f52242e5b0cf6b9c7910f6da65e1be52296747b12ef6ffbf49bc5df880d97945

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 00:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe
Size

93KB
MD5

bda06e36463d41a1aee9f4f42f944bf8
SHA1

9cacb4d9f6aa451340e86f81939b277f9a86282d
SHA256

f52242e5b0cf6b9c7910f6da65e1be52296747b12ef6ffbf49bc5df880d97945
SHA512

b36d37b0cd30463ceff9ecd10386dc5e253326fec03558de0f20997f1e36b2d40d1f260f2bcf38b81f0852f596c6ade2309ce53a1ea49ebb09b9d3f3e204978f
SSDEEP

1536:qrZNNGgxsVd3uYaFBYZFHwiLUOx6yotbSutXufomvVOLCgYbln5e5AY8k+ahG16E:q87Vd3uVYZZwiLJlmPIALCZXlYz7zXI

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2788	2A7A4.exe
2848	2A7A4.exe
888	F1CE1.exe

Loads dropped DLL 8 IoCs

pid	Process
2724	bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe
2724	bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe
2848	2A7A4.exe
2848	2A7A4.exe
888	F1CE1.exe
888	F1CE1.exe
888	F1CE1.exe
888	F1CE1.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\490XZ60J.txt	F1CE1.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\MXRDMZJH.txt	F1CE1.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QPQWK913.htm	F1CE1.exe
File opened for modification	C:\Windows\SysWOW64\2A7A4.exe	bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\F1CE1.exe	2A7A4.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\8EKDHNLP.txt	F1CE1.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\MC8JEVR1.txt	F1CE1.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	F1CE1.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\MXRDMZJH.txt	F1CE1.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\MC8JEVR1.txt	F1CE1.exe
File opened for modification	C:\Windows\SysWOW64\MSWINSCK.OCX	2A7A4.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\8EKDHNLP.txt	F1CE1.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\490XZ60J.txt	F1CE1.exe

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2A7A4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2A7A4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	F1CE1.exe

Modifies data under HKEY_USERS 24 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	F1CE1.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	F1CE1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	F1CE1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	F1CE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3672FCC5-B714-4182-93C1-9663ACBBD70B}\c2-1a-9c-06-72-ed	F1CE1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	F1CE1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	F1CE1.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	F1CE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3672FCC5-B714-4182-93C1-9663ACBBD70B}	F1CE1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3672FCC5-B714-4182-93C1-9663ACBBD70B}\WpadDecisionReason = "1"	F1CE1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3672FCC5-B714-4182-93C1-9663ACBBD70B}\WpadDecision = "0"	F1CE1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3672FCC5-B714-4182-93C1-9663ACBBD70B}\WpadNetworkName = "Network 3"	F1CE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-1a-9c-06-72-ed	F1CE1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	F1CE1.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3672FCC5-B714-4182-93C1-9663ACBBD70B}\WpadDecisionTime = e0305a21baf5da01	F1CE1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-1a-9c-06-72-ed\WpadDecisionReason = "1"	F1CE1.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-1a-9c-06-72-ed\WpadDecisionTime = e0305a21baf5da01	F1CE1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	F1CE1.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	F1CE1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	F1CE1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	F1CE1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	F1CE1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\c2-1a-9c-06-72-ed\WpadDecision = "0"	F1CE1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	F1CE1.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ = "Microsoft WinSock Control, version 6.0"	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\ = "Microsoft Winsock Control 6.0"	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS\ = "2"	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\0\win32	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ = "IMSWinsockControl"	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ThreadingModel = "Apartment"	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\ = "Microsoft WinSock Control, version 6.0"	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1\ = "132497"	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0	F1CE1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX"	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\VersionIndependentProgID	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ProgID\ = "MSWinsock.Winsock.1"	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\ = "0"	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED4-2438-11CF-A3DB-080036F12502}	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock.1\CLSID	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Version\ = "1.0"	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Programmable	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\Version = "1.0"	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\HELPDIR\	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\InprocServer32	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Control	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\ToolboxBitmap32\ = "C:\\Windows\\SysWOW64\\MSWINSCK.OCX, 1"	F1CE1.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD897-BB45-11CF-9ABC-0080C7E7B78D}	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\ = "Microsoft WinSock Control, version 6.0"	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus\1	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer\ = "MSWinsock.Winsock.1"	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}\1.0\FLAGS	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD892-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\TypeLib\ = "{248DD890-BB45-11CF-9ABC-0080C7E7B78D}"	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CurVer	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\MiscStatus	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{248DD896-BB45-11CF-9ABC-0080C7E7B78D}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	F1CE1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{248DD890-BB45-11CF-9ABC-0080C7E7B78D}	F1CE1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	F1CE1.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2724	bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe
2788	2A7A4.exe
2848	2A7A4.exe
888	F1CE1.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2788	2724	bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2788	2724	bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2788	2724	bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe	30
PID 2724 wrote to memory of 2788	2724	bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2452	2788	2A7A4.exe	31
PID 2788 wrote to memory of 2452	2788	2A7A4.exe	31
PID 2788 wrote to memory of 2452	2788	2A7A4.exe	31
PID 2788 wrote to memory of 2452	2788	2A7A4.exe	31
PID 2724 wrote to memory of 2820	2724	bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe	33
PID 2724 wrote to memory of 2820	2724	bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe	33
PID 2724 wrote to memory of 2820	2724	bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe	33
PID 2724 wrote to memory of 2820	2724	bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe	33
PID 2452 wrote to memory of 2892	2452	cmd.exe	34
PID 2452 wrote to memory of 2892	2452	cmd.exe	34
PID 2452 wrote to memory of 2892	2452	cmd.exe	34
PID 2452 wrote to memory of 2892	2452	cmd.exe	34
PID 2820 wrote to memory of 2832	2820	cmd.exe	36
PID 2820 wrote to memory of 2832	2820	cmd.exe	36
PID 2820 wrote to memory of 2832	2820	cmd.exe	36
PID 2820 wrote to memory of 2832	2820	cmd.exe	36
PID 2892 wrote to memory of 2748	2892	net.exe	37
PID 2892 wrote to memory of 2748	2892	net.exe	37
PID 2892 wrote to memory of 2748	2892	net.exe	37
PID 2892 wrote to memory of 2748	2892	net.exe	37
PID 2832 wrote to memory of 2696	2832	net.exe	38
PID 2832 wrote to memory of 2696	2832	net.exe	38
PID 2832 wrote to memory of 2696	2832	net.exe	38
PID 2832 wrote to memory of 2696	2832	net.exe	38
PID 2848 wrote to memory of 2588	2848	2A7A4.exe	40
PID 2848 wrote to memory of 2588	2848	2A7A4.exe	40
PID 2848 wrote to memory of 2588	2848	2A7A4.exe	40
PID 2848 wrote to memory of 2588	2848	2A7A4.exe	40
PID 2588 wrote to memory of 2752	2588	cmd.exe	42
PID 2588 wrote to memory of 2752	2588	cmd.exe	42
PID 2588 wrote to memory of 2752	2588	cmd.exe	42
PID 2588 wrote to memory of 2752	2588	cmd.exe	42
PID 2752 wrote to memory of 2996	2752	net.exe	43
PID 2752 wrote to memory of 2996	2752	net.exe	43
PID 2752 wrote to memory of 2996	2752	net.exe	43
PID 2752 wrote to memory of 2996	2752	net.exe	43
PID 2848 wrote to memory of 888	2848	2A7A4.exe	44
PID 2848 wrote to memory of 888	2848	2A7A4.exe	44
PID 2848 wrote to memory of 888	2848	2A7A4.exe	44
PID 2848 wrote to memory of 888	2848	2A7A4.exe	44

C:\Users\Admin\AppData\Local\Temp\bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bda06e36463d41a1aee9f4f42f944bf8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\2A7A4.exe
  C:\Windows\system32\2A7A4.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "net start 2A7A4"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2452
  - - C:\Windows\SysWOW64\net.exe
      net start 2A7A4
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2892
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 start 2A7A4
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "net start 2A7A4"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\net.exe
    net start 2A7A4
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start 2A7A4
      4⤵
      System Location Discovery: System Language Discovery
      PID:2696

C:\Windows\SysWOW64\2A7A4.exe
C:\Windows\SysWOW64\2A7A4.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "net start 2A7A4"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\net.exe
    net start 2A7A4
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 start 2A7A4
      4⤵
      System Location Discovery: System Language Discovery
      PID:2996
- C:\Windows\SysWOW64\F1CE1.exe
  C:\Windows\system32\F1CE1.exe eee
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
\Windows\SysWOW64\2A7A4.exe

Filesize
93KB

MD5
bda06e36463d41a1aee9f4f42f944bf8

SHA1
9cacb4d9f6aa451340e86f81939b277f9a86282d

SHA256
f52242e5b0cf6b9c7910f6da65e1be52296747b12ef6ffbf49bc5df880d97945

SHA512
b36d37b0cd30463ceff9ecd10386dc5e253326fec03558de0f20997f1e36b2d40d1f260f2bcf38b81f0852f596c6ade2309ce53a1ea49ebb09b9d3f3e204978f

Download Submit
\Windows\SysWOW64\F1CE1.exe

Filesize
104KB

MD5
ba6117bcfcdec0c687a189abb3e9c010

SHA1
abb223c5f68c164a6f0def4cbe73868b57b04827

SHA256
4178559c18459ea2364ac131e3d1d4e6d434c700915df96b2a0575c0ceeb4467

SHA512
86934c150a03fc2f0951756f4bda02e8a534aec348b21f25a5a0575d45517f15489e33950df120d73f5bd644ce44750cc5a53f5922b243184921cb6feb225b9f

Download Submit
memory/2724-0-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2724-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2724-12-0x0000000000340000-0x0000000000386000-memory.dmp

Filesize
280KB

Download
memory/2724-19-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2788-13-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2788-17-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2848-23-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2848-41-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download