Analysis
max time kernel: 123s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 08-10-2024 20:47
Static task: static1
Behavioral tasks (task: sample / resource):
behavioral1: 253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe / win7-20240903-en
behavioral2: 253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe / win10v2004-20241007-en
behavioral3: $PLUGINSDIR/System.dll / win7-20240708-en
behavioral4: $PLUGINSDIR/System.dll / win10v2004-20241007-en
behavioral5: $PLUGINSDIR/aminsis.dll / win7-20240903-en
behavioral6: $PLUGINSDIR/aminsis.dll / win10v2004-20241007-en
behavioral7: ffTrustMediaViewerV1alpha3942chaction.js / win7-20240903-en
behavioral8: ffTrustMediaViewerV1alpha3942chaction.js / win10v2004-20241007-en
behavioral9: ff/chrome/content/ffTrustMediaViewerV1alpha3942.js / win7-20240903-en
behavioral10: ff/chrome/content/ffTrustMediaViewerV1alpha3942.js / win10v2004-20241007-en
behavioral11: ff/chrome/content/ffTrustMediaViewerV1alpha3942ffaction.js / win7-20240903-en
behavioral12: ff/chrome/content/ffTrustMediaViewerV1alpha3942ffaction.js / win10v2004-20241007-en
behavioral13: ie/TrustMediaViewerV1alpha3942.dll / win7-20240729-en
behavioral14: ie/TrustMediaViewerV1alpha3942.dll / win10v2004-20241007-en
behavioral15: ie/TrustMediaViewerV1alpha3942x64.dll / win7-20240704-en
behavioral16: ie/TrustMediaViewerV1alpha3942x64.dll / win10v2004-20241007-en
behavioral17: uninstall.exe / win7-20240903-en
behavioral18: uninstall.exe / win10v2004-20241007-en
behavioral19: $PLUGINSDIR/System.dll / win7-20240708-en
behavioral20: $PLUGINSDIR/System.dll / win10v2004-20241007-en
behavioral21: $PLUGINSDIR/aminsis.dll / win7-20240903-en
behavioral22: $PLUGINSDIR/aminsis.dll / win10v2004-20241007-en
General
Target: 253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe
Size: 689KB
MD5: 253c83103a7de1cb893f1aa63babc05a
SHA1: 2835a87d754489ed17ef7575dc0d06b91f38abcf
SHA256: 0cc49cea4423f5d35e9297c3f24c0131924e19dd9dad425019fbc89349b2dd4c
SHA512: 69f51f0a93e0a868fd3becc6c11a8a315174d1be9b160ab302abd3a42f27b29a45a9ee1d3137a519c6a01d3b4a737ececef20ac126c4b60431ddeebe09759178
SSDEEP: 12288:l3LhOb5FG4G4Y7jeKuVnvon+N83LwwiAn6KkM33nxDkjeKuV2v9b+N84LwwiHn6+:l3Ab/G4G37tUnvone83Z76bMHxgtU2v7
Malware Config
Signatures
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Loads dropped DLL 5 IoCs
pid | Process
1352 | 253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe
2896 | regsvr32.exe
1352 | 253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe
2104 | regsvr32.exe
2704 | regsvr32.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Installs/modifies Browser Helper Object 2 TTPs 6 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{920a45de-5570-44c1-9e34-d2798e95e80c} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{920a45de-5570-44c1-9e34-d2798e95e80c}\ = "TrustMediaViewerV1alpha3942" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{920a45de-5570-44c1-9e34-d2798e95e80c}\NoExplorer = "1" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{920a45de-5570-44c1-9e34-d2798e95e80c} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{920a45de-5570-44c1-9e34-d2798e95e80c}\ = "TrustMediaViewerV1alpha3942" | regsvr32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{920a45de-5570-44c1-9e34-d2798e95e80c}\NoExplorer = "1" | regsvr32.exe
-
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\System32\GroupPolicy | 253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | 253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | 253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | 253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe
-
Drops file in Program Files directory 23 IoCs
description | ioc (Process for every entry: 253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe)
File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ie\TrustMediaViewerV1alpha3942.dll
File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ch\TrustMediaViewerV1alpha3942.crx
File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\chrome\content\ffTrustMediaViewerV1alpha3942ffaction.js
File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\chrome\content\icons\Thumbs.db
File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ie\TrustMediaViewerV1alpha3942x64.dll
File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\chrome.manifest
File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\install.rdf
File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\chrome\content\icons\Thumbs.db
File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\chrome\content\icons\default
File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\chrome\content\icons\default\TrustMediaViewerV1alpha3942_32.png
File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ch\TrustMediaViewerV1alpha3942.crx
File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\install.rdf
File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\chrome\content
File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\chrome\content\ffTrustMediaViewerV1alpha3942.js
File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\chrome\content\ffTrustMediaViewerV1alpha3942ffaction.js
File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\chrome\content\overlay.xul
File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\chrome\content\icons
File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\chrome\content\icons\default\TrustMediaViewerV1alpha3942_32.png
File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\chrome.manifest
File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\chrome
File opened for modification | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\chrome\content\ffTrustMediaViewerV1alpha3942.js
File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ff\chrome\content\overlay.xul
File created | C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\uninstall.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim host in order to infer its geographical location.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | gpupdate.exe
-
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Approved Extensions | 253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Approved Extensions\{920a45de-5570-44c1-9e34-d2798e95e80c} = 51667a6c4c1d3b1bce59108c4501aa0c8b3e99398cd1a918 | 253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe
-
Modifies registry class 56 IoCs
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid | Process
1352 | 253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe
1352 | 253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe
1352 | 253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\253c83103a7de1cb893f1aa63babc05a_JaffaCakes118.exe"
    PID: 1352
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\regsvr32.exe
        Command line: regsvr32 "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ie\TrustMediaViewerV1alpha3942.dll" /s
        PID: 2896
        - Loads dropped DLL
        - Installs/modifies Browser Helper Object
        - System Location Discovery: System Language Discovery
        - Modifies registry class
    [2] C:\Windows\SysWOW64\regsvr32.exe
        Command line: regsvr32 /s "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ie\TrustMediaViewerV1alpha3942x64.dll"
        PID: 2104
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\regsvr32.exe
            Command line: /s "C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ie\TrustMediaViewerV1alpha3942x64.dll"
            PID: 2704
            - Loads dropped DLL
            - Installs/modifies Browser Helper Object
            - Modifies registry class
    [2] C:\Windows\SysWOW64\gpupdate.exe
        Command line: "C:\Windows\System32\gpupdate.exe" /force
        PID: 2252
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  Browser Extensions (1)
  Event Triggered Execution (1)
    Component Object Model Hijacking (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ie\TrustMediaViewerV1alpha3942.dll
  Filesize: 85KB
  MD5: 0a806bc88d53edb0241950de1cf2fcb6
  SHA1: 7a6fc8eaa08baec9dac414e0ccfbee1c2aeb84d4
  SHA256: 19e705fc235d849856dfc84ca85e0ed236f510c32686bc55c8b8e5998993d397
  SHA512: 669cbcdc339e7096669daa2f2f6a81f1ca7784c97d887337216864da8a3409fa57908de4392eff9f4e187d0386ac8747eaf755a9bd1b767b2a8832d8569893de
C:\Program Files (x86)\TrustMediaViewerV1\TrustMediaViewerV1alpha3942\ie\TrustMediaViewerV1alpha3942x64.dll
  Filesize: 100KB
  MD5: ab98d1d0ebf62707bb27cc9ff6e71bb3
  SHA1: ac4617b75c6f4f9cfe409bf507f8304d98de1946
  SHA256: 9fe0747b6aa6555793c9c05c932e92a70a9826fe00c359f121286c0887e0852a
  SHA512: 473a8b7b62b8ad64f7d67f86f371ffb2b5cd6b7091bb2fe1c694234b7225bc34abbf4db9030f2706f0557310125b4a08158604f0b89ae31002e0142e2d03b56d
(no path listed)
  Filesize: 567KB
  MD5: f346047b13f37f79c462e59a6319faa1
  SHA1: ce9e7cb9719000a69b463fe024c81229e322279f
  SHA256: e78e0e61707cabec8383f1e74da9db8e0fa123a3a7b36f0080d70fbaed6f7453
  SHA512: 429209cc489ba9ac2d62055b128efb3cded3e31f966c7cdb1aee592ec7a54ab090526705fa2519498d92eb4bc2efa141cd83adc6c251b793388ad1208b172167
(no path listed)
  Filesize: 11KB
  MD5: c17103ae9072a06da581dec998343fc1
  SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
  SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
  SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f