a81846dd1d93571b6a7b912d0f5233f03d018e95d11a45a7b8bc9f9879d6a016

Analysis

max time kernel
93s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2024, 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Size

208KB
MD5

2a83fe209c8b3d8ff5bcd5f2abcb0208
SHA1

2b2a3a3698da93c04c2674f46e36f863031ae70c
SHA256

a81846dd1d93571b6a7b912d0f5233f03d018e95d11a45a7b8bc9f9879d6a016
SHA512

f690a1dfd3a070ed2c170dde45b518e777ce20550403b009362c3ec3d305b0e6aa91069aa7f3b53cc8d4633fae309b1bd60a354296f2fd671093c32bb48367aa
SSDEEP

6144:WieaN100EL6Q9xB9H9khaPsSuDoe4nmQBEYC6O:WieL/6QHPnIUmh

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe

Loads dropped DLL 6 IoCs

pid	Process
2984	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
2984	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
2984	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
2984	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
2984	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
2984	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CnsMin = "Rundll32.exe C:\\Windows\\Downloaded Program Files\\CnsMin.dll,Rundll32"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\3721\Assist\assist.dll	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
File created	C:\Program Files (x86)\3721\Assist\asnoad.dll	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
File created	C:\Program Files (x86)\3721\Assist\filter.ini	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
File created	C:\Program Files (x86)\3721\Assist\sound.wav	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
File created	C:\Program Files (x86)\3721\Assist\float.gif	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Downloaded Program Files\CnsMin.dll	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rundll32.exe

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Enable\ValueName = "CNSEnable"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Enable\DefaultValue = "1"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Hint\RegPath = "SOFTWARE\\Microsoft\\Internet Explorer\\Main"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\AutoUpdate\CheckedValue = "1"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Menu	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search\CustomizeSearch = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CNSEnable = "1"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\AutoUpdate\UncheckedValue = "3239015521"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\MenuExt	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\ResetCatch	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Enable\UncheckedValue = "3239015521"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Hint\DefaultValue = "1"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\AutoUpdate\HKeyRoot = "2147483649"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CNSReset = "3239015521"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Bitmap = "C:\\Windows\\Downloaded Program Files\\CnsMin.dll,215"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Enable\RegPath = "SOFTWARE\\Microsoft\\Internet Explorer\\Main"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Hint\Text = "Show hint at address bar"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\AutoUpdate\DefaultValue = "1"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Type = "group"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Hint\CheckedValue = "1"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\AutoUpdate\ValueName = "CNSAutoUpdate"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Menu	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Enable\HKeyRoot = "2147483649"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\AutoUpdate\Type = "checkbox"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\AutoUpdate\RegPath = "SOFTWARE\\Microsoft\\Internet Explorer\\Main"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\AutoUpdate\Text = "Auto upgrade without notification"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CNSList = "3239015521"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Text = " Chinese keywords"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Enable	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Enable\Text = "Enable chinese keywords"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Hint	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Hint\Type = "checkbox"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Hint\HKeyRoot = "2147483649"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Hint\UncheckedValue = "3239015521"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\PlugUIText = "@C:\\Windows\\Downloaded Program Files\\CnsMin.dll,-117"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Enable\Type = "checkbox"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CNSMenu = "3239015521"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CNSHint = "1"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Enable\CheckedValue = "1"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\Hint\ValueName = "CNSHint"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\AutoUpdate	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\!CNS\ResetCatch	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CNSAutoUpdate = "1"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist.1\ = "EasyAssist Class"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F97E75A4-0103-4F27-A752-327B600B1130}\1.0\0\win32	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\InprocServer32\ = "C:\\Windows\\Downloaded Program Files\\CnsMin.dll"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267}\1.0	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\0\win32	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\Assist\\assist.dll"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F97E75A4-0103-4F27-A752-327B600B1130}\1.0\0	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{172862CD-9D35-40E7-BAF2-BA7ECF043B9C}	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CnsHelper.CH.1\ = "3721"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\Implemented Categories\	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267}\1.0\HELPDIR	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF692509-D9EF-48A0-9CD0-3AA5B81F6F68}	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{141A5E19-BDCB-4E27-A3D7-9E16503BC05B}	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}\	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{141A5E19-BDCB-4E27-A3D7-9E16503BC05B}	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{172862CD-9D35-40E7-BAF2-BA7ECF043B9C}\TypeLib\ = "{F97E75A4-0103-4F27-A752-327B600B1130}"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ADKiller.ADKillerObj\CurVer	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{141A5E19-BDCB-4E27-A3D7-9E16503BC05B}\VersionIndependentProgID	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\FLAGS	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\TypeLib	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ADKiller.ADKillerObj.1\ = "ADKillerObj Class"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ADKiller.ADKillerObj\CurVer\ = "ADKiller.ADKillerObj.1"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\MiscStatus\1\ = "131473"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF692509-D9EF-48A0-9CD0-3AA5B81F6F68}\ProxyStubClsid32	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist.1\CLSID	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F97E75A4-0103-4F27-A752-327B600B1130}\1.0\FLAGS	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ADKiller.ADKillerObj\CLSID	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CnsHelper.CH.1\CLSID\ = "{B83FC273-3522-4CC6-92EC-75CC86678DA4}"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267}	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267}\1.0\0\win32	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF692509-D9EF-48A0-9CD0-3AA5B81F6F68}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF692509-D9EF-48A0-9CD0-3AA5B81F6F68}\TypeLib\Version = "1.0"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3}\InprocServer32\ = "C:\\Program Files (x86)\\3721\\Assist\\assist.dll"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3}	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\0	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\TypeLib\Version = "1.0"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{172862CD-9D35-40E7-BAF2-BA7ECF043B9C}\TypeLib	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CnsHelper.CH\CurVer	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\Implemented Categories\{56FFCC30-D398-11D0-B2AE-00A0C908FA49}	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267}\1.0\FLAGS	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF692509-D9EF-48A0-9CD0-3AA5B81F6F68}\TypeLib\ = "{AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267}"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CnsHelper.CH.1	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DF692509-D9EF-48A0-9CD0-3AA5B81F6F68}\ProxyStubClsid32	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{172862CD-9D35-40E7-BAF2-BA7ECF043B9C}\TypeLib	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CnsHelper.CH\CLSID	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DF692509-D9EF-48A0-9CD0-3AA5B81F6F68}\ = "ICH"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\ = "Assist 1.0 Type Library"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{141A5E19-BDCB-4E27-A3D7-9E16503BC05B}\InprocServer32\ThreadingModel = "Apartment"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CnsHelper.CH	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\InprocServer32\ThreadingModel = "Apartment"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\TypeLib\ = "{19069804-2CF0-4357-B696-BA6E9AAD99EF}"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{172862CD-9D35-40E7-BAF2-BA7ECF043B9C}\TypeLib\Version = "1.0"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\Insertable	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{AAB6BCE3-1DF6-4930-9B14-9CA79DC8C267}\1.0\0	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3}\InprocServer32	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\ = "IEasyAssist"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{172862CD-9D35-40E7-BAF2-BA7ECF043B9C}\ProxyStubClsid32	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{141A5E19-BDCB-4E27-A3D7-9E16503BC05B}\ProgID\ = "ADKiller.ADKillerObj.1"	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CnsHelper.CH.1\CLSID	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B83FC273-3522-4CC6-92EC-75CC86678DA4}\ToolboxBitmap32	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist\CLSID	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2984	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 3432	2984	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe	85
PID 2984 wrote to memory of 3432	2984	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe	85
PID 2984 wrote to memory of 3432	2984	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe	85
PID 2984 wrote to memory of 4872	2984	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe	87
PID 2984 wrote to memory of 4872	2984	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe	87
PID 2984 wrote to memory of 4872	2984	2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2a83fe209c8b3d8ff5bcd5f2abcb0208_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32.exe C:\Windows\Downloaded Program Files\CnsMin.dll,Rundll32
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3432
- C:\Windows\SysWOW64\Rundll32.exe
  Rundll32.exe C:\Windows\Downloaded Program Files\CnsMin.dll,Rundll32
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\3721\Assist\asnoad.dll

Filesize
116KB

MD5
21bcbadcbaa1cb19796bd2b139954c7b

SHA1
90e3f2a57232416b25f235b9126f761cc35e4f0f

SHA256
2e1932faf7ec70da75786dd9a0aadc45ad0f15d8e5c4a11dd2951e6c3a30a786

SHA512
bb94e1d9a66c0b9f18b419b81d545e85d674925ce0facd8c9d1229d4f3e1b8c107c5b940faf66410efb8b50cebf48797fad322454c0e4fbcc3d2942653e349ef

Download Submit
C:\Program Files (x86)\3721\Assist\assist.dll

Filesize
49KB

MD5
a3cbf83f654e5cc90422f4cc7a44f339

SHA1
58d03194e3e7691e30294a19ba798005fe9eba0b

SHA256
985815be546603778889135b8057ca9e43494993b21d880e7ad164659fff8060

SHA512
5f56d5dd8f4443ebaea493ae56f940fa68c1b384f045c8d01f64c92440cbcc10fc83f6a3cab924d258a90345c51bd5d1c481338a627b521a1384a570e2958d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8F22.tmp\System.dll

Filesize
9KB

MD5
e085476805e8f5ef1c7ed635c5309017

SHA1
609e79fdc29d6dee40cc5dd333094db5f9f63eec

SHA256
4eb689e2db8d683afcfffe6dee1985fbd458d2770093547331d563acece80c67

SHA512
082932aea8d993de8ca1eeb60f7bb4e56cc7eab4a683c59822b2c544223febab5915bb2b7c2e2dad79472bbd8ad400770dd7c1f112cef24d18ebd0f1ad63fe9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8F22.tmp\wmpns.dll

Filesize
56KB

MD5
df27621893ffa61cee095b6fb9cb895c

SHA1
e846e6540d1f967101b8651178c4a250856f1503

SHA256
10970587920f364372e5d38d17570e10c07b6678127aa301acdf8a981c49f77e

SHA512
de34a30d124e6b6a81aca29690d28917e3dd4919f407476bdad4098b2120062f427cd1ca590a472c3df35f1a10e567f5642a67407f2c9235c716ad2975424b1c

Download Submit
C:\Windows\Downloaded Program Files\CnsMin.dll

Filesize
180KB

MD5
d8c444fb40a837cbf46b1e7f553ca3f3

SHA1
3219c44b73337cbceea93b4a4ef22058d734b1a4

SHA256
c1f7b72a03c516a389800078407bb42fd3483b89004dcca244e1bd80f48ff97b

SHA512
5d5d7f42ba05daaf022efb113b16bdc47b82a72593c0205d5dbd56c06d1013da67e4803e4d25dfc23de41af5ab9077f1bba2517bee4daf1d8a2f17c096195958

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads