0e36eb0d6f2b882a23358d5fdd98c812c8139d64bf26a4cee2a2d43b2a43d4f9

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23/08/2024, 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe
Size

20KB
MD5

bd02dd4aeb54e99962d72649846388e7
SHA1

45e4bee4b2dfddfab1f8de0b9cdc564617a1b561
SHA256

0e36eb0d6f2b882a23358d5fdd98c812c8139d64bf26a4cee2a2d43b2a43d4f9
SHA512

ff804b2c036b08191e5b157c34ddcb1a0aa57c354b82f7cf65e180f235b1037d03da99be7d5b842733445c6fc0e6f66cd618fd10fe07e26b04ceb92d68b56f1b
SSDEEP

192:1l5E3krTuntKy0peHDfCpHfBv+I4QwXt9V+jqu0G5KDJBf:1M3PnQoHDCpHf4I4Qwdc0G5KDJZ

Score

8^/10

discovery

Malware Config

Signatures

Drops file in Drivers directory 39 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gm.dls	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\afunix.sys	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\winlogon.exe	winlogon.exe
File created	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\fr-FR\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	winlogon.exe
File opened for modification	C:\Windows\SysWOW64\drivers\gmreadme.txt	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Msvbvm60.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\uk-UA	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\uk-UA\NdisImPlatform.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\ja-JP\wfplwfs.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\UMDF\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\es-ES	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\de-DE\ndiscap.sys.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\drivers\it-IT\NdisImPlatform.sys.mui	AE 0124 BE.exe

Manipulates Digital Signatures 2 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wintrust.dll	AE 0124 BE.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	AE 0124 BE.exe

Executes dropped EXE 4 IoCs

pid	Process
4532	winlogon.exe
1872	AE 0124 BE.exe
2232	winlogon.exe
3376	winlogon.exe

Loads dropped DLL 3 IoCs

pid	Process
1872	AE 0124 BE.exe
2232	winlogon.exe
3376	winlogon.exe

Drops desktop.ini file(s) 57 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.19041.1_none_2f07a4cad3dec315\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Media\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_10.0.19041.1_none_bbf8ad8ff53c9b5b\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group3\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.19041.1_none_d9f53b39b3834744\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme1\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.19041.1_none_b2014b56ea660ec9\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.19041.1_none_3870d3554f39ac78\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group1\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme2\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.19041.1_none_923716ddadd939c8\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WinX\Group2\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.19041.1_none_0b090bb5ae01dd1a\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-sounds_31bf3856ad364e35_10.0.19041.1_none_cd0389b654e71da2\Desktop.ini	AE 0124 BE.exe

Drops autorun.inf file 1 TTPs 28 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	D:\Autorun.inf	winlogon.exe
File opened for modification	\??\H:\Autorun.inf	winlogon.exe
File opened for modification	\??\J:\Autorun.inf	winlogon.exe
File opened for modification	\??\P:\Autorun.inf	winlogon.exe
File opened for modification	\??\Y:\Autorun.inf	winlogon.exe
File opened for modification	C:\Autorun.inf	winlogon.exe
File opened for modification	\??\R:\Autorun.inf	winlogon.exe
File opened for modification	\??\T:\Autorun.inf	winlogon.exe
File opened for modification	\??\A:\Autorun.inf	winlogon.exe
File opened for modification	\??\E:\Autorun.inf	winlogon.exe
File opened for modification	\??\I:\Autorun.inf	winlogon.exe
File opened for modification	\??\Q:\Autorun.inf	winlogon.exe
File opened for modification	\??\Z:\Autorun.inf	winlogon.exe
File opened for modification	\??\O:\Autorun.inf	winlogon.exe
File opened for modification	\??\U:\Autorun.inf	winlogon.exe
File opened for modification	F:\Autorun.inf	winlogon.exe
File opened for modification	\??\G:\Autorun.inf	winlogon.exe
File opened for modification	\??\N:\Autorun.inf	winlogon.exe
File opened for modification	\??\W:\Autorun.inf	winlogon.exe
File opened for modification	\??\K:\Autorun.inf	winlogon.exe
File opened for modification	\??\L:\Autorun.inf	winlogon.exe
File opened for modification	\??\S:\Autorun.inf	winlogon.exe
File opened for modification	\??\V:\Autorun.inf	winlogon.exe
File opened for modification	\??\X:\Autorun.inf	winlogon.exe
File opened for modification	\??\B:\Autorun.inf	winlogon.exe
File opened for modification	\??\M:\Autorun.inf	winlogon.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf	AE 0124 BE.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\es-ES\WSDPrint.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_b78a9c5b6fd62c27\umbus.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\netwlv64.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\sv-SE\SyncRes.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\ja-JP\netdacim.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-NetFx-Shared-WCF-HttpActivation~31bf3856ad364e35~amd64~~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TFTP-Client-Opt-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\LogFiles\SAM	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_c62e9f8067f98247\Amd64\STDNAMES.GPD	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\sxs.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\dplaysvr.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Networking.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\ipoib6x.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\IEAdvpack.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\amcompat.tlb	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PeerDist-Client-Package~31bf3856ad364e35~amd64~uk-UA~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\eappgnui.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-Guest-Gated-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1202.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0214~31bf3856ad364e35~amd64~~10.0.19041.153.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\migration\es-ES\ShMig.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Embedded-UnifiedWriteFilterCSP-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\battery.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\umbus.inf_amd64_b78a9c5b6fd62c27	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\Licenses\Volume\Professional\license.rtf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\es-ES\iai2c.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\en-US\ActionCenterCPL.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\it-IT\htable.xsl	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\net9500-x64-n650f.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\fr-FR\netpgm.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\de-DE\usbxhci.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\c_printer.inf_amd64_cfb2c47c5677c442\c_printer.PNF	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\avc.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\rtvdevx64.INF_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Storage-VirtualDevice-SMB-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-RemoteFX-HyperV-Integration-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Host-Guardian-Deployment-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Keywords\{A5A7C794-3D59-41DF-915F-19ACDA526FC9}2052.bin	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\objsel.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\es-ES\wscenter.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\ja-JP\c_fssystemrecovery.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\NetworkItemFactory.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\dsregtask.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\uiccspb.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\it-IT\NdisImPlatformMp.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\mdmlocalmanagement.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\vcruntime140_clr0400.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ir50_qcoriginal.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Security.Credentials.UI.CredentialPicker.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\es-ES\objsel.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\msmpeg2enc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_1_for_KB4552925~31bf3856ad364e35~amd64~~10.0.1.3176.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\de-DE\wlangpui.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\it-IT\DevicePairingFolder.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\ja-JP\winsrv.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\spp\tokens\skus\csvlk-pack\csvlk-pack-Volume-CSVLK-5-ul-phn-rtm.xrm-ms	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\msctfuimanager.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\dc1-controller.inf_amd64_63236b4ab51ad398\dc1-controller.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-VID-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\fr-FR\WABSyncProvider.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\wbem\de-DE\cli.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_RegistryResource\es-ES\MSFT_RegistryResource.strings.psd1	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\fr-FR\PSDSCxMachine.strings.psd1	AE 0124 BE.exe
File opened for modification	C:\Windows\SysWOW64\provisioningcommandscsp.dll	AE 0124 BE.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-SecureStartup-Package~31bf3856ad364e35~amd64~de-DE~10.0.19041.1.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_srpuxnativesnapin.resources_31bf3856ad364e35_10.0.19041.1_es-es_06822c1750491d6c	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-rasmontr_31bf3856ad364e35_10.0.19041.1266_none_f756413118cadb53\rasmontr.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..-provider.resources_31bf3856ad364e35_10.0.19041.1_en-us_b12272852ae8ea37\wmipdfs.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-b..iagnostic.resources_31bf3856ad364e35_10.0.19041.1_fi-fi_0bc0c6751faa809f.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-s..edpc-accountmanager_31bf3856ad364e35_10.0.19041.153_none_196bf4f8f4d3bbec.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\x86_microsoft-windows-b..re-bootmanager-pcat_31bf3856ad364e35_10.0.19041.1288_none_dbd2bd89b002cded.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-i..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_it-it_84d064b5dfd3d68e.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_hyperv-vmdynmem.resources_31bf3856ad364e35_10.0.19041.1_en-us_3b4d471b734cce4b	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-a..ence-inventory-core_31bf3856ad364e35_10.0.19041.264_none_470a1ec78ca1eb5d	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..hangehost.resources_31bf3856ad364e35_10.0.19041.1_es-es_6fad3c482ccb983a\DataExchangeHost.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-m..oyment-languagepack_31bf3856ad364e35_10.0.19041.1_en-us_9248d4671274db95.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-printing-powershell_31bf3856ad364e35_10.0.19041.1_none_0c93bd5546c725bf\MSFT_PrintJob.types.ps1xml	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.AddIn.resources\v4.0_4.0.0.0_de_b77a5c561934e089	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-Printing-PrintToPDF-Opt-Package~31bf3856ad364e35~amd64~ja-JP~10.0.19041.1.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-speechengine-onecore_31bf3856ad364e35_10.0.19041.746_none_bc3036e3312c41cb\spsreng_onecore.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_windows-defender-ui.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_6780aa477aba5664\shellext.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-d..usmanager.resources_31bf3856ad364e35_10.0.19041.1_de-de_8d2f207ea69ed2e3\DeviceDisplayStatusManager.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\INF\wfcvsc.inf	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-i..henticationbinaries_31bf3856ad364e35_10.0.19041.1_none_00499f6f2f9dc384\authanon.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-msdt.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_92d25bdd97f13163\msdt.exe.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..iacontrol.resources_31bf3856ad364e35_10.0.19041.1_es-es_aca3f3e6fce4a535	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-s..rity-ntlm.resources_31bf3856ad364e35_10.0.19041.1_en-us_1e060bde0bc59c10.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_system.speech_31bf3856ad364e35_4.0.15805.0_none_6356eb3c615539f4.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-devices-wifidirect_31bf3856ad364e35_10.0.19041.264_none_7f5c9c725416139f.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-com-base_31bf3856ad364e35_10.0.19041.1288_none_82b5dd00dbb53a5c\f\combase.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-e..collector.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_0d6b7a57b854af60\wecsvc.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_3efe39982df48a49	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c..lter-html.resources_31bf3856ad364e35_7.0.19041.1_de-de_ae4ab0e99dcf0323\xmlfilter.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-ie-behaviors_31bf3856ad364e35_11.0.19041.746_none_68c98dc0aeb278f1.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-c..atemanagersnapindll_31bf3856ad364e35_10.0.19041.1_none_0b1194ef4ae9fd52.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_lsi_sas.inf_31bf3856ad364e35_10.0.19041.1_none_5f9a81f80313be75	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\4c8219dc8cbbd73205eda4be67164be8fcdc236c7246b5fdad8de0e9f0dda0b2.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-m..erience-parser-task_31bf3856ad364e35_10.0.19041.1_none_80036e190af52e7c.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-wow64-legacy_31bf3856ad364e35_10.0.19041.1023_none_6aeab5d4bd0371a8\instnm.exe	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.ConfigCI.Commands.Resources\v4.0_10.0.0.0_ja_31bf3856ad364e35	AE 0124 BE.exe
File opened for modification	C:\Windows\servicing\Packages\Microsoft-Windows-ConfigCI-Onecore-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1081.mum	AE 0124 BE.exe
File opened for modification	C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\js\appLaunchers\OobeEnableDriverUpdate.js	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-deviceconfidence_31bf3856ad364e35_10.0.19041.746_none_6368f387693a8795\f	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-feedsbs.resources_31bf3856ad364e35_11.0.19041.1_it-it_bf074021ac98aeaf\msfeedsbs.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.19041.844_none_d9eb415c5b9dbe4e\Square71x71Logo.contrast-white_scale-200.png	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_netserv.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_650632054116420e\Netserv.inf_loc	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-wmpnssui.resources_31bf3856ad364e35_10.0.19041.1_en-us_fd2eb2c293eeae07\wmpnssui.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\diagnostics\system\Keyboard\en-US	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-dataexchange-api_31bf3856ad364e35_10.0.19041.264_none_c64e6022c8244394\r\DataExchange.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..cementmanifests-net_31bf3856ad364e35_10.0.19041.1_none_6d60b01ac2c12eee\IPv4IPv6CoexistenceMigration-net-Replacement.man	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\516da84ba3fbf9b78c4d1068a0427dbce975feb3bfbc0558b32e0c7e7320e698.cat	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-r..-agilevpn.resources_31bf3856ad364e35_10.0.19041.1_de-de_2c4b545e91e24985.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-devicecenter.resources_31bf3856ad364e35_10.0.19041.1_de-de_713a47c7e555a7bb.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-u..d-library.resources_31bf3856ad364e35_10.0.19041.1_uk-ua_d15312afb9f69513.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-com-oleui.resources_31bf3856ad364e35_10.0.19041.1_de-de_d50fa17c907d03b5\oledlg.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-profsvc-mof.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_72fea16405b406f3\UserProfileConfigurationWmiProvider.mfl	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-recoverydrive_31bf3856ad364e35_10.0.19041.1237_none_9d556cf140e198b4\r	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-v..lient-wmiv2provider_31bf3856ad364e35_10.0.19041.1_none_b6e04df4280ebfac\vpnclientpsprovider.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-w..t-snapins.resources_31bf3856ad364e35_10.0.19041.1_de-de_e5e0fa2af98330d3\wbemcntl.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\5c1b7b73113a6f079ae59ad2eb210951\mscorlib.ni.dll	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..shape-rll.resources_31bf3856ad364e35_10.0.19041.1_it-it_1a1844e17ef0a5e2	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_systemresource-wind..tscontrol.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_c29160c69762894c	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-g..ce-modern.resources_31bf3856ad364e35_10.0.19041.1_it-it_8a141e1b356b1a59\locationframework.dll.mui	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-securestartup_31bf3856ad364e35_10.0.19041.1_none_231f03a42d7583a9.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-t..ingengine.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_a841fd6a3048ab2d.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-i..-wow64-setupdll0009_31bf3856ad364e35_10.0.19041.1_none_a3d36f774fd097b9.manifest	AE 0124 BE.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Build.Tasks.v4.0.resources	AE 0124 BE.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-certutil_31bf3856ad364e35_10.0.19041.1_none_75cabfc3071adb42	AE 0124 BE.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AE 0124 BE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winlogon.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bc9387f4f791b45af7c7e57591307f100000000020000000000106600000001000020000000db2ac1028f226394e850139b87df7f5a75515687a117343c349d9cef7cc2ded6000000000e80000000020000200000006854c103caae7e1191d387fe8f1a7fa99ad97a70c8c7a0c8ad834af70f9a84972000000036c978b44ea2b587e0f5396bdfb51b4b3d8030b9e24305d907311a1204d0d0c840000000766dc97799271dec16d2f07b9e9545158eb48c7be3e17da083f71187fd7d39facbf31a77a611866f0e97c86bdd23381d14dfec4782ba9317fea0eba103512a8a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31126937"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001bc9387f4f791b45af7c7e57591307f100000000020000000000106600000001000020000000130d0df85c0efa2e6b7537caeec1518f31fc59d18cdd3f65322318b1ce845abe000000000e800000000200002000000039a8619190b17405c83803aaae9f9e332fd5eca7afe49d0a939f25d9ce4c685e200000008b6c378f4fc27aa43abeaff0ded976fffc2b47461694d10a085be2957634208740000000421b3273ac1267e8d30ed456469f176bda02c851de0a82048673e4f7814b231c25c8702b4d97a85b480eed4a28758abad9ac24dea6e81b06a17bb8707294b7b8	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31126937"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431209310"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{EB9BABAE-618C-11EF-BB4F-D6586EC96307} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3220942132"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3220942132"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3233598311"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31126937"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 108aa2c099f5da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00b6a9c099f5da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000_Classes\Local Settings	bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	AE 0124 BE.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
228	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4744	bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe
228	iexplore.exe
228	iexplore.exe
3492	IEXPLORE.EXE
3492	IEXPLORE.EXE
4532	winlogon.exe
1872	AE 0124 BE.exe
2232	winlogon.exe
3376	winlogon.exe
3492	IEXPLORE.EXE
3492	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 228	4744	bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe	85
PID 4744 wrote to memory of 228	4744	bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe	85
PID 228 wrote to memory of 3492	228	iexplore.exe	86
PID 228 wrote to memory of 3492	228	iexplore.exe	86
PID 228 wrote to memory of 3492	228	iexplore.exe	86
PID 4744 wrote to memory of 4532	4744	bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe	87
PID 4744 wrote to memory of 4532	4744	bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe	87
PID 4744 wrote to memory of 4532	4744	bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe	87
PID 4532 wrote to memory of 1872	4532	winlogon.exe	88
PID 4532 wrote to memory of 1872	4532	winlogon.exe	88
PID 4532 wrote to memory of 1872	4532	winlogon.exe	88
PID 4532 wrote to memory of 2232	4532	winlogon.exe	89
PID 4532 wrote to memory of 2232	4532	winlogon.exe	89
PID 4532 wrote to memory of 2232	4532	winlogon.exe	89
PID 1872 wrote to memory of 3376	1872	AE 0124 BE.exe	90
PID 1872 wrote to memory of 3376	1872	AE 0124 BE.exe	90
PID 1872 wrote to memory of 3376	1872	AE 0124 BE.exe	90

C:\Users\Admin\AppData\Local\Temp\bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bd02dd4aeb54e99962d72649846388e7_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Windows\AE 0124 BE.gif
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:228
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:228 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3492
- C:\Windows\SysWOW64\drivers\winlogon.exe
  "C:\Windows\System32\drivers\winlogon.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks computer location settings
  - Executes dropped EXE
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\AE 0124 BE.exe
    "C:\Windows\AE 0124 BE.exe"
    3⤵
    - Drops file in Drivers directory
    - Manipulates Digital Signatures
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\SysWOW64\drivers\winlogon.exe
      "C:\Windows\System32\drivers\winlogon.exe"
      4⤵
      Drops file in Drivers directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3376
- - C:\Windows\SysWOW64\drivers\winlogon.exe
    "C:\Windows\System32\drivers\winlogon.exe"
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
c7e3b23826b88f278d1e288a4470605e

SHA1
57dfb4622f47d230bb3b7de93a1233fe63a371d0

SHA256
8a4a36c919799e5e243666866a97a65df2744184d27fb070858e7391b806ace9

SHA512
caec881ca9294c6d5d6f35dd502c615459bd86abfc91c6695cff34b17b637d210e7bb456f5311a78cf01d55a76a994c602205bf8d0b4c30302e4ba7bab31e447

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
0ecb2098875ab1db453d3c89dd5200f4

SHA1
281cd7558b977b03c5a7459e6ff7e4dda5d0f2a9

SHA256
43e378d27b09e8d6d85e92ab1cbf4de87898047be74fe36870e38aa4bd61a66f

SHA512
c6af70bddb8a53383725bb69f2916c0c6f6c4c0724f7e11713a9db5a0d5398dba07e86dbea9755cfa332b0add7704e51a6af891aade1e6184f44de08a4cff75b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8WYVOD7\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
20KB

MD5
cb6939883139c3e42d3929c5ad9d2835

SHA1
837b47e4fb2965f496f615139bb0f977a76f8e72

SHA256
7a592adb0f88f8b0e2e02dc63c6d4a1515e2306418c71967284fd40c5b93d98f

SHA512
e739ac2a7d1bb3a9fe72fa3f25d56cf9f4e8fdc053a64761dd7cf882228652e74635e3e8a20fe792f6deb7b0c0030bb621ae0af43032c32aa0984ad76c697204

Download Submit
C:\Windows\AE 0124 BE.gif

Filesize
40KB

MD5
e8e58247e82ab01f6b632d8312ef1c98

SHA1
c5bc58b2572a0747b8320e094eb45f356619b54a

SHA256
1139c2f8ced9d3cc2bb625f50f6f16d2e89aef9680a229e3e2f6b7c680212503

SHA512
0dc880625ed703c2ba204b967b77260e45eaa33a44876ea0fdc91c8d72ef7ad66dab2f552ab392e889f1078406a96e236777537d45518f34b54e1eb7592d67d7

Download Submit
C:\Windows\Msvbvm60.dll

Filesize
1.4MB

MD5
25f62c02619174b35851b0e0455b3d94

SHA1
4e8ee85157f1769f6e3f61c0acbe59072209da71

SHA256
898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

SHA512
f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Download Submit
C:\Windows\SysWOW64\drivers\winlogon.exe

Filesize
40KB

MD5
f825399e1fe984d85e4883b67fc01eee

SHA1
ac8e3d8e53482cdb0ed7fceeabb4a3bbc2d1f96f

SHA256
651ece11587162fbfbce9005128e320b3f6319310aedbb5721837e74225ed936

SHA512
c43ce49bb75a8dbb8397c71420a86b0d0ae05b991fc56a19f9b3139719cab1dd42d65d8a1ea8388d475c039ef847c7a5b85c98d4b6904f2f4278b2f64afa35bc

Download Submit
\??\c:\B1uv3nth3x1.diz

Filesize
25B

MD5
589b6886a49054d03b739309a1de9fcc

SHA1
0ec1dff7a03f13dea28eea5e754d5b0e5e1dc308

SHA256
564815feb9c5bdadb145cd0d16738c4e5fbc6a46cf65c62ac6a985c43d1939e8

SHA512
4b6f567398863aba39eec00e9f071364b79d5c29867b93fb968725e10e33a9bfff60f8ab6acceae44e715a35ec7139d12da06c33fa074b6be02ff5357c53c0eb

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads