dae216f68b95d8f6e77d6089d5db382a87f1fa75c093f1f83656d091cae7bde9

Analysis

max time kernel
140s
max time network
143s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
Size

47KB
MD5

2987971c53a3e3ea7de63d5aeb2a9cee
SHA1

86ffe38cf6175ecf6a127ecbcf70d83782e175c0
SHA256

dae216f68b95d8f6e77d6089d5db382a87f1fa75c093f1f83656d091cae7bde9
SHA512

93c11a9949005ee74daaab94bf7f480b194d03f323d88d7a691fb9759be7d8163f29b3ca1b481f4987cc4b06e8ee53633baabe67a524418a9fb281edd17c87a8
SSDEEP

768:rmNnDSb5J3a0N1DZKRkC4beGLJ8tRWX+mMKqRxXGFT0nEWa:SO1W4qzcjFqPGFA

Score

7^/10

adware discovery evasion execution persistence stealer trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2276	RAWNCSEMZD5.EXE

Loads dropped DLL 1 IoCs

pid	Process
2276	RAWNCSEMZD5.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{636CE42E-32FE-5C59-379B-23A34BCC4051}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\4QWBYHBE0\71VPHV.EXE	RAWNCSEMZD5.EXE
File opened for modification	C:\Program Files\4QWBYHBE0\71VPHV.EXE	RAWNCSEMZD5.EXE
File created	C:\Program Files\4QWBYHBE0\E7FMR47BEU.EXE	RAWNCSEMZD5.EXE
File opened for modification	C:\Program Files\4QWBYHBE0\E7FMR47BEU.EXE	RAWNCSEMZD5.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\fdonszuycqs.dll	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
File created	C:\Windows\FDONSZUYCQS.txt	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RAWNCSEMZD5.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{636CE42E-32FE-5C59-379B-23A34BCC4051}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\HELPDIR\ = "c:\\windows"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\SysWOW64\\jscript.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\ = "JScript Language"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\aspfile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile.HostEncode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\CLSID\ = "{636CE42E-32FE-5C59-379B-23A34BCC4051}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID\ = "{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\PROGID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID\ = "{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ = "JScript Compact Profile (ECMA 327)"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2956	reg.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
2276	RAWNCSEMZD5.EXE
2276	RAWNCSEMZD5.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2908 wrote to memory of 2276	2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2276	2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2276	2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2276	2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	30
PID 2908 wrote to memory of 2912	2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	31
PID 2908 wrote to memory of 2912	2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	31
PID 2908 wrote to memory of 2912	2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	31
PID 2908 wrote to memory of 2912	2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	31
PID 2908 wrote to memory of 2912	2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	31
PID 2908 wrote to memory of 2912	2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	31
PID 2908 wrote to memory of 2912	2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	31
PID 2908 wrote to memory of 2764	2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	32
PID 2908 wrote to memory of 2764	2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	32
PID 2908 wrote to memory of 2764	2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	32
PID 2908 wrote to memory of 2764	2908	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	32
PID 2764 wrote to memory of 2916	2764	cmd.exe	34
PID 2764 wrote to memory of 2916	2764	cmd.exe	34
PID 2764 wrote to memory of 2916	2764	cmd.exe	34
PID 2764 wrote to memory of 2916	2764	cmd.exe	34
PID 2764 wrote to memory of 2916	2764	cmd.exe	34
PID 2764 wrote to memory of 2916	2764	cmd.exe	34
PID 2764 wrote to memory of 2916	2764	cmd.exe	34
PID 2764 wrote to memory of 2920	2764	cmd.exe	35
PID 2764 wrote to memory of 2920	2764	cmd.exe	35
PID 2764 wrote to memory of 2920	2764	cmd.exe	35
PID 2764 wrote to memory of 2920	2764	cmd.exe	35
PID 2764 wrote to memory of 2888	2764	cmd.exe	36
PID 2764 wrote to memory of 2888	2764	cmd.exe	36
PID 2764 wrote to memory of 2888	2764	cmd.exe	36
PID 2764 wrote to memory of 2888	2764	cmd.exe	36
PID 2764 wrote to memory of 2860	2764	cmd.exe	37
PID 2764 wrote to memory of 2860	2764	cmd.exe	37
PID 2764 wrote to memory of 2860	2764	cmd.exe	37
PID 2764 wrote to memory of 2860	2764	cmd.exe	37
PID 2764 wrote to memory of 2860	2764	cmd.exe	37
PID 2764 wrote to memory of 2860	2764	cmd.exe	37
PID 2764 wrote to memory of 2860	2764	cmd.exe	37
PID 2764 wrote to memory of 2160	2764	cmd.exe	38
PID 2764 wrote to memory of 2160	2764	cmd.exe	38
PID 2764 wrote to memory of 2160	2764	cmd.exe	38
PID 2764 wrote to memory of 2160	2764	cmd.exe	38
PID 2764 wrote to memory of 2160	2764	cmd.exe	38
PID 2764 wrote to memory of 2160	2764	cmd.exe	38
PID 2764 wrote to memory of 2160	2764	cmd.exe	38
PID 2764 wrote to memory of 3068	2764	cmd.exe	39
PID 2764 wrote to memory of 3068	2764	cmd.exe	39
PID 2764 wrote to memory of 3068	2764	cmd.exe	39
PID 2764 wrote to memory of 3068	2764	cmd.exe	39
PID 2764 wrote to memory of 2820	2764	cmd.exe	40
PID 2764 wrote to memory of 2820	2764	cmd.exe	40
PID 2764 wrote to memory of 2820	2764	cmd.exe	40
PID 2764 wrote to memory of 2820	2764	cmd.exe	40
PID 2764 wrote to memory of 2876	2764	cmd.exe	41
PID 2764 wrote to memory of 2876	2764	cmd.exe	41
PID 2764 wrote to memory of 2876	2764	cmd.exe	41
PID 2764 wrote to memory of 2876	2764	cmd.exe	41
PID 2764 wrote to memory of 2524	2764	cmd.exe	42
PID 2764 wrote to memory of 2524	2764	cmd.exe	42
PID 2764 wrote to memory of 2524	2764	cmd.exe	42
PID 2764 wrote to memory of 2524	2764	cmd.exe	42
PID 2764 wrote to memory of 2940	2764	cmd.exe	43
PID 2764 wrote to memory of 2940	2764	cmd.exe	43
PID 2764 wrote to memory of 2940	2764	cmd.exe	43
PID 2764 wrote to memory of 2940	2764	cmd.exe	43

C:\Users\Admin\AppData\Local\Temp\2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2908
- C:\RAWNCSEMZD5.EXE
  C:\RAWNCSEMZD5.EXE FDONSZUYCQS
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2276
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "c:\windows\fdonszuycqs.dll"
  2⤵
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\U64RW37S5EZ.BAT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2916
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2920
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2888
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2860
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2160
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:3068
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2820
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2876
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2524
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2940
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2956
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s msvidctl.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\RAWNCSEMZD5.EXE

Filesize
10KB

MD5
f2da5ae8487e3f7572e325334e54cf61

SHA1
45036bae670a2253c038092ec0cdf6ad34e13021

SHA256
1d87765c85931b53cede519163ed1de17e824584552f8d9747bdb5623dd640f2

SHA512
c611a49edf753110572133128a84d107b95f55fcb31b9ded1e86241651ee3e5033e2a637127caf857d60aeb3e2e902d8ca3ef7db34a3742a995a1316b2fa30e0

Download Submit
C:\U64RW37S5EZ.BAT

Filesize
1KB

MD5
8ad83a51d415c7d5d2beaf01d8083b23

SHA1
700fa9f0d42671a9086d02113eb892daab20e0b5

SHA256
39548db3192c9be6caa33eb253fcfa311d0e80f72e91162f1fa303f147caaacd

SHA512
23a34ded9eb7ae0813eb213a1441a3f1d03ee924a1131f874a2af00427f129896fb3287f71955fe106004f2e728a43bedea68d4a97c338b5f0aed5df187bb172

Download Submit
C:\Windows\FDONSZUYCQS.txt

Filesize
47KB

MD5
229c68dcdcbeab291fc2fc08b48838da

SHA1
defaf680480f5ee990adf3b5b4653275da07d188

SHA256
590e2789a31fe522e8deaae46131475c5f48c671495436e233fb2e3020ac9c1e

SHA512
9af5bb181250aec6638db41da0419e6d2b96aa77b5795aa13cb09930a0c6048e5447a9fd2d43c3628bba3d25572630decbcf45a5b585a54cc7f46290d7b06ac0

Download Submit
\??\c:\windows\fdonszuycqs.dll

Filesize
28KB

MD5
82ac13500b978fdb07c73e504a871498

SHA1
5e8478e261b48d63ca460bee85dde9cf62688407

SHA256
fd8f4a34328e6299045a455777b74f2f0ccf4fdca8899f66d1ee10d2a15284bc

SHA512
7620fd5885eea7f9a9d3a4f22f36470439cf01bfbd31eff6e06beec7d2b4b951080533572e2b9a5fa42c4c7cafe1c09ae000d4d2ca3ee7282a1b050248d8902e

Download Submit
\Program Files\4QWBYHBE0\E7FMR47BEU.EXE

Filesize
47KB

MD5
2987971c53a3e3ea7de63d5aeb2a9cee

SHA1
86ffe38cf6175ecf6a127ecbcf70d83782e175c0

SHA256
dae216f68b95d8f6e77d6089d5db382a87f1fa75c093f1f83656d091cae7bde9

SHA512
93c11a9949005ee74daaab94bf7f480b194d03f323d88d7a691fb9759be7d8163f29b3ca1b481f4987cc4b06e8ee53633baabe67a524418a9fb281edd17c87a8

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads