e41b5d008a4b4b25ae30088ceeeed2f66acee51c9bf1fe0659de6eb2185a04f4

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03-10-2024 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
Size

84KB
MD5

10145d4291d70e76c990f3df2c70b105
SHA1

875d54922a25a7f945c5dca80ff49c805ecb4349
SHA256

e41b5d008a4b4b25ae30088ceeeed2f66acee51c9bf1fe0659de6eb2185a04f4
SHA512

ad802a9bbdeb09e101f5717c62b45770fb6ad4d707c4343d0ceea5019d49565f2c37d384bd2fad2a9f139bd070d042f63cc073082b460bf7e646d780572c64b1
SSDEEP

1536:xBKUAfjncl5yQHmFB25xTX4yOH5XSaP+V9KOOUS5yUNE0BmLr55p/EK+CnJnOJ:xAU6n8Rm6vPk2Ps3E5jp/8CJn0

Score

10^/10

discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\system32\\HideFyles\\ctfmom.exe"	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, C:\\Windows\\system32\\HideFyles\\ctfmom.exe, C:\\Windows\\system32\\antav\\av.exe"	ctfmom.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Executes dropped EXE 1 IoCs

pid	Process
2748	ctfmom.exe

Loads dropped DLL 2 IoCs

pid	Process
2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\SPOLSV = "C:\\Windows\\system32\\HideFyles\\apointy.exe"	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe

Drops file in System32 directory 62 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\LogFilesHide04\12.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\28.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\antav	ctfmom.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\30.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\42.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\46.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\51.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\21.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\24.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\47.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\11.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\45.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\02.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\06.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\13.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\33.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\48.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\25.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\26.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\38.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\44.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\05.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\09.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\03.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\18.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\22.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\23.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\50.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\32.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\49.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\arq.bat	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\04.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\14.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\29.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\39.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\43.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\16.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\sair.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\HideFyles\	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HideFyles\inuus	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\41.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\antav\nameversion	ctfmom.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\01.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\07.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\08.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\34.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\35.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\19.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\20.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\27.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\31.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\LogFilesHide04	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\10.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\36.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\37.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HideFyles\apointy.exe	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\HideFyles\apointy.exe	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\HideFyles\ctfmom.exe	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\15.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\17.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\LogFilesHide04\40.log	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\HideFyles\ctfmom.exe	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmom.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90d8a785c215db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000b7c46edb3146abaadf80a9a62579bebd1474ea27cc9558afb43cbec161be080e000000000e80000000020000200000005266f7abccd8931b47b8c69e15ac1b144cbd202bb08b2cebafa1187da6b92309200000005d670ebe68259e8dd4e314478682b96184e3c6ff8aa3b1c86ca68400fb7371f54000000097a43538a48f54182767454bb1c315b82af35f53b9cc776e917f95abea118285dd02a4a0e55b2a8a06bc90b99c20b9bf33b6389402f02cd17105a6515078c7a7	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{B0040D71-81B5-11EF-A9B2-6AA32409C124} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004961a9603b5d8740891a04601e8b8fb900000000020000000000106600000001000020000000ea445d14f7bdebb4ff16c2192c38f729245a76ea391d7191fdbde5a2d76be4be000000000e800000000200002000000040f422a99cebcfc65033b49bb2940c9d7d17e735593609f24f4ad876783ce63990000000d6507871c3d87807e41626a3e8881e557895b92e58c06ee413a907a4e276c421b3a43b65e7da67dacaea5d673324fd9e7992c79538bc3cf4ad8d371c86d88fe4f3099c0d9f1be9aaac6797bd4a72fdfdada8915eaa1aeb75a2479c08904e5cb048b497bb9a695042be86d60ee41564e4aa0c26a7e2eb9afb99cd5fb9189d947455e6ecb3237f6dd443805d5e016581e540000000b0d892222d1abb2bbe67a061a2bbe066a3986a56268bab9373587b092566fc42fb4cdebd9efbfdfa3deea1e1ece248d2de56ca56bd99b956e834ac718ddc666b	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434142148"	iexplore.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2676	reg.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
2748	ctfmom.exe
2748	ctfmom.exe
2748	ctfmom.exe
2748	ctfmom.exe
2748	ctfmom.exe
2748	ctfmom.exe
2748	ctfmom.exe
2748	ctfmom.exe
2748	ctfmom.exe
2748	ctfmom.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2668	iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
2668	iexplore.exe
2668	iexplore.exe
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE
2748	ctfmom.exe
2748	ctfmom.exe
2748	ctfmom.exe
2384	IEXPLORE.EXE
2384	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2688	2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe	30
PID 2300 wrote to memory of 2688	2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe	30
PID 2300 wrote to memory of 2688	2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe	30
PID 2300 wrote to memory of 2688	2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe	30
PID 2688 wrote to memory of 2676	2688	cmd.exe	32
PID 2688 wrote to memory of 2676	2688	cmd.exe	32
PID 2688 wrote to memory of 2676	2688	cmd.exe	32
PID 2688 wrote to memory of 2676	2688	cmd.exe	32
PID 2668 wrote to memory of 2384	2668	iexplore.exe	34
PID 2668 wrote to memory of 2384	2668	iexplore.exe	34
PID 2668 wrote to memory of 2384	2668	iexplore.exe	34
PID 2668 wrote to memory of 2384	2668	iexplore.exe	34
PID 2300 wrote to memory of 2748	2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe	35
PID 2300 wrote to memory of 2748	2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe	35
PID 2300 wrote to memory of 2748	2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe	35
PID 2300 wrote to memory of 2748	2300	10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10145d4291d70e76c990f3df2c70b105_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\arq.bat
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\reg.exe
    REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 1 /f
    3⤵
    - Disables RegEdit via registry modification
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2676
- C:\Windows\SysWOW64\HideFyles\ctfmom.exe
  C:\Windows\system32\HideFyles\ctfmom.exe
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2748

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2668 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
39798f4eb92678efb6af0e72a90d85d7

SHA1
8db2b867b4e0112deb6e5d41328ab08b29aa00c6

SHA256
0290e1f3d992d597ddc976ec720d913046ae969cb2ffe04f825b35affc84d07c

SHA512
9c54a4f81c895ef2dba777e5c4958b3d7fc6ef72f06bdfcb73a4354ee7e90590f684c4973d11361e7b0725d0039f19ae691c6ac7b03e09412e048eff210fc258

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42f87fd77370b2ac38180400cf56704c

SHA1
442525cdbc48b5ea00bd1d057a3e4eeebb939d3c

SHA256
c7774c0c88e41ff0442552cfcc3b820abba95cbb332a2015f0f6264c0fdd004e

SHA512
faa9cdc54298c08ec166fd17f91ae1fe42388de53c773e7547bdf6389b8f548abac7e4b3a850e9f71d5e085f2ca00083e698def541d93d7857f787b3c5452fcb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02c5aa2711ec79cc8f742728c14ce93e

SHA1
891ba8676a9eed4b9d807c5649cc67f34766e95c

SHA256
bbad02b1c1b2cafd9e63698853fb553a39c828d54d8ac04e855150d56ae4181d

SHA512
314d580123c525174cc70440a2af9c2714293e12cbe7099eabf412b9cd6d75c43637e56fa0d7d608a5c2c61ea4dafbe73bd8d097912dda63a653d8fbd1a2db13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c678c10cba736aab510cdfb7078d8bba

SHA1
7f7028225a85a6d091f8ffbcd0d42a53aee50340

SHA256
b2acd54db1bdcdd5b6d4cb5a44834bc8446730293ac29d601c4185515f705887

SHA512
cff4599aa2cda2e951f039a0f95c88c9725fe45307ad7cfc090ac898e4d8cd3f013a6c08b307e33ac6cb0cee3239f1331863469e2eb3974e4aa4c091f517169b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
068627409f5c1c127d3064b22200e71f

SHA1
b2cb62701e66ed326cfe8df894675fc90f5f9704

SHA256
aca2ba298ae6cf134ecfc4e33b47c8af24e40294c9eac2a344530ff00a297fa8

SHA512
8c83e5126946c1bb9375f6f06044669c69acabd39dea8e75c38adb63823aa51c016fe1cb36b813cc7aa0d714ecfcc6d1a1cdc0bc0e5dbb33f8b65d443da7ed0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5afe22a61aa99ce3c46307e7e8785331

SHA1
3e291ad951ef10760be098b96b93021e54187f4e

SHA256
17376429840f99db4a9b12c95b8b40c5932f9cbf79ed72325fd97843bc540013

SHA512
1358a884d70a549fe8544052c65b8ed304dcc70f5d8dde44b16a0624cae47e6805493399f4e881c1cef74d1278f680ea3e6a6e6b99ff7d96cec8367410ee995d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3506e402453df263a787c69aad4f254d

SHA1
5e1b1a168a026d92452e6abdbf6c7b1f6ff7e633

SHA256
f8546beff53676e6a285cf1ff2c5e57e38fdd62941eaffa1923422eb7a4ae09e

SHA512
bfe043dd6ec95c68b5c0e1184d03f2b658c4198421d0c2d3aa36a15f745783ad5d9c8c5f4861d3af54deac43070fcb1e9eb6f941c0d7c19bc6da4f5dec90c923

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83089a19c3d86b77ab87150906a60efe

SHA1
97de4b9ba7de3dde0c6c332455c22ca4998345e1

SHA256
81b5fb9a45adedcada5244651dcc00835dcec8693c7ed43d4d5cf9249f63c1c9

SHA512
beb42e7872aecc847b7af8d8468f3d170f6953bac055a8ac22db8df7caf5cb3ee3d61b41c96b690ce8d55e9107933af4c3a19f1e8678d352f204a319257b58ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc7f44b540199adf568f2bf2bcc712db

SHA1
3480f600e51e05303743541e83504c6a5b752c32

SHA256
012ca11151cd179bdff698ec6e91e9cabc861b224a356bbf0c6a4eb649eede15

SHA512
7b22d5dbcba062350c0b6bea8c03fd7a9eef0f53df32c72bb8affaa95922a10e0855c24b14cec10ab5009a1c1f6a5e02869052b492fe04f2dad1bad0b113f528

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cce7b84cdacd761967df4be8a661cbb9

SHA1
94d9ce6f450b5e3deae44f3cf598fb0bd1258a9d

SHA256
3e1477cc6f6a17cc49b019158f5c7d30e4b83f63e351c6485ecc980f6096571b

SHA512
4ebb262b2e63326ff8a4cad6a8d0bc2a3772d2616fff32765c04c382b351b09f2dbd644f259a291e60ba593245bd9dfc7f6ef3efe850f46f5c1c0eeb5fe028b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9703adc404aa73b874f7aa52a1d91c13

SHA1
1faa617512e491a4a2a663178a3fba1e744d0d8c

SHA256
df687a9bd4acb47bd8bbd3215adad721e2993d0b3a150ef43826646d7f1628a6

SHA512
e6172d6f694268967e9ee845f64ada737b6ac546d405d1b7f35b471c614fa3628f9db32974794f524a22a29d0ab26ff091cfc682413a34d00b45698f0e9bae46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d2f50891bab945e4f6abb4a1f9324bc

SHA1
ca0649f7058465bf96d25e6715332d7f747c0c2f

SHA256
cc8308d8c194520a2e1a75437e5a8cb28037c33ad0919c4aad0c61f9c8ad57e7

SHA512
074aa6cb3a96aef5f9f8e28e1a4455f18a5287c3f003a43102269ec572fcaa5b7fc6be324ffe7d8a8b826d29bf9405808b7e1ac2973cb3cc59edbce640987947

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e71fda8008cf61c2c7b290728cdecc2

SHA1
a7da680b32090a5d4777d6731509546d57f358d6

SHA256
f4e361c3cb43fb4e3517c3f19162b4f4a02411857d525428079b17db76b5a785

SHA512
3c6f9d1ec9fa2b7545ec8837314aec1caab36222b187f4d85093bd865a9e5becd0a7dc120f875c1f4adcee580e235dc1626019c7556f446fedf0ffb4ac86e3e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce226d1a04f734db7c19e3b18957bccd

SHA1
8b01b4eb38e9fdaede13170c8c4183e4d2b3bad0

SHA256
c66a48b6ef42199575eb8e35a0a12cc2c72ccf729235b80ee76a5e58d14b1a61

SHA512
8ab879f2691c2200b547a01cbc467eb322ce6fa77f20084d82a8669165adde7b61f795293a5ad88f7494f816f3e50d48ac7164aabe5b982a12fc3f42043bc43f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6160077be1d1c300f07620a8af2436ed

SHA1
c5a2ba9e728a8510eed6583c906883cce31af422

SHA256
2906d011d6d6fb2ae04e41a539a41e9a351ad202b386cab8c30f668a87a5ec2a

SHA512
78d8109126e3c668fd53c5a6375e4c73f4938033ccad86d51726840e35d6e54f3b3b0e357cca72e4a304ea371211b6d0c03f1cf69f016afad848f501e5d25f96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1eefc83e362de2fc8a94ccb7ccfe355

SHA1
5e8f4e42809b49395e6a647af24899e4cfcd3880

SHA256
20ba6db23d368bd479bcd704ec1d081c3f178978e741f4a5d68a2fbfd0e28094

SHA512
3ab59c36ee79404280a0e356dbe3d84acbad5f2247c3c79309ffab16fbae0b49e09c142dd4a32051b3ba8e9d846b3ce8fa9c8d5aab3bb6add67b34c9d212ad6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a4cc65dc266ba81a939668009ad7539

SHA1
060fec6157487ac7457c97f4d331dcbf23d607ae

SHA256
03c567bd3c77e56a4275a59f4ed912d1320e70e91cb32c7e15161783683c3a2d

SHA512
6b9ebf2310597be71e3c861448d4f2f1b893e9864a7f309a358fe9fa9e26129e1640118aa86062e78be0e7aeb80f61e5ec09e992d2a47d1308f9b9dce388cda2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1f056fcd49027b49b222c2e8539d591

SHA1
18b0a32b061b74a0681dd732fa55b08f098f043d

SHA256
6b0ed15f1cf673da3d6763edec3ef4857808e6baa34b2602027ba85798ac9dfd

SHA512
9b377f2f0a4615112b304f10b0fc3e4289311567d4964688af1ac399653413d223f27ef9e2c0800d198c96668e5476cd89d88dfd193f0853561fca7964add6dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a628c1cb132726997809618c71a8831

SHA1
ad52c6c8a25f34a265df703bb501792d4c3dbc33

SHA256
52155ca53ebf4b4a21b1f9529f25408880ec85ed5061f33098c46c00af3e9443

SHA512
4f2d0a70c77f06e5fe14a01ac033c14a6d7d7a8319ad451655c1e7cceb9ed3343772b1e0e76160c55f2f433d8dd66d118ee3cba66ec0fe5b5ff056599ce3ee57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea4013fe27f1fb198aa6bbd6de51afce

SHA1
87b5cf7993551369b36f091481c2a9ce35e97f59

SHA256
5c0c7f7192a65ae25ce43cecc931a8345d46ee6255766f8a7b07515c68414cd8

SHA512
2f8f9a4052349190fb438335e05989f54418f5318bd46e5ec92135078c4b1668ec40b61e90a74a7b34e66a880178fc0be06a066c97d511d47e98b34dc01f9fa6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25f7fe92e75d10b963f099c380c0ca52

SHA1
c2a43107aad6e2f6c88087f68797a945af03aa24

SHA256
a6c3494e7bfefcdbc4a008a9ea5ffbc67e3c461da1db5c7c95de5fa219e43331

SHA512
b700f7f761b0636c2964d80ddeaf9067667d0a7e4373e30a3a2ffe3389ef2d67f012b93995783972c2431e7944c88cfc31dc5e74004fd85b1123df2563dbf5fe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
3b3d5c749d34ef97ea05ff3f11b6232c

SHA1
2c0749e3c57d7d83f600e877ec7e0d482ba080c7

SHA256
78e6e93922239ff43a70df3e47d9283d7411344e9b082fb02d12bd20df987c1a

SHA512
acdb1e470b319dc263333b6d17fc414be2af1f80eefc703309d7d197e39635ee9ee0f7bcf98ab2f23b749154fccfabe13fcdaac56dbe7480ad7f5abf00d568f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\pzrzu69\imagestore.dat

Filesize
419KB

MD5
3469f01c9e55b74133f5803039571ee0

SHA1
ef3e3950bc9ed238b1b35807966bdd8d7eacea32

SHA256
d7000dc68434b59a79628266f016e5b583e909a6859b7cb974a2cdfa6d2fe202

SHA512
e839b4c58f3f09cd1913f2ceed43c6cc388a69a2d9cc69df1262eb40e80933317dd513ff476cccc0202ce2759c60d9f2169e9b8ea1c64a58ab37e7baa731091d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BDDDRHWK\iground1078[1].png

Filesize
419KB

MD5
6651272a7fe4b6547b5710e679df2f8d

SHA1
686a243dabe734db566aff6f44e4974de5669993

SHA256
97b27010e30ba6855fd1bb384066b28e2fb37b8d845808dd291929e032d010e7

SHA512
c4785885183f5c7701da8308ff766ead5ee604f33d123aa23a03f896ad1c3caba6f53725fec84b910e6bd2f9133ac51f4a6cb6d2f1cb52a45a4a04535b41c6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEB3A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEB3D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\HideFyles\ctfmom.exe

Filesize
84KB

MD5
10145d4291d70e76c990f3df2c70b105

SHA1
875d54922a25a7f945c5dca80ff49c805ecb4349

SHA256
e41b5d008a4b4b25ae30088ceeeed2f66acee51c9bf1fe0659de6eb2185a04f4

SHA512
ad802a9bbdeb09e101f5717c62b45770fb6ad4d707c4343d0ceea5019d49565f2c37d384bd2fad2a9f139bd070d042f63cc073082b460bf7e646d780572c64b1

Download Submit
C:\Windows\SysWOW64\LogFilesHide04\05.log

Filesize
26B

MD5
5be20fa2500878b0789c20e7c4ee5114

SHA1
8ffa467281946fde01a5add82006146423302076

SHA256
b07fd4684ea337d49388fbf72a68c430851ede803e7eb48dc301c3d7085ffc3d

SHA512
9be58471ba2d22abbda9cacf78d8ca7e0facba105134700263d13c2c9138d08e09011e317c71f26df5b5318cbe2bfc69a6f5b65fb43bcb947868034fbcbcb44c

Download Submit
C:\Windows\SysWOW64\arq.bat

Filesize
119B

MD5
9f08b6d102fd194ec2f3ce202a2de949

SHA1
13520089e21c5793990e608a2471ec6743200449

SHA256
d57b5b62148a2dc2aae12fa74bd0d1d12e9fade7880c0e939ecb0fb0fc9d3024

SHA512
d559d9c1b54d83e1eb12bec5dd29cc7e07b22de83a722d0b4103014e39be5afac2f08c7bb5b24f25fe3ba65e38e8d438d00d8aa4a07ee3791b1641e0945a3403

Download Submit