af6bbab59c56d5088f97e2bc417100a0c0081d6e40020b5db342df47b60ffdd3

Analysis

max time kernel
149s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-10-2024 23:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
Size

4.9MB
MD5

2759fc3e04ec20fddaa801c3ed9f402f
SHA1

39027ba18c138ce47223fb4c5804593593af1e95
SHA256

af6bbab59c56d5088f97e2bc417100a0c0081d6e40020b5db342df47b60ffdd3
SHA512

ff3cd5f8e72607a6aceb41e64945c65d88105643c5bd4fe51cd1657908b5a86f5d6f93dd91b606a004afd82d7a1f7cebfe760ada8dba5d4277617cf3e048a0ef
SSDEEP

98304:AVMyTpUxdICi112FZLLhIScRnOp+ONsizbKTW8rfXaq:AV/9Ie31C5IJcp/NnyKq

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1436	nsE4B5.tmp
4572	7za.exe
1548	WackyBirdHunter.exe

Loads dropped DLL 64 IoCs

pid	Process
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Wacky Bird Hunter\eula.rtf	7za.exe
File created	C:\Program Files (x86)\Wacky Bird Hunter\eula.txt	7za.exe
File opened for modification	C:\Program Files (x86)\Wacky Bird Hunter\aminstall.dll	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wacky Bird Hunter\WackyBirdHunter.exe:{964FC97A-1EFE-A44D-6745-C45C3232E896}	WackyBirdHunter.exe
File created	C:\Program Files (x86)\Wacky Bird Hunter\7za.exe	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wacky Bird Hunter\WackyBird.lvl	7za.exe
File opened for modification	C:\Program Files (x86)\Wacky Bird Hunter\WackyBird.lvl	7za.exe
File created	C:\Program Files (x86)\Wacky Bird Hunter\Readme.rtf	7za.exe
File created	C:\Program Files (x86)\Wacky Bird Hunter\Readme.txt	7za.exe
File created	C:\Program Files (x86)\Wacky Bird Hunter\WackyBirdHunter.exe	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wacky Bird Hunter\Uninstall.exe	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wacky Bird Hunter\data-01.7z	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Wacky Bird Hunter\Readme.rtf	7za.exe
File opened for modification	C:\Program Files (x86)\Wacky Bird Hunter\eula.txt	7za.exe
File opened for modification	C:\Program Files (x86)\Wacky Bird Hunter\Readme.txt	7za.exe
File opened for modification	C:\Program Files (x86)\Wacky Bird Hunter\WackyBirdHunter.exe:{964FC97A-1EFE-A44D-6745-C45C3232E896}	WackyBirdHunter.exe
File opened for modification	C:\Program Files (x86)\Wacky Bird Hunter\7za.exe	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Wacky Bird Hunter\data-01.7z	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wacky Bird Hunter\eula.rtf	7za.exe
File opened for modification	C:\Program Files (x86)\Wacky Bird Hunter\WackyBirdHunter.exe	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wacky Bird Hunter\aminstall.dll	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Wacky Bird Hunter\install.log	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nsE4B5.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7za.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WackyBirdHunter.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe

Modifies registry class 52 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEF5F861-6AC5-7651-C90D-E54C33DB4075}\Implemented Categories\{5B592E69-7E55-ACAC-3DD5-982FEDBF0AA5}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7EE3F7-2ABF-CE25-597E-1E39FA3C2C13}\Implemented Categories	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E16B740-80F2-7BE3-9DA4-E2E59F112505}	WackyBirdHunter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E16B740-80F2-7BE3-9DA4-E2E59F112505}\InProcServer32\ThreadingModel = "Free"	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8F96F4E-4270-603F-AD14-87520E2F7E46}\Implemented Categories	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEF5F861-6AC5-7651-C90D-E54C33DB4075}\Implemented Categories	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEF5F861-6AC5-7651-C90D-E54C33DB4075}\Implemented Categories\{5956FC69-87CF-78F6-0912-18E45D457878}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEF5F861-6AC5-7651-C90D-E54C33DB4075}\InProcServer32	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEF5F861-6AC5-7651-C90D-E54C33DB4075}\Implemented Categories\{5A98DBC4-CE11-60E6-443A-255C4300348D}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E16B740-80F2-7BE3-9DA4-E2E59F112505}\InProcServer32	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E16B740-80F2-7BE3-9DA4-E2E59F112505}\Implemented Categories\{6E72B7FA-FFB1-1D94-00FC-027E9090DF6B}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E16B740-80F2-7BE3-9DA4-E2E59F112505}\Implemented Categories\{6ADD4B43-5BC9-AEEC-C3B4-BBA3CA295F7D}	WackyBirdHunter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8F96F4E-4270-603F-AD14-87520E2F7E46}\ = "Typed Data Thumbnail Handler"	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8F96F4E-4270-603F-AD14-87520E2F7E46}\Implemented Categories\{4C16523C-9D6A-2340-2061-7B46745074FC}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEF5F861-6AC5-7651-C90D-E54C33DB4075}\Implemented Categories\{5DDA11CF-CE63-0B78-DB37-DD74542F59B3}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7EE3F7-2ABF-CE25-597E-1E39FA3C2C13}\Implemented Categories\{5BC1D220-DCA5-6A6C-CB27-FD625A4F82AB}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7EE3F7-2ABF-CE25-597E-1E39FA3C2C13}\Implemented Categories\{588C3F1E-4CD4-5CE1-6EC6-0162E4AA2B34}	WackyBirdHunter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E16B740-80F2-7BE3-9DA4-E2E59F112505}\InProcServer32\ = "%systemroot%\\SysWow64\\oobe\\SetupCleanupTask.dll"	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E16B740-80F2-7BE3-9DA4-E2E59F112505}\Implemented Categories\{6903BE44-A39B-5181-BBE1-51085F530C05}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8F96F4E-4270-603F-AD14-87520E2F7E46}\Implemented Categories\{4E2370B5-CD49-38F9-8955-357F57233570}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8F96F4E-4270-603F-AD14-87520E2F7E46}\Implemented Categories\{48CB03D1-8A16-0FA0-EDD7-88B362EA9543}	WackyBirdHunter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEF5F861-6AC5-7651-C90D-E54C33DB4075}\InProcServer32\ThreadingModel = "Apartment"	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7EE3F7-2ABF-CE25-597E-1E39FA3C2C13}\Implemented Categories\{5EF17278-9812-4C13-D397-80ADEE736565}	WackyBirdHunter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7EE3F7-2ABF-CE25-597E-1E39FA3C2C13}\ = "Typed Data Thumbnail Handler"	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7EE3F7-2ABF-CE25-597E-1E39FA3C2C13}\Implemented Categories\{5AFFEC78-97B7-5E8E-2B39-3A822A361FB7}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7EE3F7-2ABF-CE25-597E-1E39FA3C2C13}\Implemented Categories\{59C0F93C-005C-B3D9-7378-4B960458316C}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E16B740-80F2-7BE3-9DA4-E2E59F112505}\Implemented Categories	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E16B740-80F2-7BE3-9DA4-E2E59F112505}\Implemented Categories\{68484B46-14F1-6317-3897-3F9C63611789}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEF5F861-6AC5-7651-C90D-E54C33DB4075}\Implemented Categories\{5873656F-3A17-8BAC-9EBA-08E9C0CA7052}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7EE3F7-2ABF-CE25-597E-1E39FA3C2C13}\InProcServer32	WackyBirdHunter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7EE3F7-2ABF-CE25-597E-1E39FA3C2C13}\InProcServer32\ThreadingModel = "Apartment"	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8F96F4E-4270-603F-AD14-87520E2F7E46}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8F96F4E-4270-603F-AD14-87520E2F7E46}\Implemented Categories\{4DA9BB96-3570-ADF1-3013-32F2489F8AB0}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEF5F861-6AC5-7651-C90D-E54C33DB4075}\Implemented Categories\{5CE08D7B-100B-D8F9-7009-BFA7CF573171}	WackyBirdHunter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8F96F4E-4270-603F-AD14-87520E2F7E46}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll"	WackyBirdHunter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8F96F4E-4270-603F-AD14-87520E2F7E46}\InProcServer32\ThreadingModel = "Apartment"	WackyBirdHunter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEF5F861-6AC5-7651-C90D-E54C33DB4075}\ = "Typed Data Thumbnail Handler"	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEF5F861-6AC5-7651-C90D-E54C33DB4075}\Implemented Categories\{5E8DBF3B-895D-F0F8-3CE9-8B2660013BCF}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7EE3F7-2ABF-CE25-597E-1E39FA3C2C13}\Implemented Categories\{5C031EE6-B2FF-C16F-6335-65A30F92C7D6}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7EE3F7-2ABF-CE25-597E-1E39FA3C2C13}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E16B740-80F2-7BE3-9DA4-E2E59F112505}\Implemented Categories\{6C17BEDF-C4A2-7DB2-F918-655CEF483C84}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E16B740-80F2-7BE3-9DA4-E2E59F112505}\Implemented Categories\{6DB47D55-F0AB-C319-01D3-B3F9771A18C6}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E16B740-80F2-7BE3-9DA4-E2E59F112505}\Implemented Categories\{6F50D5E5-3A15-3711-5D34-92219E64068A}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8F96F4E-4270-603F-AD14-87520E2F7E46}\InProcServer32	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8F96F4E-4270-603F-AD14-87520E2F7E46}\Implemented Categories\{4BC31CEB-FED6-3701-9343-681C9ED19036}	WackyBirdHunter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7EE3F7-2ABF-CE25-597E-1E39FA3C2C13}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll"	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7EE3F7-2ABF-CE25-597E-1E39FA3C2C13}\Implemented Categories\{5FB3223C-03BF-8745-8B39-E4727F779D76}	WackyBirdHunter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E16B740-80F2-7BE3-9DA4-E2E59F112505}\ = "Setup Cleanup Task"	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8F96F4E-4270-603F-AD14-87520E2F7E46}\Implemented Categories\{4F9C8EC8-695F-0B05-E809-8D8879617691}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F8F96F4E-4270-603F-AD14-87520E2F7E46}\Implemented Categories\{4A9DD3B5-BAD2-8576-0EA9-BD58BEC7C63B}	WackyBirdHunter.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEF5F861-6AC5-7651-C90D-E54C33DB4075}	WackyBirdHunter.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CEF5F861-6AC5-7651-C90D-E54C33DB4075}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shell32.dll"	WackyBirdHunter.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Wacky Bird Hunter\WackyBirdHunter.exe:{964FC97A-1EFE-A44D-6745-C45C3232E896}	WackyBirdHunter.exe
File created	C:\Program Files (x86)\Wacky Bird Hunter\WackyBirdHunter.exe:{964FC97A-1EFE-A44D-6745-C45C3232E896}	WackyBirdHunter.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1548	WackyBirdHunter.exe
1548	WackyBirdHunter.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 1436	2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe	86
PID 2648 wrote to memory of 1436	2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe	86
PID 2648 wrote to memory of 1436	2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe	86
PID 1436 wrote to memory of 4572	1436	nsE4B5.tmp	88
PID 1436 wrote to memory of 4572	1436	nsE4B5.tmp	88
PID 1436 wrote to memory of 4572	1436	nsE4B5.tmp	88
PID 2648 wrote to memory of 1548	2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe	90
PID 2648 wrote to memory of 1548	2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe	90
PID 2648 wrote to memory of 1548	2648	2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe	90

C:\Users\Admin\AppData\Local\Temp\2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2759fc3e04ec20fddaa801c3ed9f402f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\nsh98C6.tmp\nsE4B5.tmp
  "C:\Users\Admin\AppData\Local\Temp\nsh98C6.tmp\nsE4B5.tmp" "C:\Program Files (x86)\Wacky Bird Hunter\7za.exe" x "C:\Program Files (x86)\Wacky Bird Hunter\data-01.7z" -y "-oC:\Program Files (x86)\Wacky Bird Hunter\" "*" -r
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Program Files (x86)\Wacky Bird Hunter\7za.exe
    "C:\Program Files (x86)\Wacky Bird Hunter\7za.exe" x "C:\Program Files (x86)\Wacky Bird Hunter\data-01.7z" -y "-oC:\Program Files (x86)\Wacky Bird Hunter\" "*" -r
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4572
- C:\Program Files (x86)\Wacky Bird Hunter\WackyBirdHunter.exe
  "C:\Program Files (x86)\Wacky Bird Hunter\WackyBirdHunter.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Wacky Bird Hunter\7za.exe

Filesize
460KB

MD5
632f81520aeef635c2e86a7ebd032131

SHA1
fdc663954b7926f90f0626801c3eb821f91d9e42

SHA256
dfa9dc10c2e18009cba21d219ff6792b908b5a3c0946bac162265b461c02d6be

SHA512
b30abe7f17561da6083f00791b5d1f0607fbc030c5dc496c1cdd1271bf1036c74f778cc7d29fd93d70ca5e149988b8e87b63e9f6fdc68440179495dce4c36007

Download Submit
C:\Program Files (x86)\Wacky Bird Hunter\WackyBirdHunter.exe

Filesize
4.6MB

MD5
8e3b1281bc806c281fc19c16150fc636

SHA1
3f40dc0bd951dc01a57fed47308884b42e707804

SHA256
04a39bb1801482b3d212b39c95f1d5cb43b08029d9d4132dc33d3c3172972ff9

SHA512
b86dd4452497ed690a1cfe4d6042badb5485534703306d2b83602fe19e4162300599122e87599b0cea75bf90863ec041268b9b9e0bbe0b9d85f591b280d4be4d

Download Submit
C:\Program Files (x86)\Wacky Bird Hunter\aminstall.dll

Filesize
76KB

MD5
1355477b5c55c14e7e9afbcd85b9f90c

SHA1
ec698ea604194fe4c4563d289f176ebbee84188e

SHA256
70275894c9fa5286b344add663882434216caf45b101584e6755ca297e1b2a22

SHA512
f3b37e5b099485f7fa9575408f81710f49c9309aa02c6ddd4ac2afdc9942d2c321f187be64cd00a1f883e45af4b6bbd3c1d5145abe939e81c1282d5c1eaa9776

Download Submit
C:\Program Files (x86)\Wacky Bird Hunter\data-01.7z

Filesize
6KB

MD5
83bb5287cb9405e2fa47e1e5606da800

SHA1
8e931389d2498d829bd435f000d7cf7cf2056649

SHA256
8c7cbc2855a1801d0ce6bba6b432ba413ddd6d5b6dcc0b06f443bec5ed85a811

SHA512
cb34cd8fae157c4ab16541473cf3714e649a3bb46f658162a661348e87163bf296d52d907d90cb9874af95e82e59f150aa6f6fb1cb763ade2da3d59b98c50e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh98C6.tmp\BgImage.dll

Filesize
7KB

MD5
a3f29d638d38fa62fbc099353631c25e

SHA1
30fd4b815b925e1cf94015bc1e0a8f1101660e0b

SHA256
0ccabc3733a75c5b7e0d2b6dd9fd2ba5712dbce823424187d89b719d830ae570

SHA512
ca4dda8368b01b356a9f1ddf190b31a07547bb4e04ec08d13beaaf919b6b97ecfb343d559a7b714bcbd64848eaefb81f01c6dbdd5e1058e25305727bff969170

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh98C6.tmp\InstallOptions.dll

Filesize
12KB

MD5
3c19f79ce11facc2fc4d3351dbb263e0

SHA1
17f4bf4b18ea7700f70ac7d825dc997be0d25f71

SHA256
cfaba712ad640ce2b4890005ffcf03ed9e2a18a6cf9075295f3aaea1478896b9

SHA512
05c9ac861e4fed610171fcb5fad40abc30cbf90e9c7cb13c758f52cdff568af0fdd6af968db4fb143a748c77f21c353c7cffea28cbcbd2ad17157038ab490273

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh98C6.tmp\System.dll

Filesize
10KB

MD5
725145e8caa39635cab9899c47c72eda

SHA1
30478c907551bd920bf359638b091fc5c10b5a53

SHA256
1759e4f7777fb8c9ed356a7d4dc237a90e0760061685d44ea02d40ca9e359ceb

SHA512
de31286ea10321f762a3b6e7c6c82177d5b6f45a82adc936fcbbc23105708cbbbec903ba94ba94e7723e80f1828393e5395ef575b37136b19de7535e74e24547

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh98C6.tmp\UserInfo.dll

Filesize
4KB

MD5
1178db8f35343834993d79887aa12350

SHA1
dab6309d66b84b6656c12c83aa8506f1c10b5e09

SHA256
6f64f1311a633ce83abd6f9e08dea53ba8836fb7239f889a7a74e80d70f48b87

SHA512
45196d63701037bcf55e0801f6d027844037cc799dbc847be579a04db0bb522e4c7c85b89a7ad15a5b0cf4d7d9d306fa3a36515bc554dde9cf1e82fbff0ad24d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh98C6.tmp\cpudesc.dll

Filesize
4KB

MD5
d25102051b33f61c9f7fb564a4556219

SHA1
c683964c11d5175171bd009cb08f87592c923f85

SHA256
e58e5d1d8da2ea526d0d754b4faad3773021166b0720723efb7b30f1f5075398

SHA512
8828eec31926251d7e51b5bf1050c3519c9b7fca4f978fb6ee0bf18f9642c3460687f10ff79e5892100ecadbf49725711567c348e1dfccb3644bd9ef992a92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh98C6.tmp\ioSpecial.ini

Filesize
763B

MD5
0b1ff67dc8c3c3e40b0dce60e57c37e7

SHA1
0e178e3b3d740c020ac41f7c501140a36ac4e0b5

SHA256
6dd814e97db25f1f7ab87d1d97417c0eecee1642e6b84d2e3b38cf7e0532f541

SHA512
1d0ca75e22e3e93204fbc35c482b180202ac429084b66bf859a523faa4afb91aada7a1d2004999bfa4a0dcaf635e3aa3f1aff65fcf5f31ff7ec53c78f23d64c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh98C6.tmp\ioSpecial.ini

Filesize
702B

MD5
37fb669e93a7772b2f6ff7aab3a78131

SHA1
38f91405b20c01c25d1a66b9c90042feb30e1eeb

SHA256
57ed7474fbaef679d4504f9b94903de78b15c96e1aadd367fcbbe3daa7ebc2cd

SHA512
29fb1d96e898be2470cb9d400e8c37181d23cfc8a88876eefe0da06d77d20b00415283836aecf758b95b912b82b64997e3283b965d54ebcc3393bcaffd630d71

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh98C6.tmp\nsE4B5.tmp

Filesize
6KB

MD5
17ae02eccba09107ef3fe5461025bad7

SHA1
db4a903dff43320cc656e549653bb4687362ff2e

SHA256
7a015572ef90a52331b1a2f56970b350a9b7b60539a9fab6efd3b4acc4bdabaa

SHA512
99bdba7f5f8937144f4c91eb1b9ba818791e022076a5aa9c6d277d71bf16dcd983832fab492a2645c949f9dd4291c551997b9842b721339ff1ef2e4a9c6c0787

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh98C6.tmp\nsExec.dll

Filesize
6KB

MD5
05d80bc376fef439fb7d2dbb004aa662

SHA1
e83904b91cee7a9b93ed84591bdcf2bb700edd88

SHA256
c49f3d805e87f6df15dc0410770dcec4df09f73b20f6d88b44f55223da64c96c

SHA512
87b9e1ee7382654d3568dd0a0e59d3f2175372358b4f815e4f42657b79fd3f852203cdf26a73606f1b5d4ec9daa3d4d61952eaf494cf9bb00036741ac6b3fac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh98C6.tmp\nsisdt.dll

Filesize
5KB

MD5
df4795dfabe3bc9278a73d496cc4b40d

SHA1
2648ded47e29ecf3e1a1cc20c631e83caf566897

SHA256
2261027077f23c8dba6b72af28862832aaa059740d0f5634b46cabb14326dd10

SHA512
013d9712c3d699a7f41ab3e55931c9abb421fb2eda3542da5a4831ad2f073a1b0643120cc78147db0bfcd01df98ade3045ecb2f1e252fff1dc40be845e5ae303

Download Submit
memory/1548-631-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-632-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-601-0x00000000010A0000-0x00000000010A1000-memory.dmp

Filesize
4KB

Download
memory/1548-600-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/1548-603-0x00000000010C0000-0x00000000010C2000-memory.dmp

Filesize
8KB

Download
memory/1548-604-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-606-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-609-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-610-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-611-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-605-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-614-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-616-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-618-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-619-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-617-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-615-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-613-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-607-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-620-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-622-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-621-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-623-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-627-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-599-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-628-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-630-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-634-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-636-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-635-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-633-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-602-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/1548-629-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-626-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-625-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-637-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-638-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-639-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-642-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-640-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-643-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-644-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-646-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-648-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-650-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-653-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-652-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-654-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-659-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-660-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-661-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-657-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-656-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-658-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-651-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-649-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-647-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-645-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-641-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-663-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/1548-1666-0x0000000000400000-0x0000000000C75000-memory.dmp

Filesize
8.5MB

Download
memory/2648-167-0x0000000003040000-0x0000000003056000-memory.dmp

Filesize
88KB

Download