8852409A1D9}\1.0\0\win32\ = "C:\\Program Files (x86)\\Sucop\\SecPlugin\\SecPlugin.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B057BF9C-55B4-4AA4-938A-FE78617866B8}\Implemented Categories\{00021493-0000-0000-C000-000000000046}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CCC7B491-7502-4C5B-BD03-A8B49F271965}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20D43874-C0A6-4F58-A1D3-CFCC45487B13}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D586660-7165-4330-BE35-9B60B7B40775}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8D586660-7165-4330-BE35-9B60B7B40775}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8D586660-7165-4330-BE35-9B60B7B40775}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF67069F-FD0E-4312-85CF-F792FC2602C6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF67069F-FD0E-4312-85CF-F792FC2602C6}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F0C91C8-C64E-4380-A193-EBD3A4EDD91E}\ = "ISpyOnIE"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F0C91C8-C64E-4380-A193-EBD3A4EDD91E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IESecPlugin.SpyOnIE\ = "SpyOnIE Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CCC7B491-7502-4C5B-BD03-A8B49F271965}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8D59834D-CDA7-43DE-835D-41F15A30CDE5}\TypeLib\ = "{7B71B9D0-7A6B-4CD4-BFAD-A8852409A1D9}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IESecPlugin.CIESCMenuBar.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B057BF9C-55B4-4AA4-938A-FE78617866B8}\Implemented Categories\{00021494-0000-0000-C000-000000000046}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IESecPlugin.HtmlFilter.1\ = "HtmlFilter Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D1A8B27-E846-43EE-8227-108E21CC479D}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2F0C91C8-C64E-4380-A193-EBD3A4EDD91E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{20D43874-C0A6-4F58-A1D3-CFCC45487B13}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C2EB616C-BFB0-4361-A02C-588F869A0E97}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF67069F-FD0E-4312-85CF-F792FC2602C6}\Programmable	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D1A8B27-E846-43EE-8227-108E21CC479D}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{20D43874-C0A6-4F58-A1D3-CFCC45487B13}\TypeLib\ = "{7B71B9D0-7A6B-4CD4-BFAD-A8852409A1D9}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IESecPlugin.CIESCMenuBar\ = "AstIESecury"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C2EB616C-BFB0-4361-A02C-588F869A0E97}\InprocServer32\ = "C:\\Program Files (x86)\\Sucop\\SecPlugin\\SecPlugin.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF67069F-FD0E-4312-85CF-F792FC2602C6}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF67069F-FD0E-4312-85CF-F792FC2602C6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C2EB616C-BFB0-4361-A02C-588F869A0E97}\ = "³©ÓÎÑ²¾¯"	regsvr32.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\.Scsi0:	regsvr32.exe
File opened for modification	C:\.Scsi1:	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
468	SecNotifier.exe
468	SecNotifier.exe
468	SecNotifier.exe
468	SecNotifier.exe
468	SecNotifier.exe
468	SecNotifier.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2560	1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe	31
PID 1544 wrote to memory of 2560	1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe	31
PID 1544 wrote to memory of 2560	1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe	31
PID 1544 wrote to memory of 2560	1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe	31
PID 1544 wrote to memory of 2560	1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe	31
PID 1544 wrote to memory of 2560	1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe	31
PID 1544 wrote to memory of 2560	1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe	31
PID 1544 wrote to memory of 468	1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe	32
PID 1544 wrote to memory of 468	1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe	32
PID 1544 wrote to memory of 468	1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe	32
PID 1544 wrote to memory of 468	1544	b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8c6fb755631b84a8f93828e490cfc04_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Windows\SysWOW64\regsvr32.exe
  "regsvr32" /s "C:\Program Files (x86)\Sucop\SecPlugin\SecPlugin.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - NTFS ADS
  PID:2560
- C:\Program Files (x86)\Sucop\SecPlugin\SecNotifier.exe
  "C:\Program Files (x86)\Sucop\SecPlugin\SecNotifier.exe"
  2⤵
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Sucop\SecPlugin\!Éý¼¶¸Ä¶¯.txt

Filesize
1KB

MD5
d7391139ed7723be2a082531a442549a

SHA1
4c65aba96c518888d274f2821e916d53ca4212ec

SHA256
7c7eceedd993299cb64dc56047e19e0b3d3a0a0566e4acbfc77c8d9aea6ae025

SHA512
bb3b432f34413cc327309ea23df780b5435eeebbf0a5e2f050e486de1c9ed828489b4394626f55dbc3c6b13e787050cfc6b8910289ec7495e1bb2f487a5ea16c

Download Submit
C:\Program Files (x86)\Sucop\SecPlugin\Alarm.dat

Filesize
1KB

MD5
354e86de3119ad6d26743838d4786ca1

SHA1
ba6f2675cf0566fd3ce21b14ad0268829249db60

SHA256
938254ff117d96cd476a69c3a2a5289265f622e59d4a6dc24a147961eec8d5ac

SHA512
b2b4f33400f536001643112023cb96572c01190f7fa24c1008c64cb3ca6d4303839ca59c5b7426e6fb44ca75b3d4807b17472d7b2b1987d0a5e5978a167db39d

Download Submit
C:\Program Files (x86)\Sucop\SecPlugin\SScanner.dll

Filesize
141KB

MD5
180c2229dc3376802e18c24c0c51fb21

SHA1
e1aa86d2ca2933a05fc67c6dd43cd38a7ca70d87

SHA256
361f403bed95b7b7b2d6f92a11d26a6f226518af4c60bd7ca833af8946aafdd1

SHA512
8e1d3cdd2e2b69ab7a6f739efcabd95936138c7a1b6d54360fadec68ae91c8bcf447e64bb1a0c93d425dd28fca4716c85a848576fa02cd6bc828b2c047acfd31

Download Submit
C:\Program Files (x86)\Sucop\SecPlugin\SecNotifier.exe

Filesize
83KB

MD5
071dbc68ba4cac81149f0ea3e832db69

SHA1
31acb81777fae423c6397ee41296d0e4139884cc

SHA256
6500804164d8bc80812793ac8109c102f5c516514c5fa8d4f5caaf4e070e549f

SHA512
80a6236dd51578d9893a74b69607745a63c1249d14eccafcd471b7274883a5f0f046a3727138d419b2edfcf14d59984a64f86d035bd9356fb13e351eb64521dd

Download Submit
C:\Program Files (x86)\Sucop\SecPlugin\SecPlugin.dll

Filesize
459KB

MD5
ffedaf0c83ecb68ee735e674c2afd54a

SHA1
4904c90b2721616cf8cb1c258f1d190fca854364

SHA256
360578d4c9af0e32ca03309e8e5857172693a9319c2706d0c46c4428cfab7a31

SHA512
3e48448d666bcb8966525ff1a2892671fa4e0061a21d53639eec69c6f433d014e5b4384ba0719a0212b92255be2788f3ab0f6746bbd74fb45a26dbc77a8c8803

Download Submit
C:\Program Files (x86)\Sucop\SecPlugin\phsite.lib

Filesize
4KB

MD5
4a2d9d601499c532d8ce800d48698d0e

SHA1
a8192792c6fe9103ab405a8dce2a2acaaf3d025e

SHA256
dec8740764e46f1ae602c1e4d507a1d435afa17688848db87f179468a29a990b

SHA512
b7f839dde6b340320065431a7a4e9de15b69c77b3f79f745403c97cbe372943664f7ab88d3eaa8bd28c19f4520e9fdcae27b09a0c01ecf4049431f2c9ff541c3

Download Submit
C:\Program Files (x86)\Sucop\SecPlugin\repurl.ini

Filesize
233B

MD5
200414c91e29e03408ffafc3f5584101

SHA1
20549b7f03f7b33bd280d732f262e4d784438788

SHA256
4df850dd1a6036845aae907be9971bfadad3d123f4ae6c75ae3130fa80837a25

SHA512
75b39d68049cc9f3c6305b1fd281df3a97678b9afca1ee0e0c5b3fbdb79b07ec90b00ac9e15e67364d09601238f6c82aa06deaf0d3c7a9677bd902c6fd7f2093

Download Submit
C:\Program Files (x86)\Sucop\SecPlugin\resite.lib

Filesize
1KB

MD5
a5b09466b962aa0215869271cf114510

SHA1
5b7bd575f3b2ae8d5854648f5ac954d1301927a3

SHA256
657fead0e4ae67fd1b1a9f5bd8eaf49644679daa84f9082e8872af7d30877ceb

SHA512
ba7c3470f1117d869bf9ffb0b666cfbde106e73cec39eb317e99b5f3255810d5b4106e73256696059745730a8cb59cdac54a69db4e025160ec95ae8031c016b6

Download Submit
C:\Program Files (x86)\Sucop\SecPlugin\site.lib

Filesize
86KB

MD5
f826d2d14dbeebe7856aeb12b9d378f0

SHA1
1c5bef42df06c1145422b49fdeb6b664ccf78c1c

SHA256
50c97131976b2b7ad880553df3eb58745ec8415fe4aca0613d4b7f85e9650ca2

SHA512
9a3605a307986de04cafa055277df60e4922be08b63aba44a18ded33e47fb533f781ae4dc345261b7e0b652b51fd0289d37e9aa4a8b1bbb6e0fb1aa277ee344f

Download Submit
C:\Program Files (x86)\Sucop\SecPlugin\site2.lib

Filesize
92KB

MD5
5cd9ea3f3f1e2983d7727fe8d35a2594

SHA1
ddccc2948a9e5553369543c9bef629269e99c209

SHA256
bbd71ac07e8203b09a3e02788d0181e3220537b2b7845e863c523b494ed92350

SHA512
52507847e5cdba4cc9f654e76692c562176d6c40845353192bc974014ecce0fe5fde32e25154281d63d739b23f17a3af68bf82e65a82bb370def85cd648216d8

Download Submit
C:\Program Files (x86)\Sucop\SecPlugin\site3.lib

Filesize
116KB

MD5
93aa78f29c213d915ed2a567cd612c00

SHA1
1131990454a40964687ce4ab15bc6f7cc4084b64

SHA256
2141c9331524af8fe41540ab7e0cdd3a04b9290999ebc1765800d2ee7f7400d1

SHA512
f0d25033f9b60656bda411b7a05e49254f2217e86fe18a249142db157f671f576f561cc32476829993af9a304a7332daa85c7d1939605ce241f79fdcf1ac1292

Download Submit
C:\Program Files (x86)\Sucop\SecPlugin\site4.lib

Filesize
63KB

MD5
f8ea1d864a81bd97bb92f2aa127767d3

SHA1
b583eb893f27cde8e7eabc2444a2c855a3be453c

SHA256
c1d1119c7370254da6d98ec57fca0075f51bdcd9f9d567dec73c4a1c586be231

SHA512
fdb87cb16e55bc7c9ba1e8b1fb61556fc9286cb8bbda99ae157c9fbc9ccd4d09e94be134d8e004c42bf13a60776b5707bf35b91d58378a791bdcc95323c2bf67

Download Submit
C:\Program Files (x86)\Sucop\SecPlugin\sitew.lib

Filesize
1KB

MD5
b1153b0e34219067ed6894d8531faa22

SHA1
03a716fb0d198a41485adcfc42a33393ca8899c5

SHA256
fb8c6e7982bec19d2c488cb1e0519ef8c14b8d4b6aaf31490b1c1f28e6e779ef

SHA512
250c771735edcaa81360110be9ed4b56b3a4906d3ec866b25f5fa5fd75c570e8deb41e38f29cd90ad67c916423584f5fdbfe1edb5f7faa46e2cf8e786b4bf7d3

Download Submit
C:\Program Files (x86)\Sucop\SecPlugin\uninst.exe

Filesize
82KB

MD5
e2e9b260e23057ec74bc0a219cc546f8

SHA1
9cd5cdb63078ff2f2ce357f6942595939a21ec0d

SHA256
163c639cb5c8524aeccc1776da234eea883d8280afc7a0bf8c5302e02df2d244

SHA512
78df4d4ecbae381674c6934fcfac4f58c82bcd20cc6d391d218e5525195643cbfbaa758800b9a7d64bf07e48edda93cfcccfdf87330de9d3634a6cfae886224b

Download Submit
C:\Program Files (x86)\Sucop\SecPlugin\update.ini

Filesize
118B

MD5
43415a54a6f2dcb38f61439a656f416b

SHA1
a646e64bece41ddf0c7ed151ef07594d3c9f42b6

SHA256
eeb1e11c30295987e942fd6585d35a16e5358a99d68993b1a23b24c603f8afe0

SHA512
b9ced64c3c624cd2d3258a3c20477bd820798df4815251c572ab835becc872f6e66ab83aae9fed28887c0950699bb316a1eb624eb78b91c3c8af1cb9b4ad341f

