e3f09a4f585512b2d597b0aacef5e95887aedc1c68556d4c8880113cab94144e

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
06-09-2024 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe
Size

4.8MB
MD5

d02a7aeeb68e9490f46067f2e73aad91
SHA1

46c23758adf8e8ba15f31851ba53040224e187ab
SHA256

e3f09a4f585512b2d597b0aacef5e95887aedc1c68556d4c8880113cab94144e
SHA512

921a8f73e25988056185b1cbbc8b413e6e1669ceeab418f4323d67900ffa8d8383a584c68166a9d557429a02160dd2af180c76927f181cb6462644cdc1e33d45
SSDEEP

98304:Ct6xS/jD6laC1GUqLQuZyM0vyGkt50rsI6NQ3giOvo7avbH0rT:CVKlaCjqLJ4M06Ga5DI6NQ3svbH+

Score

8^/10

discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 6 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ComponentID = "Flash"	install_flash_player_10_active_x.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\IsInstalled = 01000000	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Version = "10.0.22.87"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Locale = "EN"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11CF-96B8-444553540000}\ = "Adobe Flash Player"	install_flash_player_10_active_x.exe

Executes dropped EXE 2 IoCs

pid	Process
1448	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe
2824	install_flash_player_10_active_x.exe

Loads dropped DLL 11 IoCs

pid	Process
1732	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe
1448	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe
2824	install_flash_player_10_active_x.exe
2824	install_flash_player_10_active_x.exe
2824	install_flash_player_10_active_x.exe
2824	install_flash_player_10_active_x.exe
2824	install_flash_player_10_active_x.exe
2824	install_flash_player_10_active_x.exe
2824	install_flash_player_10_active_x.exe
2824	install_flash_player_10_active_x.exe
2824	install_flash_player_10_active_x.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Macromed\Flash\Flash10b.ocx	install_flash_player_10_active_x.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10b.exe	install_flash_player_10_active_x.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\Flash10b.ocx	install_flash_player_10_active_x.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\FlashUtil10b.exe	install_flash_player_10_active_x.exe
File created	C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe	install_flash_player_10_active_x.exe
File opened for modification	C:\Windows\SysWOW64\Macromed\Flash\install.log	install_flash_player_10_active_x.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install_flash_player_10_active_x.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0008000000019080-19.dat	nsis_installer_1
behavioral1/files/0x000500000001a05a-64.dat	nsis_installer_1

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppName = "FlashUtil10b.exe"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}	install_flash_player_10_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}\Compatibility Flags = "0"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}	install_flash_player_10_active_x.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\Policy = "3"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}\AppPath = "C:\\Windows\\SysWow64\\Macromed\\Flash"	install_flash_player_10_active_x.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.9	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\Content Type = "application/x-shockwave-flash"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-shockwave-flash\Extension = ".swf"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ = "IShockwaveFlash"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.swf\ = "ShockwaveFlash.ShockwaveFlash"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ = "Shockwave Flash Object"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CurVer	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS\ = "0"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory.1\CLSID	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\ = "0"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib\ = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\CLSID	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.5\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash\CurVer\ = "ShockwaveFlash.ShockwaveFlash.10"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID\ = "ShockwaveFlash.ShockwaveFlash.10"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\ = "ShockwaveFlash.ShockwaveFlash"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib\Version = "1.0"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{DDF4CE26-4BDA-42BC-B0F0-0E75243AD285}\ProxyStubClsid32	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID\ = "{D27CDB70-AE6D-11cf-96B8-444553540000}"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.4\ = "Shockwave Flash Object"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mfp\ = "MacromediaFlashPaper.MacromediaFlashPaper"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MacromediaFlashPaper.MacromediaFlashPaper\ = "Macromedia Flash Paper"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.8	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/futuresplash\CLSID = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.3	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.7	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx, 1"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.6\CLSID	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sor\Content Type = "text/plain"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash.10\CLSID\ = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.spl\Content Type = "application/futuresplash"	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.sol\Content Type = "text/plain"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\FlashFactory.FlashFactory\CLSID	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ShockwaveFlash.ShockwaveFlash	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32\ = "C:\\Windows\\SysWow64\\Macromed\\Flash\\Flash10b.ocx"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib	install_flash_player_10_active_x.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable	install_flash_player_10_active_x.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1\ = "131473"	install_flash_player_10_active_x.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}	install_flash_player_10_active_x.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1448	1732	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1448	1732	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1448	1732	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1448	1732	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1448	1732	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1448	1732	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1448	1732	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe	30
PID 1448 wrote to memory of 2824	1448	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe	32
PID 1448 wrote to memory of 2824	1448	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe	32
PID 1448 wrote to memory of 2824	1448	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe	32
PID 1448 wrote to memory of 2824	1448	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe	32
PID 1448 wrote to memory of 2824	1448	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe	32
PID 1448 wrote to memory of 2824	1448	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe	32
PID 1448 wrote to memory of 2824	1448	d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Screentime\STF1\d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Screentime\STF1\d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe" /l=393752
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Users\Admin\AppData\Local\Screentime\STF2\install_flash_player_10_active_x.exe
    "C:\Users\Admin\AppData\Local\Screentime\STF2\install_flash_player_10_active_x.exe" /s
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Screentime\STF1\d02a7aeeb68e9490f46067f2e73aad91_JaffaCakes118.exe

Filesize
4.3MB

MD5
d503c4f7d744989ca7b3798d7a9bd6e2

SHA1
f3392fd54890838d58bfad4dfb5101bc8f9f7990

SHA256
7e9acac11fd3549311f853015ba87cd8e0942725f652a5727b5e5278dd51437a

SHA512
0e113f39ef291d69cdd18bab30a3a8010ebcbff3a0f6635284a9ef3dbf01e6fe4bf2f4f503b797f101efede0740798c73f4f338c13a9409f7abec7ab00e37340

Download Submit
C:\Windows\SysWOW64\Macromed\Flash\uninstall_activeX.exe

Filesize
86KB

MD5
cc7630e03441eb523e7bedbadf0da6c5

SHA1
7f6d7a926bb21ac93c8ffa61651f09ed9a29cac1

SHA256
bbeb0b46d18a9317200d47c9c9444c38c6e0e9c9eb09480d5a7bcf94490c3935

SHA512
017c9e48eed4b32d61f508fd07f6a8c0aa897cec452f6790281363a91fb3af9383b8aaa4da71660e099bc0e3c6b030c31eab06ad39e81753731cef1337fee307

Download Submit
\Users\Admin\AppData\Local\Screentime\STF2\install_flash_player_10_active_x.exe

Filesize
1.8MB

MD5
c41b29f0fee117ced47248cc7fecad11

SHA1
86745020a25edc9695a1a6a4d59eae375665a0b3

SHA256
594d0d699566fbbec4e733ba0c603cb6e6f6fc3cb8901eeb715a037c99c4c38f

SHA512
8734722bcdc97dedaa3fd31e2ced14748b54bca5847f0b0ed2fbb4a7dfe463a47a11d10e9a2dc85f4e2f883be1b4b4cf56038099624c7c37a6b313db5bf6b25b

Download Submit
\Users\Admin\AppData\Local\Temp\nseE082.tmp\NSISArray.dll

Filesize
17KB

MD5
2b8574f6a8f5de9042baa43c069d20ba

SHA1
07959da0c6b7715b51f70f1b0aea1f56ba7a4559

SHA256
38654eef0ee3715f4b1268f4b4176a6b487a0a9e53a27a4ec0b84550ea173564

SHA512
f034f71b6a18ee8024d40acd3c097d95c8fd8e128d75075cc452e71898c1c0322f21b54bd39ca72d053d7261ffbab0c5c1f820602d52fc85806513a6fe317e88

Download Submit
\Users\Admin\AppData\Local\Temp\nseE082.tmp\System.dll

Filesize
10KB

MD5
16ae54e23736352739d7ab156b1965ba

SHA1
14f8f04bed2d6adc07565d5c064f6931b128568f

SHA256
c11ffa087c6848f3870e6336d151f0ba6298c0e1e30ccddf2da25a06d36a61fc

SHA512
15dbfcdc5dc34cb20066120045e3250f8df9e50b91de043f2ada33ac0235907d98668e248828a7ed9c75e25dfb5103b7248867530ce73ee36f6a35c30b4afa9f

Download Submit
\Users\Admin\AppData\Local\Temp\nseE082.tmp\UserInfo.dll

Filesize
4KB

MD5
68d73a95c628836b67ea5a717d74b38c

SHA1
935372db4a66f9dfd6c938724197787688e141b0

SHA256
21a373c52aaecce52b41aebe6d0224f53760fc3e5c575e821175eee3a1f7f226

SHA512
0e804deab4e647213132add4173c1d2c554c628816f56e21e274a40e185d90254e29c8bfc6fbfdfea2a492d43d23c0bfa4b276252a3f5e1993ab80ff832c4914

Download Submit
\Users\Admin\AppData\Local\Temp\nseE082.tmp\fpinstall.dll

Filesize
8KB

MD5
071b6233c92f69ffa1c24243328c3b94

SHA1
bb583c00e87cdc65e6254c7148d37afc1bbb3095

SHA256
5f6c63cb0ba539d692c5461730f057d0ec6c60639d772fbdc3753c3c6e746c43

SHA512
7fc2db406350488ee86ccffe1e99a91e0f509ef0429063336bf6f96aab07127df352db77fe9d00ddc3aa2db7886dfbac08b6acf6a5c647859956111ca47c24f1

Download Submit
\Windows\SysWOW64\Macromed\Flash\Flash10b.ocx

Filesize
3.7MB

MD5
8afc17155ed5ab60b7c52d7f553d579c

SHA1
fc3087d8acb839e4cfcf14c9982c0e4d8a1c7109

SHA256
a7f7cd44461e11d1b8be467bd4e4a22ae05b6df29260cc0b9d43a6314fe2a375

SHA512
b22b3d280a7d8bb6c5131c98c7270010d5aabeeaf8092596d5e8f024d1820cf4c0bfa42d6ed1f2a6cbb82ab4d0f3d48ef873c4edf307078e51618decc1eeff92

Download Submit
memory/1448-7-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1448-88-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1448-14-0x0000000000400000-0x00000000004F5000-memory.dmp

Filesize
980KB

Download
memory/1448-15-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1732-12-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1732-13-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/1732-0-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads