44d1380ee5312eee7e3b62a258d7ba23bca911940763235f0dd0bb3cd8a8fac9

Analysis

max time kernel
140s
max time network
119s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Size

851KB
MD5

fad3f6f075020e6dd85e9d4fc4cb912e
SHA1

8a473398ce701c5806e418d12790c46b5efcccd9
SHA256

44d1380ee5312eee7e3b62a258d7ba23bca911940763235f0dd0bb3cd8a8fac9
SHA512

fdd5dd5854cb143018fba3ec7161e561dae6be375144edccff9cccf171e05c4110d169212b04c98cdbeffaeccde266f94ee6b4261ea64451cb94eecd19ce02b2
SSDEEP

12288:MF6wGViGnvZGdkleLEg6YzltyP8idmUdxwer8czmz8CpknCT5xGhY38QTR:g6wyiGRl3Yz2mUdxwj0g8Rm3GhG1

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000500000001934d-13.dat	acprotect
behavioral1/files/0x0005000000019361-24.dat	acprotect
behavioral1/files/0x0003000000003e6e-33.dat	acprotect

Loads dropped DLL 7 IoCs

pid	Process
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\lbpgmg.dll	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\tmpad.xml	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2708-15-0x0000000010000000-0x0000000010011000-memory.dmp	upx
behavioral1/files/0x000500000001934d-13.dat	upx
behavioral1/memory/2708-12-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral1/files/0x0005000000019361-24.dat	upx
behavioral1/memory/2708-26-0x0000000000700000-0x000000000076D000-memory.dmp	upx
behavioral1/files/0x0003000000003e6e-33.dat	upx
behavioral1/memory/2708-35-0x0000000002B90000-0x0000000002BDE000-memory.dmp	upx
behavioral1/memory/2708-77-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral1/memory/2708-78-0x0000000000700000-0x000000000076D000-memory.dmp	upx
behavioral1/memory/2708-82-0x0000000002B90000-0x0000000002BDE000-memory.dmp	upx
behavioral1/memory/2708-79-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral1/memory/2708-83-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral1/memory/2708-86-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral1/memory/2708-89-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral1/memory/2708-92-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral1/memory/2708-95-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral1/memory/2708-109-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral1/memory/2708-112-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral1/memory/2708-115-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral1/memory/2708-118-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral1/memory/2708-121-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral1/memory/2708-124-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral1/memory/2708-127-0x0000000000400000-0x00000000005F6000-memory.dmp	upx
behavioral1/memory/2708-130-0x0000000000400000-0x00000000005F6000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\QMDispatch.dll	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
File opened for modification	C:\Windows\QMDispatch.dll	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction.1\CLSID\ = "{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\Programmable	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\Programmable	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\0\win32\ = "C:\\Windows\\QMDispatch.dll"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\TypeLib\Version = "1.0"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ProxyStubClsid32	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\TypeLib\ = "{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\TypeLib\ = "{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\TypeLib	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32\ThreadingModel = "Apartment"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\HELPDIR	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\TypeLib\Version = "1.0"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\InprocHandler32	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\CLSID	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\VersionIndependentProgID\ = "QMDispatch.QMFunction"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\TypeLib	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\ = "IQMFunction"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\ = "IQMFunction"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMCore.QMEngine	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction.1	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CurVer\ = "QMDispatch.QMRoutine.1"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID\ = "QMDispatch.QMRoutine.1"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\TypeLib\ = "{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\ = "QMCore.QMEngine"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\ProgID\ = "QMCore.QMEngine"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\TypeLib	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\TypeLib	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\InprocHandler32	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction.1\CLSID	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMRoutine Class"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\ = "QMFunction Class"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\ProgID	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine.1\CLSID	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\TypeLib\Version = "1.0"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ = "IQMRoutine"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E59F1D5-1FBE-11D0-8FF2-00A0D10038BC}	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMFunction\CLSID\ = "{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\ = "QMFunction Class"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ProxyStubClsid32	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMCore.QMEngine\CLSID\ = "{EBEB87A4-E151-4054-AB45-A6E094C5334B}"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EF94624F-EAAE-47CA-BE5B-86FDBF0B2BBA}\InprocServer32	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\VersionIndependentProgID	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\FLAGS\ = "0"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5FD5723F-D6F6-4F31-A7D0-318E72D28E80}\1.0\0\win32	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E6AD2DF7-46DC-417F-AE61-D433C510416D}\ = "IQMRoutine"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine.1\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32\ = "C:\\Windows\\QMDISP~1.DLL"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DF4F905C-0961-4464-8460-DD2A1F274D1F}\ProxyStubClsid32	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A4-E151-4054-AB45-A6E094C5334B}\InprocHandler32\ = "ole32.dll"	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
2708	fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fad3f6f075020e6dd85e9d4fc4cb912e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\macroinfo.dat

Filesize
193B

MD5
1a40b5eec1752dfe3799e6501c635f3f

SHA1
7fd74892bd8a1ebf4cb54339d457519e6498f2c5

SHA256
44a6035c275021a4f6ebe9be731544974fbeccf464c16b62947311514340372a

SHA512
61dd589935f1673f3b7282c5df30c9f668c97f24c85a28134324f4ce7832b008a7d1431715d31160ad3c272d784d9900040f53dae6f35a21c1743995ff109e22

Download Submit
C:\Windows\QMDispatch.dll

Filesize
107KB

MD5
8e6e1a1d29ddc38e120afc606ce1d845

SHA1
5d9b8d4ccc4f74fd501a2ca377d858ee93252a7a

SHA256
1e8e62d6ea8233a6351f9e0a82e95fb0245281b7d32a2c788261d9feb08e71ac

SHA512
b5c06636ab42b1925f3bcf2a872c3cb0ab7876a0eb88ff6009e3eeea4d3c7f3007d8eef6ca2f5e4b769bf73dde69dca564978cd49f98b1f9bcba49e9258f4f31

Download Submit
C:\Windows\SysWOW64\lbpgmg.dll

Filesize
36KB

MD5
98e900c04b9ab84405b224af31b93b65

SHA1
3a7b1dfd8c5d57cce94fdf8f8b4dac3470833017

SHA256
a2e88bff39817950b89293b10c7775d113a07402625e21c16a23ed47d088a1c8

SHA512
a9627d29787cd57f878bab9f4883475378105232ff42a0ba653969413c15e68b5ab2b4ceb02918dc8e243822e5273825b2766d58ca4dbe90c3d252c2d96343a2

Download Submit
\Users\Admin\AppData\Local\Temp\MSSCRIPT.OCX

Filesize
100KB

MD5
656524b4401f21e2929b78ef4c36db27

SHA1
d91ff837d6ced5f0442fd0812b6c1079fe417906

SHA256
d493f101ccd1d8804c0981f4fc630718b267d7155bdb575d6f619497956ea44e

SHA512
d28b17c924fb5f172944c055a85003575300305eddbbc4c89460777108c87154622b39515ee1f994d713d790fe5b74a69c835bd00d0affc5292fa0150617c34c

Download Submit
\Users\Admin\AppData\Local\Temp\WinIo.dll

Filesize
60KB

MD5
c604a51bd265526800ddba9f0ef730df

SHA1
40804d3a9047b050f5dcd444c55ce3cd2c374d97

SHA256
b0423fa0bfa4efce8d60b13ba4a7e5f3a0e1ce5605767c0c3d4698fd940ead3e

SHA512
1e048ba803a8e778907b6050edff2aed81bf2237109d948fa779452c5f99ced1802a4fda082bf4420c29fb39b2a1996ef39653ea3af2262902e6433cfb87f8f5

Download Submit
\Users\Admin\AppData\Local\Temp\cooper.dll

Filesize
90KB

MD5
fe550544e19f6c293f4ed7e0d5e25618

SHA1
51960d9334ea7af42e55218c4446591ecb1f5606

SHA256
a29f8373ecc158f6bf9a8f038844859842c8823a03e2b950c8a9fd8ee292672f

SHA512
c3facbd6586912c4fa612b473d99f11f0cc6d1ca84bff9388049042d17b39496ffab092238b451ee77799f4b7c7cd3234ced18831e54397f54611c77d788dacd

Download Submit
\Users\Admin\AppData\Local\Temp\helper.dll

Filesize
20KB

MD5
87e96b9b1540adb0c01aa48947967666

SHA1
cf630e13f5ce321c54de09d6ed24792282b05aa3

SHA256
f02409b2e367afd0e585a2e1c6ac4d10790fab5292d8d1c2b866fe04fab28d4d

SHA512
0b0fd2d03eb7fb255e283b387b2dd08390ff1ce5f0d47ee5a698b809e73e1c4f484c6970817c64af00531ac938ea5f1970de2a2ccfca769f135adc011e96a3ce

Download Submit
memory/2708-77-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/2708-83-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/2708-26-0x0000000000700000-0x000000000076D000-memory.dmp

Filesize
436KB

Download
memory/2708-35-0x0000000002B90000-0x0000000002BDE000-memory.dmp

Filesize
312KB

Download
memory/2708-23-0x0000000000610000-0x0000000000621000-memory.dmp

Filesize
68KB

Download
memory/2708-44-0x0000000002AB0000-0x0000000002AB9000-memory.dmp

Filesize
36KB

Download
memory/2708-12-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/2708-15-0x0000000010000000-0x0000000010011000-memory.dmp

Filesize
68KB

Download
memory/2708-78-0x0000000000700000-0x000000000076D000-memory.dmp

Filesize
436KB

Download
memory/2708-82-0x0000000002B90000-0x0000000002BDE000-memory.dmp

Filesize
312KB

Download
memory/2708-79-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/2708-17-0x0000000000600000-0x0000000000610000-memory.dmp

Filesize
64KB

Download
memory/2708-86-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/2708-89-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/2708-92-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/2708-95-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/2708-109-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/2708-112-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/2708-115-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/2708-118-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/2708-121-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/2708-124-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/2708-127-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download
memory/2708-130-0x0000000000400000-0x00000000005F6000-memory.dmp

Filesize
2.0MB

Download