ee400585dfc76b6174dad5d9ba022338618e423a38e3e66495239f946d6f40c7

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 01:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe
Size

75KB
MD5

3d0b7f66fccea19223dde03e6738a75d
SHA1

c91483773b9eed3478a704cb63cb3fb0be8dedc4
SHA256

ee400585dfc76b6174dad5d9ba022338618e423a38e3e66495239f946d6f40c7
SHA512

2eed88d7482cef0b4eeb6603277cd13ca3f2c8201b580e18152f551d223a5702318d16e8a87e4cc5d12c840546d3ce544818c17e368102ad8bf44d9dc7b75085
SSDEEP

1536:KbF2ZP7tgpM1EYNf38pS9yiDdGSWy4uXbo2t9ZVgyZTC8nLk1:Y2ZP7tgpM1EYNf38pS9yiDdGSWy4uXbm

Score

7^/10

adware discovery stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b000000012029-2.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
1032	regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}	3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}\	3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\epsdrv.dll	3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000012029-2.dat	upx
behavioral1/memory/1032-4-0x0000000010000000-0x0000000010014000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00517f860e1ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{ADAD2951-8901-11EF-8B05-6E295C7D81A3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000942188000a95d57a35ca86b491e183f2586fe02eb4f3a55ff7cd132a302c6184000000000e8000000002000020000000eebb8230d59e54507189b364084d5e339ecd4be57c8330c26f57404a73705e0d200000007f7182fdec79c54cda7f0f0426f7f1f87f390b24c6570ff2e6970650caac94ef40000000b201485a4e96828634f894318d67bda2eceeafc0403863c4df3acc1e37aa9141d3de8b789b7e88973a5cfb8b7f4a335d48f6056c86392d762101c8f2fac7bfba	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000ce6ffa783d8390490f66d6ce110f879b61fb42aca79aedb895a52a839cd55312000000000e8000000002000020000000e9f4c9c7e5c8475a2e049c519a17fe0b9cc9ecf5b0486c7ec7c2053248f12c4a90000000e2e79e6a566c763c85aa5ff5d92858be40ec59771719b92ea47272276ee6daf94e846a3160aa775ad773f79232c6ba9243201aef3286e3b76a3d0829c8a67f356cf30f8054472d698b842e79e0a65e41be11eded1f34b1ca16304b1f2a6a4047a42676a3d36254ff14b2a4be264922127496859905860df86c8f8d8d78408a45b28bf43f5833dbd7fc8d1a4b926a5b894000000019f69ca61f80d3b808de533d363946da63368696526f9ff1d5780b2df51f1fbe897e28405929078537aaba46d00e724b71139c3144ce4a5309e13d57841da631	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434944444"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\ = "_IBhoEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho.1\ = "EpsonToolBandKicker Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ = "IBho"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\epsdrv.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho\CLSID\ = "{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho\CurVer\ = "BhoNew.Bho.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\ = "_IBhoEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho.1\CLSID\ = "{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho\ = "EpsonToolBandKicker Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\ = "Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BhoNew.Bho\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}\ProgID\ = "BhoNew.Bho.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ = "IBho"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}\VersionIndependentProgID\ = "BhoNew.Bho"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}\InprocServer32\ = "C:\\Windows\\SysWow64\\epsdrv.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\TypeLib\ = "{15C7D7AD-A87A-4C0D-9D8B-637FCD3488EF}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CAF9D798-C659-4B9B-8E19-EE27C3D04EE7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}\ = "EpsonToolBandKicker Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{87FD33C2-7891-45D5-ACD1-7935F9AEA26B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4937D5D1-2039-409A-BD83-FEC9B39B2356}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2212	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2212	iexplore.exe
2212	iexplore.exe
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE
2896	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 2212	2872	3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2212	2872	3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2212	2872	3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe	28
PID 2872 wrote to memory of 2212	2872	3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe	28
PID 2872 wrote to memory of 1032	2872	3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe	29
PID 2872 wrote to memory of 1032	2872	3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe	29
PID 2872 wrote to memory of 1032	2872	3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe	29
PID 2872 wrote to memory of 1032	2872	3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe	29
PID 2872 wrote to memory of 1032	2872	3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe	29
PID 2872 wrote to memory of 1032	2872	3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe	29
PID 2872 wrote to memory of 1032	2872	3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe	29
PID 2212 wrote to memory of 2896	2212	iexplore.exe	30
PID 2212 wrote to memory of 2896	2212	iexplore.exe	30
PID 2212 wrote to memory of 2896	2212	iexplore.exe	30
PID 2212 wrote to memory of 2896	2212	iexplore.exe	30

C:\Users\Admin\AppData\Local\Temp\3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d0b7f66fccea19223dde03e6738a75d_JaffaCakes118.exe"
1⤵
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://hotvid44.com/bind2.php?id=3913049
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2896
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\system32\epsdrv.dll"
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e00f071129026929aff986fcdf84cc28

SHA1
6829196b6517ffee59c101f483325191046a7b27

SHA256
370c840b7a88dcae4bedb6790fb3df72e8434b097027f446ce37bf3b74e97251

SHA512
6cd4c6d64806dc76304c4e6d549d347941f1a809e5f4b46129aef0801b721d06bdacf2115e04fa6f8af34665182a542819c538e8fc1e0136dada1c3f2a53a850

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95685e1d068161b77cae483de987d16b

SHA1
2cdf44f44a13b46826d45eb1baf6ae2f3df846ba

SHA256
3eb4324f43add9bf57f7298044ccb9df4005ec0db877a48b2a2c8cd53c94f86a

SHA512
45f95f5b4d1109afdc57e7e0bc84eb49a49a5586dbf1af6a133132a1e0987d4f3fe3d6f9e843945fc6e1b4f20c6f044490f2a91e9c763cd19eef7737b2fdd411

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d94ed8b4a0d018d2d636b6ad8485f5ad

SHA1
e18108ecee8e3aca75da656454a15d61eced08c0

SHA256
d628441967102f7d8dee16652f4e9f24ab5f32104ce440d863fe97db7ce598aa

SHA512
71981452c75282c901b3a087e5dc4af842a2d060cbdde5879d3cc086a089f5bcd9d3409da1e5cd73d589493544fbd109648348721db770828bd4dcd530169b76

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4b8a1880142a6138840df02507e7d9b

SHA1
7bf8885d8e77857c2e5a5107959232a5af263a90

SHA256
909a38949bd7e77c63b5cde244433dd3d208600d936a6c99222da726e80aae83

SHA512
2620829c526eef561aae2b68907dc0499eb64dbf4affd468cf1ff0f6c43b2449038f02c34e4fa5f3e24a7643c91d190901fea8e42d0c846cf74c88d3794adb86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c976f848e50b67918c1fb4697a7efe63

SHA1
06be2b47d5cafef8330a9826d76145b38806ae4a

SHA256
a995645a45b018708f91cf0e297483710fadd21c5c6143f78a6c23da24c81510

SHA512
26d77fdf17f0eb908d2b09b5280d144d7bff06839ad182b1f77f770c2c64535a5b91146ec596625acd121e75093f6057b0f239c82c3570740efc197c41d52d72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f7fb64a0cbac6c45732be06fe5c25c3

SHA1
fd21bdee05b06fc0e3242501d29c8c0da52213bf

SHA256
cc0b929c24c361a8c5061af802133f25c1ae9652e99b1f8e8582b45eb7663260

SHA512
c301df9323494c4795a206ad55b22920565ff9463d369dc3a7cd4fe42d49a3547701ccb2c092e2a34c7835c6db59b072e4795e18e301a409dd852fb439f54a58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00d215ab7c16fca1ab3b5aa5bd11b900

SHA1
a5b74edff579834fabdb724adf6f0d85e4718a5c

SHA256
a9ec6e5300eacfd3b38a4d768c030576d7f3fa09e15b0858d98ba14f37509bfa

SHA512
b311cbddc723af26c7ff1c35a3d40c9cd0290aa2f090c58928a4b9f4d0592e0fb619034eed988e479c8a0809ab4860ed39b3a173ae1efdb6a3e91e7917dd050e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
769665b47e02a09acd606771dcb48718

SHA1
03557af5f8572efb44e912a75786bd20a085025b

SHA256
f644a9b5b662ecddd6630c131e0da420d362ff42971e61e79a04ee6af87e0fd7

SHA512
8cbd916a0b5b3f6cebd140a3dfbde02184682d779b8295a903fb561069e057a4dbc1cd53c58030644f5c6c88193be855c2a7b4303ea23fa1ac82285447c136b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
359b96a5304dda3cf39ef4e8de1f7a3b

SHA1
2a601620ef7a7f2ba1daf5bc6549ebcdb452fa36

SHA256
1184610c4f260010ae1be3fd659ba4a3f603368cef9c65c91b18121b64b0feec

SHA512
477d6528e37794cd7e0589f87892a6c9c581c833884fb15ff499c232bb652020f2a25547d86bff7bc36dfe4362827f064f18bbfa05adc9e9b17141bcc2612d90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3137b5f38f1a6502947a57248bfb9ae7

SHA1
5b12b63347b357d74de39697f1566c2e45325b41

SHA256
0786143e8f01449d0bc2caffa2a7520cafa06dab522d8c942f374fdc0aa1c608

SHA512
e37611b42ac159ac784467a6289c23635770ca47383b1e8de94b4f85a22451f8b5f29a756bb233bf141499616f44b1e173b49c19fbfffc98babd2d5dfe4d2a61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b02cc36d4f39307a818473628c4e7be3

SHA1
12239de2a04913a5c62bed921617ade974074ff2

SHA256
03777a453903330fd9c20ba0466e453c15f1370019965253b66a79badbae1a76

SHA512
ee1b98a5c6b2f42080ffe9cc5e62997069f20dd886ff7d2ab17468cffb71f5ef9445d28bca4a9d82d0248b9c28568c90cf2488830798daceac7577cff9bf8248

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBB46.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBBD6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\epsdrv.dll

Filesize
22KB

MD5
d3da5d334c7d597cb8fa4c4a9105fde2

SHA1
1a7d844678c2f5905d1943d281a4981a41e751b3

SHA256
c13089a7d90d5dea39a9e24fef9acf2105b13edd3c694e9593163b20bbd2a86c

SHA512
013bcf137ec577d1fca9336dafbecbd208699eccc0e35f659a31e4630421cfb5d564d2986ad962a90ec897dc258c3d0f7faed02f90ab8353da6f2899b12b1ba6

Download Submit
memory/1032-4-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/2872-1-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads