d2b647a3f152e14d8798c6bb6ffe44654ce29ece98e54e94fd5a015f630b761c

Analysis

max time kernel
145s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 16:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Size

4.9MB
MD5

40c70602f51715fdc93b393ad02fd99b
SHA1

927d19c3bbff6bee970b5584382268ed9943ab8f
SHA256

d2b647a3f152e14d8798c6bb6ffe44654ce29ece98e54e94fd5a015f630b761c
SHA512

df81f6c7b35d88fe4a4e435dfe58ff5c89fef99a88084ad9bb9e828d2d630c381ebfec987ce5c3cb1597daa70c2fd2b772e0ee8acfb0ac87d42c1057813b542b
SSDEEP

98304:5Py2G+7PSipDhnMyyGnIaDplGkwm5O94SiRq6Fb+KN+UL:5Py2G+7PSipDhnMyyGIaDpwkD5O98+4+

Score

7^/10

adware discovery persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2036	m3SrchMn.exe
580	mwssvc.exe
1340	mwsoemon.exe
2760	mwssvc.exe
2248	mwsoemon.exe

Loads dropped DLL 34 IoCs

pid	Process
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
2248	mwsoemon.exe
2248	mwsoemon.exe
2248	mwsoemon.exe
2248	mwsoemon.exe
2248	mwsoemon.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MyWebSearch Plugin = "rundll32 C:\\PROGRA~2\\MYWEBS~1\\bar\\1.bin\\M3PLUGIN.DLL,UPF"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\My Web Search Bar Search Scope Monitor = "\"C:\\PROGRA~2\\MYWEBS~1\\bar\\1.bin\\m3SrchMn.exe\" /m=2 /w"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MyWebSearch Email Plugin = "C:\\PROGRA~2\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MyWebSearch Email Plugin = "C:\\PROGRA~2\\MYWEBS~1\\bar\\1.bin\\mwsoemon.exe"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\ = "mwsBar BHO"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\f3PSSavr.scr	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\f3PSSavr.scr	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3MEDINT.EXE	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3SKIN.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSSVC.EXE	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\Notifier\DOG.F3S	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\Notifier\MAID.F3S	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\Notifier\SURFER.F3S	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\Avatar\COMMON.F3S	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\icons\CM.ICO	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTTPCT.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3IMSTUB.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3POPSWT.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCHMON.EXE	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3IDLE.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3SLSRCH.EXE	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\FWPBUDDY.PNG	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3MSG.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3NTSTBR.JAR	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3PLUGIN.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\Game\CHESS.F3S	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3CJPEG.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3WALLPP.DAT	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\msimg32.dll	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\Notifier\LIFEGARD.F3S	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HISTSW.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3REPROX.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\FWPBUDDY.PNG	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\Notifier\FISH.F3S	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTMLMU.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\f3imstub.dll	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\Notifier\LIFEGARD.F3S	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3OUTLCN.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSBAR.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\Notifier\MAILBOX.F3S	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\icons\PSS.ICO	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\icons\ZWINKY.ICO	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3MSG.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\Notifier\SEDUCT.F3S	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3SKPLAY.EXE	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOEPLG.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSSVC.EXE	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3HTML.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3SKPLAY.EXE	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\Game\REVERSI.F3S	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\icons\PSS.ICO	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\Notifier\DOG.F3S	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\Notifier\KUNGFU.F3S	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\Game\CHECKERS.F3S	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\icons\MFC.ICO	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3PLUGIN.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOEMON.EXE	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3BKGERR.JPG	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTMLMU.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3RESTUB.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCRCTR.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3OUTLCN.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOEPLG.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\NPMYWEBS.DLL	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\Message\COMMON.F3S	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3WALLPP.DAT	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3PSSAVR.SCR	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCHMON.EXE	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\F3SPACER.WMV	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
File created	C:\Program Files (x86)\MyWebSearch\bar\1.bin\M3MEDINT.EXE	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mwssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mwsoemon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mwssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mwsoemon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	m3SrchMn.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{07B18EA9-A523-4961-B6BB-170DE4475CCA}	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127}	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA}	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA}\Policy = "3"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7}\AppName = "m3SlSrch.exe"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7}\AppName = "f3PSSavr.scr"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481}\AppName = "m3impipe.exe"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481}\Policy = "3"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907}	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127}\AppName = "m3medint.exe"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127}\AppPath = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA}\AppPath = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907}\AppPath = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F138D901-86F0-4383-99B6-9CDD406036DA}\AppName = "m3SrchMn.exe"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7}\Policy = "3"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7}\AppPath = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481}\AppPath = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907}\AppName = "m3SkPlay.exe"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7}	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\f3ScrCtr.dll	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\RunDLl32Policy\f3ScrCtr.dll\	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7}	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68AF847F-6E91-45dd-9B68-D6A12C30E5D7}\AppPath = "C:\\Windows\\system32"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170B96C-28D4-4626-8358-27E6CAEEF907}\Policy = "3"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{DDB1968E-EAD6-40fd-8DAE-FF14757F60C7}\Policy = "3"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59C7FC09-1C83-4648-B3E6-003D2BBC7481}	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D1A71FA0-FF48-48dd-9B6D-7A13A3E42127}\Policy = "3"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC}\TypeLib	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\InprocServer32\ThreadingModel = "Apartment"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{7473D290-B7BB-4F24-AE82-7E2CE94BB6A9}\1.0	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F52A5FA-A705-4415-B975-88503B291728}\TypeLib\ = "{C8CECDE3-1AE1-4C4A-AD82-6D5B00212144}"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25E}\TypeLib\ = "{0D26BC71-A633-4E71-AD31-EADC3A1B6A3A}"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FunWebProducts.PopSwatterSettingsControl\CLSID\ = "{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C}"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{63D0ED2C-B45B-4458-8B3B-60C69BBBD83C}\VersionIndependentProgID	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C}\ProxyStubClsid32	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F87D7FB5-9DC5-4C8C-B998-D8DFE02E2978}\TypeLib\Version = "1.0"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7473D294-B7BB-4f24-AE82-7E2CE94BB6A9}\Version	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9D7BE3E-141A-4C85-8CD6-32461F3DF2C7}\VersionIndependentProgID	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CFF4CE82-3AA2-451F-9B77-7165605FB835}\ProgID	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25E}\TypeLib\ = "{0D26BC71-A633-4E71-AD31-EADC3A1B6A3A}"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{29D67D3C-509A-4544-903F-C8C1B8236554}\1.0	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E720453-B472-4954-B7AA-33069EB53906}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FunWebProducts.PopSwatterBarButton\ = "Bar Button Class"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E6F1830-9607-4440-8530-13BE7C4B1D14}\1.0\HELPDIR	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7473D291-B7BB-4F24-AE82-7E2CE94BB6A9}\TypeLib\ = "{7473D290-B7BB-4F24-AE82-7E2CE94BB6A9}"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyWebSearchToolBar.ToolbarPlugin	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{247A115F-06C2-4FB3-967D-2D62D3CF4F0A}\TypeLib	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C}\ProxyStubClsid32	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\TypeLib\Version = "1.0"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC}\ProxyStubClsid32	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\InprocServer32\ThreadingModel = "Apartment"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADB01E81-3C79-4272-A0F1-7B2BE7A782DC}\InprocServer32	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyWebSearch.HTMLPanel.1	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3E720452-B472-4954-B7AA-33069EB53906}\MiscStatus\1\ = "131473"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E79DFBC9-5697-4FBD-94E5-5B2A9C7C1612}	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7473D291-B7BB-4F24-AE82-7E2CE94BB6A9}\TypeLib\Version = "1.0"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC}\ = "_IDataCtrlEvents"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{8E6F1830-9607-4440-8530-13BE7C4B1D14}\1.0\FLAGS\ = "0"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3E720450-B472-4954-B7AA-33069EB53906}\1.0\0\win32\ = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin\\M3HTML.DLL"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{07B18EAB-A523-4961-B6BB-170DE4475CCA}\VersionIndependentProgID	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}\ = "IMyWebSearchPseudoTransparent"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}\TypeLib\Version = "1.0"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C8CECDE3-1AE1-4C4A-AD82-6D5B00212144}\1.0	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1093995A-BA37-41D2-836E-091067C4AD17}\ = "ICookie"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}\TypeLib	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{63D0ED2D-B45B-4458-8B3B-60C69BBBD83C}\TypeLib	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF54BE1C-9359-4395-8533-1657CF209CFE}\ProxyStubClsid32	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E79DFBCA-5697-4fbd-94E5-5B2A9C7C1612}\TypeLib	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{72EE7F04-15BD-4845-A005-D6711144D86A}\ProxyStubClsid32	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E79DFBC9-5697-4FBD-94E5-5B2A9C7C1612}\TypeLib	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07B18EAA-A523-4961-B6BB-170DE4475CCA}\TypeLib	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{17DE5E5E-BFE3-4E83-8E1F-8755795359EC}\ = "_IDataCtrlEvents"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F8ECF4F-3646-4C3A-8881-8E138FFCAF70}\InprocServer32	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ScreenSaverControl.ScreenSaverInstaller.1\ = "ScreenSaverInstaller Class"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2E3537FC-CF2F-4F56-AF54-5A6A3DD375CC}\ = "IScreenSaverInstaller"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07B18EAC-A523-4961-B6BB-170DE4475CCA}\ProxyStubClsid32	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{25560540-9571-4D7B-9389-0F166788785A}\Version\ = "1.0"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{991AAC62-B100-47CE-8B75-253965244F69}	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\FunWebProducts.HTMLMenu\CurVer\ = "FunWebProducts.HTMLMenu.2"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E1656ED-F60E-4597-B6AA-B6A58E171495}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E342AF55-B78A-4CD0-A2BB-DA7F52D9D25E}\TypeLib	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DE38C398-B328-4F4C-A3AD-1B5E4ED93477}	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6E74766C-4D93-4CC0-96D1-47B8E07FF9CA}\TypeLib	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EB9E5C1C-B1F9-4C2B-BE8A-27D6446FDAF8}\TypeLib	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{0D26BC71-A633-4E71-AD31-EADC3A1B6A3A}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\MyWebSearch\\bar\\1.bin\\"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9FF05104-B030-46FC-94B8-81276E4E27DF}\TypeLib	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9FF05104-B030-46FC-94B8-81276E4E27DF}\TypeLib\ = "{29D67D3C-509A-4544-903F-C8C1B8236554}"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{63D0ED2B-B45B-4458-8B3B-60C69BBBD83C}\TypeLib\ = "{8E6F1830-9607-4440-8530-13BE7C4B1D14}"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7473D296-B7BB-4f24-AE82-7E2CE94BB6A9}\ = "MyWebSearch Popup Menu Plugin"	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7473D293-B7BB-4F24-AE82-7E2CE94BB6A9}\ProxyStubClsid32	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2248	mwsoemon.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 2036	572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe	29
PID 572 wrote to memory of 2036	572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe	29
PID 572 wrote to memory of 2036	572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe	29
PID 572 wrote to memory of 2036	572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe	29
PID 572 wrote to memory of 580	572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe	30
PID 572 wrote to memory of 580	572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe	30
PID 572 wrote to memory of 580	572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe	30
PID 572 wrote to memory of 580	572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe	30
PID 572 wrote to memory of 1340	572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe	31
PID 572 wrote to memory of 1340	572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe	31
PID 572 wrote to memory of 1340	572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe	31
PID 572 wrote to memory of 1340	572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe	31
PID 572 wrote to memory of 2248	572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe	33
PID 572 wrote to memory of 2248	572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe	33
PID 572 wrote to memory of 2248	572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe	33
PID 572 wrote to memory of 2248	572	40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40c70602f51715fdc93b393ad02fd99b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:572
- C:\PROGRA~2\MYWEBS~1\bar\1.bin\m3SrchMn.exe
  "C:\PROGRA~2\MYWEBS~1\bar\1.bin\m3SrchMn.exe" /m=2 /w
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2036
- C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwssvc.exe
  "C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwssvc.exe" -install
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:580
- C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe
  "C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe" /d
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1340
- C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe
  "C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwsoemon.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2248

