dc8600c52c86559104730cf12a9ac7d1d7f9aacd50ca64045199b6db3c276ac3

Analysis

max time kernel
120s
max time network
127s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
05/10/2024, 00:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Size

190KB
MD5

156a08d24fbaa32b3b91ac5e5071c389
SHA1

6a3a222b14c5f759c4f778e3933ab1918189b851
SHA256

dc8600c52c86559104730cf12a9ac7d1d7f9aacd50ca64045199b6db3c276ac3
SHA512

7e9c75f7fb34e45994d1d061be453cd866ee4c028c6a1c23ea58b46e11dd6961a942dba934dbe81b8ee60a286ac9ffe9121422a121de9c77680c54064381723e
SSDEEP

3072:mjK/dnbCaI9/YYT/2qDcrePy7JRQxbnlOcaSXqK4Ftue9/SJKhdG3luhntgWm6aF:mjK/5CfRD2TeaVmmS6tuW/2BuxtiF

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434248794"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 009acad3ba16db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb00000000000200000000001066000000010000200000004cc5e021090201a463b2141172c14f90ff5e3a3315f5b8994582a19cd56d4b67000000000e80000000020000200000004a16806264cdfaab793e3117bcb187140f49894c8981666ce2d14b54fe8887bf2000000029351455210c5fc1db63268e06451a229c5858fccdfa336ef58ef1ea26c51f824000000018fa0f412383aff583590e276b6ac151c3090546aea1a6e160e427ab68096f9a037cd625c3543bbf7b25e56ba1e020c1462b16a2602320de41d4b479c19d5a69	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FD807CC1-82AD-11EF-A1CA-D22B03723C32} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e337bacba951544a9a832c52e69bfb0000000000020000000000106600000001000020000000f87cef6747b7d3843d818eb3128148939d246498db4714bbe5ed90e6f5aedbac000000000e800000000200002000000070b3b94f5eac98c174243f020ad03cefabc9389fdc01a9dccc2a370680b582fc90000000ef68257c15119915b5c85763dec26df321184eb3dd77a9b89580c3040317647213c05dbaefea2fb8ee64e4fcd2d392f16325f5674120b82d126331d54ec6b68c3bad0aa9a5cc18d6c74f71c8329730cd75ac797da68927c00a3ea636fd21dab336e86e54b2dfb5a22cfb686e3eb059fddb191a2091323c6175be759e24e070c9701806b0550f2c5e3576863da48464e4400000007a63e075dd368bdb329ea6d399e5edbb8afe12add1b32441f1e1682cbe79a2d14f6906793d43ba970f7d0d1259cb924de8ee88df364a1ab242584140455d4729	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80CFBE22-7CED-4A89-B601-AAD10F00C88A}\TypeLib\ = "{777A3083-06F7-4AD3-940E-82D5BAA2C5DA}"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A52FC39D-429C-4371-AFE7-07122D128B94}\Version	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68C01328-523A-48CE-A249-A5D057309121}	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68C01328-523A-48CE-A249-A5D057309121}	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EBF9144-C525-42FF-B499-C496C909FD83}\Version\ = "1.0"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\runapp.veMisc	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{777A3083-06F7-4AD3-940E-82D5BAA2C5DA}\1.0\0	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2BD2E3C-E05F-49D8-A0AC-A7DB58DED9B8}\TypeLib\ = "{777A3083-06F7-4AD3-940E-82D5BAA2C5DA}"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D7DA33DE-2392-4663-A99D-D4F13F7C7839}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D7DA33DE-2392-4663-A99D-D4F13F7C7839}\TypeLib	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE9E3A8C-FA3E-487D-81A8-DC26C1D113B9}\ = "IveApi"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EBF9144-C525-42FF-B499-C496C909FD83}\Version	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\runapp.veMisc\	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\runapp.veMisc\Clsid\ = "{80CFBE22-7CED-4A89-B601-AAD10F00C88A}"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{777A3083-06F7-4AD3-940E-82D5BAA2C5DA}\1.0\FLAGS\ = "0"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A52FC39D-429C-4371-AFE7-07122D128B94}\TypeLib	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\runapp.veFile\Clsid	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{125F2A7A-A23A-46AD-BE0B-50B1C7CE2CC7}\Version\ = "1.0"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A52FC39D-429C-4371-AFE7-07122D128B94}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68C01328-523A-48CE-A249-A5D057309121}\ = "IveMisc"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{68C01328-523A-48CE-A249-A5D057309121}\TypeLib\Version = "1.0"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2BD2E3C-E05F-49D8-A0AC-A7DB58DED9B8}	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2BD2E3C-E05F-49D8-A0AC-A7DB58DED9B8}\ProxyStubClsid32	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2BD2E3C-E05F-49D8-A0AC-A7DB58DED9B8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68C01328-523A-48CE-A249-A5D057309121}\TypeLib\ = "{777A3083-06F7-4AD3-940E-82D5BAA2C5DA}"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A52FC39D-429C-4371-AFE7-07122D128B94}\	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{777A3083-06F7-4AD3-940E-82D5BAA2C5DA}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{125F2A7A-A23A-46AD-BE0B-50B1C7CE2CC7}\ProgID\ = "runapp.veFile"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{777A3083-06F7-4AD3-940E-82D5BAA2C5DA}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68C01328-523A-48CE-A249-A5D057309121}\ = "IveMisc"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EBF9144-C525-42FF-B499-C496C909FD83}\ProgID	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80CFBE22-7CED-4A89-B601-AAD10F00C88A}\ProgID	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C2BD2E3C-E05F-49D8-A0AC-A7DB58DED9B8}\ = "IveFile"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D7DA33DE-2392-4663-A99D-D4F13F7C7839}	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE9E3A8C-FA3E-487D-81A8-DC26C1D113B9}\TypeLib\ = "{777A3083-06F7-4AD3-940E-82D5BAA2C5DA}"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2BD2E3C-E05F-49D8-A0AC-A7DB58DED9B8}\TypeLib\Version = "1.0"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D7DA33DE-2392-4663-A99D-D4F13F7C7839}\TypeLib	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D7DA33DE-2392-4663-A99D-D4F13F7C7839}\ = "IveApp"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D7DA33DE-2392-4663-A99D-D4F13F7C7839}\TypeLib\Version = "1.0"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE9E3A8C-FA3E-487D-81A8-DC26C1D113B9}\TypeLib\Version = "1.0"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\runapp.veMisc\Clsid	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{125F2A7A-A23A-46AD-BE0B-50B1C7CE2CC7}\ = "veObjects Object"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{777A3083-06F7-4AD3-940E-82D5BAA2C5DA}	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\runapp.veFile\ = "veObjects Object"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D7DA33DE-2392-4663-A99D-D4F13F7C7839}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68C01328-523A-48CE-A249-A5D057309121}\TypeLib\Version = "1.0"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE9E3A8C-FA3E-487D-81A8-DC26C1D113B9}	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\runapp.veApi\Clsid\ = "{9EBF9144-C525-42FF-B499-C496C909FD83}"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D7DA33DE-2392-4663-A99D-D4F13F7C7839}\ProxyStubClsid32	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{125F2A7A-A23A-46AD-BE0B-50B1C7CE2CC7}\Version	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{68C01328-523A-48CE-A249-A5D057309121}\TypeLib	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE9E3A8C-FA3E-487D-81A8-DC26C1D113B9}\ProxyStubClsid32	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EBF9144-C525-42FF-B499-C496C909FD83}\LocalServer32	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{80CFBE22-7CED-4A89-B601-AAD10F00C88A}\Version\ = "1.0"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A52FC39D-429C-4371-AFE7-07122D128B94}\TypeLib\ = "{777A3083-06F7-4AD3-940E-82D5BAA2C5DA}"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\runapp.veFile	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2BD2E3C-E05F-49D8-A0AC-A7DB58DED9B8}	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DE9E3A8C-FA3E-487D-81A8-DC26C1D113B9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE9E3A8C-FA3E-487D-81A8-DC26C1D113B9}\TypeLib	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EBF9144-C525-42FF-B499-C496C909FD83}\ProgID\ = "runapp.veApi"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{125F2A7A-A23A-46AD-BE0B-50B1C7CE2CC7}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\runapp.veFile\Clsid\ = "{125F2A7A-A23A-46AD-BE0B-50B1C7CE2CC7}"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D7DA33DE-2392-4663-A99D-D4F13F7C7839}\TypeLib\ = "{777A3083-06F7-4AD3-940E-82D5BAA2C5DA}"	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C2BD2E3C-E05F-49D8-A0AC-A7DB58DED9B8}\ProxyStubClsid32	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2156	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2156	iexplore.exe
2156	iexplore.exe
2412	IEXPLORE.EXE
2412	IEXPLORE.EXE
2412	IEXPLORE.EXE
2412	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2156	2152	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe	28
PID 2152 wrote to memory of 2156	2152	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe	28
PID 2152 wrote to memory of 2156	2152	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe	28
PID 2152 wrote to memory of 2156	2152	156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe	28
PID 2156 wrote to memory of 2412	2156	iexplore.exe	29
PID 2156 wrote to memory of 2412	2156	iexplore.exe	29
PID 2156 wrote to memory of 2412	2156	iexplore.exe	29
PID 2156 wrote to memory of 2412	2156	iexplore.exe	29

C:\Users\Admin\AppData\Local\Temp\156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\156a08d24fbaa32b3b91ac5e5071c389_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://galleries.pinballpublishernetwork.com/86429ac7be/854291c5be1d/index.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
680c1782b42cc0921c3121842f57df3b

SHA1
ce402d2b1669ad2d3ea0a8f56fdab793493fcad2

SHA256
7c1a2647a6532ea56e13ca07a3c8fbf2d359e38b2f99d9036448b0cc67ae12d6

SHA512
3c3218d12cb4563937c535d3dfdb5b2caaaecd020c8ddb5bfabe36d356da2683cd791de01859a99d2045310b673028eda2933c06281af65a8d67c467ddd729bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cb938dde3898c962ab66b1afd25a078

SHA1
efe87f6f408d60044c05f337e2be33661c723517

SHA256
c9923d9a5666f606d7381f116e7e22ed5df5e82829205d3a1e9754b45a40ef9f

SHA512
0c4ea5fab5e89a724b4cf0ac8da24fd2e37c6c7cfdb07c585c74b29e1fde8b49366d9d849cc1e41fe9eb758d52b00c5504a907513f23a4d213e4c4574bc7bd2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3037964075b559a869b4336592ce7e9

SHA1
93a6f261123b77d4a2a960f8aa959c8f97f453c5

SHA256
9e11f0ce01ca618fa0b9c3c713c8e2a89778d326f56064f6f0086c09b05f6bb3

SHA512
e9a498e710a77312ddf2df0388c87bc2a454a899bb8d7b2e3365889bb4b962485e6639a3d994de2af37d67013bfc8cb2877a38e667581cfd33b3b8e56efc2c1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e4f5660cc8a8d3e37f726f282fec786

SHA1
1e843f85d4cc185128d5677ab59af0fd02d6bd60

SHA256
24b6b21cac8c5f7c9ebee1d1866c141fdca27ef6894cacaf554345da474e6d81

SHA512
bb55d56707ca1aa46f51abbbd13fa5feccd4fa75f7c995342f84961ef1c7fc032f7cfd00390ebaa5877f49b6d21f7723291650232b6b1128746d886c05bb9fda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7eddc1150628442441f206ad58028359

SHA1
fe319a5101a8fac8ebbc7b60f879761fb62932b7

SHA256
651e2035f96046579a0c38cb3a842dacb63b29f420ed85099fb7bcadb684c9f5

SHA512
c2fb5a276292ff9a5019aac2d747abbcf0307fc890574ed17969c5b547feeb7cb6ea170ed03d972e16bc6e97ef6eb3437e1280a3f8b47fc296fca209a5be5d8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dc5f547968e6dfdfe777ca9849d065e

SHA1
afb471408614785288435f81fea43743cd93b60f

SHA256
4eda5f519edca5d67ca3b5812221522c33190437e786a38cc36af6347882dac1

SHA512
ed6055da9a843b73dffb8ccf86999650c8fbcae7a9ab587cb26a3dc7008daa885dee44953988fe62ac2e8089527d59a66c69334196dd3e37bc4a09f6cdb1d2d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
592af97dfa5f21a0efc49fd1eac9268c

SHA1
5f7be115d99968aecd2dcb3a89668cf6d0f4eb78

SHA256
d00a93303e1eb123a1c940625aa5521400d51ad0a00bb603dc3e7e1d7b72069f

SHA512
6a75d110b287d5860d8c12ee85706398591e89b3b839df28131406b00e20ee4a3ef805fd9dc10b7f74c6cfba45bbd489f39721582b6e25d7f7cef24ef5d39d53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8a64747d1e3645931840ecf88ba6cde

SHA1
f240e05dcedf53ea1294dfe2a8d33af707e96b29

SHA256
bb73c4ea1a7678b7972097aa85fd90958ff8c329e3c6204e7c33e36feb934364

SHA512
ee3fedfc4f45bee1d629ce36c9988ee1b63e30137d7b84b714e7110d04f4bdab4c6d0321356d4f4f94ac9996e9eb55cea81f627e2ef620e31d990108030e11c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
add90a5b4a392c62632d11251896fe28

SHA1
237be19705af782dc30499febbdcc8d9dfe9036f

SHA256
f83ac8712a749d56ccedca08935c08338767d4a0abdbf2d695b6c960114256d3

SHA512
86f40970fcc17e8414b1408fb0e87899e9f2920db02a8417f1cb914b7302b0cea2cb3bf0f6f2bbb09b8746f4bdb894d682d56d9d1b7a09592665f0a447b17121

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dceae33c9a415f87c6a961146f0fbfd0

SHA1
e22da1626e7b7aaadedbee5d4ba24ec5a5d3c858

SHA256
20f0dc036832a158717a7383f8728a449301f89a830997beb8a1d98f7303764f

SHA512
dfb91be7cbc6b8d252e6c934373b3dc4e350cac2eee2a0b0170c4cd3acd2b6c228e88ff3c2768c7daa2de5802dcd3f0f7027cadecb3a61ccf0e03ea0076d9d16

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d42a7b30aae0e5ff61b74f4ac9485cad

SHA1
db19e1fca78f468582bf7135a32ae08cf6e08376

SHA256
acdcd1e2741127c3d54d748aff9e0277629e9254656bdca8cdadb3f03b731f65

SHA512
bdc0d643bf0fb8ecf38be13e97c2d05c4148e7a73f24770196dc5fe3a1817f5fd8bb0a35d069093165ad00773f11e6b129684b7ada17a7997cb35d38fc0a122a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72e84bbf0a8b65b048bef8b48ba5b398

SHA1
5df2a20065c6b9cc07d2eb7695fa16e98349b71b

SHA256
4d9e32363e200f8099e6838b9ed5ff4721bc2341e47b6d22387b19a77b2b32ee

SHA512
fb33a356073a61487dad07d26b6fe310ffe04e4993d61d57288a5cd5185ce25047847bcd7d791586681b517382c08e0172f6542d9d6d773354258008d8b4b448

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6505f984d9a67f9500e9fbbf8f6c646

SHA1
5087f9234f3b5d32df0aef7afab801f72886099d

SHA256
e3603ac6d4e39f3df7efc585f333828091b562bfcf103cd0a95f7f57593e09de

SHA512
8fa36b9806edb25e1af71e4d1ed462dfed2aeb683446dd8585d505d772f4b23b83dd5c25b27cb607076fb0e142677b415f44d69201ea3f8f04e9c898d3780be1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a73070780cd1c975c1b2941862cae9e

SHA1
9a1adf023436a1bc461fa401fe8bd58ffcf2b19f

SHA256
ac47d2bc7d4d0407fe30e7b3410d2c181029dbd89a6d005bf2db752c661071ff

SHA512
fe74a8ad5053f19e2de8329eddeab82d50a656f3d54ea30b309e112706d13f2ce653bfb25135aa98eabb59e58c6f5f71ca13ed5c7eb00cc22c2c6314e4e6dda1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7684aaa413233da4b19bccce3a65a65b

SHA1
a7919647d2804a93a9eb2f1ef3676f935018e05e

SHA256
ee363d110eb3c694e08c11bd2fb4954c4dc1a1f1eb771246c5233f1cfd1e05f3

SHA512
66da9902c9379dc80d2b797b21e871aa1530cd18412d8d7c3b1d4060c3fe4c700f7fc10bd99434cc1bdff76294bcbb02b320d16e752cb5ea4ee09dbf5e2c5621

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a128225375d013eb1e7d38954035dc7

SHA1
f0f87bc4f08382736e5519c5eb90543f215aadc1

SHA256
509d28de4bd4dc2cb569d0ac74fb92462de808afbe7cdf389eef0702e0c96c50

SHA512
42f18c236ea1724836330df286c3ded93b12979889eebaa7ed075f0a041bec5b39ccecc3dcfaa587fb8fb37e10b4f2d6620c0664f3ea3c2065f5f1464ac56476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83aba529059227a66e7ce6eb6e11a2ba

SHA1
c97bcf6fc82f69c7d88fad3dbf0d217a4722a264

SHA256
3fe49fe10d560a768a794fe44f33e7ebe9a50d1c3bc4795daf900396f45b9732

SHA512
a044b8cc304729f04ddd9944a1eac7922f1b4e838371482a7e23b8bb879a57ee609c83ff65af8eaeb4283808b3260983cea406b39e43396f1fd37780ea1fb9d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2a9581ba957c1ad84e29e07c3a2d9af

SHA1
ed4c6f4207afd80eb2d9ec18bf5e3b9a558cc545

SHA256
47e83a9ebcb986779b9473c447c2c240823dd0dc7291cf003abb8d099d743a9b

SHA512
e43149dfc844895e5cc3707f5672100523a39ad92c13dba32bc2acce57495983fa790aabcb2882b84dfc06b5e43f13117e9d7a810c7bb499230b21f0e9e58178

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38975d5a384c46a3644712bd23b7cb8b

SHA1
75429723a6d42eb62f6aa7d095c90bd73cdb5816

SHA256
66770bf53a2561a94bebf6d9963022e7d34bf5dc950b01b548eca427683fcb44

SHA512
dae117b7a680cd2c9a5cef17fe22fb04ddbcbd056ed9890c45cbbde693d4999673e86a27d15ecb7a05c08df9e49578c5f3be9ffe9282192e11d1b7dbd7f95eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAFF1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB081.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2152-6-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2152-0-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2152-1-0x0000000000400000-0x00000000004B4000-memory.dmp

Filesize
720KB

Download
memory/2152-2-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2152-3-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download