4469c8bd3106c4e2b8d0cdcbda551a0e89b276a0e1a3c2e8756f26b6d582823f

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Size

1.3MB
MD5

ec00624c1d780862b85b48a4ad97ef13
SHA1

946ee3a53f9627a2f90ba6c52d71254866b416ea
SHA256

4469c8bd3106c4e2b8d0cdcbda551a0e89b276a0e1a3c2e8756f26b6d582823f
SHA512

2e42b086fc6bf2febdd1daae579a94c92ae3f96d61adcb94cfc9f373dd3223e67f919b930c645b8de48a9919bb86da6b6fbd1cccbfd6bc381875dd3c888369df
SSDEEP

24576:Mq16OvhtKrdGEDtNUAYRQXyh5Asanl0jCI1YYOIqM:MI6OvhYjXwQiHAsanl4CcpOIqM

Score

8^/10

adware discovery evasion persistence privilege_escalation stealer upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2192	netsh.exe
2232	netsh.exe
2244	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
2024	EhStorShell32.exe
2780	api-ms-win-core-datetime-l1-1-032.exe
668	EhStorShell32.exe
1204	lsass.exe

Loads dropped DLL 10 IoCs

pid	Process
2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
2780	api-ms-win-core-datetime-l1-1-032.exe
2780	api-ms-win-core-datetime-l1-1-032.exe
2780	api-ms-win-core-datetime-l1-1-032.exe
668	EhStorShell32.exe
2024	EhStorShell32.exe
2024	EhStorShell32.exe
1204	lsass.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2276-6-0x0000000010000000-0x0000000010087000-memory.dmp	upx
behavioral1/memory/2276-9-0x0000000010000000-0x0000000010087000-memory.dmp	upx
behavioral1/memory/2276-85-0x0000000010000000-0x0000000010087000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SysWin\\lsass.exe"	EhStorShell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SysWin\\lsass.exe"	lsass.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1636C370-396A-4354-B9B8-A85252207479}	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\EhStorShell32.exe	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-032.exe	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\2144381788	api-ms-win-core-datetime-l1-1-032.exe
File opened for modification	C:\Windows\SysWOW64\857ebc2b1289S.manifest	api-ms-win-core-datetime-l1-1-032.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	api-ms-win-core-datetime-l1-1-032.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\2144381788	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-032.exe	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\857ebc2b1289P.manifest	api-ms-win-core-datetime-l1-1-032.exe
File opened for modification	C:\Windows\SysWOW64\857ebc2b1289C.manifest	api-ms-win-core-datetime-l1-1-032.exe
File opened for modification	C:\Windows\SysWOW64\857ebc2b1289O.manifest	api-ms-win-core-datetime-l1-1-032.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2728	2276	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	api-ms-win-core-datetime-l1-1-032.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EhStorShell32.exe

System Time Discovery 1 TTPs 3 IoCs

Adversary may gather the system time and/or time zone settings from a local or remote system.

discovery

System Time Discovery

T1124

pid	Process
2244	netsh.exe
2192	netsh.exe
2232	netsh.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 70c336166a395443b9b8a85252207479	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Jatudurvec	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 70c336166a395443b9b8a85252207479	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	api-ms-win-core-datetime-l1-1-032.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	api-ms-win-core-datetime-l1-1-032.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	api-ms-win-core-datetime-l1-1-032.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Jatudurvec\CLSID	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	api-ms-win-core-datetime-l1-1-032.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D02D62D3-F7FC-45DA-8ADC-687D53106C59}	api-ms-win-core-datetime-l1-1-032.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D02D62D3-F7FC-45DA-8ADC-687D53106C59}\ea-46-17-3d-55-f3	api-ms-win-core-datetime-l1-1-032.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	api-ms-win-core-datetime-l1-1-032.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-46-17-3d-55-f3\WpadDecision = "0"	api-ms-win-core-datetime-l1-1-032.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D02D62D3-F7FC-45DA-8ADC-687D53106C59}\WpadDecision = "0"	api-ms-win-core-datetime-l1-1-032.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D02D62D3-F7FC-45DA-8ADC-687D53106C59}\WpadNetworkName = "Network 3"	api-ms-win-core-datetime-l1-1-032.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	api-ms-win-core-datetime-l1-1-032.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	api-ms-win-core-datetime-l1-1-032.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Jatudurvec\CLSID\ = "{ca6f303b-dd04-46d7-84ec-1e9e8e860a29}"	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Jatudurvec\CLSID\ = "{ca6f303b-dd04-46d7-84ec-1e9e8e860a29}"	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	api-ms-win-core-datetime-l1-1-032.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Jatudurvec\CLSID	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Jatudurvec	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	api-ms-win-core-datetime-l1-1-032.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-46-17-3d-55-f3\WpadDecisionReason = "1"	api-ms-win-core-datetime-l1-1-032.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-46-17-3d-55-f3\WpadDetectedUrl	api-ms-win-core-datetime-l1-1-032.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D02D62D3-F7FC-45DA-8ADC-687D53106C59}\WpadDecisionTime = 10f83c2ac70adb01	api-ms-win-core-datetime-l1-1-032.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Jatudurvec\CLSID	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Jatudurvec\CLSID\ = "{ca6f303b-dd04-46d7-84ec-1e9e8e860a29}"	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	api-ms-win-core-datetime-l1-1-032.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\857ebc2b = " "	api-ms-win-core-datetime-l1-1-032.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	api-ms-win-core-datetime-l1-1-032.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D02D62D3-F7FC-45DA-8ADC-687D53106C59}\WpadDecisionReason = "1"	api-ms-win-core-datetime-l1-1-032.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-46-17-3d-55-f3\WpadDecisionTime = 309833ddc60adb01	api-ms-win-core-datetime-l1-1-032.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Jatudurvec	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	api-ms-win-core-datetime-l1-1-032.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D02D62D3-F7FC-45DA-8ADC-687D53106C59}\WpadDecisionTime = 309833ddc60adb01	api-ms-win-core-datetime-l1-1-032.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-46-17-3d-55-f3	api-ms-win-core-datetime-l1-1-032.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	api-ms-win-core-datetime-l1-1-032.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-46-17-3d-55-f3\WpadDecisionTime = 10f83c2ac70adb01	api-ms-win-core-datetime-l1-1-032.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 70c336166a395443b9b8a85252207479	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	api-ms-win-core-datetime-l1-1-032.exe
Key created	\REGISTRY\USER\S-1-5-20	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	api-ms-win-core-datetime-l1-1-032.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Jatudurvec\CLSID	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Software\Jatudurvec\CLSID	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1636C370-396A-4354-B9B8-A85252207479}	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1636C370-396A-4354-B9B8-A85252207479}\InprocServer32\ = "C:\\Windows\\SysWow64\\api-ms-win-core-localization-l1-2-032.dll"	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1636C370-396A-4354-B9B8-A85252207479}\InprocServer32\ThreadingModel = "Both"	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Jatudurvec\CLSID\ = "{ca6f303b-dd04-46d7-84ec-1e9e8e860a29}"	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ca6f303b-dd04-46d7-84ec-1e9e8e860a29}	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Software\Jatudurvec	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler\ = "{13ed2767-bed9-4ca4-b7ab-bdb6efb0de79}"	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jatudurvec\CLSID	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Software	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1636C370-396A-4354-B9B8-A85252207479}\InprocServer32	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Jatudurvec	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Software\Jatudurvec\CLSID	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Software\Jatudurvec\CLSID\ = "{ca6f303b-dd04-46d7-84ec-1e9e8e860a29}"	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2024	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2024	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2024	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2024	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2192	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2192	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2192	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2192	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	31
PID 2276 wrote to memory of 2232	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	33
PID 2276 wrote to memory of 2232	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	33
PID 2276 wrote to memory of 2232	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	33
PID 2276 wrote to memory of 2232	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	33
PID 2276 wrote to memory of 2244	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	35
PID 2276 wrote to memory of 2244	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	35
PID 2276 wrote to memory of 2244	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	35
PID 2276 wrote to memory of 2244	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	35
PID 2276 wrote to memory of 2728	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	38
PID 2276 wrote to memory of 2728	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	38
PID 2276 wrote to memory of 2728	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	38
PID 2276 wrote to memory of 2728	2276	ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe	38
PID 2780 wrote to memory of 668	2780	api-ms-win-core-datetime-l1-1-032.exe	39
PID 2780 wrote to memory of 668	2780	api-ms-win-core-datetime-l1-1-032.exe	39
PID 2780 wrote to memory of 668	2780	api-ms-win-core-datetime-l1-1-032.exe	39
PID 2780 wrote to memory of 668	2780	api-ms-win-core-datetime-l1-1-032.exe	39
PID 2024 wrote to memory of 1204	2024	EhStorShell32.exe	40
PID 2024 wrote to memory of 1204	2024	EhStorShell32.exe	40
PID 2024 wrote to memory of 1204	2024	EhStorShell32.exe	40
PID 2024 wrote to memory of 1204	2024	EhStorShell32.exe	40

C:\Users\Admin\AppData\Local\Temp\ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ec00624c1d780862b85b48a4ad97ef13_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\EhStorShell32.exe
  "C:\Windows\system32\EhStorShell32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe
    "C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:1204
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\api-ms-win-core-datetime-l1-1-032.exe" enable=yes profile=domain
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - System Time Discovery
  PID:2192
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\api-ms-win-core-datetime-l1-1-032.exe" enable=yes profile=private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - System Time Discovery
  PID:2232
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\api-ms-win-core-datetime-l1-1-032.exe" enable=yes profile=public
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  - System Time Discovery
  PID:2244
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 448
  2⤵
  - Program crash
  PID:2728

C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-032.exe
C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-032.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2780
- C:\ProgramData\EhStorShell32.exe
  schutz
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Time Discovery

T1124

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\2144381788

Filesize
30B

MD5
90ca5942cdd993fce1046f8191c5f879

SHA1
d74bf53e52828c19fddf0bc50b7becfed93c3e56

SHA256
5dad00e4f7580287d44cc208f2c9f33c72588ef67372542a46fe3463fd9f997a

SHA512
ec1eed82925beecddce72f8738ed816d63a33bd3c9604609d9fa0698de60db498db0e7e4c2c000f268c29eb28d72901b5dde8ea9778f5958b592a5ec5fc962cb

Download Submit
C:\Windows\SysWOW64\2144381788

Filesize
118B

MD5
722d026470208e71c7ce0ba7cc4fbaf2

SHA1
7c7613b1b6e2de644a351933a69d783cf2e016b0

SHA256
108f30f335d91f75197eb7dd79e68b39d244c344322598fd71e5494d8ea9b9ec

SHA512
e5dd6c4f20d60fafdf85ff68c38e3b3c92998d72d775b9a742979aeb95590ea4134f663a02661d94909537690cc234e43f55a11ebf88ab491f8c037ca34977f8

Download Submit
C:\Windows\SysWOW64\api-ms-win-core-datetime-l1-1-032.exe

Filesize
1.3MB

MD5
ec00624c1d780862b85b48a4ad97ef13

SHA1
946ee3a53f9627a2f90ba6c52d71254866b416ea

SHA256
4469c8bd3106c4e2b8d0cdcbda551a0e89b276a0e1a3c2e8756f26b6d582823f

SHA512
2e42b086fc6bf2febdd1daae579a94c92ae3f96d61adcb94cfc9f373dd3223e67f919b930c645b8de48a9919bb86da6b6fbd1cccbfd6bc381875dd3c888369df

Download Submit
\ProgramData\api-ms-win-core-localization-l1-2-032.dll

Filesize
247KB

MD5
65bcd2d2ff57d04733dd079973f479ce

SHA1
6af5f0f6f5c8d38a18d2a3bdf6a20ece35df1a17

SHA256
67dbd9f69d51ae72be853f891a18fedda0000c4b9f4efdbe01175150a7dbd74e

SHA512
34ad71e6e3b3065f2fa983e9900bd561cae0259624591e95eff9ad8d2574a9aadc4470dd11e3bcc2d4eabcdf2539c3824794c95d920e7e283c490f6ccf3cf8c2

Download Submit
\Windows\SysWOW64\EhStorShell32.exe

Filesize
188KB

MD5
2e2a6c6c55526c3c2e62142e863d0194

SHA1
02309278b67fae93844da49deb70b0629658fb55

SHA256
4169f47911156dab859213538d8b4ca318cf242904b300a7f5ad7714bbd04fc7

SHA512
4e4672c3aea152d5a37b29d8936acf04b8101894bf9feb796bbf74aff36bff27925ad456bc1fd6022ee2c6615b9bf1f43d2885b1efdce4b6c8cfb45f539173bf

Download Submit
\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll

Filesize
406KB

MD5
bdc2100bf483c462b31357c808997dbb

SHA1
27f9d9dec0f3025ed7f9576797a9e037e46332bc

SHA256
5c7e82fd885c32b9bbdf617f44baf9ecf49aedafc59cf287822cfe6c57b46988

SHA512
f723e3f1fb26fee9c8c0ad91ad5b38906a45042d734bd5b5a488cd28115a468b14a5f0c0fbe777a0953f5885137de115c214a154ea5743311f5d21e79123df51

Download Submit
memory/668-89-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1204-90-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1204-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-77-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2024-31-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2024-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2276-8-0x000000001005B000-0x0000000010086000-memory.dmp

Filesize
172KB

Download
memory/2276-85-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/2276-0-0x0000000001D90000-0x0000000001E87000-memory.dmp

Filesize
988KB

Download
memory/2276-9-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/2276-6-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/2276-83-0x0000000001D90000-0x0000000001E87000-memory.dmp

Filesize
988KB

Download
memory/2276-84-0x000000001005B000-0x0000000010086000-memory.dmp

Filesize
172KB

Download
memory/2276-1-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2276-86-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2276-5-0x0000000000220000-0x000000000026A000-memory.dmp

Filesize
296KB

Download
memory/2780-88-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/2780-87-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2780-41-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download
memory/2780-108-0x0000000010000000-0x0000000010042000-memory.dmp

Filesize
264KB

Download