dae216f68b95d8f6e77d6089d5db382a87f1fa75c093f1f83656d091cae7bde9

Analysis

max time kernel
137s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
Size

47KB
MD5

2987971c53a3e3ea7de63d5aeb2a9cee
SHA1

86ffe38cf6175ecf6a127ecbcf70d83782e175c0
SHA256

dae216f68b95d8f6e77d6089d5db382a87f1fa75c093f1f83656d091cae7bde9
SHA512

93c11a9949005ee74daaab94bf7f480b194d03f323d88d7a691fb9759be7d8163f29b3ca1b481f4987cc4b06e8ee53633baabe67a524418a9fb281edd17c87a8
SSDEEP

768:rmNnDSb5J3a0N1DZKRkC4beGLJ8tRWX+mMKqRxXGFT0nEWa:SO1W4qzcjFqPGFA

Score

7^/10

adware discovery evasion execution persistence stealer trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2340	ZV2IOUM.EXE

Loads dropped DLL 1 IoCs

pid	Process
4560	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{636CE42E-32FE-5C59-379B-23A34BCC4051}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\QAISE4L4BY7T\TFVCKD15I4.EXE	ZV2IOUM.EXE
File opened for modification	C:\Program Files\QAISE4L4BY7T\TFVCKD15I4.EXE	ZV2IOUM.EXE
File created	C:\Program Files\QAISE4L4BY7T\7NMLH.EXE	ZV2IOUM.EXE
File opened for modification	C:\Program Files\QAISE4L4BY7T\7NMLH.EXE	ZV2IOUM.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\FDONSZUYCQS.txt	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
File created	\??\c:\windows\fdonszuycqs.dll	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ZV2IOUM.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\ = "Thunder 1.0 Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.COMPACT AUTHOR\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C262-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT AUTHOR\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer\ = "Thunder.xunlei.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{636CE42E-32FE-5C59-379B-23A34BCC4051}\ProgID\ = "Thunder.xunlei.1"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{636CE42E-32FE-5C59-379B-23A34BCC4051}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0\win32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\LIVESCRIPT AUTHOR\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\HELPDIR	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT AUTHOR\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JSCRIPT.ENCODE\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei.1\ = "xunlei Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.3\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT AUTHOR\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{636CE42E-32FE-5C59-379B-23A34BCC4051}\ = "xunlei Class"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.FileSystemObject	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\JAVASCRIPT1.1\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\ = "JScript Language"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Dictionary	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\PROGID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{97EFC6B7-C73A-423E-8458-82C589CA7E3B}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLEScript	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4172	reg.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2892	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
2892	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
2892	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
2892	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
2892	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
2340	ZV2IOUM.EXE
2340	ZV2IOUM.EXE

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 2340	2892	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	88
PID 2892 wrote to memory of 2340	2892	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	88
PID 2892 wrote to memory of 2340	2892	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	88
PID 2892 wrote to memory of 4560	2892	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	89
PID 2892 wrote to memory of 4560	2892	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	89
PID 2892 wrote to memory of 4560	2892	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	89
PID 2892 wrote to memory of 1916	2892	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	90
PID 2892 wrote to memory of 1916	2892	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	90
PID 2892 wrote to memory of 1916	2892	2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe	90
PID 1916 wrote to memory of 4520	1916	cmd.exe	92
PID 1916 wrote to memory of 4520	1916	cmd.exe	92
PID 1916 wrote to memory of 4520	1916	cmd.exe	92
PID 1916 wrote to memory of 3288	1916	cmd.exe	93
PID 1916 wrote to memory of 3288	1916	cmd.exe	93
PID 1916 wrote to memory of 3288	1916	cmd.exe	93
PID 1916 wrote to memory of 2676	1916	cmd.exe	94
PID 1916 wrote to memory of 2676	1916	cmd.exe	94
PID 1916 wrote to memory of 2676	1916	cmd.exe	94
PID 1916 wrote to memory of 3676	1916	cmd.exe	95
PID 1916 wrote to memory of 3676	1916	cmd.exe	95
PID 1916 wrote to memory of 3676	1916	cmd.exe	95
PID 1916 wrote to memory of 372	1916	cmd.exe	96
PID 1916 wrote to memory of 372	1916	cmd.exe	96
PID 1916 wrote to memory of 372	1916	cmd.exe	96
PID 1916 wrote to memory of 4064	1916	cmd.exe	97
PID 1916 wrote to memory of 4064	1916	cmd.exe	97
PID 1916 wrote to memory of 4064	1916	cmd.exe	97
PID 1916 wrote to memory of 4788	1916	cmd.exe	98
PID 1916 wrote to memory of 4788	1916	cmd.exe	98
PID 1916 wrote to memory of 4788	1916	cmd.exe	98
PID 1916 wrote to memory of 3872	1916	cmd.exe	99
PID 1916 wrote to memory of 3872	1916	cmd.exe	99
PID 1916 wrote to memory of 3872	1916	cmd.exe	99
PID 1916 wrote to memory of 3708	1916	cmd.exe	100
PID 1916 wrote to memory of 3708	1916	cmd.exe	100
PID 1916 wrote to memory of 3708	1916	cmd.exe	100
PID 1916 wrote to memory of 724	1916	cmd.exe	101
PID 1916 wrote to memory of 724	1916	cmd.exe	101
PID 1916 wrote to memory of 724	1916	cmd.exe	101
PID 1916 wrote to memory of 4172	1916	cmd.exe	102
PID 1916 wrote to memory of 4172	1916	cmd.exe	102
PID 1916 wrote to memory of 4172	1916	cmd.exe	102
PID 1916 wrote to memory of 1144	1916	cmd.exe	103
PID 1916 wrote to memory of 1144	1916	cmd.exe	103
PID 1916 wrote to memory of 1144	1916	cmd.exe	103

C:\Users\Admin\AppData\Local\Temp\2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2987971c53a3e3ea7de63d5aeb2a9cee_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2892
- C:\ZV2IOUM.EXE
  C:\ZV2IOUM.EXE FDONSZUYCQS
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2340
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "c:\windows\fdonszuycqs.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4560
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\GMHX97W.BAT
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4520
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:3288
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2676
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3676
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:372
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:4064
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:4788
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:3872
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:3708
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:724
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4172
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s msvidctl.dll
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\GMHX97W.BAT

Filesize
1KB

MD5
8ad83a51d415c7d5d2beaf01d8083b23

SHA1
700fa9f0d42671a9086d02113eb892daab20e0b5

SHA256
39548db3192c9be6caa33eb253fcfa311d0e80f72e91162f1fa303f147caaacd

SHA512
23a34ded9eb7ae0813eb213a1441a3f1d03ee924a1131f874a2af00427f129896fb3287f71955fe106004f2e728a43bedea68d4a97c338b5f0aed5df187bb172

Download Submit
C:\Program Files\QAISE4L4BY7T\7NMLH.EXE

Filesize
47KB

MD5
2987971c53a3e3ea7de63d5aeb2a9cee

SHA1
86ffe38cf6175ecf6a127ecbcf70d83782e175c0

SHA256
dae216f68b95d8f6e77d6089d5db382a87f1fa75c093f1f83656d091cae7bde9

SHA512
93c11a9949005ee74daaab94bf7f480b194d03f323d88d7a691fb9759be7d8163f29b3ca1b481f4987cc4b06e8ee53633baabe67a524418a9fb281edd17c87a8

Download Submit
C:\Windows\FDONSZUYCQS.txt

Filesize
47KB

MD5
229c68dcdcbeab291fc2fc08b48838da

SHA1
defaf680480f5ee990adf3b5b4653275da07d188

SHA256
590e2789a31fe522e8deaae46131475c5f48c671495436e233fb2e3020ac9c1e

SHA512
9af5bb181250aec6638db41da0419e6d2b96aa77b5795aa13cb09930a0c6048e5447a9fd2d43c3628bba3d25572630decbcf45a5b585a54cc7f46290d7b06ac0

Download Submit
C:\ZV2IOUM.EXE

Filesize
10KB

MD5
f2da5ae8487e3f7572e325334e54cf61

SHA1
45036bae670a2253c038092ec0cdf6ad34e13021

SHA256
1d87765c85931b53cede519163ed1de17e824584552f8d9747bdb5623dd640f2

SHA512
c611a49edf753110572133128a84d107b95f55fcb31b9ded1e86241651ee3e5033e2a637127caf857d60aeb3e2e902d8ca3ef7db34a3742a995a1316b2fa30e0

Download Submit
\??\c:\windows\fdonszuycqs.dll

Filesize
28KB

MD5
82ac13500b978fdb07c73e504a871498

SHA1
5e8478e261b48d63ca460bee85dde9cf62688407

SHA256
fd8f4a34328e6299045a455777b74f2f0ccf4fdca8899f66d1ee10d2a15284bc

SHA512
7620fd5885eea7f9a9d3a4f22f36470439cf01bfbd31eff6e06beec7d2b4b951080533572e2b9a5fa42c4c7cafe1c09ae000d4d2ca3ee7282a1b050248d8902e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads