30d4940ae984a469b34119d4570ede5283827ed1468f16ebd8b4b3123134d249

Analysis

max time kernel
150s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 00:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Size

135KB
MD5

eebbdb0969ff448ab6d66fe6ec67356c
SHA1

61e8bd4ec03a3160292572a285bc59fc1efead94
SHA256

30d4940ae984a469b34119d4570ede5283827ed1468f16ebd8b4b3123134d249
SHA512

ee88b03f198ff1a8995ee5613ead35cbf6db024474d5c363983be6699f2e450df8ad317430c4c99fcb2d98fe46d8954eac305853baf226e3705cac7ec5b136f7
SSDEEP

3072:PUHsyO/2TTNIwJQcCZ+5k0oJEF0ilyoCo6kkAwn8Z:sH42TnqcMek05Fb8/k1r

Score

10^/10

discovery persistence upx

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Player Protocol = "{1644B915-C16A-4296-8BFC-AD51A75BAE1D}"	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	wpnccr32.exe

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,wpnccr32.exe"	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2900	wpnccr32.exe

Loads dropped DLL 1 IoCs

pid	Process
2900	wpnccr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3352-0-0x0000000000400000-0x000000000044A000-memory.dmp	upx
behavioral2/memory/3352-107-0x0000000000400000-0x000000000044A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Player Internet = "C:\\Windows\\system32\\wpnccr32.exe"	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Player Internet = "C:\\Windows\\system32\\wpnccr32.exe"	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Player Internet = "C:\\Windows\\system32\\wpnccr32.exe"	wpnccr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Player Internet = "C:\\Windows\\system32\\wpnccr32.exe"	wpnccr32.exe

Drops file in System32 directory 28 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\testtest.exe	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\esdslgin.mir	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\wpnccr32.ocx	wpnccr32.exe
File opened for modification	C:\Windows\SysWOW64\hgakheg.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\dot3prov.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wpnccr32.exe	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\weblt47.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\twcjhtsy.dll	wpnccr32.exe
File opened for modification	C:\Windows\SysWOW64\etwrsw32.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\tapitask.exe	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\sesslsid.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msvclz32.exe	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\testtest.exe	wpnccr32.exe
File created	C:\Windows\SysWOW64\wpnccr32.exe	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\etwrsw32.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sesslsid.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dot3prov.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\netbprov.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\vyerxhvm.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\msdtpla.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\netctvwr.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\hgakheg.dll	wpnccr32.exe
File opened for modification	C:\Windows\SysWOW64\twcjhtsy.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\winrctrs.exe	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\kbdsswb7.tbl	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\windserv.exe	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fontfo32.dll	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\twcjhtsy.dll	wpnccr32.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wpnccr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60f0cf7fbd0bdb01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2135279227"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132605"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132605"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AD64BAF5-77B0-11EF-AC6B-62A6B307388A} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433643588"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31132605"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60d2d47fbd0bdb01	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132605"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AAB87913-77B0-11EF-AC6B-62A6B307388A} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132605"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2137466555"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2163560623"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132605"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea125702b7698d479b1c3c8e0190d45f0000000002000000000010660000000100002000000010a59778eb563226f9b75e0a68479cf1ec63cd212a9e2f7f3a7092e94146caa9000000000e8000000002000020000000c4066bc54b75aab15a58e82a85328e80612fac0015f8209e93985f82be1f5733200000009259ef8a70a9aaffb030321a2d975956452a2c7ec971fe528bd74f92c20f52ec40000000d5ac44bbf505e1b7fa3d6b08b3730c12b69c4740c7b550a7d976b22542cfee540c00c9be2734fd634e2b4e473ee1cead855a439ba06b2bb72adbbc31843fe11e	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132605"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2176841894"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1644B915-C16A-4296-8BFC-AD51A75BAE1D}	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1644B915-C16A-4296-8BFC-AD51A75BAE1D}\InProcServer32\ = "C:\\Windows\\SysWow64\\etwrsw32.dll"	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1644B915-C16A-4296-8BFC-AD51A75BAE1D}\InProcServer32	wpnccr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1644B915-C16A-4296-8BFC-AD51A75BAE1D}\InProcServer32\ = "C:\\Windows\\SysWow64\\etwrsw32.dll"	wpnccr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1644B915-C16A-4296-8BFC-AD51A75BAE1D}\InProcServer32	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeBackupPrivilege	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Token: SeSecurityPrivilege	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
Token: SeDebugPrivilege	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4572	IEXPLORE.EXE
3164	IEXPLORE.EXE
4856	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4572	IEXPLORE.EXE
4572	IEXPLORE.EXE
2264	IEXPLORE.EXE
2264	IEXPLORE.EXE
3164	IEXPLORE.EXE
3164	IEXPLORE.EXE
1260	IEXPLORE.EXE
1260	IEXPLORE.EXE
4856	IEXPLORE.EXE
4856	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3352 wrote to memory of 4572	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	82
PID 3352 wrote to memory of 4572	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	82
PID 4572 wrote to memory of 2264	4572	IEXPLORE.EXE	83
PID 4572 wrote to memory of 2264	4572	IEXPLORE.EXE	83
PID 4572 wrote to memory of 2264	4572	IEXPLORE.EXE	83
PID 3352 wrote to memory of 3484	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	84
PID 3352 wrote to memory of 3484	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	84
PID 3352 wrote to memory of 1096	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	85
PID 3352 wrote to memory of 1096	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	85
PID 3352 wrote to memory of 2900	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	86
PID 3352 wrote to memory of 2900	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	86
PID 3352 wrote to memory of 2900	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	86
PID 2900 wrote to memory of 3164	2900	wpnccr32.exe	87
PID 2900 wrote to memory of 3164	2900	wpnccr32.exe	87
PID 3352 wrote to memory of 4636	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	88
PID 3352 wrote to memory of 4636	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	88
PID 3164 wrote to memory of 1260	3164	IEXPLORE.EXE	89
PID 3164 wrote to memory of 1260	3164	IEXPLORE.EXE	89
PID 3164 wrote to memory of 1260	3164	IEXPLORE.EXE	89
PID 3352 wrote to memory of 4828	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	90
PID 3352 wrote to memory of 4828	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	90
PID 3352 wrote to memory of 4828	3352	eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe	90
PID 2900 wrote to memory of 532	2900	wpnccr32.exe	91
PID 2900 wrote to memory of 532	2900	wpnccr32.exe	91
PID 2900 wrote to memory of 4856	2900	wpnccr32.exe	95
PID 2900 wrote to memory of 4856	2900	wpnccr32.exe	95
PID 4856 wrote to memory of 2812	4856	IEXPLORE.EXE	96
PID 4856 wrote to memory of 2812	4856	IEXPLORE.EXE	96
PID 4856 wrote to memory of 2812	4856	IEXPLORE.EXE	96
PID 2900 wrote to memory of 944	2900	wpnccr32.exe	97
PID 2900 wrote to memory of 944	2900	wpnccr32.exe	97

C:\Users\Admin\AppData\Local\Temp\eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eebbdb0969ff448ab6d66fe6ec67356c_JaffaCakes118.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3352
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "C:\Users\Admin\AppData\Local\Temp\tmp852E.tmp"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4572 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2264
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "C:\Users\Admin\AppData\Local\Temp\tmp85EA.tmp"
  2⤵
  - Modifies Internet Explorer settings
  PID:3484
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "C:\Users\Admin\AppData\Local\Temp\tmp8639.tmp"
  2⤵
  - Modifies Internet Explorer settings
  PID:1096
- C:\Windows\SysWOW64\wpnccr32.exe
  "C:\Windows\system32\wpnccr32.exe"
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2900
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "C:\Users\Admin\AppData\Local\Temp\tmp9143.tmp"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3164 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1260
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "C:\Users\Admin\AppData\Local\Temp\tmp91C1.tmp"
    3⤵
    PID:532
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "http://www.easy-free-sex.biz/"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4856 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2812
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "http://www.easy-free-sex.biz/"
    3⤵
    - Modifies Internet Explorer settings
    PID:944
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "C:\Users\Admin\AppData\Local\Temp\tmp9186.tmp"
  2⤵
  - Modifies Internet Explorer settings
  PID:4636
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tmp91B6.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
ed05e58945ed7a2c9b1cdfc86642b6ed

SHA1
57c72c87f05d91b39f235af6688c13c8d9749c67

SHA256
c4e101f22a067b19a4629a48e893f9cd842b9a709a979208c9c5bb06724124ab

SHA512
853107d0ed6191d3a79e2e31d2b41873ccc67ac8bddaeb4ba902cc27342a5bbb127ed98828fa499e1f898d6304da2a05b93457490873f44b5987df780801ef8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
871e85f203c08ba48431dec9413366b2

SHA1
a2b5a05bb1a23e90c7a94032b3443d1934a2409d

SHA256
67c4be5770d2d5b0a36dbeb299ced41298470d7eeb1539b94f25a50c2501bc72

SHA512
38bb6a98112fe6098da41bee78c177cceb5534cc00daca416650e6928795eae224f6e04f6ad3805f27f83c4a1e47d8fbc1508bb7414563b4f37c72eaa86143d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AAB87913-77B0-11EF-AC6B-62A6B307388A}.dat

Filesize
5KB

MD5
332b6bcdb19041d3d7d9c4c22d40651f

SHA1
946e5fcc8ca8468666e6985d2ab90c1dd6bbcfdd

SHA256
970f4eddfa7f768768dacad5403bf0c0b00262b7751e01469ff0850770d8aaa0

SHA512
60f7c204a132e9a48f8e8272d9f6e931ec873ac122bbe78fc2250566ca45046e3041e2b558fd02a8f3f17f0d5e5189009a5af01d5fd31e43aa619b2e0e2142bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{AC908A23-77B0-11EF-AC6B-62A6B307388A}.dat

Filesize
5KB

MD5
f715df684320c434aae387882299e5d0

SHA1
5ee0ccf847e8a637d8c23c929ec8bce3c38e5942

SHA256
d883a0e71bedfc8b0bb7add2cf7e151b78682ce6157443761c2a88a9d00fe2fe

SHA512
fabb7886967094249e09ff60b64859a71dcc76690eda88a027aac30fef16d11b843723f0008b46a2acd1a4d9d18b7793d63a55c31bb5f02b7bddb35424c46727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\02PT5J1W\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp852E.tmp

Filesize
329B

MD5
0d7531acdaf7f5577b118bbbd6a82e2f

SHA1
48a8881aec7b35981a00f1951e1ec387a6eefb17

SHA256
758589404b2d55f4640b617816dedb613decceba92cf9e4ce38cfeb117be354f

SHA512
b390609796d28b402d9bb8e0f02174cee9862169602139392aafe82c8c5f968fa359af525dd538c676381ac2b6b2023d2ab72b30c715a37c22775f940f581595

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9143.tmp

Filesize
442B

MD5
11919d4be6573fa86778220f8c235f5f

SHA1
9fd4fe1088d23bf7bff1c6209fccdba7ff5150b1

SHA256
b3fca75b6f1744455839fec36788873ba6d4700ee79b0beecae902214d98829e

SHA512
ed1d993402778a941f24009877bfdc470398fb9fc7fe4889d0b56a194cb019da094915fa10b9349f922f5af41dc0274d7b1dc9854b5b105fe5a59821ce2843bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp91B6.bat

Filesize
257B

MD5
ba9ac1bfd7bf6e1886e18242097fba6f

SHA1
dc593a36da9631144cf6e9c661e6b465de3787a5

SHA256
7633796219a64851aff6b3f370586671311528fe7858db35d841814093d0477b

SHA512
0ae5e41d1749718b776f4346441c1545e12ea453fe52c31f733f36f7c35918cfd18e2162952db806dbc088aa62b7675303f7ed659e5ddc7c452eaf9bfeca1618

Download Submit
C:\Windows\SysWOW64\dot3prov.dll

Filesize
28KB

MD5
87dcc98f4e537f1193a82eeef6c9d921

SHA1
2716449bef74f716aa055c3515395153259088b8

SHA256
acb025529583cb03574acf0741386003ffab7cc8174e2537c08c91c0e29fa073

SHA512
cc80cdb7d6cb974fdf6d5d39ee48e4ddb157970c62a9196ba1dcc9bd57216e8ae83f62100ded38357dd1df1cc42d855badf0a9311a3b7d36e831b0729dfd6a8d

Download Submit
C:\Windows\SysWOW64\hgakheg.dll

Filesize
4KB

MD5
2021e934dab44895244b7567c6bd4adf

SHA1
75412009c45485260f78f7c18a65fadcfe956975

SHA256
4d0668ec7da71b90b54c6a92eb90ada546c3935e710fc700f87d197882dc2489

SHA512
6685bc551ebe98eb5ffe4a6b694fcb58e8340e2a1adbc7755b689626364969b49b8ca502983525b2c5407d12c600163f6510c74ea301ec6cffcf387dce0b49bd

Download Submit
C:\Windows\SysWOW64\hgakheg.dll

Filesize
1KB

MD5
f944b111c62d25cb8ac28ca5497cfd1a

SHA1
3676f34853f9647b907e8c4605c12f40ba40c69a

SHA256
9c7ad99bdd36ad9f2be7fd9b5de5ce33205c25a8c3646e8aa554e2644eaac8ed

SHA512
d7562b70eb63491cf0a20fe508d8cda2c3528c1ad96c549f92f1ee3368034cdcf36e77a49e168b86ecbd4b2bf633f7887a717137ee8bf512e3541138546714a4

Download Submit
C:\Windows\SysWOW64\hgakheg.dll

Filesize
3KB

MD5
0f753e519a7fee08a5ec17f262ef6d10

SHA1
47383c267701a2f3406d6cbebbf8c0e71cedb36c

SHA256
ac05a0199cb76996b6c7f80a8dcfdf77507c5d87ea8b8bd6a8a64e948acda66a

SHA512
cf9f3ef515b026636c7eb907617d74b628cef5d601be7ad17e7a5036e8132c985a5017f1894064067b6c0841cd81b2871482c2ae0d62b398f7e41a95818ab703

Download Submit
C:\Windows\SysWOW64\wpnccr32.exe

Filesize
150KB

MD5
ca0c96fdd8c4cfba22fbea596eb39784

SHA1
556c5f4b5d2a42035a567a3bbc455de47c19b96c

SHA256
405c6302fdded13db9468e1e5fa2b34772908ca062b8002b6c9c0432acec0a38

SHA512
2484a25ae2dfcbadb97d353617b79ba9d19bb79d9fd15b5ed3f522b637fdb9f8432c93733b6c9f8891eae33e7f07e0e6aa9cabf277f491e8eff4263c9d0d7c8a

Download Submit
memory/2900-82-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2900-98-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2900-206-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2900-207-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/3352-107-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/3352-0-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download