C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwssvc.exe
C:\PROGRA~2\MYWEBS~1\bar\1.bin\mwssvc.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\PROGRA~2\MYWEBS~1\bar\1.bin\M3SRCHMN.EXE

Filesize
24KB

MD5
72d911befc0e2c5daa2851ccbe654d0b

SHA1
1277cb51bbdeb2d1b074276c075ba70d73de0553

SHA256
2081aac222d9995125583539304fe6da3a8e591e79ffd4c581ef9a91f87aa4c6

SHA512
ef6060617bf81a90087b6ac325695edb64999e51de8254e11ddbd76492dbc355ca8064a999389f7a775fe071e7cb79854e9905e5a9aa97c3a0c89fb147898ad8

Download Submit
\PROGRA~2\MYWEBS~1\bar\1.bin\MWSOEMON.EXE

Filesize
32KB

MD5
9abbe6f791c0b599a7128c9aca27c094

SHA1
ab86ada4fc136255edf950b9adf3d380c60ebd8d

SHA256
16bf4998b6073e258661d52810a79ca7f90f951005434ae8102350b094697948

SHA512
fba34cf1c750a35a69b011855e35542e1ad86ebf87e396d813c4bfa5d243c43ada78ad6a668bd7d6184cf47bc428ba122562ed0552260a5696bb67153e024fa4

Download Submit
\PROGRA~2\MYWEBS~1\bar\1.bin\MWSSVC.EXE

Filesize
28KB

MD5
08ba920963941182128b463e27995615

SHA1
63ded73400623904333d66b7b7a46885bb542bea

SHA256
ddb5408e4e94f005b6613f7e030ecc6057f0abd752ac2854764a5306f1f61b56

SHA512
ab665186cf3202e371219b96207858733add665918c66ae55a424c2a0e782dbc9066435b17b2c082d9e546ec4915dd6620ce884b1b5eb248058476358e2f90db

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3CJPEG.DLL

Filesize
136KB

MD5
acb88f31279e312f633b24f48f8c0808

SHA1
742a35c7d3cedcd0eaf424b35fb5e861643210f0

SHA256
3a52298814e576ae90c5108651e9871dd351fbfd29bfb9b32820fd80cf5c8b7d

SHA512
6fd46a961deaa86e7bb92cc221a080bccbb0d35ac20d43c16ce6b5e283b0d6733654c9f6ccf3d0f3c0c2466ffdd38c5e088e40d1f332e2cb01f28b429a2d180f

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3DTACTL.DLL

Filesize
84KB

MD5
e651be4f6e4dcd99aa66ef80c5cdd28b

SHA1
553b35576446475c5e1ca2549354a611cf3fb8fb

SHA256
3e5a4ba558f1ddd8ae007c4d7fc366159160d60090b0f818b7c6b7cbecbd5856

SHA512
c198797043a06e66eb8c3b5aae81d81c0042dab04d6d62d1ab651c92fa7734877003257ad9d30f52a4a65c71327eefe7087bfc6dcbdd65ceb90922755c7054c4

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3HISTSW.DLL

Filesize
272KB

MD5
8e8757616254dbeae33585d99a374e57

SHA1
17eaaada49feecc03a2ce9b1bbea21f0d5022eeb

SHA256
5a098471c125c6484e943872fdb38a4237ec4545381fce9835b226460bef6e6b

SHA512
942836b97b14f94c6deeaf6044da69504281795bf0e936038076cab559a8a186dc6013ae0211a9bb4795c244f33bef13e676aba7a48b6e010d60118f5a930fa0

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTMLMU.DLL

Filesize
144KB

MD5
dd8a6ac438b15c37624cd3ea62d18c4c

SHA1
8851d17a1fdebe17eb01f171c3d16716a6f3beab

SHA256
484a2341c9952bc28fd4889772c0a11f30108c55642508e6a0cdd0eb14f19200

SHA512
4ae63946f5b089de59521acdcc95c00cf651122e043c10dbda22b005b70b5794875cf7a06bd8d8a1a8fb7a934b70ad494292ba581690eef3ed2ff96d114be72a

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3HTTPCT.DLL

Filesize
76KB

MD5
094276a6b3b508473db68af92cf7ddf9

SHA1
4d014941c37f3b4a740d09505387c882eda9af12

SHA256
d9cb3a3fa33f321f71a0bfb1a0c7bc9ff56379a04d9462efff1d13592d20d9d7

SHA512
f4c380d6a05d0b7b5733293502433d0a2d1a6dd0e4e98078d673ac08210e284df850af7ea6762b0e3047f3a69410c82bf32a48765def419236468996b89525a1

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3IMSTUB.DLL

Filesize
28KB

MD5
1375586480385cfdd91a0f27b2e28f3e

SHA1
511defd57d3b3d083697039b7cab9d1fff1f3c72

SHA256
36f6ecf4ceee2a36cdba179cddad42e8dbaae8d8346c87e66222324ea2f1708a

SHA512
29a761052d256f672af4518494938b9616816d2350da6c00b28b0ee135c9078e6557e535fbbf1a6404ed29df619fd549348c05f2924aea6d461399d3be7843e6

