9944af15f62c4b09b32368bc0a149d2bae0ea18e24e63186dd94e008d8e4cbcf

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 03:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Size

1.3MB
MD5

d36da428c608443404cb5a99c6935f1a
SHA1

72e4094aece52cfc8f17c73ed8111791502c434a
SHA256

9944af15f62c4b09b32368bc0a149d2bae0ea18e24e63186dd94e008d8e4cbcf
SHA512

68f419810b5cdb6d734fc7234260ac0eb8c8ec427b62580a7d3525e092cafd1ad5f0449fa916a9ff5a56187999d7711f4ab677e901f57e8ddb09f6c281d46172
SSDEEP

24576:Y0KdgGRbotxLExLd3pA0UK4M60wnhH2WP+bFK87mFWvMA3pmn:Y0K+GRbotxwNtqj5M6xhWi+5J7m66

Score

8^/10

adware discovery evasion persistence privilege_escalation stealer upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2880	netsh.exe
2892	netsh.exe
2644	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
2916	EhStorShell32.exe
2840	helppaneproxy32.exe
568	EhStorShell32.exe
3004	lsass.exe

Loads dropped DLL 11 IoCs

pid	Process
2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
2840	helppaneproxy32.exe
2348	WerFault.exe
2840	helppaneproxy32.exe
2840	helppaneproxy32.exe
568	EhStorShell32.exe
2916	EhStorShell32.exe
2916	EhStorShell32.exe
3004	lsass.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2888-9-0x0000000010000000-0x0000000010087000-memory.dmp	upx
behavioral1/memory/2888-6-0x0000000010000000-0x0000000010087000-memory.dmp	upx
behavioral1/memory/2888-78-0x0000000010000000-0x0000000010087000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SysWin\\lsass.exe"	EhStorShell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SysWin\\lsass.exe"	lsass.exe

Installs/modifies Browser Helper Object 2 TTPs 5 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D89599F-5277-4BB8-987E-D190B0656A6d}	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	helppaneproxy32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D00199B7-8BC0-EA47-EADE-1C468C1F27FC}	helppaneproxy32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D00199B7-8BC0-EA47-EADE-1C468C1F27FC}\NoExplorer = "1"	helppaneproxy32.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\277096403	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HelpPaneProxy32.exe	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\HelpPaneProxy32.exe	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\ea2a30a41109C.manifest	helppaneproxy32.exe
File opened for modification	C:\Windows\SysWOW64\ea2a30a41109O.manifest	helppaneproxy32.exe
File opened for modification	C:\Windows\SysWOW64\ea2a30a41109S.manifest	helppaneproxy32.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EhStorShell32.exe	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\277096403	helppaneproxy32.exe
File opened for modification	C:\Windows\SysWOW64\ea2a30a41109P.manifest	helppaneproxy32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	helppaneproxy32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2348	2888	WerFault.exe	28

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EhStorShell32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	helppaneproxy32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EhStorShell32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 9f59890d7752b84b987ed190b0656a6d	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	helppaneproxy32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF8F4544-6CFE-4185-B019-63260A8BBB79}	helppaneproxy32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF8F4544-6CFE-4185-B019-63260A8BBB79}\WpadDecisionReason = "1"	helppaneproxy32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Koqqnveiam\CLSID	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Koqqnveiam	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	helppaneproxy32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00be000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	helppaneproxy32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-c0-0b-98-eb-85\WpadDecisionTime = 508c46469f01db01	helppaneproxy32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	helppaneproxy32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	helppaneproxy32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF8F4544-6CFE-4185-B019-63260A8BBB79}\WpadNetworkName = "Network 3"	helppaneproxy32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-c0-0b-98-eb-85	helppaneproxy32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Koqqnveiam\CLSID\ = "{85d8c116-b6c6-4dbe-82e9-ec1581dffd2b}"	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF8F4544-6CFE-4185-B019-63260A8BBB79}\WpadDecision = "0"	helppaneproxy32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF8F4544-6CFE-4185-B019-63260A8BBB79}\ee-c0-0b-98-eb-85	helppaneproxy32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-c0-0b-98-eb-85\WpadDecisionReason = "1"	helppaneproxy32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Koqqnveiam	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Koqqnveiam\CLSID\ = "{85d8c116-b6c6-4dbe-82e9-ec1581dffd2b}"	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF8F4544-6CFE-4185-B019-63260A8BBB79}\WpadDecisionTime = 501e5cf99e01db01	helppaneproxy32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	helppaneproxy32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-c0-0b-98-eb-85\WpadDetectedUrl	helppaneproxy32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00be000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	helppaneproxy32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Koqqnveiam\CLSID	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Koqqnveiam\CLSID\ = "{85d8c116-b6c6-4dbe-82e9-ec1581dffd2b}"	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Koqqnveiam\CLSID	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	helppaneproxy32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	helppaneproxy32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	helppaneproxy32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-c0-0b-98-eb-85\WpadDecisionTime = 501e5cf99e01db01	helppaneproxy32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ee-c0-0b-98-eb-85\WpadDecision = "0"	helppaneproxy32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Koqqnveiam\CLSID	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 9f59890d7752b84b987ed190b0656a6d	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\ea2a30a4 = " "	helppaneproxy32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	helppaneproxy32.exe
Key created	\REGISTRY\USER\.DEFAULT	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 9f59890d7752b84b987ed190b0656a6d	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	helppaneproxy32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	helppaneproxy32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DF8F4544-6CFE-4185-B019-63260A8BBB79}\WpadDecisionTime = 508c46469f01db01	helppaneproxy32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Koqqnveiam	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	helppaneproxy32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	helppaneproxy32.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D89599F-5277-4BB8-987E-D190B0656A6d}\InprocServer32\ = "C:\\Windows\\SysWow64\\api-ms-win-core-localization-l1-2-032.dll"	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D00199B7-8BC0-EA47-EADE-1C468C1F27FC}\InProcServer32	helppaneproxy32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D00199B7-8BC0-EA47-EADE-1C468C1F27FC}\InProcServer32\ = "C:\\ProgramData\\api-ms-win-core-localization-l1-2-032.dll"	helppaneproxy32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Koqqnveiam\CLSID	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Koqqnveiam	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Software\Koqqnveiam\CLSID	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Software\Koqqnveiam\CLSID	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{85d8c116-b6c6-4dbe-82e9-ec1581dffd2b}	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler\ = "{a0e15eb8-f69e-43a9-b13a-10f4dad7bd55}"	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D89599F-5277-4BB8-987E-D190B0656A6d}\InprocServer32\ThreadingModel = "Both"	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D00199B7-8BC0-EA47-EADE-1C468C1F27FC}	helppaneproxy32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Koqqnveiam\CLSID\ = "{85d8c116-b6c6-4dbe-82e9-ec1581dffd2b}"	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Software\Koqqnveiam	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D89599F-5277-4BB8-987E-D190B0656A6d}	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D00199B7-8BC0-EA47-EADE-1C468C1F27FC}\InProcServer32\ThreadingModel = "Apartment"	helppaneproxy32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Software	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\Software\Koqqnveiam\CLSID\ = "{85d8c116-b6c6-4dbe-82e9-ec1581dffd2b}"	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D89599F-5277-4BB8-987E-D190B0656A6d}\InprocServer32	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D00199B7-8BC0-EA47-EADE-1C468C1F27FC}\ = "9a5960f1"	helppaneproxy32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2888 wrote to memory of 2916	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2916	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2916	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2916	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	29
PID 2888 wrote to memory of 2880	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2880	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2880	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2880	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	30
PID 2888 wrote to memory of 2892	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	32
PID 2888 wrote to memory of 2892	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	32
PID 2888 wrote to memory of 2892	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	32
PID 2888 wrote to memory of 2892	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	32
PID 2888 wrote to memory of 2644	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	34
PID 2888 wrote to memory of 2644	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	34
PID 2888 wrote to memory of 2644	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	34
PID 2888 wrote to memory of 2644	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	34
PID 2888 wrote to memory of 2348	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	37
PID 2888 wrote to memory of 2348	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	37
PID 2888 wrote to memory of 2348	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	37
PID 2888 wrote to memory of 2348	2888	d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe	37
PID 2840 wrote to memory of 568	2840	helppaneproxy32.exe	38
PID 2840 wrote to memory of 568	2840	helppaneproxy32.exe	38
PID 2840 wrote to memory of 568	2840	helppaneproxy32.exe	38
PID 2840 wrote to memory of 568	2840	helppaneproxy32.exe	38
PID 2916 wrote to memory of 3004	2916	EhStorShell32.exe	39
PID 2916 wrote to memory of 3004	2916	EhStorShell32.exe	39
PID 2916 wrote to memory of 3004	2916	EhStorShell32.exe	39
PID 2916 wrote to memory of 3004	2916	EhStorShell32.exe	39

C:\Users\Admin\AppData\Local\Temp\d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d36da428c608443404cb5a99c6935f1a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\SysWOW64\EhStorShell32.exe
  "C:\Windows\system32\EhStorShell32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe
    "C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:3004
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\helppaneproxy32.exe" enable=yes profile=domain
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\helppaneproxy32.exe" enable=yes profile=private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\helppaneproxy32.exe" enable=yes profile=public
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2644
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 564
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2348

C:\Windows\SysWOW64\helppaneproxy32.exe
C:\Windows\SysWOW64\helppaneproxy32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840
- C:\ProgramData\EhStorShell32.exe
  schutz
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\277096403

Filesize
80B

MD5
02f314b0009f32d69bc4cd03e8b9c937

SHA1
f7671bdb17c21f36431c2771661872bc7336781f

SHA256
84a62a14c26835ea57d15cb25e9093b26cada1c070bae3ce398d2481d6c38e2f

SHA512
9e73786f09fe2b168d22e6c6edf82962e8ba8681405aaa064e43110ad22d4168b9f247839890fa41824ead6d7edf740d388bb690084cdb54613b1d17ce054915

Download Submit
C:\Windows\SysWOW64\277096403

Filesize
112B

MD5
f6ad6831336989167c7a79203a86fa1d

SHA1
fa939fa42cd73bcac20c7052e670981ca695201f

SHA256
8ccad00278aebf3a3d8b3f4386b62a65c42562e9e43d9dd3fadd6a0284cc6003

SHA512
9a6cfbfb01aee209ca0254b1abae9cddb67fd22de5334452620aa72ee967a8d2adb9e7755b58038dcc6e97481858b8e319b2adabac772aa935faf9399c40cdce

Download Submit
C:\Windows\SysWOW64\HelpPaneProxy32.exe

Filesize
1.3MB

MD5
d36da428c608443404cb5a99c6935f1a

SHA1
72e4094aece52cfc8f17c73ed8111791502c434a

SHA256
9944af15f62c4b09b32368bc0a149d2bae0ea18e24e63186dd94e008d8e4cbcf

SHA512
68f419810b5cdb6d734fc7234260ac0eb8c8ec427b62580a7d3525e092cafd1ad5f0449fa916a9ff5a56187999d7711f4ab677e901f57e8ddb09f6c281d46172

Download Submit
\ProgramData\api-ms-win-core-localization-l1-2-032.dll

Filesize
246KB

MD5
c1164e3a20e832a7006d896b7d050850

SHA1
99606e072e64fdee71b4ce7c6794cbba09fd739b

SHA256
f0be9c4207cff39b10c20dfe2e23e7d6799193d9a85d6bb39430e92d33bf2ce2

SHA512
0bbb2c47862856fe6a19d4a417c0c18b6654cb58839dd8276f3c5d07871ef55d13035277870a369231a0e2aafe16d69617ad41717960dbc3979adf4f8b73e2bc

Download Submit
\Windows\SysWOW64\EhStorShell32.exe

Filesize
170KB

MD5
f4db65a72b18f7b06d574913f4ba867f

SHA1
ebb491a5537a546022d218028bbdee809cbb9ac4

SHA256
0ca0d9337520e91c27c1e2cf2281f6c27e375296e2fcbc4e218f6b5e8075434b

SHA512
936a046d840104c91b222e0011f9c7a566e8a7f23c1d1c8c9b24c971d7daef6b4c331feaaa4b34eaaf3ae7f77e3be48521b9bf27ae26ae4d7c21beafd581ceb4

Download Submit
\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll

Filesize
399KB

MD5
54460353b0f8fa4dd69f8de000449ad5

SHA1
5fa6dec3963de50ade6f3101d729b67d34e8b19c

SHA256
3d11d6affa24707d5e3ec4033911eb2fd4505061708569024c39ad859380491d

SHA512
31bac7d383c0d3721521d2b3531ca37e10799b536570c625fcc7f5f7e24986d72f803ec11fbcf6dcbe6d9392c281251c0ad06a72c70998e52d9a8e35ec4a819a

Download Submit
memory/568-82-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2840-102-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/2840-81-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/2840-80-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2840-33-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/2888-6-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/2888-8-0x000000001005A000-0x0000000010085000-memory.dmp

Filesize
172KB

Download
memory/2888-1-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2888-5-0x00000000002A0000-0x00000000002E8000-memory.dmp

Filesize
288KB

Download
memory/2888-9-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/2888-76-0x0000000000550000-0x0000000000641000-memory.dmp

Filesize
964KB

Download
memory/2888-77-0x000000001005A000-0x0000000010085000-memory.dmp

Filesize
172KB

Download
memory/2888-78-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/2888-79-0x0000000000400000-0x000000000054E000-memory.dmp

Filesize
1.3MB

Download
memory/2888-0-0x0000000000550000-0x0000000000641000-memory.dmp

Filesize
964KB

Download
memory/2916-25-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2916-24-0x0000000000230000-0x000000000025C000-memory.dmp

Filesize
176KB

Download
memory/2916-68-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3004-75-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3004-83-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download