c1d6dbb531b4d85df214ed975a5340f93fe43c53b93e1a12381ac370e4db5187

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-09-2024 23:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe
Size

47KB
MD5

ce2b5b8d68abf090181e46b3a3d01091
SHA1

d5e71aca912fb415e66890417322aad41ae1a3f9
SHA256

c1d6dbb531b4d85df214ed975a5340f93fe43c53b93e1a12381ac370e4db5187
SHA512

13bdc16b8170d03a4289e73fa27b23a22e8520970dfeb043255fce849aca0888d3050f0dc660a8b797b5a23db9503ae6498024d0a34abf599773a50aa39e5cc3
SSDEEP

768:rmNnDSb5J3a0N1DZKRkC4beGLJ8tRWX+mMKqRxXGFT0nEW:SO1W4qzcjFqPGFA

Score

7^/10

adware discovery evasion execution persistence stealer trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2304	ZEO8EZUJX8K.EXE

Loads dropped DLL 1 IoCs

pid	Process
2304	ZEO8EZUJX8K.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{636CE42E-32FE-5C59-379B-23A34BCC4051}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\RFOORJHPV\7THSDF1PRW.EXE	ZEO8EZUJX8K.EXE
File opened for modification	C:\Program Files\RFOORJHPV\7THSDF1PRW.EXE	ZEO8EZUJX8K.EXE
File created	C:\Program Files\RFOORJHPV\UO93XZ.EXE	ZEO8EZUJX8K.EXE
File opened for modification	C:\Program Files\RFOORJHPV\UO93XZ.EXE	ZEO8EZUJX8K.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\FDONSZUYCQS.txt	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe
File created	\??\c:\windows\fdonszuycqs.dll	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZEO8EZUJX8K.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\SCRIPTHOSTENCODE	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{636CE42E-32FE-5C59-379B-23A34BCC4051}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ASP.HostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile\SCRIPTHOSTENCODE	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{636CE42E-32FE-5C59-379B-23A34BCC4051}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWOW64\\jscript.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\ = "Thunder 1.0 Type Library"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\PROGID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\PROGID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2672	reg.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe
1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe
1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe
1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe
1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe
2304	ZEO8EZUJX8K.EXE
2304	ZEO8EZUJX8K.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 2304	1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe	29
PID 1120 wrote to memory of 2304	1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe	29
PID 1120 wrote to memory of 2304	1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe	29
PID 1120 wrote to memory of 2304	1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe	29
PID 1120 wrote to memory of 2836	1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe	30
PID 1120 wrote to memory of 2836	1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe	30
PID 1120 wrote to memory of 2836	1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe	30
PID 1120 wrote to memory of 2836	1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe	30
PID 1120 wrote to memory of 2836	1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe	30
PID 1120 wrote to memory of 2836	1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe	30
PID 1120 wrote to memory of 2836	1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe	30
PID 1120 wrote to memory of 2756	1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe	31
PID 1120 wrote to memory of 2756	1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe	31
PID 1120 wrote to memory of 2756	1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe	31
PID 1120 wrote to memory of 2756	1120	ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe	31
PID 2756 wrote to memory of 2332	2756	cmd.exe	33
PID 2756 wrote to memory of 2332	2756	cmd.exe	33
PID 2756 wrote to memory of 2332	2756	cmd.exe	33
PID 2756 wrote to memory of 2332	2756	cmd.exe	33
PID 2756 wrote to memory of 2332	2756	cmd.exe	33
PID 2756 wrote to memory of 2332	2756	cmd.exe	33
PID 2756 wrote to memory of 2332	2756	cmd.exe	33
PID 2756 wrote to memory of 2748	2756	cmd.exe	34
PID 2756 wrote to memory of 2748	2756	cmd.exe	34
PID 2756 wrote to memory of 2748	2756	cmd.exe	34
PID 2756 wrote to memory of 2748	2756	cmd.exe	34
PID 2756 wrote to memory of 2912	2756	cmd.exe	35
PID 2756 wrote to memory of 2912	2756	cmd.exe	35
PID 2756 wrote to memory of 2912	2756	cmd.exe	35
PID 2756 wrote to memory of 2912	2756	cmd.exe	35
PID 2756 wrote to memory of 2180	2756	cmd.exe	36
PID 2756 wrote to memory of 2180	2756	cmd.exe	36
PID 2756 wrote to memory of 2180	2756	cmd.exe	36
PID 2756 wrote to memory of 2180	2756	cmd.exe	36
PID 2756 wrote to memory of 2180	2756	cmd.exe	36
PID 2756 wrote to memory of 2180	2756	cmd.exe	36
PID 2756 wrote to memory of 2180	2756	cmd.exe	36
PID 2756 wrote to memory of 2924	2756	cmd.exe	37
PID 2756 wrote to memory of 2924	2756	cmd.exe	37
PID 2756 wrote to memory of 2924	2756	cmd.exe	37
PID 2756 wrote to memory of 2924	2756	cmd.exe	37
PID 2756 wrote to memory of 2924	2756	cmd.exe	37
PID 2756 wrote to memory of 2924	2756	cmd.exe	37
PID 2756 wrote to memory of 2924	2756	cmd.exe	37
PID 2756 wrote to memory of 2820	2756	cmd.exe	38
PID 2756 wrote to memory of 2820	2756	cmd.exe	38
PID 2756 wrote to memory of 2820	2756	cmd.exe	38
PID 2756 wrote to memory of 2820	2756	cmd.exe	38
PID 2756 wrote to memory of 2980	2756	cmd.exe	39
PID 2756 wrote to memory of 2980	2756	cmd.exe	39
PID 2756 wrote to memory of 2980	2756	cmd.exe	39
PID 2756 wrote to memory of 2980	2756	cmd.exe	39
PID 2756 wrote to memory of 2972	2756	cmd.exe	40
PID 2756 wrote to memory of 2972	2756	cmd.exe	40
PID 2756 wrote to memory of 2972	2756	cmd.exe	40
PID 2756 wrote to memory of 2972	2756	cmd.exe	40
PID 2756 wrote to memory of 2652	2756	cmd.exe	41
PID 2756 wrote to memory of 2652	2756	cmd.exe	41
PID 2756 wrote to memory of 2652	2756	cmd.exe	41
PID 2756 wrote to memory of 2652	2756	cmd.exe	41
PID 2756 wrote to memory of 2644	2756	cmd.exe	42
PID 2756 wrote to memory of 2644	2756	cmd.exe	42
PID 2756 wrote to memory of 2644	2756	cmd.exe	42
PID 2756 wrote to memory of 2644	2756	cmd.exe	42

C:\Users\Admin\AppData\Local\Temp\ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ce2b5b8d68abf090181e46b3a3d01091_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120
- C:\ZEO8EZUJX8K.EXE
  C:\ZEO8EZUJX8K.EXE FDONSZUYCQS
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2304
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "c:\windows\fdonszuycqs.dll"
  2⤵
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2836
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\HVB33DABNBS.BAT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2332
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2748
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2912
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2180
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2924
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2820
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2980
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2972
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2652
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2644
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2672
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s msvidctl.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HVB33DABNBS.BAT

Filesize
1KB

MD5
8ad83a51d415c7d5d2beaf01d8083b23

SHA1
700fa9f0d42671a9086d02113eb892daab20e0b5

SHA256
39548db3192c9be6caa33eb253fcfa311d0e80f72e91162f1fa303f147caaacd

SHA512
23a34ded9eb7ae0813eb213a1441a3f1d03ee924a1131f874a2af00427f129896fb3287f71955fe106004f2e728a43bedea68d4a97c338b5f0aed5df187bb172

Download Submit
C:\Program Files\RFOORJHPV\7THSDF1PRW.EXE

Filesize
47KB

MD5
ce2b5b8d68abf090181e46b3a3d01091

SHA1
d5e71aca912fb415e66890417322aad41ae1a3f9

SHA256
c1d6dbb531b4d85df214ed975a5340f93fe43c53b93e1a12381ac370e4db5187

SHA512
13bdc16b8170d03a4289e73fa27b23a22e8520970dfeb043255fce849aca0888d3050f0dc660a8b797b5a23db9503ae6498024d0a34abf599773a50aa39e5cc3

Download Submit
C:\Windows\FDONSZUYCQS.txt

Filesize
47KB

MD5
76a9fcaf6429b229b8f1be2de1cdbfe5

SHA1
14798a06b0c083c5097cc764c2664755acd0b0ac

SHA256
5035b6f3ec6f6581c3641455bc0cd4f48ec64c82ae6b3f53700420fa2359eefb

SHA512
56e82755c14e62752baf5b9e480831293c235beb53b9f99ee6e7346b9a47de137197a900880ee8cb11773cdc4e447f72ff73e7592962fbb405c2b01f6c740c3f

Download Submit
C:\ZEO8EZUJX8K.EXE

Filesize
10KB

MD5
f2da5ae8487e3f7572e325334e54cf61

SHA1
45036bae670a2253c038092ec0cdf6ad34e13021

SHA256
1d87765c85931b53cede519163ed1de17e824584552f8d9747bdb5623dd640f2

SHA512
c611a49edf753110572133128a84d107b95f55fcb31b9ded1e86241651ee3e5033e2a637127caf857d60aeb3e2e902d8ca3ef7db34a3742a995a1316b2fa30e0

Download Submit
\??\c:\windows\fdonszuycqs.dll

Filesize
28KB

MD5
82ac13500b978fdb07c73e504a871498

SHA1
5e8478e261b48d63ca460bee85dde9cf62688407

SHA256
fd8f4a34328e6299045a455777b74f2f0ccf4fdca8899f66d1ee10d2a15284bc

SHA512
7620fd5885eea7f9a9d3a4f22f36470439cf01bfbd31eff6e06beec7d2b4b951080533572e2b9a5fa42c4c7cafe1c09ae000d4d2ca3ee7282a1b050248d8902e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads