701b7caaea15c8b8143289789b8e8c60927d72beb0ae2993ade15db62c9e4f5f

Analysis

max time kernel
131s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27/09/2024, 06:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9e84684ca6f79d20ba858fec3a6482a_JaffaCakes118.exe
Size

8.7MB
MD5

f9e84684ca6f79d20ba858fec3a6482a
SHA1

c4730b2ecf0e0c6036561411c6271dc02bb222d0
SHA256

701b7caaea15c8b8143289789b8e8c60927d72beb0ae2993ade15db62c9e4f5f
SHA512

5c46824d2f135e3b7993aacfc0e145581fbafa73e91acc16eace341693ac5a18b1c60cfd95cc1639da7d543410450290f0a385955d52836e6e6dd262cc433774
SSDEEP

196608:ZdJVXbACSigYoWjL6xzQWvXF8xhls3QcWDTZ9OBCscEIAmhsRBB:ZdzXbACSigYo7B8xh3ZDTZhsTIAt

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000700000002364b-190.dat	acprotect
behavioral2/files/0x000700000002364c-193.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	f9e84684ca6f79d20ba858fec3a6482a_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
652	Allok Video Joiner.exe
2508	Allok Video Joiner.tmp

Loads dropped DLL 2 IoCs

pid	Process
2860	regsvr32.exe
2104	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\is-3RKSC.tmp	Allok Video Joiner.tmp
File created	C:\Windows\SysWOW64\is-UH1AS.tmp	Allok Video Joiner.tmp

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002364b-190.dat	upx
behavioral2/memory/2860-192-0x0000000010000000-0x0000000010018000-memory.dmp	upx
behavioral2/files/0x000700000002364c-193.dat	upx
behavioral2/memory/2104-195-0x0000000010000000-0x0000000010053000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Allok Video Joiner\is-QH7BU.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-NOOB9.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-1M4A8.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-NK7FI.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-HDHE3.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-T6231.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-977PR.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-L3LBR.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-IEDM0.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-JSFPK.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-JL9NE.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-5PN1T.tmp	Allok Video Joiner.tmp
File opened for modification	C:\Program Files (x86)\Allok Video Joiner\unins000.dat	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-GDDJC.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-62V0M.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-U3H8G.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-QMPEL.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-7GBVO.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-U8ABV.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-UI1FM.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-EV0PM.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-OMVON.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-2QABU.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-OPT3G.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-LEAIH.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-7RTHB.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-OH5HU.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-3AQCO.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-KQKHQ.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-Q0PB0.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-8U8FR.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-DDM05.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-VMD08.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-N0PS7.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-9EB49.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-0OD92.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-THVJO.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-02RGJ.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-SANOF.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-R87HL.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-LPC2T.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-TOGM2.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-RR984.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-HCC68.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-U98GF.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-6DUUS.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\unins000.dat	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-T6TT7.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-CRJH8.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-1KJGA.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-IL1A2.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-7KSEG.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-KMCEF.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-B2IMQ.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-OP9IK.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-BDRN1.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-K5MCU.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-ETREK.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-P5JUL.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-0R9EK.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\Languages\is-IKBBF.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-NQ185.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-01LK9.tmp	Allok Video Joiner.tmp
File created	C:\Program Files (x86)\Allok Video Joiner\is-B6D6N.tmp	Allok Video Joiner.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f9e84684ca6f79d20ba858fec3a6482a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allok Video Joiner.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Allok Video Joiner.tmp

Modifies registry class 50 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E41C6AFE-738D-4A56-957C-C352F41B3275}\CLSID = "{E41C6AFE-738D-4A56-957C-C352F41B3275}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E21BE468-5C18-43EB-B0CC-DB93A847D769}\ = "RealMedia Splitter"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E21BE468-5C18-43EB-B0CC-DB93A847D769}\CLSID = "{E21BE468-5C18-43EB-B0CC-DB93A847D769}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{765035B3-5944-4A94-806B-20EE3415F26F}\FilterData = 02000000000060000000000000000000	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{238D0F23-5DC9-45A6-9BE2-666160C324DD}\FilterData = 0200000000004000020000000000000030706933000000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000060000000800000007669647300001000800000aa00389b71000000000000000000000000000000005956313200001000800000aa00389b71	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{941A4793-A705-4312-8DFC-C11CA05F397E}\FilterData = 020000000000400002000000000000003070693300000000000000000100000000000000000000003074793300000000e0000000f00000003170693308000000000000000900000000000000000000003074793300000000e0000000000100003174793300000000e0000000100100003274793300000000e0000000200100003374793300000000e0000000300100003474793300000000e0000000400100003574793300000000e0000000500100003674793300000000e0000000600100003774793300000000e0000000700100003874793300000000e0000000800100006175647300001000800000aa00389b710000000000000000000000000000000031345f3400001000800000aa00389b7132385f3800001000800000aa00389b714154524300001000800000aa00389b71434f4f4b00001000800000aa00389b71444e455400001000800000aa00389b715349505200001000800000aa00389b71ff00000000001000800000aa00389b715241414300001000800000aa00389b715241435000001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E41C6AFE-738D-4A56-957C-C352F41B3275}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E41C6AFE-738D-4A56-957C-C352F41B3275}\FriendlyName = "CyberLink QuickTime Source Filter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E21BE468-5C18-43EB-B0CC-DB93A847D769}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{765035B3-5944-4A94-806B-20EE3415F26F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{238D0F23-5DC9-45A6-9BE2-666160C324DD}\ = "RealVideo Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{941A4793-A705-4312-8DFC-C11CA05F397E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{941A4793-A705-4312-8DFC-C11CA05F397E}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{765035B3-5944-4A94-806B-20EE3415F26F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E41C6AFE-738D-4A56-957C-C352F41B3275}\ = "QTSrc"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{941A4793-A705-4312-8DFC-C11CA05F397E}\FriendlyName = "RealAudio Decoder"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{238D0F23-5DC9-45A6-9BE2-666160C324DD}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E41C6AFE-738D-4A56-957C-C352F41B3275}\FilterData = 0200000000002000020000000000000030706933080000000000000001000000000000000000000030747933000000006000000070000000317069330800000000000000010000000000000000000000307479330000000080000000700000007669647300001000800000aa00389b71000000000000000000000000000000006175647300001000800000aa00389b71	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E21BE468-5C18-43EB-B0CC-DB93A847D769}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{765035B3-5944-4A94-806B-20EE3415F26F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{765035B3-5944-4A94-806B-20EE3415F26F}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E21BE468-5C18-43EB-B0CC-DB93A847D769}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E21BE468-5C18-43EB-B0CC-DB93A847D769}\FriendlyName = "RealMedia Splitter"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.mov	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{941A4793-A705-4312-8DFC-C11CA05F397E}\InprocServer32\ = "C:\\Windows\\SysWow64\\AVERM.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{238D0F23-5DC9-45A6-9BE2-666160C324DD}\CLSID = "{238D0F23-5DC9-45A6-9BE2-666160C324DD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E41C6AFE-738D-4A56-957C-C352F41B3275}\InprocServer32\ = "C:\\Windows\\SysWow64\\AVEQT.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E41C6AFE-738D-4A56-957C-C352F41B3275}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{765035B3-5944-4A94-806B-20EE3415F26F}\ = "RealMedia Source"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{941A4793-A705-4312-8DFC-C11CA05F397E}\ = "RealAudio Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{941A4793-A705-4312-8DFC-C11CA05F397E}\CLSID = "{941A4793-A705-4312-8DFC-C11CA05F397E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\Extensions\.mov\Source Filter = "{E41C6AFE-738D-4A56-957C-C352F41B3275}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{57428EC6-C2B2-44A2-AA9C-28F0B6A5C48E}\Source Filter = "{E436EBB5-524F-11CE-9F53-0020AF0BA770}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E21BE468-5C18-43EB-B0CC-DB93A847D769}\InprocServer32\ = "C:\\Windows\\SysWow64\\AVERM.dll"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E21BE468-5C18-43EB-B0CC-DB93A847D769}\FilterData = 020000000000600002000000000000003070693300000000000000000100000000000000000000003074793300000000500000006000000031706933080000000000000000000000000000000000000083eb36e44f52ce119f530020af0ba77000000000000000000000000000000000	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{238D0F23-5DC9-45A6-9BE2-666160C324DD}\FriendlyName = "RealVideo Decoder"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{57428EC6-C2B2-44A2-AA9C-28F0B6A5C48E}\0 = "0,4,,2E524D46"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{765035B3-5944-4A94-806B-20EE3415F26F}\InprocServer32\ = "C:\\Windows\\SysWow64\\AVERM.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{238D0F23-5DC9-45A6-9BE2-666160C324DD}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{238D0F23-5DC9-45A6-9BE2-666160C324DD}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{765035B3-5944-4A94-806B-20EE3415F26F}\FriendlyName = "RealMedia Source"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{765035B3-5944-4A94-806B-20EE3415F26F}\CLSID = "{765035B3-5944-4A94-806B-20EE3415F26F}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{941A4793-A705-4312-8DFC-C11CA05F397E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E41C6AFE-738D-4A56-957C-C352F41B3275}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Media Type\{E436EB83-524F-11CE-9F53-0020AF0BA770}\{57428EC6-C2B2-44A2-AA9C-28F0B6A5C48E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E21BE468-5C18-43EB-B0CC-DB93A847D769}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{238D0F23-5DC9-45A6-9BE2-666160C324DD}\InprocServer32\ = "C:\\Windows\\SysWow64\\AVERM.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{238D0F23-5DC9-45A6-9BE2-666160C324DD}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{941A4793-A705-4312-8DFC-C11CA05F397E}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E41C6AFE-738D-4A56-957C-C352F41B3275}\InprocServer32	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2508	Allok Video Joiner.tmp

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 652	3920	f9e84684ca6f79d20ba858fec3a6482a_JaffaCakes118.exe	89
PID 3920 wrote to memory of 652	3920	f9e84684ca6f79d20ba858fec3a6482a_JaffaCakes118.exe	89
PID 3920 wrote to memory of 652	3920	f9e84684ca6f79d20ba858fec3a6482a_JaffaCakes118.exe	89
PID 652 wrote to memory of 2508	652	Allok Video Joiner.exe	90
PID 652 wrote to memory of 2508	652	Allok Video Joiner.exe	90
PID 652 wrote to memory of 2508	652	Allok Video Joiner.exe	90
PID 2508 wrote to memory of 2860	2508	Allok Video Joiner.tmp	91
PID 2508 wrote to memory of 2860	2508	Allok Video Joiner.tmp	91
PID 2508 wrote to memory of 2860	2508	Allok Video Joiner.tmp	91
PID 2508 wrote to memory of 2104	2508	Allok Video Joiner.tmp	92
PID 2508 wrote to memory of 2104	2508	Allok Video Joiner.tmp	92
PID 2508 wrote to memory of 2104	2508	Allok Video Joiner.tmp	92

C:\Users\Admin\AppData\Local\Temp\f9e84684ca6f79d20ba858fec3a6482a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9e84684ca6f79d20ba858fec3a6482a_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Allok Video Joiner.exe
  "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Allok Video Joiner.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Users\Admin\AppData\Local\Temp\is-MR8M3.tmp\Allok Video Joiner.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-MR8M3.tmp\Allok Video Joiner.tmp" /SL5="$E025E,8706323,58880,C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Allok Video Joiner.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\AVEQT.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2860
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\AVERM.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4380,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8
1⤵
PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Allok Video Joiner\Allok Video Joiner.exe

Filesize
440KB

MD5
897794490e8af876d78a25aeff678408

SHA1
9a569a63eba091e74a87c5f0ac9633f3fe9002f6

SHA256
0c334f64dec2a7b8710aa6b4cf6ab40b554e0f3e3803493bc475993854023fa4

SHA512
63309e2ccd94aead4fbd114626f7f4edb7f70879418589208dd49cee50d5b0eb79579e2ba27739e0af4bc0f2451c534d08ea364d6d937da62faa03ffdcbd4ab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Allok Video Joiner.exe

Filesize
8.5MB

MD5
c0e14a9c41cbf979acb4f9d7c4c5411e

SHA1
00c0b2ff93d0f4bec3ed3146eb70e6b53e34a742

SHA256
1f6b20215795d9eb7a18abc37c4a815123d50ac85a0a054d53f30d56c924301a

SHA512
4f85bb277beffb49625b85a872ad7d85be19f20033b1b383c8b204536bda3fba252ab18ddf135eb0e19e753f7a0d63d4c0130ad0817b583685147c90635697bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-MR8M3.tmp\Allok Video Joiner.tmp

Filesize
685KB

MD5
b87606f9e0ab4dafa086d13a2e756242

SHA1
01b7aefee78bbc2aa4ae57a15b00b6c661195c81

SHA256
c288150c6e89d69f4074f93965563a0cdaa719fa13c0613cea744ad1dc833a6f

SHA512
a64cf4ad27398cc3e3baa2bcb956359941557d5bffdf0a793eff6091ad46b10cd4200be18ff38b24049f34fc1e93d0e121ff463866217ae5ba9d5feca0f44202

Download Submit
C:\Windows\SysWOW64\AVEQT.dll

Filesize
28KB

MD5
23b8b59396a50388cd34ceee55a103ee

SHA1
41dfcc8f7b388eb456722832200aeb02a9f5c607

SHA256
b296f482a598fd83a59a65212aaeb99a2e007853773155b79dc473890186eb3d

SHA512
518f120cf217cf1f554eff6ff9174e896c2ca1efa910efa06a01aded5edc59add383ea6dd017d8e798b2bc28b93174db5218dd373739f3ffac05393a53a18832

Download Submit
C:\Windows\SysWOW64\AVERM.dll

Filesize
126KB

MD5
dc657cc8c152c77f22dbe14c7b96374d

SHA1
354c04376bffc07794e1f6a64d2db2df86f73561

SHA256
c58b812b7f688ca96adc65fd74281ddad9682417509280bb0f65b9c091d0908c

SHA512
89bf1cfe45b0d5848194f85fd52d4910c7cd9afff4b9a695b98a00053a9669f8a3668e0178b7ee1657f81c07bab495e5a41344e53b2aa3127c0160a1d3fe8659

Download Submit
memory/652-12-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/652-14-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/652-202-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2104-195-0x0000000010000000-0x0000000010053000-memory.dmp

Filesize
332KB

Download
memory/2508-22-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2508-201-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2860-192-0x0000000010000000-0x0000000010018000-memory.dmp

Filesize
96KB

Download