Download Submit
C:\Program Files (x86)\Sucop\SecPlugin\Ðí¿ÉÐÒé.txt

Filesize
1KB

MD5
f5b5fdda97429a55c29a2e60d050a51e

SHA1
e436cd4cdf563b3bd934bf83cc304ecd2825ea2b

SHA256
eabadf7e94aed29d3d46e6185670ce69369463fc06414dc6602281c126b09463

SHA512
37efeee5c8279f14e640147b828283c96b2ff602cf30ee84295affb4df34aabc0d09e81a531de8f36b59a9e7509498d55b053d2e25b1c2ab4885bc9c418b889e

Download Submit
C:\Program Files (x86)\Sucop\SecPlugin\Ðí¿ÉÐÒé2.txt

Filesize
404B

MD5
af2eae0e7677d407d2f2b45fc8d1e8d4

SHA1
cc83415f7890c07671906f7c882f26fbb9456863

SHA256
a4e1181c95123590f596520ed4d92fd12520c0e18bcd8bdadb0fb85bc8271d4d

SHA512
165b00d02f77069ef57a4b0024554f1fe72c582a904f08be82b24109a9aace103544446783096bc05f05a8aa3e7cf2c3072334c808a9cd020aded96a01c61b7a

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE6D9.tmp\KillProcDLL.dll

Filesize
32KB

MD5
83142eac84475f4ca889c73f10d9c179

SHA1
dbe43c0de8ef881466bd74861b2e5b17598b5ce8

SHA256
ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729

SHA512
1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE6D9.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE6D9.tmp\UserInfo.dll

Filesize
4KB

MD5
1e8e11f465afdabe97f529705786b368

SHA1
ea42bed65df6618c5f5648567d81f3935e70a2a0

SHA256
7d099352c82612ab27ddfd7310c1aa049b58128fb04ea6ea55816a40a6f6487b

SHA512
16566a8c1738e26962139aae893629098dc759e4ac87df3e8eb9819df4e0e422421836bb1e4240377e00fb2f4408ce40f40eee413d0f6dd2f3a4e27a52d49a0b

Download Submit
\Users\Admin\AppData\Local\Temp\nsoE6D9.tmp\services.dll

Filesize
7KB

MD5
89408795f143525890bbda9281c42f45

SHA1
bd9f08641cbe86d18c985cea5325dc2ad8525aa6

SHA256
065564c3d7e19e7dea083fb9a426dfdfeabba6ca3a7587bee938f75db5753114

SHA512
ba11a243b97326f6cd12f7f6f8b81e67f7e8f55b5dcf63a7e705813f85c9af1866891770077514051ce153527b074dcba2881b94bdb1925dedc81354e9a84cd6

Download Submit
\Users\Admin\AppData\Local\Temp\nxlE688.tmp

Filesize
172KB

MD5
685f1cbd4af30a1d0c25f252d399a666

SHA1
6a1b978f5e6150b88c8634146f1406ed97d2f134

SHA256
0e478c95a7a07570a69e6061e7c1da9001bccad9cc454f2ed4da58824a13e0f4

SHA512
6555ad6b4f4f26105ca8aad64501d74519a3e091f559b4b563d6ffb20a2ddfcde65e4fe94971a9bc65e86db577f2548ca00f9920d341c8ea808b04c0947d61d9

Download Submit
memory/468-113-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/468-114-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1544-111-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1544-91-0x0000000000480000-0x0000000000490000-memory.dmp

Filesize
64KB

Download
memory/1544-112-0x0000000000330000-0x00000000003A3000-memory.dmp

Filesize
460KB

Download
memory/1544-4-0x0000000000330000-0x00000000003A3000-memory.dmp

Filesize
460KB

Download
memory/1544-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1544-90-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2560-53-0x0000000010000000-0x0000000010D71000-memory.dmp

Filesize
13.4MB

Download
memory/2560-76-0x00000000008F0000-0x0000000000963000-memory.dmp

Filesize
460KB

Download
memory/2560-73-0x00000000028B0000-0x00000000029B0000-memory.dmp

Filesize
1024KB

Download
memory/2560-74-0x00000000028B0000-0x00000000029B0000-memory.dmp

Filesize
1024KB

Download
memory/2560-72-0x00000000028B0000-0x00000000029B0000-memory.dmp

Filesize
1024KB

Download
memory/2560-71-0x0000000002BB0000-0x0000000002E13000-memory.dmp

Filesize
2.4MB

Download
memory/2560-70-0x0000000002BB0000-0x0000000002E13000-memory.dmp

Filesize
2.4MB

Download
memory/2560-51-0x00000000008F0000-0x0000000000963000-memory.dmp

Filesize
460KB

Download