Overview (score 7)
Static (score 3)
Behavioral tasks (score per run):
- 113f59a116...18.exe, windows7-x64: 7
- 113f59a116...18.exe, windows10-2004-x64: 7
- Launch.exe, windows7-x64: 3
- Launch.exe, windows10-2004-x64: 3
- MenuOrange.dll, windows7-x64: 6
- MenuOrange.dll, windows10-2004-x64: 6
- OIExt.dll, windows7-x64: 3
- OIExt.dll, windows10-2004-x64: 3
- OrangeInside.exe, windows7-x64: 3
- OrangeInside.exe, windows10-2004-x64: 3
- OrangeInstaller.dll, windows7-x64: 3
- OrangeInstaller.dll, windows10-2004-x64: 3
- OrangeInstaller.dll, windows7-x64: 3
- OrangeInstaller.dll, windows10-2004-x64: 3
- Uninstall.exe, windows7-x64: 7
- Uninstall.exe, windows10-2004-x64: 7
- english.dll, windows7-x64: 1
- english.dll, windows10-2004-x64: 1
- french.dll, windows7-x64: 1
- french.dll, windows10-2004-x64: 1
- libcurld.dll, windows7-x64: 3
- libcurld.dll, windows10-2004-x64: 3
- content/or...ide.js, windows7-x64: 3
- content/or...ide.js, windows10-2004-x64: 3
- uninstall_NSIS.exe, windows7-x64: 3
- uninstall_NSIS.exe, windows10-2004-x64: 3
Analysis
- max time kernel: 119s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 04-10-2024 01:21
Tasks
- static1: Static task
- behavioral1: 113f59a116435802d085bf18bac06953_JaffaCakes118.exe on win7-20240903-en
- behavioral2: 113f59a116435802d085bf18bac06953_JaffaCakes118.exe on win10v2004-20240802-en
- behavioral3: Launch.exe on win7-20240903-en
- behavioral4: Launch.exe on win10v2004-20240802-en
- behavioral5: MenuOrange.dll on win7-20240903-en
- behavioral6: MenuOrange.dll on win10v2004-20240802-en
- behavioral7: OIExt.dll on win7-20240903-en
- behavioral8: OIExt.dll on win10v2004-20240802-en
- behavioral9: OrangeInside.exe on win7-20240704-en
- behavioral10: OrangeInside.exe on win10v2004-20240802-en
- behavioral11: OrangeInstaller.dll on win7-20240903-en
- behavioral12: OrangeInstaller.dll on win10v2004-20240802-en
- behavioral13: OrangeInstaller.dll on win7-20240708-en
- behavioral14: OrangeInstaller.dll on win10v2004-20240802-en
- behavioral15: Uninstall.exe on win7-20240903-en
- behavioral16: Uninstall.exe on win10v2004-20240802-en
- behavioral17: english.dll on win7-20240903-en
- behavioral18: english.dll on win10v2004-20240802-en
- behavioral19: french.dll on win7-20240708-en
- behavioral20: french.dll on win10v2004-20240802-en
- behavioral21: libcurld.dll on win7-20240903-en
- behavioral22: libcurld.dll on win10v2004-20240802-en
- behavioral23: content/orangeinside.js on win7-20240903-en
- behavioral24: content/orangeinside.js on win10v2004-20240802-en
- behavioral25: uninstall_NSIS.exe on win7-20240903-en
- behavioral26: uninstall_NSIS.exe on win10v2004-20240802-en
General
- Target: 113f59a116435802d085bf18bac06953_JaffaCakes118.exe
- Size: 1.5MB
- MD5: 113f59a116435802d085bf18bac06953
- SHA1: 6eedf6a256d8d55e8e6873c301f8f730de11422c
- SHA256: 71bdc986994ff0ac066342f524ec84e994ad9240bf80f97759d102e31fbf660a
- SHA512: 6b45271fc43332062a8f96d721ec3e54f89008c96266f8df32f7590d2b83dfcef7bb3270fc8851221c5b3e3e6b4fd2f2c42d7ad4a1267c470da0d209d1b4279a
- SSDEEP: 49152:cnt7/imwzkPs8aUmayETXRBWPRhSwn1dxL2Ve:cndPsXUlyETBBWPbr1dl
Malware Config
Signatures
- Executes dropped EXE (3 IoCs)
  pid / Process:
  - 3032 Uninstall_NSIS.exe
  - 2636 Launch.exe
  - 2484 orangeinside.exe
- Loads dropped DLL (8 IoCs)
  pid / Process:
  - 2896 113f59a116435802d085bf18bac06953_JaffaCakes118.exe
  - 3032 Uninstall_NSIS.exe
  - 2896 113f59a116435802d085bf18bac06953_JaffaCakes118.exe
  - 2896 113f59a116435802d085bf18bac06953_JaffaCakes118.exe
  - 2896 113f59a116435802d085bf18bac06953_JaffaCakes118.exe
  - 2636 Launch.exe
  - 2484 orangeinside.exe
  - 2484 orangeinside.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  description / ioc / Process:
  - Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\orangeinside = "C:\\Users\\Admin\\AppData\\Roaming\\Orange\\OrangeInside\\one\\OrangeInside.exe" (113f59a116435802d085bf18bac06953_JaffaCakes118.exe)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  description / ioc / Process (all by 113f59a116435802d085bf18bac06953_JaffaCakes118.exe):
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\ = "Menu Orange IE"
  - Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
  - Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description / ioc / Process:
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (113f59a116435802d085bf18bac06953_JaffaCakes118.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Uninstall_NSIS.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Launch.exe)
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (orangeinside.exe)
- Modifies registry class (64 IoCs)
  description / ioc (Process for all 64 entries: 113f59a116435802d085bf18bac06953_JaffaCakes118.exe):
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MenuIEOrange.DLL
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\InprocServer32
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\TypeLib
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90A52F08-64AC-4DC6-9D7D-4516670275D3}\1.0\0
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C51F7E9-8542-4F25-A30F-2060157752E1}
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5A779DC0-837B-4590-AC42-C7C0847478C5}\InProcServer32\ = "C:\\Program Files (x86)\\Orange\\OrangeInstaller\\OrangeInstaller.ocx"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Orange.MenuIE\ = "OrangeMenu Object"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\ProgID\ = "Orange.MenuIE.1"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\Programmable
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Orange\\OrangeInside\\MenuOrange.dll"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38FB5F89-9641-413E-86EA-2F804A88762C}
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\OIShellExt
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{90A52F08-64AC-4DC6-9D7D-4516670275D3}
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Orange.MenuIE.1
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\InprocServer32\ThreadingModel = "apartment"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C51F7E9-8542-4F25-A30F-2060157752E1}\ = "IPub"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38FB5F89-9641-413E-86EA-2F804A88762C}\ = "OIShellExt Class"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C51F7E9-8542-4F25-A30F-2060157752E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\OIShellExt\ = "{38FB5F89-9641-413E-86EA-2F804A88762C}"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5A779DC0-837B-4590-AC42-C7C0847478C5}
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5A779DC0-837B-4590-AC42-C7C0847478C5}\InProcServer32
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5A779DC0-837B-4590-AC42-C7C0847478C5}\InProcServer32\ThreadingModel = "Apartment"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C51F7E9-8542-4F25-A30F-2060157752E1}\TypeLib\ = "{90A52F08-64AC-4DC6-9D7D-4516670275D3}"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38FB5F89-9641-413E-86EA-2F804A88762C}\InprocServer32\ThreadingModel = "Apartment"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\\{5A779DC0-837B-4590-AC42-C7C0847478C5}\\InProcServer32
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\OIShellExt\ = "{38FB5F89-9641-413E-86EA-2F804A88762C}"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Orange.MenuIE.1\CLSID\ = "{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90A52F08-64AC-4DC6-9D7D-4516670275D3}\1.0\FLAGS
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90A52F08-64AC-4DC6-9D7D-4516670275D3}\1.0\FLAGS\ = "0"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90A52F08-64AC-4DC6-9D7D-4516670275D3}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\Orange\\OrangeInside"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C51F7E9-8542-4F25-A30F-2060157752E1}\TypeLib
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A2257177-F633-4E14-91ED-3691968986C4}\ = "OIExt"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\OIShellExt\ = "{38FB5F89-9641-413E-86EA-2F804A88762C}"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Orange.MenuIE.1\ = "OrangeMenu Object"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\VersionIndependentProgID
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C51F7E9-8542-4F25-A30F-2060157752E1}\TypeLib
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C51F7E9-8542-4F25-A30F-2060157752E1}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C51F7E9-8542-4F25-A30F-2060157752E1}\TypeLib\ = "{90A52F08-64AC-4DC6-9D7D-4516670275D3}"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\TypeLib\ = "{90A52F08-64AC-4DC6-9D7D-4516670275D3}"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A2257177-F633-4E14-91ED-3691968986C4}
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Orange.MenuIE.1\CLSID
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\ProgID
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90A52F08-64AC-4DC6-9D7D-4516670275D3}
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\OIShellExt
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90A52F08-64AC-4DC6-9D7D-4516670275D3}\1.0\ = "Menu IE Orange"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90A52F08-64AC-4DC6-9D7D-4516670275D3}\1.0\HELPDIR
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\OIExt.DLL\AppID = "{A2257177-F633-4E14-91ED-3691968986C4}"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{38FB5F89-9641-413E-86EA-2F804A88762C}\InprocServer32
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\Background\shellex\ContextMenuHandlers\OIShellExt\ = "{38FB5F89-9641-413E-86EA-2F804A88762C}"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Orange.MenuIE
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{90A52F08-64AC-4DC6-9D7D-4516670275D3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Orange\\OrangeInside\\MenuOrange.dll"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5A779DC0-837B-4590-AC42-C7C0847478C5}\
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\\{5A779DC0-837B-4590-AC42-C7C0847478C5}
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\ = "OrangeMenu Object"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C51F7E9-8542-4F25-A30F-2060157752E1}\ProxyStubClsid32
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6C51F7E9-8542-4F25-A30F-2060157752E1}\TypeLib\Version = "1.0"
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6C51F7E9-8542-4F25-A30F-2060157752E1}\ = "IPub"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\OIShellExt
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Orange.MenuIE\CLSID\ = "{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}"
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Orange.MenuIE\CurVer
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}\VersionIndependentProgID\ = "Orange.MenuIE"
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid / Process:
  - 3032 Uninstall_NSIS.exe
  - 2636 Launch.exe
  - 2484 orangeinside.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  description / pid / Process / procid_target:
  - PID 2896 wrote to memory of 3032; pid 2896; 113f59a116435802d085bf18bac06953_JaffaCakes118.exe; procid_target 28 (7 entries)
  - PID 2896 wrote to memory of 2636; pid 2896; 113f59a116435802d085bf18bac06953_JaffaCakes118.exe; procid_target 29 (7 entries)
  - PID 2636 wrote to memory of 2484; pid 2636; Launch.exe; procid_target 30 (7 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\113f59a116435802d085bf18bac06953_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\113f59a116435802d085bf18bac06953_JaffaCakes118.exe"
   PID: 2896
   - Loads dropped DLL
   - Adds Run key to start application
   - Installs/modifies Browser Helper Object
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Roaming\Orange\OrangeInside\Uninstall_NSIS.exe
      Command line: C:\Users\Admin\AppData\Roaming\Orange\OrangeInside\Uninstall_NSIS.exe
      PID: 3032
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
   2. C:\Users\Admin\AppData\Roaming\Orange\OrangeInside\install\Launch.exe
      Command line: C:\Users\Admin\AppData\Roaming\Orange\OrangeInside\install\Launch.exe
      PID: 2636
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Orange\OrangeInside\one\orangeinside.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Orange\OrangeInside\one\orangeinside.exe"
         PID: 2484
         - Executes dropped EXE
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
  - Browser Extensions (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
Downloads
- Filesize: 81KB
  MD5: f87056b4ec385d68412d7a4f057d4293
  SHA1: 089e10226ca5845275f8dad9a52e52ce9d5c7be7
  SHA256: 41cf3d8d7cf69bf9e0edfe7e3962dd2b15cc11ab4d72a92af75d9f6291d215e9
  SHA512: f0954fff3a646f513c190f716169630bb94b6da356c12c5916cab271714e16e53bb3d7ff305a97584921d75ef8cb8d964afeba3f9a278622a3f3f6d9cc3c2484
- Filesize: 81KB
  MD5: c1a93925d9fc0c56d4ac20edc4b72c63
  SHA1: caba2a33983a0ea48fcbba92bef28a45dc34b05c
  SHA256: 8facd033a78ecaec8d99b042a2f704bdc4a6bd8d4ee808cc0b0735355ed476bb
  SHA512: f6ba6db75b2adbdb479bc2af3fcc270b36e674b39790ab6cfaebd0926b97d04bb99d419d16882042ca6da3548a775f43dcdde2dfb32780b1ac07300f4b831606
- Filesize: 130KB
  MD5: ea003b02904b3c61b52bcc037e166f71
  SHA1: effc5906a51aa2e2a569f111af1ccae289727c64
  SHA256: 1570ffd79d5d274dee81d12d55f0307c8ad2be261d59e7a9975f7f254494dacf
  SHA512: a8ec001870d837bb06593b0c8807786d9549a430f0cf029101b7e8cfec05002a4295dded9593f166319287aba7598d21bc4392f93219ac9eb68baa7f3b1fa740
- Filesize: 89B
  MD5: 3cdbebf5fba2bcd4e12d1552353b71c6
  SHA1: e5796c0ad3b66aff9d3b29b708aa867baec7aa1c
  SHA256: 4ece1b5f10f841214a6c517596027d8a9abea9635c9ff926a7b33d8a94dee34a
  SHA512: 22debe335d0ea23424fafced232456320f463753c2f11c582abe79b8fc5d49a6c1437ec94f4d86e014a657aab3b1151858c1cc053b3b5933828537385cd3bec0
- Filesize: 424KB
  MD5: 3897f074eecec053c828ae72f47066cb
  SHA1: ecc4c35bf73464e0f8c6ead599535cb6f1ff03c6
  SHA256: 98ae208fae21fa39cce9577fa3bad2883f9fd4c72ef570be500ec9ff24d4a2d3
  SHA512: 848009801b7bb4bff39206a6ae15ea3fba05113682497c921b03c4f560ff57b53165f0ed1bee034adf2f379f6f7a201960b97991c1fb32ef0bcffb25f90710a8
- Filesize: 299KB
  MD5: b5a18af1d832237fff838778d9437465
  SHA1: bb39cea2463749871ae5414cdaa32431245e38c2
  SHA256: cb85eddcb8935d98b8723de463e76ec3221f20ae50abc5957d16ad3dbc0a3b4d
  SHA512: 28d1d57ee7157c9c1925bae08232d9d6a4715c7f7e6248cda995e54c2d6d2aa18e656ab42ae4596160fff6b1d94a83e7784c0cff50ad42836322544e69dce18f
- Filesize: 186KB
  MD5: d597ec30e646421e6b1ec132de37b0a5
  SHA1: 72533f25c5adfe0cf0f73d928b7915c3fe9c46c9
  SHA256: 2cc91f9eb2946b2d19414ce4901668f25af5404eee717e50b179997dc80ab5b5
  SHA512: 332740d2c295e665f67f7f79cbe2130f1b473dadf8a522b2a3e46d1fd1585cd6f9fb35fcb9a13ce542eb7df14694716d5b22f16230d3ae3d97336fb0934a8a28
- Filesize: 149KB
  MD5: 987ff0f9aa813dcef7379a288762a3ba
  SHA1: 1fbc51fab095fbfeaa70987ba8d6720672af7bcf
  SHA256: f9d307793ae540de348a0ca87c77536d4074a998abc1842f33d9797ba58ee52b
  SHA512: f3d263ce13e171697f1b8c595e5f1323c4be3151708749ab6ec68f6eb6a61c0ab66e89b5d47464784776f66f6390d70cc22a52e3aa4b6e3c8191d94a7a767820
- Filesize: 838KB
  MD5: 40d0ee34ee4cbdea7e211c321986a13b
  SHA1: 11d119b8f55726d31214c9258e5eb80c40a3a915
  SHA256: 56371bc125d0d9e8dc8195c5c552a3e6f725a12a9cb4af7b951ae19c63cb3c43
  SHA512: 96a8fad96d92b6b366dd22020d5910e3f66e3a311ba2eaae3dac2e8f00e7e8373b17b38df27d0218e6018a22b741b0e91c75db1e89bb34e72211bb31b4dd3d27
- Filesize: 193KB
  MD5: ef5d5d2f7561199d6f3180412f8142f2
  SHA1: 66a53ed6629d7179c45464584de70ef81f82aed0
  SHA256: 1dc870fba5f9309088728c68127fa8d208841078db9aec53ce36e019bc353bfa
  SHA512: 189afa172b9e7c42bf304a62954afe0966a0d465f8c7a691ec142ccd82f71249bc1f06864acd919bfd54416497da1e1c90075301443d9e1b25b5b2c43dd01e72