Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
01/10/2024, 04:17
Behavioral task
behavioral1
Sample
04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral3
Sample
$PLUGINSDIR/DLLWebCount.dll
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
$PLUGINSDIR/DLLWebCount.dll
Resource
win10v2004-20240910-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/IEKill.dll
Resource
win7-20240729-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/IEKill.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/KillProcDLL.dll
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/KillProcDLL.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/SelfDelete.dll
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/SelfDelete.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/UnProtectMode.dll
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/UnProtectMode.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240708-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral17
Sample
$PLUGINSDIR/version.dll
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
$PLUGINSDIR/version.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral19
Sample
enumerate_gt.dll
Resource
win7-20240903-en
Behavioral task
behavioral20
Sample
enumerate_gt.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral21
Sample
enumerate_gtu.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
enumerate_gtu.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral23
Sample
enumst.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
enumst.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral25
Sample
uninstall.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
uninstall.exe
Resource
win10v2004-20240802-en
Behavioral task
behavioral27
Sample
$PLUGINSDIR/DLLWebCount.dll
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
$PLUGINSDIR/DLLWebCount.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral29
Sample
$PLUGINSDIR/IEKill.dll
Resource
win7-20240903-en
Behavioral task
behavioral30
Sample
$PLUGINSDIR/IEKill.dll
Resource
win10v2004-20240802-en
Behavioral task
behavioral31
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240729-en
Behavioral task
behavioral32
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240802-en
General
-
Target
04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe
-
Size
772KB
-
MD5
04576b7a014c6acec68b3f4a227cfb62
-
SHA1
88e1edb9b1a26b76fcb3680f38e67df7f18b660b
-
SHA256
3936e2b4367d153f30faea901bfce5f3b362d1ca8b38a395735f73301a4982dc
-
SHA512
18a1f70116dca66ac69364c48ef7e6e612c1f569ebc4afd67bc37a824810c1ae9c617452aef57f44216969e786a4d08f8b6f5dca65895e8a73a2908fb41e264b
-
SSDEEP
12288:9XeCPMdwydEJNFZrmEHsNMitgSqNqDQ4GOoeaS5HDH6V:9XpGjynZ6EH4MipnQ4GzeHT6V
Malware Config
Signatures
-
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects a file protected with ACProtect (a commercial executable protector/packer). The match is on the dropped resource 0x00060000000186ea-56.dat, which the upx rule below also flags; packing of this kind is used to hinder static analysis and signature matching, so static verdicts on the dropped DLLs should be treated as low-confidence until unpacked.
resource yara_rule behavioral1/files/0x00060000000186ea-56.dat acprotect -
Deletes itself 1 IoCs
pid Process 3032 cmd.exe -
Executes dropped EXE 2 IoCs
pid Process 2776 enumerate_gtu.exe 2908 enumst.exe -
Loads dropped DLL 25 IoCs
pid Process 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 2776 enumerate_gtu.exe 2776 enumerate_gtu.exe 2776 enumerate_gtu.exe 2908 enumst.exe 2908 enumst.exe 2908 enumst.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Enumerate_gt = "\"C:\\Program Files (x86)\\enumerate\\gt\\enumerate_gtu.exe\" subcmd" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLLs that Internet Explorer loads into every browser process at start-up, giving them access to page content, navigation events and the user's browser session; registering one is a classic adware/spyware persistence and search-hijack technique. Here the CLSID {E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9} ("Enumerate Top Search - GT") is registered under the Wow6432Node BHO key, its InprocServer32 (see "Modifies registry class" below) points at the dropped C:\Program Files (x86)\enumerate\gt\enumerate_gt.dll, and NoExplorer = 1 stops the object from also being loaded into Windows Explorer.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9} 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9}\ = "Enumerate Top Search - GT" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9}\NoExplorer = "1" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe -
UPX packed file 2 IoCs
Detects a UPX-packed file. Both the dropped resource 0x00060000000186ea-56.dat and a memory region of the parent process (PID 1640) match the upx rule.
resource yara_rule behavioral1/files/0x00060000000186ea-56.dat upx behavioral1/memory/1640-53-0x00000000005F0000-0x0000000000602000-memory.dmp upx -
Drops file in Program Files directory 4 IoCs
description ioc Process File created C:\Program Files (x86)\enumerate\gt\enumerate_gt.dll 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe File created C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe File created C:\Program Files (x86)\enumerate\gt\enumst.exe 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe File created C:\Program Files (x86)\enumerate\gt\uninstall.exe 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Note that the key being read here (HKLM\SYSTEM\ControlSet001\Control\NLS\Language) is also opened by benign system binaries — two of the six hits below are cmd.exe and schtasks.exe — so this signature is a weak indicator on its own and should not be used for detection without the surrounding process context.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language enumst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language enumerate_gtu.exe -
Modifies Internet Explorer settings 1 TTPs 4 IoCs
Registers enumerate_gtu.exe (AppPath C:\Program Files (x86)\enumerate\gt\) under Internet Explorer's Low Rights\ElevationPolicy with Policy = 3. Per Microsoft's documented ElevationPolicy semantics, policy value 3 allows Protected Mode (low-integrity) IE to launch the named executable at medium integrity without prompting the user, i.e. the installer is pre-authorising its own dropped binary to escape the IE Protected Mode sandbox. This key should be removed together with the BHO registration when cleaning a host.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50} 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}\AppName = "enumerate_gtu.exe" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}\AppPath = "C:\\Program Files (x86)\\enumerate\\gt\\" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{75AE2228-E06B-4955-8C3F-BF0D5636DC50}\Policy = "3" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe -
Modifies registry class 51 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C2FE67D-274D-4443-9E7A-09BFDE40E507}\ = "Ienumerate_gt_smsplusSO" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_smsplus.enumerate_gt_smspl 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_smsplus.enumerate_gt_smspl\CurVer\ = "enumerate_gt_smsplus.enumerate_gt_sms.1" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9}\InprocServer32\ThreadingModel = "Apartment" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E2489BF-424D-4DA6-A55A-0FF31B60580F}\1.0\FLAGS 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C2FE67D-274D-4443-9E7A-09BFDE40E507}\TypeLib\ = "{5E2489BF-424D-4DA6-A55A-0FF31B60580F}" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\enumerate_gt_smsplus.DLL 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9}\VersionIndependentProgID 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E2489BF-424D-4DA6-A55A-0FF31B60580F}\1.0\0\win32 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C2FE67D-274D-4443-9E7A-09BFDE40E507} 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9}\TypeLib 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9}\TypeLib\ = "{5E2489BF-424D-4DA6-A55A-0FF31B60580F}" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E2489BF-424D-4DA6-A55A-0FF31B60580F}\1.0 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E2489BF-424D-4DA6-A55A-0FF31B60580F}\1.0\HELPDIR 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_smsplus.enumerate_gt_smspl\ = "enumerate_gt_smsplusSO Class" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9} 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9}\ = "Enumerate Top Search - GT" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9}\InprocServer32\ = "C:\\Program Files (x86)\\enumerate\\gt\\enumerate_gt.dll" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C2FE67D-274D-4443-9E7A-09BFDE40E507}\TypeLib\Version = "1.0" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C2FE67D-274D-4443-9E7A-09BFDE40E507}\ = "Ienumerate_gt_smsplusSO" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C2FE67D-274D-4443-9E7A-09BFDE40E507}\ProxyStubClsid32 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C2FE67D-274D-4443-9E7A-09BFDE40E507}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 
04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C2FE67D-274D-4443-9E7A-09BFDE40E507}\ProxyStubClsid32 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9}\VersionIndependentProgID\ = "enumerate_gt_smsplus.enumerate_gt_smspl" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9}\AppID = "{67C768EB-B67B-47DD-A53E-3E4C3FB30A4A}" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E2489BF-424D-4DA6-A55A-0FF31B60580F}\1.0\ = "enumerate_gt_smsplus 1.0 Çü½Ä ¶óÀ̺귯¸®" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C2FE67D-274D-4443-9E7A-09BFDE40E507} 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{67C768EB-B67B-47DD-A53E-3E4C3FB30A4A} 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\enumerate_gt_smsplus.DLL\AppID = "{67C768EB-B67B-47DD-A53E-3E4C3FB30A4A}" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_smsplus.enumerate_gt_sms.1 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_smsplus.enumerate_gt_sms.1\ = "enumerate_gt_smsplusSO Class" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C2FE67D-274D-4443-9E7A-09BFDE40E507}\TypeLib\ = "{5E2489BF-424D-4DA6-A55A-0FF31B60580F}" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_smsplus.enumerate_gt_sms.1\CLSID 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9}\ProgID\ = "enumerate_gt_smsplus.enumerate_gt_sms.1" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C2FE67D-274D-4443-9E7A-09BFDE40E507}\TypeLib 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E2489BF-424D-4DA6-A55A-0FF31B60580F}\1.0\0 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E2489BF-424D-4DA6-A55A-0FF31B60580F}\1.0\0\win32\ = "C:\\Program Files (x86)\\enumerate\\gt\\enumerate_gt.dll" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E2489BF-424D-4DA6-A55A-0FF31B60580F}\1.0\HELPDIR\ 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C2FE67D-274D-4443-9E7A-09BFDE40E507}\TypeLib 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_smsplus.enumerate_gt_sms.1\CLSID\ = "{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9}" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_smsplus.enumerate_gt_smspl\CLSID 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9}\InprocServer32 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E2489BF-424D-4DA6-A55A-0FF31B60580F} 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_smsplus.enumerate_gt_smspl\CurVer 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9}\ProgID 
04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C2FE67D-274D-4443-9E7A-09BFDE40E507}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C2FE67D-274D-4443-9E7A-09BFDE40E507}\TypeLib\Version = "1.0" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{67C768EB-B67B-47DD-A53E-3E4C3FB30A4A}\ = "enumerate_gt_smsplus" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\enumerate_gt_smsplus.enumerate_gt_smspl\CLSID\ = "{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9}" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E2ACBBE7-29CB-4E8C-A210-57ED185FF6A9}\Programmable 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{5E2489BF-424D-4DA6-A55A-0FF31B60580F}\1.0\FLAGS\ = "0" 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the installer spawns cmd.exe (PID 2672), which runs schtasks.exe (PID 2664) to create a task named "enumerategt" that executes "C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe" with the argument schcmd at every logon (/SC ONLOGON) at the highest privilege level available to the creating user (/RL HIGHEST); /F silently overwrites any existing task of that name. Together with the HKCU Run value Enumerate_gt listed above, this gives the dropped binary two independent logon-time persistence mechanisms, and both (the task and the Run value) must be removed when cleaning a host.
pid Process 2664 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 12 IoCs
pid Process 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeRestorePrivilege 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Token: SeBackupPrivilege 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe Token: SeRestorePrivilege 2776 enumerate_gtu.exe Token: SeBackupPrivilege 2776 enumerate_gtu.exe Token: SeRestorePrivilege 2908 enumst.exe Token: SeBackupPrivilege 2908 enumst.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2776 enumerate_gtu.exe 2776 enumerate_gtu.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 2776 enumerate_gtu.exe 2776 enumerate_gtu.exe 2908 enumst.exe 2908 enumst.exe -
Suspicious use of WriteProcessMemory 35 IoCs
description pid Process procid_target PID 1640 wrote to memory of 2672 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 30 PID 1640 wrote to memory of 2672 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 30 PID 1640 wrote to memory of 2672 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 30 PID 1640 wrote to memory of 2672 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 30 PID 1640 wrote to memory of 2672 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 30 PID 1640 wrote to memory of 2672 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 30 PID 1640 wrote to memory of 2672 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 30 PID 2672 wrote to memory of 2664 2672 cmd.exe 32 PID 2672 wrote to memory of 2664 2672 cmd.exe 32 PID 2672 wrote to memory of 2664 2672 cmd.exe 32 PID 2672 wrote to memory of 2664 2672 cmd.exe 32 PID 2672 wrote to memory of 2664 2672 cmd.exe 32 PID 2672 wrote to memory of 2664 2672 cmd.exe 32 PID 2672 wrote to memory of 2664 2672 cmd.exe 32 PID 1640 wrote to memory of 2776 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 33 PID 1640 wrote to memory of 2776 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 33 PID 1640 wrote to memory of 2776 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 33 PID 1640 wrote to memory of 2776 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 33 PID 1640 wrote to memory of 2776 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 33 PID 1640 wrote to memory of 2776 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 33 PID 1640 wrote to memory of 2776 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 33 PID 1640 wrote to memory of 2908 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 34 PID 1640 wrote to memory of 2908 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 34 PID 1640 wrote to memory of 2908 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 34 PID 1640 wrote to memory of 2908 1640 
04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 34 PID 1640 wrote to memory of 2908 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 34 PID 1640 wrote to memory of 2908 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 34 PID 1640 wrote to memory of 2908 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 34 PID 1640 wrote to memory of 3032 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 36 PID 1640 wrote to memory of 3032 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 36 PID 1640 wrote to memory of 3032 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 36 PID 1640 wrote to memory of 3032 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 36 PID 1640 wrote to memory of 3032 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 36 PID 1640 wrote to memory of 3032 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 36 PID 1640 wrote to memory of 3032 1640 04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe 36
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\04576b7a014c6acec68b3f4a227cfb62_JaffaCakes118.exe" (tree depth 1)
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1640 -
Image: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /C schtasks /Create /F /TN "enumerategt" /SC ONLOGON /TR "'C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe' schcmd" /rL HIGHEST (tree depth 2)
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672 -
Image: C:\Windows\SysWOW64\schtasks.exe
Command line: schtasks /Create /F /TN "enumerategt" /SC ONLOGON /TR "'C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe' schcmd" /rL HIGHEST (tree depth 3)
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2664
-
-
-
Image: C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe
Command line: "C:\Program Files (x86)\enumerate\gt\enumerate_gtu.exe" Updatecmd (tree depth 2)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2776
-
-
Image: C:\Program Files (x86)\enumerate\gt\enumst.exe
Command line: "C:\Program Files (x86)\enumerate\gt\enumst.exe" Updatecmd (tree depth 2)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2908
-
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c \DelUS.bat (tree depth 2). The batch path is root-relative, so DelUS.bat is written to the root of the process's current drive; this is the self-deletion step flagged below and the batch file itself is a useful on-disk artifact to look for (presumably the 228-byte file in the Downloads list — confirm by hash).
- Deletes itself
- System Location Discovery: System Language Discovery
PID:3032
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Browser Extensions 1
Scheduled Task/Job 1
Scheduled Task 1
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Scheduled Task/Job 1
Scheduled Task 1
Downloads (files dropped or extracted during the run; file names were not preserved in this extract, so match each entry to the $PLUGINSDIR and C:\Program Files (x86)\enumerate\gt artifacts above by size and hash)
-
Filesize
228B
MD5 2f7d6e64573ec70030498e9969325fee
SHA1 f1e092b089b73d1259e66f3167b6576baea8c5ba
SHA256 4d5f49940a6b72280f6f4237e402bda36e23d95963de795b706c2f5931ba8591
SHA512 e6e57e0a7b6f0786b2f22476804f99fedd5520ca6942f70ee8b62291c1db08977cffa6e5bce285342878b662682940f82229c52aabe233a1c35ea4733fb59c55
-
Filesize
208KB
MD5 0dacbcaf284cfb0f11b60f191f90535f
SHA1 97bf9d11e479f35e284d1c1d7043200036c08cd7
SHA256 dea16761751ae38e3f4f1861f4211c9700d5921b5c5519fcc5466f096e31f670
SHA512 274cb9c7f5871474235ec9b30af727d0ebc5759071d66b6295f3f0c9c2de16102e1f980f7ccb02c50daeb7464c91c51b124cfe2ccc67efc977f3627490afc26c
-
Filesize
956KB
MD5 ef8736ba45eb1248c9809136ca3c4b7c
SHA1 7fd63e869937785bf0caf0c7d64e5108c70f6028
SHA256 bc27293e97e91e44d8c928021729dd02446fc075f20ed015fd1ab6fcaed8b1b0
SHA512 3c4e83fa964271f538e9853a43533ba17e32811e2824b59184b797657b78208999f4db65ab61db613649c8863caa8680b4c78ffc3482127e14d3132c0751c27b
-
Filesize
1.2MB
MD5 cb7c5835e42807f7a83d082e4402059a
SHA1 abb037e995dbd0de63daaf4ae7b54a1f6b4d4f44
SHA256 958b1b2437e6c16aae901c0d011b7d14973d3d5c3680568c70725a384b2da0f5
SHA512 7b80c908bbba69ace4fcd9aff8c59a7300e5d1fdddd24a1a412dfce9a959f5bd59ad3e4337ba4ec5f5d0ce53572d5ea235610aabd52455fbfb4e5801ee88f710
-
Filesize
32KB
MD5 248536afcb6f59c1797f079a0da15b63
SHA1 7fa238f871b357c66168728ab1bb38addcfba3f8
SHA256 9c5f4eeadc9c2881bc02b45d757b35d3bfd2dc7d917d2e8fde2917fabf48908f
SHA512 b82accc8530650ebae8d4f8752002c2d23ab7b29e958e6c14731ad186a0fcdbbab937723a540de62d58f4659580843191fd53cb415e07167d7b55cd174a79652
-
Filesize
28KB
MD5 090f0ab18996feae6c0a62d83b2149c6
SHA1 5292898561ad88630088ae22fb877dfc7146ee77
SHA256 914536dd97645de7789666da5dc03d02f4fbe0593214678e6e1982a02a8a1c4d
SHA512 2fccda2cb95583fdb184b7edaa7ae088ca484e06d020159bf9776e36b660c6672812b7e821b111fa52d63ad5e2ce70602dc117edc2eba3c46029653c5ef5ffc6
-
Filesize
32KB
MD5 83142eac84475f4ca889c73f10d9c179
SHA1 dbe43c0de8ef881466bd74861b2e5b17598b5ce8
SHA256 ae2f1658656e554f37e6eac896475a3862841a18ffc6fad2754e2d3525770729
SHA512 1c66eab21f0c9e0b99ecc3844516a6978f52e0c7f489405a427532ecbe78947c37dac5b4c8b722cc8bc1edfb74ba4824519d56099e587e754e5c668701e83bd1
-
Filesize
24KB
MD5 ddc0d6806073a5b034104c88288ca762
SHA1 9663cc10c496f05d6167e19c3920245040e5e431
SHA256 2f4767da9dc7e720d910d32d451674cd08b7892ca753ec5c10b11fe85e12f06b
SHA512 545ca797a397cfcbd9b5d3bd2da2e3219ba7a294e541831655c5763a7f17480fd0b990d0c2e58ba8c71f81d85472b2da6d079b8211b44c40c8c36d21168ec054
-
Filesize
200KB
MD5 d37323d733078a8da425ad71a51d1462
SHA1 7061f1f388c6fa0159d614ded01251da4e4b7e4b
SHA256 e1a0b1168a87ac0d140b3a394efda23148a8907093898e0a2549079009d318e3
SHA512 f7e0780aa18785c1402d7233b67fabb61cefa8568e71cd4ca37405eafc7a340053836b16fdebc2ce351b7ddeac28d17a43091904ba443269cac1e7e4f46bd929
-
Filesize
6KB
MD5 acc2b699edfea5bf5aae45aba3a41e96
SHA1 d2accf4d494e43ceb2cff69abe4dd17147d29cc2
SHA256 168a974eaa3f588d759db3f47c1a9fdc3494ba1fa1a73a84e5e3b2a4d58abd7e
SHA512 e29ea10ada98c71a18273b04f44f385b120d4e8473e441ce5748cfa44a23648814f2656f429b85440157988c88de776c6ac008dc38bf09cbb746c230a46c69fe
-
Filesize
22KB
MD5 fbe588b15eb1bd86defade69f796b56f
SHA1 2f63cf44039addddb22c2c0497673b49e6b3ad7a
SHA256 31144e8b156fe87317073c48a09abcb033fda8dbdd96986c4abea8c00c00355f
SHA512 e1a9e29e4c62e77a2ec2c539344f0b5a8cd67ca3fd8dfefb0b0666a992eb2fabadb0034d439c4adbbdffd9c9439f23ee5757fac0ed669d3c9db48f50c677143d