044aaa8dffba8d21859c767d80d0009f7ab660e65a172af26d2d0995b3b31a38

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 19:33 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Size

117KB
MD5

ee486714f834b548d16a9cf7a3fc45d3
SHA1

14ad963eb18e3b42621b00af7e10f91a60ee9f01
SHA256

044aaa8dffba8d21859c767d80d0009f7ab660e65a172af26d2d0995b3b31a38
SHA512

a5078fbcf815bf6fe610fd4001379cfce9bd99dcbd7c86dcd3308a3bc74b55393baa9b55e738d3b0e963fa4ae20723ff66c638c5c974fe58e916b7299601b7ce
SSDEEP

3072:0ABZvFX9H4XRWhOsmFIWjYde+3qnNOxd4:0ABZPH4XgSXYdnuN2d4

Score

10^/10

adware defense_evasion discovery evasion stealer

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "1"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe

Deletes itself 1 IoCs

pid	Process
1400	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B0ADD5F7-31E2-49CA-911D-A1E4E6AF83C5}	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dkvoh.dll	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\RCXBEBD.tmp	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D276833-5C1E-47B9-8ED2-EBAC9D308783}\ProxyStubClsid	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0ADD5F7-31E2-49CA-911D-A1E4E6AF83C5}\InprocServer32\ThreadingModel = "Apartment"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C182BD72-2128-4184-8572-AA9F6D6645FC}\TypeLib	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C182BD72-2128-4184-8572-AA9F6D6645FC}\TypeLib\ = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D276833-5C1E-47B9-8ED2-EBAC9D308783}\ProxyStubClsid32	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54EBEF48-8B26-4861-99EB-1D63CE5770C1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54EBEF48-8B26-4861-99EB-1D63CE5770C1}\TypeLib\ = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0ADD5F7-31E2-49CA-911D-A1E4E6AF83C5}\ProgID\ = "xqrw.max"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0ADD5F7-31E2-49CA-911D-A1E4E6AF83C5}\TypeLib	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C182BD72-2128-4184-8572-AA9F6D6645FC}\TypeLib	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D276833-5C1E-47B9-8ED2-EBAC9D308783}	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D276833-5C1E-47B9-8ED2-EBAC9D308783}\TypeLib	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18586E54-8DC5-49FA-9CC5-5421B75EBBDE}	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18586E54-8DC5-49FA-9CC5-5421B75EBBDE}\ProgID\ = "xqrw.vxhu"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18586E54-8DC5-49FA-9CC5-5421B75EBBDE}\VERSION	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xqrw.vxhu\ = "xqrw.vxhu"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xqrw.max\ = "xqrw.max"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\11d.0\FLAGS\ = "0"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\11d.0\HELPDIR	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D276833-5C1E-47B9-8ED2-EBAC9D308783}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18586E54-8DC5-49FA-9CC5-5421B75EBBDE}\ProgID	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C182BD72-2128-4184-8572-AA9F6D6645FC}	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D276833-5C1E-47B9-8ED2-EBAC9D308783}	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18586E54-8DC5-49FA-9CC5-5421B75EBBDE}\ = "xqrw.vxhu"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0ADD5F7-31E2-49CA-911D-A1E4E6AF83C5}\TypeLib\ = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D276833-5C1E-47B9-8ED2-EBAC9D308783}\TypeLib	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54EBEF48-8B26-4861-99EB-1D63CE5770C1}\TypeLib	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18586E54-8DC5-49FA-9CC5-5421B75EBBDE}\InprocServer32\ = "C:\\Windows\\SysWow64\\dkvoh.dll"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18586E54-8DC5-49FA-9CC5-5421B75EBBDE}\TypeLib\ = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\xqrw.max\Clsid\ = "{B0ADD5F7-31E2-49CA-911D-A1E4E6AF83C5}"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0ADD5F7-31E2-49CA-911D-A1E4E6AF83C5}\ = "xqrw.max"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C182BD72-2128-4184-8572-AA9F6D6645FC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C182BD72-2128-4184-8572-AA9F6D6645FC}\ProxyStubClsid32	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C182BD72-2128-4184-8572-AA9F6D6645FC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C182BD72-2128-4184-8572-AA9F6D6645FC}\ProxyStubClsid32	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54EBEF48-8B26-4861-99EB-1D63CE5770C1}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54EBEF48-8B26-4861-99EB-1D63CE5770C1}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\11d.0\ = "xqrw"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C182BD72-2128-4184-8572-AA9F6D6645FC}\TypeLib\ = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54EBEF48-8B26-4861-99EB-1D63CE5770C1}\ProxyStubClsid32	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xqrw.vxhu	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D276833-5C1E-47B9-8ED2-EBAC9D308783}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\11d.0	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\11d.0\0\win32	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D276833-5C1E-47B9-8ED2-EBAC9D308783}\TypeLib\ = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xqrw.max\Clsid	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D276833-5C1E-47B9-8ED2-EBAC9D308783}\TypeLib\Version = "11d.0"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54EBEF48-8B26-4861-99EB-1D63CE5770C1}\ = "__vxhu"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54EBEF48-8B26-4861-99EB-1D63CE5770C1}\TypeLib\ = "{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54EBEF48-8B26-4861-99EB-1D63CE5770C1}\ = "vxhu"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0ADD5F7-31E2-49CA-911D-A1E4E6AF83C5}\VERSION\ = "285.0"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{54B4E8E7-15D2-41B3-B23F-BFDF414D02B3}\11d.0\0	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C182BD72-2128-4184-8572-AA9F6D6645FC}\ = "_max"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D276833-5C1E-47B9-8ED2-EBAC9D308783}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54EBEF48-8B26-4861-99EB-1D63CE5770C1}	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54EBEF48-8B26-4861-99EB-1D63CE5770C1}\ = "__vxhu"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C182BD72-2128-4184-8572-AA9F6D6645FC}\ = "max"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C182BD72-2128-4184-8572-AA9F6D6645FC}\TypeLib\Version = "11d.0"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D276833-5C1E-47B9-8ED2-EBAC9D308783}\ProxyStubClsid32	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54EBEF48-8B26-4861-99EB-1D63CE5770C1}	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{18586E54-8DC5-49FA-9CC5-5421B75EBBDE}\InprocServer32\ThreadingModel = "Apartment"	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0ADD5F7-31E2-49CA-911D-A1E4E6AF83C5}	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B0ADD5F7-31E2-49CA-911D-A1E4E6AF83C5}\VERSION	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeBackupPrivilege	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Token: SeBackupPrivilege	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Token: SeBackupPrivilege	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Token: SeBackupPrivilege	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Token: SeBackupPrivilege	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Token: SeBackupPrivilege	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
Token: SeSecurityPrivilege	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1400	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe	30
PID 2348 wrote to memory of 1400	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe	30
PID 2348 wrote to memory of 1400	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe	30
PID 2348 wrote to memory of 1400	2348	ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe"
1⤵
- Modifies firewall policy service
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\ee486714f834b548d16a9cf7a3fc45d3_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\dkvoh.dll

Filesize
396KB

MD5
cd2f7590c4dfd86078c44d2745095732

SHA1
b12ab7991950ffac4b591192a89325f4dce9988d

SHA256
7ba71d2a331417be5c5b267782d90ebe65b66834c73b0ea08f226bebf3efb5d0

SHA512
f4516f96d95d362d7c046898f754d15bd356014934b2141e1f11bd07dbad6952377a99d3105463ac5ee8a5194bf255c51184c9f30d675dbe962fa2a5ce0674ff

Download Submit
memory/2348-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2348-0-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2348-15-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.