ede146de35d9d583dd91c2085cdd65770ce5ec7364d41c661eb3814b8ce82827

Analysis

max time kernel
140s
max time network
134s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Size

2.4MB
MD5

dfcac422c9ad3540ae45a3b241593ef8
SHA1

652cdfdaded52d5c96db6c4851b01e0a8febcaea
SHA256

ede146de35d9d583dd91c2085cdd65770ce5ec7364d41c661eb3814b8ce82827
SHA512

9a100089aadef8f17c78325d2bbb1063a0a234dccb65bf63591e93f1ce505bf5463c2d504c4c9258e11f3b3ce150f22e011730dacf0da5bb732ff4ecfbfde4be
SSDEEP

49152:Aid4fd8ZgLa/0rUExktiLc6rS9ZL414+JE:Ag4KmLacrUE+tiLTW9QPE

Score

6^/10

adware discovery persistence stealer

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\IDMan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe /onboot"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{0055C089-8582-441B-A0BF-17B458C2A3A8}\ = "IDM Helper"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 56 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\Download FLV video content with IDM\contexts = "243"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000cc6dcd1e034a4dfb7150cfd03727fae603791e76d09a5f6779e6f742a030e8f8000000000e8000000002000020000000b3b75685e429528beb5303848e4c7f65ead55fc1aaf00474a07c669b42546b1e20000000cfabfbeb7dd25b3c8dcb6a33f2edf8cd70602695834794577ef0e47f0500048140000000efb878da57750eab70556d2df6dc93d0d35bdbbdf1287dd6d6bfbf068f4093404cc6fe3f790ddaea8d55278c552abd63b2145b3d4e389d7295c5aff569d5297c	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432463077"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\contexts = "243"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0e38e227d06db01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEExt.htm"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\Download all links with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEGetAll.htm"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4B24D781-7270-11EF-A7C1-EA7747D117E6} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\Download FLV video content with IDM\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IEGetVL.htm"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\Policy = "3"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppName = "dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}\AppName = "dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000a2c55e0826a38185b2015cc3013ba160d50c8fdb06989e6de8acb738fcd49ce8000000000e80000000020000200000005c7c66789b1b70ae7bb3ecdc751cf4229bdab63ab9540a42a454f1fa6232c7fb900000005c12e80099a3dcc4242854fbd16bb558614045ed3229bba8e46833f22310332d9ed87d30cf30530131d61dfc0f8a9ec2577609d55a76627223a9f21e8092155e04ad2ee39011fb0e26d4ad24745b6dc05de7a7c283a19bd0a5334763fc120ce3b16e9206df1ad30dbfa7eff7f6a33870752dfc7eff86b263dd986103b84c9a7d81075490dfb79fee77a89418e9717081400000001930edff36a224e7cc220be6542b2cd7bc58a8a54ce460b1c10ed4a584033d040c6aee9b922e4732519e2391d3793e85a5bdc2ef2e3fc191b121004e9e148133	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4}	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\Policy = "3"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\Download FLV video content with IDM	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{19129CDA-AFC0-4330-99BC-C5A834F89006}\AppPath = "C:\\Users\\Admin\\AppData\\Local\\Temp"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\MenuExt\Download with IDM\contexts = "243"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\ = "IDMan.CIDMLinkTransmitter"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\http\	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\CLSID\{D5B91409-A8CA-4973-9A0B-59F713D25671}	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID\ = "{AC746233-E9D3-49CD-862F-068F7B7CCCA4}"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}\Model = "257"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\ftp\	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\CLSID	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Wow6432Node\CLSID\{6DDF00DB-1234-46EC-8356-27E7B2051192}\Therad = "1"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IDMan.CIDMLinkTransmitter\CLSID	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AC746233-E9D3-49CD-862F-068F7B7CCCA4}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe"	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\https\	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeRestorePrivilege	2508	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2508	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
1260	iexplore.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2508	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2508	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
2508	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
1260	iexplore.exe
1260	iexplore.exe
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE
2508	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
2508	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
2508	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 1260	2508	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe	30
PID 2508 wrote to memory of 1260	2508	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe	30
PID 2508 wrote to memory of 1260	2508	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe	30
PID 2508 wrote to memory of 1260	2508	dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe	30
PID 1260 wrote to memory of 2692	1260	iexplore.exe	31
PID 1260 wrote to memory of 2692	1260	iexplore.exe	31
PID 1260 wrote to memory of 2692	1260	iexplore.exe	31
PID 1260 wrote to memory of 2692	1260	iexplore.exe	31

C:\Users\Admin\AppData\Local\Temp\dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dfcac422c9ad3540ae45a3b241593ef8_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.internetdownloadmanager.com/welcome.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1260
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1260 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e73af7d0f5ada94f075ae2d8e30e62d9

SHA1
b779cfff32b72e6ffffd95d1ad046b959d1ff144

SHA256
64107a33b3d6d9d500d6c60944dd153ff0a643b7bc9c16271151e9edc1245414

SHA512
e029dbe425947cfc55a799d7a2d3b6aa2141ebfead7738a5f7b921e8e956885ba75e9d18c66170f7caa6faed13f766ba940aa53881f5af2b78b83ceea97a0ed4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d3ec64c5cf15e0e983366cde83000b0

SHA1
6527135fd20980653fdc98b8808f8fba667630ee

SHA256
89a90a07be8ed44e924364f0e6b566ffa57101fec9a0b9902e92d17db856d4a8

SHA512
bac7ccc95228c7a80e9e207c26fa2697b122a7e0eb105dfd7d491cf1011f556c7fc396b33dcd7b3387c2aaf55bacf7b51db21ed3217c58f0745aaf9d08147907

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
703677efaf0ae9ff9168aa9684519077

SHA1
2fe5170b4859713ed470cd967e716b60f62ff745

SHA256
691e32479bfeb047e62341cf0e28999a1e9803e7f6a26a3af1118ffc067b605d

SHA512
5dc328fa6e309ed1fd4853d4f44735d59fdd7063116e35aab52d6cf8f2f01928342e2247b954359fe8b116578855a98eccf90aaed72f9e4e0906adc6de672fbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
137811a0de11e9210c64f5e74803574d

SHA1
f4ec0b0aa8f5fa6b0f59bfa37485aec7ca19be00

SHA256
5e70d65cb5df212048e857d160365c84520c8619b399582092ef02cfeab9ee24

SHA512
3596d8ecd150806925ed1b7476c75f3150bbd360ca960ebbee4445c2a73c16fac34292031e5687c4b19017cc05200436f5c8549fc712f9a80204b991af5bd3d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cd6755dcd7470c606086f4695cc6ba8

SHA1
af35a03256866b453e86d3ae561ca7ef1408835e

SHA256
604841c0202257abc54c5820f03a00c4dcca19acab353a073c43005f493d56da

SHA512
4874d8a24f62292972f907db506a6116180e67f72b498b294eda760702ad743accad1d4648eb647ecc827f92fce243fd8666fc8ff4fedbabbed157aec58c426e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13e4bafed52256e91a415416fb56fe60

SHA1
5d9b61099fbe52aafba0f21134cad00c97c29a4f

SHA256
d0cd23d620fb602bfd47ebe129ed5656d89f16006d09777c4a4c65a422ecc423

SHA512
513f59a45c8d90d4e0163dd165c2213c5e3157d2113bac4739bf11fd0f97695a78876d75f20803c999d0fd7b55da2bc2fd398d113c631f8979ce9e161cf93380

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81b5889134637c3d657bc0f10e1e08c6

SHA1
9cf66f4b666d16ee9f9f90a066bdf4daa8b065d7

SHA256
631d27a49d1a56e82e2ad671f93edf8afce121e232c785a188df6b52ad48d2da

SHA512
11941c9e6fff44de5e90ffb5c7c3a91b812ac874abc9201684385e797a00ae7abe780c8662c675f083e7941b2ac2f28b7a5653c7bb696897867eb75c8b2aaf26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1dd18d8463cf128f06fac3b2dac817d

SHA1
c8f7a1c1bf62fdabde7dad8accd3757de44db4e6

SHA256
d884d282a57856a02ffadd975535254181990df0deca70a7a92585e0f74fb3dc

SHA512
2fa2b84704d5f0317ddf5f4a0024ba0b2af06b19cae22225616550f2a5c9ffda63f80db2cdd8a5dffa7f315f03ecad28c845d180b89300482391b21e721bfa72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22c18b1208d086894353b6c607164eb3

SHA1
3dc017a051ea9fe370afc890bb3f13822aa09bc5

SHA256
3853d1e6ea9393b77b5c0da036387e07f607f7a1d3d5bfcb3ac34ea60469a001

SHA512
a58f5536fff1dc212cae4335201acc92b6f27273c9f89a8d901e0fbb7033619175f7bec3f89caea64a45a9ca32e67f5740b5c47eaa0d74777a28b10bf739c1d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc9e867fdf14b19449237bd6910af6dc

SHA1
6efe5c0c2c9b3ec46b9356f04c8e020e38877364

SHA256
c6222fbff4045781496d5e42c4662f24839c099446c6c55c034882335f2ea1bb

SHA512
58f4138daa4aa8afd1307347511a47ce886a30bcac87a7895442ef49a747689570fd6138c3625c21a030457c0eb23115db439bd7e7ef7ccd6be5620a1438d3d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a60a8665361bd71701813fe457a37d5f

SHA1
47f4949e21b13ed90b6718f7b787113c9e5f839c

SHA256
3fc80e2a18a925d02353c0c5fb8a79097533dcffac6729b275420552163ce376

SHA512
a603a8f54764613fdff7f062d18e47a161c9709dc60ef53eed23a24d757688af7c2d23a8a6485cffc8226d212ef0d634b6d80f2bb8e5e8695d19b3bcce6e7a95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62eadd4914de2ebdeed1cb9faaa9c5e3

SHA1
cde759cd586c1321ac2e2908005e73dbb33eacce

SHA256
06d76954440f50376b9af3f5867dde5c0cdbfe72a5bcb0918f0e311292e231ef

SHA512
6dd2c93b10507097518b8268d5f1193e551981e9d550b901867033ddcc01726f2c44fb4b48fcc7da111692d4a8ffe6a55c48120b0c5a1290d270696641072793

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5073d24cfbb212c039976cf82342581

SHA1
01d1eee394c50b7f5862efcee30cdb614181c4d0

SHA256
20c6cec0e04593682b840f600c51175f3513c142c160bf0e5c06eafad2fb6162

SHA512
dafcaf25d26729bf86e75f7d8aea245314f582f83dd1d4cbfe4bbe3e36895be3c49bfca7d403cfe0638528e189ce5a4323298d5adebbc1b418bf34986a9db590

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
195b588ff70b528c6b6a3284d5041c6d

SHA1
a9b0a730e31377fd72bd05a9e8f91660d2f8c0f5

SHA256
4f99be2f818cc93aeea7e0dcd4221ae568ee4ccae6ef84c3f18455706adcea6c

SHA512
d32f173a435830e1dae5f6aacc4ff7c1d00f69cd2761a5b7decb3560c1e049c1a07869917941134e84498b10020c57b1d709ce19ba5b7d3d9b9fb88d38698dc1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
620fa37dc6854adee2bf341d43f3e9fb

SHA1
51f853e5d16aaa4099db83876cdfacc740a7212e

SHA256
7733dd29259db40ae23a28ef68d7039e12beefad7d53ed0d18873e68a2e44408

SHA512
0be572fdf4373e199264b558a60134cc1edf5c7ffc58ab59acc306860109de9d464877370a47bba854363ce54b9a6cdad04994d0ef3771c5f79cf9c5d0d621d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b18171e2611ec8b24531670ba21dd9e0

SHA1
fd12c46f331cd7a0df4218b1c3035f59a500419d

SHA256
6f7cf80cf6b3d6816510a0bab3136b1e4d8e962cb4149c5d3b3ca5028a0c5e7d

SHA512
7c7835336615be522ed4bcdae2b51b75c674314a1404a598140be38a8d9c8c24f384502537f828f74be50f33d32d759c3d248a528f27898141057c99b537c6d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e84c9fa3e03c5bea4b78bf836d1fa20

SHA1
cfffb79bb8c7452cb19d210d15d367826e272a4f

SHA256
700464b74d3b9e1e3ad69ba9580f863205ce74a4e3a52504b128e2a39084ef92

SHA512
04a54bdf842c169223dd7c8ccc8b10f67f910a66820992473b9f832c908c9c5620b26bcff3164af9f2831889b06a81b58d4502e53ef6b32963a79ea42093bd4c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f980d86bbacee1f5adf6640d3326ee07

SHA1
e4c2d406f678312e0e6ef32b9b2c9d5847c7c930

SHA256
8b97409591efabd1ba642ddf73fac5cfb33a9af9b80451d89f84a364153acbdd

SHA512
df3d9464d61d8d8189c27964c2dc6b74e0728f8fdfb559a50f73f85fad2aabc95425bf969b6d231556a39ec1c4c9b0ab93353461ff3a206008f4fe3dc5e135bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2685f002e3e949327b561ca2873eab3f

SHA1
76cdcc72084398fd4dd2a0db7c91d39dccff300b

SHA256
e81679204b45a5260e3e434f9ed0131059c1daae5db67d4e58bf648a8d4f104d

SHA512
b73379e31a42170fe4d03d91f2fb0724ea92a298b9667f5261328bdea9f8497c12f3eeb894128b6e9b8d2f394e3ffc697dae6f9b370cffefe6c671d955e9de6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35cb7458d23280cad90979550a0441ad

SHA1
daed816501bcd1c55b9de5cc7c10ca4ee893e4a9

SHA256
f0dd2fb306d52d8cb679079bced5eb14d72f923bc8878f46eb7f9116c2611c23

SHA512
05b5e4e0eb9623647cbd6cbf215828f65a89a824acd62e145a31e60cb1cf461748833aff61941b4c498de11be01af1906fa8dbb9a7813ec71cab6b62077d510c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB119.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB13B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\Uninstall_2\Uninstall_2.log

Filesize
360B

MD5
37ad7a0d1b417e9ffb1ed4c4d58917e0

SHA1
62ccb63ed62a75d7efe2fd4eef744e868668a5af

SHA256
206c70eb080893a3cd7d13461f439312822515f4984db0f047cc305045040e4b

SHA512
072c02cc0a6ca501aabb24f1424d3a70a237d06ae8f10136b3c27a3e10ea59d77271d85674da83379d3d42bdf05ce286dfeeb2fcfe261f6b6dfc42bd027918e3

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\Uninstall_2\Uninstall_2.log

Filesize
778B

MD5
cb32e1045b3ced05d40500d84c4179dc

SHA1
61a3e07a73443f4b3682ea0c5e6cec25abc718a4

SHA256
e3784e693b43bcb37aaddfbba45fd194d4787f53c95c9514794a8beb302a0d0f

SHA512
a6680e207ee4f9cc0b1bb8c8b3a661be71c92430ec9f220efe8da442ad30210d593d2fb32ffefa202daed21861092bba5c5e499349c32fa6819e1cbf4baf8d87

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\Uninstall_2\Uninstall_2.log

Filesize
1KB

MD5
8363d87d71dc0c270d5d3e717ebb5077

SHA1
a90631af9aae296da07e16a7a482cb13c27663df

SHA256
decfb9e6a975c94b4d9c33164c5f4348dfe1a5cb651b09d2765cbb4a39661b8c

SHA512
2b8084ae22de5b6e76ece9314f6da13492cbbefeaea0b837d0116518b4b352135b6ffa62e57407a5135cbf9b9ed5f214fe700c16475008919dfd2c9b15278543

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\idmmbc_1\idmmbc_1.log

Filesize
301B

MD5
52ee70fe04413c473e883bce9c313771

SHA1
a8b85447c51fab8bfe6e80c89ebc14433d8e155c

SHA256
34059dee47ca01b1d2fba64f8496f46fac61d6f9d7a08de2ef9706c51bc46b56

SHA512
ed4c1df18d25a509d5c2e968d3c71634def0dbb66933cff57d9fea3ab5b582bb297a5f5961e7840de6d3edc123e3a90647a769835c59175efca1e91595c52316

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\idmmbc_1\idmmbc_1.log

Filesize
884B

MD5
b797a4c45532f5f2f584ad81753c40a7

SHA1
85e4e64a09143cdb8ff6773033c5071ff85ecdb9

SHA256
84933b652c10fffbec31c3201eb184ccea0529ac4056ff2c0da0ba1f392f6c19

SHA512
a8b80f7d95ee288b7fa3682f58d22290a305a736b793fa4a66512eefa6c914ab990009b6d0c7bac404d778353ca6684cc3db4f1956fad411206941ed9ae1bea8

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\idmmbc_1\idmmbc_1.log

Filesize
1KB

MD5
e91a5ebe699d47a4ee8708edc69590b7

SHA1
d9b01d410be1a9d499e05914d840b382d6127aba

SHA256
c11be6a26d08ba0ca5272f22d31bfed2c2c0558dfd6487e3993d3a2ccbbaa1cc

SHA512
a9475e394ceb0ec46040bc1bce1018d52ee312a0d83ffa9b328724bb579e605c94004ddc9db3a37b861b2767d739aedb28dad66d8b8f481f40107ad64076b710

Download Submit
C:\Users\Admin\AppData\Roaming\IDM\DwnlData\Admin\idmmbc_1\idmmbc_1.log

Filesize
1KB

MD5
93f186654231fa5f36917bc2498289e7

SHA1
8314c8f9b53482999443d67bca78fcc9d10774ec

SHA256
71a9fc56e434a813863f1ea3175e0d8aa846796cf5835feb78991b7c9e610bdf

SHA512
4d63103f113deaf091decd7f8c5da24631df5c7c2037eebbc78bc2bac341cfc4b1a2da46b76cc07748b49e8a9be73f0ff2e87bdde74d10646c3d72fd2809c0e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\JLMM0Z7R.txt

Filesize
101B

MD5
5adb7a5427031c5a34b6a44c09d575e9

SHA1
5feed2932d0e44090195823412aa65f842d0f7e9

SHA256
87bca736f8286293cbd8695c666868f2da480aa41f31997027854eeb4924b9fa

SHA512
8e2645cb769548e54b83e198c4b4c510ceeab4332c5af1eb84a52029faf412f29893898c4a118a4cf8e858e03210a6caa46aec985a5efa203f1cb1027e33ea5f

Download Submit
memory/2508-0-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download
memory/2508-1267-0x0000000000400000-0x0000000000676000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads