6ef13ddae106a2203e94dae126c05bc4e19ce2ab99243fae78157cc48c62b995

Analysis

max time kernel
146s
max time network
144s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 01:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
Size

480KB
MD5

0849e5ddcdd4c3ab2d35e55d4c824edc
SHA1

7b12f01349ea7be1aae8285741befa3719778038
SHA256

6ef13ddae106a2203e94dae126c05bc4e19ce2ab99243fae78157cc48c62b995
SHA512

cab50953e46159391d5700d32455e00787fff851c3ab989629c188d0958d46187c7acfac7b6370b381bfa3ddcbae45e1e5e4c0f2bd889b55bad3f944490c88af
SSDEEP

6144:9Nc4Jjvl/4vUzQ2+edERhTZN0lQBoJDxJsdupHe5YezOZTWKxQUjPLxE4SvZe:9dlswF+edERzilQ6Hmd6JuWPgvs

Score

8^/10

adware bootkit discovery persistence stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	4f43.exe

Executes dropped EXE 3 IoCs

pid	Process
2700	4f43.exe
2896	4f43.exe
3052	4f43.exe

Loads dropped DLL 19 IoCs

pid	Process
2908	regsvr32.exe
2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
2700	4f43.exe
2700	4f43.exe
2700	4f43.exe
2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
2896	4f43.exe
2896	4f43.exe
2896	4f43.exe
3052	4f43.exe
3052	4f43.exe
3052	4f43.exe
3052	4f43.exe
2576	rundll32.exe
2576	rundll32.exe
2576	rundll32.exe
2576	rundll32.exe
3052	4f43.exe
3052	4f43.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{089F0B02-4464-46d7-8DDC-1587E54B0CEC}	regsvr32.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	4f43.exe
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Drops file in System32 directory 59 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\54k3.dlltmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\6xd3.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\db33.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\5d3c.dlltmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4533.dlltmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\5d3c.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\33db.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\3d7cd	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\bd4c.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\66bb.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\8bo3.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\5b3c.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b6bd.dlltmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\3c4b.dlltmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\43b5.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\66bd.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4533.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\6cd3.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\d6xb.dlltmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b6bd.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\6cf5.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\3bmd.dlltmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\cbu4.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\df9grd	4f43.exe
File opened for modification	C:\Windows\SysWOW64\5b43.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\3c4b.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\-82-10810411	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\4b46.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\54h4.dlltmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4cy5.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fg89fd	4f43.exe
File opened for modification	C:\Windows\SysWOW64\46eb.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\54k3.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\dcy5.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\66bd.dlltmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\364c.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\6cf5.dlltmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bb3c.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\d6xb.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\3c8n.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\6b5b.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b3l3.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\6bc5.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b44r.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\6s3b.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b366.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b366.dlltmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\4f43.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bb3c.dlltmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bs43.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b6r4.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\54h4.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bb65.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\bb65.dlltmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\338b.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\3bmd.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b535.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\b3b6.dll	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\436b.bmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\5cb5.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\bd64.bmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\3b35.txt	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\bbc4.bmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\d536.txt	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\bcb3.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\dprc.rm	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\4336.bmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\b365.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\334b.bmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\4cdb.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\3bcb.bmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\348b.txt	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\6cb3.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\4536.txt	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\cdb3.txt	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\5cb3.bmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\6538.bmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\5bcb.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\3cb3.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\6b35.txt	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\4bd5.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\bbcb.bmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\bcd3.bmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\cddb.txt	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\3b64.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\63cd.txt	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\dcmc.rm	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\c6b3.txt	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\5d44.exe	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\5538.bmp	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\3b46.txt	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
File opened for modification	C:\Windows\c633.txt	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f43.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4f43.exe

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\CurVer\ = "IEHpr.Invoke.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{089F0B02-4464-46d7-8DDC-1587E54B0CEC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{089F0B02-4464-46d7-8DDC-1587E54B0CEC}\InprocServer32\ = "C:\\Windows\\SysWow64\\66bd.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{089F0B02-4464-46d7-8DDC-1587E54B0CEC}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF4C2B05-E769-4AA7-B34C-9B61189E09B7}\ = "IInvoke"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF4C2B05-E769-4AA7-B34C-9B61189E09B7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{089F0B02-4464-46d7-8DDC-1587E54B0CEC}\ = "Invoke Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{089F0B02-4464-46d7-8DDC-1587E54B0CEC}\VersionIndependentProgID\ = "IEHpr.Invoke"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56AF8E67-AD10-4FF9-9655-943F1837F83E}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF4C2B05-E769-4AA7-B34C-9B61189E09B7}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{089F0B02-4464-46d7-8DDC-1587E54B0CEC}\TypeLib\ = "{56AF8E67-AD10-4ff9-9655-943F1837F83E}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56AF8E67-AD10-4FF9-9655-943F1837F83E}\1.0\ = "Flash ocx 2.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke.1\ = "Invoke Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56AF8E67-AD10-4FF9-9655-943F1837F83E}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF4C2B05-E769-4AA7-B34C-9B61189E09B7}\ = "IInvoke"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke.1\CLSID\ = "{089F0B02-4464-46d7-8DDC-1587E54B0CEC}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\ = "Invoke Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{089F0B02-4464-46d7-8DDC-1587E54B0CEC}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56AF8E67-AD10-4FF9-9655-943F1837F83E}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56AF8E67-AD10-4FF9-9655-943F1837F83E}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56AF8E67-AD10-4FF9-9655-943F1837F83E}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF4C2B05-E769-4AA7-B34C-9B61189E09B7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF4C2B05-E769-4AA7-B34C-9B61189E09B7}\TypeLib\ = "{56AF8E67-AD10-4FF9-9655-943F1837F83E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\CLSID\ = "{089F0B02-4464-46d7-8DDC-1587E54B0CEC}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHpr.Invoke\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{089F0B02-4464-46d7-8DDC-1587E54B0CEC}\ProgID\ = "IEHpr.Invoke.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56AF8E67-AD10-4FF9-9655-943F1837F83E}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF4C2B05-E769-4AA7-B34C-9B61189E09B7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF4C2B05-E769-4AA7-B34C-9B61189E09B7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF4C2B05-E769-4AA7-B34C-9B61189E09B7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{089F0B02-4464-46d7-8DDC-1587E54B0CEC}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{089F0B02-4464-46d7-8DDC-1587E54B0CEC}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56AF8E67-AD10-4FF9-9655-943F1837F83E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56AF8E67-AD10-4FF9-9655-943F1837F83E}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF4C2B05-E769-4AA7-B34C-9B61189E09B7}\TypeLib\ = "{56AF8E67-AD10-4FF9-9655-943F1837F83E}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF4C2B05-E769-4AA7-B34C-9B61189E09B7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF4C2B05-E769-4AA7-B34C-9B61189E09B7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF4C2B05-E769-4AA7-B34C-9B61189E09B7}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{089F0B02-4464-46d7-8DDC-1587E54B0CEC}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{089F0B02-4464-46d7-8DDC-1587E54B0CEC}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{56AF8E67-AD10-4FF9-9655-943F1837F83E}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\66bd.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AF4C2B05-E769-4AA7-B34C-9B61189E09B7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 2704	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2704	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2704	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2704	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2704	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2704	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2704	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2348	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2348	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2348	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2348	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2348	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2348	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2348	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2140	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2140	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2140	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2140	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2140	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2140	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2140	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	32
PID 2416 wrote to memory of 2752	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	33
PID 2416 wrote to memory of 2752	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	33
PID 2416 wrote to memory of 2752	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	33
PID 2416 wrote to memory of 2752	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	33
PID 2416 wrote to memory of 2752	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	33
PID 2416 wrote to memory of 2752	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	33
PID 2416 wrote to memory of 2752	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	33
PID 2416 wrote to memory of 2740	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	34
PID 2416 wrote to memory of 2740	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	34
PID 2416 wrote to memory of 2740	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	34
PID 2416 wrote to memory of 2740	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	34
PID 2416 wrote to memory of 2740	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	34
PID 2416 wrote to memory of 2740	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	34
PID 2416 wrote to memory of 2740	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	34
PID 2416 wrote to memory of 2816	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	35
PID 2416 wrote to memory of 2816	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	35
PID 2416 wrote to memory of 2816	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	35
PID 2416 wrote to memory of 2816	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	35
PID 2416 wrote to memory of 2816	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	35
PID 2416 wrote to memory of 2816	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	35
PID 2416 wrote to memory of 2816	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	35
PID 2416 wrote to memory of 2820	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	36
PID 2416 wrote to memory of 2820	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	36
PID 2416 wrote to memory of 2820	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	36
PID 2416 wrote to memory of 2820	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	36
PID 2416 wrote to memory of 2820	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	36
PID 2416 wrote to memory of 2820	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	36
PID 2416 wrote to memory of 2820	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	36
PID 2416 wrote to memory of 2860	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	37
PID 2416 wrote to memory of 2860	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	37
PID 2416 wrote to memory of 2860	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	37
PID 2416 wrote to memory of 2860	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	37
PID 2416 wrote to memory of 2860	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	37
PID 2416 wrote to memory of 2860	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	37
PID 2416 wrote to memory of 2860	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	37
PID 2416 wrote to memory of 2876	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	38
PID 2416 wrote to memory of 2876	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	38
PID 2416 wrote to memory of 2876	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	38
PID 2416 wrote to memory of 2876	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	38
PID 2416 wrote to memory of 2876	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	38
PID 2416 wrote to memory of 2876	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	38
PID 2416 wrote to memory of 2876	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	38
PID 2416 wrote to memory of 2976	2416	0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe	39

C:\Users\Admin\AppData\Local\Temp\0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0849e5ddcdd4c3ab2d35e55d4c824edc_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\3c4b.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2704
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b366.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2348
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\bb3c.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2140
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\4533.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2752
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\bb65.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2740
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\5d3c.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2816
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\6cf5.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2820
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\54k3.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2860
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\3bmd.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2876
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\d6xb.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2976
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\54h4.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2812
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\b6bd.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2768
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /u /s "C:\Windows\system32\66bd.dll"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2736
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Windows\system32\66bd.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2908
- C:\Windows\SysWOW64\4f43.exe
  C:\Windows\system32\4f43.exe -i
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2700
- C:\Windows\SysWOW64\4f43.exe
  C:\Windows\system32\4f43.exe -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2896
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32 C:\Windows\system32\dcy5.dll, Always
  2⤵
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2576

C:\Windows\SysWOW64\4f43.exe
C:\Windows\SysWOW64\4f43.exe
1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\enpa3ml\4.dll

Filesize
124KB

MD5
42a070042a0d378cdca371e4a9e34431

SHA1
6d18c8e84410b5f9b73f14b6583312e1c3ddaa95

SHA256
b993c251c80bf19ba7039383288548c6080fa4d7d08dc1a33c87eedacd1588cd

SHA512
f81ed25f23f3e6ad0087584a3caf4ff7cef175438509d1e43848e305ef1ad077b9928ebe74440f136241c92f7ed616582aefb2b236bf53a08d50bfc2884c5818

Download Submit
C:\Users\Admin\AppData\Local\Temp\enpa3ml\b.dll

Filesize
64KB

MD5
402d203bf685bce04851d0d12bdc1ac0

SHA1
f833665398279d7532b66e055bbfc5abdc51f792

SHA256
cd78c2e3cec32fb95d329dad6bcb95fa97e90a0b6da47ab783964d93366c1e1c

SHA512
00d31ac8a0d8354d64fb26400eb0b686bcdb9f167c34dd2d04160bf8ec5f7f32f1367ef1d5fa3726e87cbaac84f19676d5ab8d4bb955d1eddbbe033878ed69b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\enpa3ml\p.dll

Filesize
716KB

MD5
8bb32dae7358d42ca2b9027665ed5cdd

SHA1
6f194b170145f1aadd6e3991274b054c0d19513d

SHA256
5ef7dc667f61ab729f76cdfa373414e0aa5361987fcacfee524d2db2710fab05

SHA512
73ada84ab602965ece179f8c6a3130fa190a8f24969197b016f681b1e6484a2e2560eb33387327426b74d48dc01a420ff45d4e6d4b0c0ee979afbe37da2c4992

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads