577a902f8b8c7d0c261c963f646831ff32b22c7443905e780207370943006836

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/09/2024, 13:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe
Size

9.0MB
MD5

d6660e6e89baf4cd6d941e175f922ded
SHA1

8f6bdf15116430f0e8e21ca45f53b754123cffaa
SHA256

577a902f8b8c7d0c261c963f646831ff32b22c7443905e780207370943006836
SHA512

e2de27614b55e0022a0b6093129e82b9d9878f43a373c14afa7111fb7cd663e4c8ed7a3a76ef8204d40b8493d525cd40b28235fb1c4d13367308926f7d807335
SSDEEP

49152:Izrh20HcSyFeOJpl6IKxrrQwgTz4HhsH+oYTRayy2LFxK5e6JZp2c+xoj2Sj3:0rh2RTSfQwNHhluyra2U3

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2768	xa259451580.exe
2804	xa259453078.exe
1600	xa259453858.exe
2824	xa259454654.exe
2876	xa259455808.exe

Loads dropped DLL 25 IoCs

pid	Process
1388	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe
2768	xa259451580.exe
2768	xa259451580.exe
2768	xa259451580.exe
2768	xa259451580.exe
2804	xa259453078.exe
2804	xa259453078.exe
2804	xa259453078.exe
2804	xa259453078.exe
1600	xa259453858.exe
1600	xa259453858.exe
1600	xa259453858.exe
1600	xa259453858.exe
2824	xa259454654.exe
2824	xa259454654.exe
2824	xa259454654.exe
2824	xa259454654.exe
2876	xa259455808.exe
2876	xa259455808.exe
2876	xa259455808.exe
1632	regsvr32.exe
548	regsvr32.exe
484	regsvr32.exe
1656	regsvr32.exe
1216	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 19 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{354F7AC6-83E5-3FAD-8919-2D0A6ACA14C0}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4F3692E2-EF52-35CE-B381-0F6F65CF5B19}\IExplore = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4F3692E2-EF52-35CE-B381-0F6F65CF5B19}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{354F7AC6-83E5-3FAD-8919-2D0A6ACA14C0}\IExplore = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7B8FFA6B-0AD2-3279-A22E-D56A8FB99857}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9628A2B0-CC39-3E7D-9D1B-051D5716AC50}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{4F3692E2-EF52-35CE-B381-0F6F65CF5B19}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B1522545-F063-3C9E-8E52-D17FDA8AF74A}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{354F7AC6-83E5-3FAD-8919-2D0A6ACA14C0}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7B8FFA6B-0AD2-3279-A22E-D56A8FB99857}\IExplore = "1"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7B8FFA6B-0AD2-3279-A22E-D56A8FB99857}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9628A2B0-CC39-3E7D-9D1B-051D5716AC50}\IExplore = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{B1522545-F063-3C9E-8E52-D17FDA8AF74A}\IExplore = "1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{9628A2B0-CC39-3E7D-9D1B-051D5716AC50}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	regsvr32.exe

Drops file in System32 directory 25 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\xa259453858.exe	xa259453078.exe
File opened for modification	C:\Windows\SysWOW64\xa259453562.exe	xa259451580.exe
File created	C:\Windows\SysWOW64\xa259454061.exe	xa259453078.exe
File created	C:\Windows\SysWOW64\xa259453562.exe	xa259451580.exe
File created	C:\Windows\SysWOW64\wr57619.dll	xa259451580.exe
File created	C:\Windows\SysWOW64\wr91387.dll	xa259453078.exe
File created	C:\Windows\SysWOW64\wr85664.dll	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\xa259456011.exe	xa259454654.exe
File created	C:\Windows\SysWOW64\xa259454966.exe	xa259453858.exe
File created	C:\Windows\SysWOW64\xa259455808.exe	xa259454654.exe
File created	C:\Windows\SysWOW64\xa259453078.exe	xa259451580.exe
File created	C:\Windows\SysWOW64\xwr91387.dll	xa259453078.exe
File opened for modification	C:\Windows\SysWOW64\xa259454966.exe	xa259453858.exe
File created	C:\Windows\SysWOW64\xwr40309.dll	xa259454654.exe
File opened for modification	C:\Windows\SysWOW64\xa259451783.exe	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xa259454654.exe	xa259453858.exe
File created	C:\Windows\SysWOW64\wr75602.dll	xa259453858.exe
File created	C:\Windows\SysWOW64\xwr75602.dll	xa259453858.exe
File created	C:\Windows\SysWOW64\wr40309.dll	xa259454654.exe
File created	C:\Windows\SysWOW64\xwr57619.dll	xa259451580.exe
File opened for modification	C:\Windows\SysWOW64\xa259454061.exe	xa259453078.exe
File created	C:\Windows\SysWOW64\xa259456011.exe	xa259454654.exe
File created	C:\Windows\SysWOW64\xa259451580.exe	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xa259451783.exe	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\xwr85664.dll	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xa259453078.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xa259454654.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xa259451580.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xa259453858.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xa259455808.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{544B0EE3-BE73-32D2-9ADF-CF16E2723AB3}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B67DE522-605E-3026-B090-08061EB11715}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9628A2B0-CC39-3E7D-9D1B-051D5716AC50}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B67DE522-605E-3026-B090-08061EB11715}\1.0\ = "LIB"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B6757C6-43A4-32D9-B141-307DB618408C}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{544B0EE3-BE73-32D2-9ADF-CF16E2723AB3}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D\ = "D"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F3692E2-EF52-35CE-B381-0F6F65CF5B19}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBA685CD-52A9-379A-A7D5-796599F8AD91}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{354F7AC6-83E5-3FAD-8919-2D0A6ACA14C0}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81958E4E-1378-3ACB-9836-954C93E1E1D8}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0071438B-2A91-3899-9F89-1F04363C1467}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9628A2B0-CC39-3E7D-9D1B-051D5716AC50}\ProgID\ = "D.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B67DE522-605E-3026-B090-08061EB11715}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID\ = "{4F3692E2-EF52-35CE-B381-0F6F65CF5B19}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81958E4E-1378-3ACB-9836-954C93E1E1D8}\TypeLib\ = "{DBA685CD-52A9-379A-A7D5-796599F8AD91}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{904C3DBC-B756-35CB-B895-53EFEE84E263}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID\ = "{354F7AC6-83E5-3FAD-8919-2D0A6ACA14C0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CBBEEE90-853D-362E-80AC-EBF13BD44640}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6884360A-E56F-356A-AA29-D993892AD3AA}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F3692E2-EF52-35CE-B381-0F6F65CF5B19}\VersionIndependentProgID\ = "D"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID\ = "{9628A2B0-CC39-3E7D-9D1B-051D5716AC50}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\D	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0071438B-2A91-3899-9F89-1F04363C1467}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B67DE522-605E-3026-B090-08061EB11715}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{354F7AC6-83E5-3FAD-8919-2D0A6ACA14C0}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6884360A-E56F-356A-AA29-D993892AD3AA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F3692E2-EF52-35CE-B381-0F6F65CF5B19}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9628A2B0-CC39-3E7D-9D1B-051D5716AC50}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{544B0EE3-BE73-32D2-9ADF-CF16E2723AB3}\ = "IDOMPeek"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B67DE522-605E-3026-B090-08061EB11715}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6884360A-E56F-356A-AA29-D993892AD3AA}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBA685CD-52A9-379A-A7D5-796599F8AD91}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBA685CD-52A9-379A-A7D5-796599F8AD91}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{904C3DBC-B756-35CB-B895-53EFEE84E263}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{354F7AC6-83E5-3FAD-8919-2D0A6ACA14C0}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6884360A-E56F-356A-AA29-D993892AD3AA}\ = "IDOMPeek"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F3692E2-EF52-35CE-B381-0F6F65CF5B19}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{81958E4E-1378-3ACB-9836-954C93E1E1D8}\ = "IDOMPeek"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B67DE522-605E-3026-B090-08061EB11715}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{354F7AC6-83E5-3FAD-8919-2D0A6ACA14C0}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5C18C20-C45C-3ED2-9F82-F75B524B70F8}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B8FFA6B-0AD2-3279-A22E-D56A8FB99857}\VersionIndependentProgID\ = "D"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B6757C6-43A4-32D9-B141-307DB618408C}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{544B0EE3-BE73-32D2-9ADF-CF16E2723AB3}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6884360A-E56F-356A-AA29-D993892AD3AA}\ = "IDOMPeek"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5C18C20-C45C-3ED2-9F82-F75B524B70F8}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\xwr85664.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CBBEEE90-853D-362E-80AC-EBF13BD44640}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6B6757C6-43A4-32D9-B141-307DB618408C}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0071438B-2A91-3899-9F89-1F04363C1467}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9628A2B0-CC39-3E7D-9D1B-051D5716AC50}\ = "D"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D\ = "D"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{81958E4E-1378-3ACB-9836-954C93E1E1D8}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D.1\CLSID\ = "{7B8FFA6B-0AD2-3279-A22E-D56A8FB99857}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B8FFA6B-0AD2-3279-A22E-D56A8FB99857}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{81958E4E-1378-3ACB-9836-954C93E1E1D8}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\D\CLSID\ = "{354F7AC6-83E5-3FAD-8919-2D0A6ACA14C0}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7B8FFA6B-0AD2-3279-A22E-D56A8FB99857}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9628A2B0-CC39-3E7D-9D1B-051D5716AC50}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6884360A-E56F-356A-AA29-D993892AD3AA}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DBA685CD-52A9-379A-A7D5-796599F8AD91}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B5C18C20-C45C-3ED2-9F82-F75B524B70F8}	regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2876	xa259455808.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 2768	1388	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe	31
PID 1388 wrote to memory of 2768	1388	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe	31
PID 1388 wrote to memory of 2768	1388	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe	31
PID 1388 wrote to memory of 2768	1388	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe	31
PID 1388 wrote to memory of 2768	1388	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe	31
PID 1388 wrote to memory of 2768	1388	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe	31
PID 1388 wrote to memory of 2768	1388	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe	31
PID 2768 wrote to memory of 2804	2768	xa259451580.exe	32
PID 2768 wrote to memory of 2804	2768	xa259451580.exe	32
PID 2768 wrote to memory of 2804	2768	xa259451580.exe	32
PID 2768 wrote to memory of 2804	2768	xa259451580.exe	32
PID 2768 wrote to memory of 2804	2768	xa259451580.exe	32
PID 2768 wrote to memory of 2804	2768	xa259451580.exe	32
PID 2768 wrote to memory of 2804	2768	xa259451580.exe	32
PID 2804 wrote to memory of 1600	2804	xa259453078.exe	33
PID 2804 wrote to memory of 1600	2804	xa259453078.exe	33
PID 2804 wrote to memory of 1600	2804	xa259453078.exe	33
PID 2804 wrote to memory of 1600	2804	xa259453078.exe	33
PID 2804 wrote to memory of 1600	2804	xa259453078.exe	33
PID 2804 wrote to memory of 1600	2804	xa259453078.exe	33
PID 2804 wrote to memory of 1600	2804	xa259453078.exe	33
PID 1600 wrote to memory of 2824	1600	xa259453858.exe	34
PID 1600 wrote to memory of 2824	1600	xa259453858.exe	34
PID 1600 wrote to memory of 2824	1600	xa259453858.exe	34
PID 1600 wrote to memory of 2824	1600	xa259453858.exe	34
PID 1600 wrote to memory of 2824	1600	xa259453858.exe	34
PID 1600 wrote to memory of 2824	1600	xa259453858.exe	34
PID 1600 wrote to memory of 2824	1600	xa259453858.exe	34
PID 2824 wrote to memory of 2876	2824	xa259454654.exe	35
PID 2824 wrote to memory of 2876	2824	xa259454654.exe	35
PID 2824 wrote to memory of 2876	2824	xa259454654.exe	35
PID 2824 wrote to memory of 2876	2824	xa259454654.exe	35
PID 2824 wrote to memory of 2876	2824	xa259454654.exe	35
PID 2824 wrote to memory of 2876	2824	xa259454654.exe	35
PID 2824 wrote to memory of 2876	2824	xa259454654.exe	35
PID 1388 wrote to memory of 1632	1388	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe	36
PID 1388 wrote to memory of 1632	1388	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe	36
PID 1388 wrote to memory of 1632	1388	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe	36
PID 1388 wrote to memory of 1632	1388	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe	36
PID 1388 wrote to memory of 1632	1388	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe	36
PID 1388 wrote to memory of 1632	1388	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe	36
PID 1388 wrote to memory of 1632	1388	d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe	36
PID 2768 wrote to memory of 548	2768	xa259451580.exe	37
PID 2768 wrote to memory of 548	2768	xa259451580.exe	37
PID 2768 wrote to memory of 548	2768	xa259451580.exe	37
PID 2768 wrote to memory of 548	2768	xa259451580.exe	37
PID 2768 wrote to memory of 548	2768	xa259451580.exe	37
PID 2768 wrote to memory of 548	2768	xa259451580.exe	37
PID 2768 wrote to memory of 548	2768	xa259451580.exe	37
PID 2804 wrote to memory of 484	2804	xa259453078.exe	38
PID 2804 wrote to memory of 484	2804	xa259453078.exe	38
PID 2804 wrote to memory of 484	2804	xa259453078.exe	38
PID 2804 wrote to memory of 484	2804	xa259453078.exe	38
PID 2804 wrote to memory of 484	2804	xa259453078.exe	38
PID 2804 wrote to memory of 484	2804	xa259453078.exe	38
PID 2804 wrote to memory of 484	2804	xa259453078.exe	38
PID 1600 wrote to memory of 1656	1600	xa259453858.exe	39
PID 1600 wrote to memory of 1656	1600	xa259453858.exe	39
PID 1600 wrote to memory of 1656	1600	xa259453858.exe	39
PID 1600 wrote to memory of 1656	1600	xa259453858.exe	39
PID 1600 wrote to memory of 1656	1600	xa259453858.exe	39
PID 1600 wrote to memory of 1656	1600	xa259453858.exe	39
PID 1600 wrote to memory of 1656	1600	xa259453858.exe	39
PID 2824 wrote to memory of 1216	2824	xa259454654.exe	40

C:\Users\Admin\AppData\Local\Temp\d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d6660e6e89baf4cd6d941e175f922ded_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Windows\SysWOW64\xa259451580.exe
  "C:\Windows\system32\xa259451580.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\xa259453078.exe
    "C:\Windows\system32\xa259453078.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\xa259453858.exe
      "C:\Windows\system32\xa259453858.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1600
    - - C:\Windows\SysWOW64\xa259454654.exe
        
        "C:\Windows\system32\xa259454654.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Windows\SysWOW64\xa259455808.exe
        
        "C:\Windows\system32\xa259455808.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2876
      - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr40309.dll
        6⤵
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1216
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr75602.dll
        5⤵
        Loads dropped DLL
        Installs/modifies Browser Helper Object
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1656
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr91387.dll
      4⤵
      Loads dropped DLL
      Installs/modifies Browser Helper Object
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:484
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr57619.dll
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:548
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\xwr85664.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wr57619.dll

Filesize
172KB

MD5
c95960c848e19c6888d2bd1b6b5b0d34

SHA1
56924de70f3f473783492fb4c7383897603467fc

SHA256
2c0a8606a89928fe84f7736b95c4413ab45f6bc6c9e7f9c09132766498e29fa3

SHA512
267bc9bc80e86dc1c6001ceba484e763a736b6c1b9069f14507e4649c1b78a87a3bb07bbb9790822a8f9493d30dfb15777133437aee647170f390908918b00c8

Download Submit
C:\Windows\SysWOW64\wr75602.dll

Filesize
172KB

MD5
bfe5f3a7ef7f48e157702678148e9565

SHA1
2bba75b77078009e17c2e070588130b7f52625cc

SHA256
4d5f552e368ac83510974353337cac7219b1251c40759951ba55794b18268e03

SHA512
f1ad13822a4e3e586ecd06808dd53be4c7f0fe117b6bb622642281bb6d9eba39136c2dadd6a671445c9b0f0cfba13a4f4e9fc6edc4d8934d396142862103d180

Download Submit
C:\Windows\SysWOW64\xa259451580.exe

Filesize
8.3MB

MD5
f34f2f9f940a1709a546f7eea1e11b68

SHA1
ed82a1aad924eed81f413a4e346b2eb68e2d3837

SHA256
493fd069100ec9e05229b61b8c273fed9c6aea01655dbcc65e625e87af1d9963

SHA512
36b991531ccdfcca9dbc5f17601cb28365e7ae1b329ce1fd0faa8d6db0f5bf037ba616758938853739f43e22c6530dec122149f9742b26bc4cd23afcbbd7801a

Download Submit
C:\Windows\SysWOW64\xa259453078.exe

Filesize
7.6MB

MD5
634094da117d131a67e96a6e507e64db

SHA1
806fc27110a135bd9773dd09937d5cd7a6dc0bf7

SHA256
e732a56df253424ecf61ff9aade658bf4348ad925fb971e13adb43f1f02b3ac9

SHA512
b8a7e9ef4dad4ec2da91d6d1cb4fa5b56b6c6d5e97b98eb8f6373be21e0bcde085f80e128f575d66a271ed8f7c26c270514bde99305ec50547d282f9b7bbc7f2

Download Submit
C:\Windows\SysWOW64\xa259453858.exe

Filesize
6.9MB

MD5
c0d53fcf8d604e3459930cc05b92eaaf

SHA1
d98d85f1f925d39b51cef9601a2d7421b0da2986

SHA256
bddf6cde34d044280d99e6a7893b466d0778404676e7ca22d0eece261e5533b2

SHA512
4307dd89fd1cac822b20d0333353a45f4b11a3dd7e8be9506242270e572ee09011b85c812940d50cb91e4520bd48902243d94c61320f46f5a79d4f34a7bbb9a6

Download Submit
C:\Windows\SysWOW64\xa259454654.exe

Filesize
6.2MB

MD5
aa7c95e580f9b69f7ba52c33243bea96

SHA1
5ead3c8e584c52f82e8b28864417897875d4a35e

SHA256
96c9925246f305955cc2a14d4b95263c62f66579db31a6b5277aaca667d7b83e

SHA512
9f0c0d779106fb76606ee7e69e51a1e7c21a66bc7179841103e160885e9641a349454e57d504b3546a8acf5ad1c29b95260d05d0995b7a1fc0c2427616d3e7d8

Download Submit
C:\Windows\SysWOW64\xa259455808.exe

Filesize
5.6MB

MD5
e7b263bfc7a6d9408da0a73e5f238029

SHA1
0e8f29e4719f4a99be8457afa883015ce900bed1

SHA256
33f55e2ff5f51aac63a95a758724cde569cc80a345c595c54288ac7f427f8a41

SHA512
13c3d5a205e27a062a74e2854d98bd9178dece0f046f160e492588542bfab8957170238a95624cf20aeb4b45b75c2a77ea033ca7bfc0a3737e6aedab9f156748

Download Submit
C:\Windows\SysWOW64\xwr85664.dll

Filesize
172KB

MD5
d99456ed51167ff086751a7f03e2dbc4

SHA1
fbc0d90faaf69ad29e76abe4a257683a0722ee35

SHA256
f307415a20fb94b129613d9502f8ab3bd0b87335ae588c873141b940ae86e91c

SHA512
f37020155d48aa6d172d285d8fd37762a615bdc230c0a880c06c660ec90fcbf5485b84a6b4545416f7a02333ac68d4a03fd40101c92419426975b52ae611d12f

Download Submit
\Windows\SysWOW64\xwr40309.dll

Filesize
172KB

MD5
4224c93b7dc30f7881cc7927d2cd3e15

SHA1
6b678a3f7d3956336655ff93d143f66f3d27e442

SHA256
a7ea8c592e1381246751db299d8301c11ce3a7d6bc0a145d8f06bcce3069bfc1

SHA512
ba2e23781bce810831b3bf9dbde93114c151199b7396c122f2060fb76e5b33c72bd64612fc952f69ccf62c0b03a50127ad64b83377a6df2149fed455229d368e

Download Submit
\Windows\SysWOW64\xwr91387.dll

Filesize
172KB

MD5
1b75b180c35ed85cc817c97e6b0c2573

SHA1
bfd79ab89e49cd65d54e28783c06ca2feb28ff40

SHA256
a2ece126cd4f9e81fee488174be73e8bd2726c9e43bab681a4a267649ecb4802

SHA512
1222ed57075a4d0052b5aeff68a0bc95b6016d11a817541a4088860d7fd5da7d6003b3133ccd3b9d363f495ae22b2df02e7ef1555033854153e1c5184a74cb2b

Download Submit