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3POPSWT.DLL

Filesize
124KB

MD5
40f5c8587253ce8f534e53b0bd7bd8fc

SHA1
445b42bb7bdb14ebb75440a1e8e3d279bfdcda62

SHA256
f8b3d92ec5fa8120b37bcbb1a328f55c2315ffffb71a1eafa4edf653d1059463

SHA512
6ea2b970637c0b7d10a3b626e83547cebf110249b0e0096e42f55ee887ec7b790654ddb7121605707d1ae4de77a13ab59bb8308eb38bf671d033b7d9cde64436

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3REPROX.DLL

Filesize
120KB

MD5
a1bd7551be79287f12e5110e05d0b128

SHA1
dadf37694b17e79b09111031e21da58718f2b328

SHA256
ac67777a6b218d433660a1f684cee7c498702f11bc922bdabebe3841fc72c0c3

SHA512
c47696aa1e159e53ed6c4e4288ba1f458cbbe5aac4935a9e5c6b260fdcac81d306fc4ad626277c722b8313437525522e70a3e0b089214488f85313db23eb1b93

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3RESTUB.DLL

Filesize
24KB

MD5
c4ff418909d55a7744b04774a83135c9

SHA1
2489008ef2e8fb7a3bdf6014d4488d01629c7034

SHA256
76adc93b3153ccd4ab6f692d78013cb75842f741168a6de5adee56c23748b7a3

SHA512
50b692ddb5c6a1433af93c4b78eea9206dc6bc020e8f084473a788e2f9d4bf4aa5ebe1fd31951ca2890630bf75a3f74a88864781c4b849fdb8b4417c265f191e

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3SCRCTR.DLL

Filesize
292KB

MD5
d700ef661c52f2f7a3a3c5ad28795b04

SHA1
66af20b8640c74d12bdbdb07e943f31e41b6e941

SHA256
eefd5a797736269ae4f74bbf9371d018c3463f24cf78aea92dafe51c7a858f19

SHA512
0ab6a82e48fc7b22d56cd7cfc451d228e8c547d84b3503922d7be60ce221ae852d95a71ec5c764d181e97feb829f0c016ef5b295a27ef3fe25a7c479a44fe015

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\F3WPHOOK.DLL

Filesize
20KB

MD5
cee57e05eccf470e751689ded838b7d2

SHA1
0abbc8d0284780bfa10d09f8b78c4964ffaffecd

SHA256
2cf54c47ddbc69ebc4e199e11c15c202844645aa97aed823ad2ac2df54df92f3

SHA512
4c0399857b5152185195cd27bcb8cefd15690499ab8ea426ef53a83b9ed9e7037786eef2f3fbe9ac625d3a48364f2b343f5eb24767d9dd404ece37c88265d161

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3HTML.DLL

Filesize
84KB

MD5
d460eca5d4574507ff4dabcc2cbc5f2e

SHA1
667b3cfcd047176e948dc7056a545e7ce3dc38f0

SHA256
cecf2b16a398141495764ce6ce4c507f37986e90d1f9705838962d879d446398

SHA512
aed6d7a7a324a811ed77fd688e699528cf91a3be1ae56e97f229c8a9065678cec0d210a942e8c3516321ff7d9dd16554909fc622ee076ef4f70aa0d48122a184

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3IDLE.DLL

Filesize
28KB

MD5
86445e5a1c4b02574d8bb1b49ebc1a73

SHA1
5d7a2184b0e8fe0d6006fef4700a1d41aaf68452

SHA256
dfc9ecb661cbab8d7fdb5da5d595173a07f188ff4413968288adbe3e559f1776

SHA512
ccdb79e986dbb5663b2da6b0742cceb43a50d6b8989dc84b34e74ae31eb9ae8970fd5b41f2b733a7fb2715defffeeb7c73dc99253916cb7e74f7491d845b9bce

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3MSG.DLL

Filesize
152KB

MD5
164b742c053c3cf682622a73bcc6d2fb

SHA1
22f94d99f3f76570f191983e1f6811755aea3b9f

SHA256
aa781903dd0eea8732f98565e7185aaa5d167ce6a132dc66a30a1289f0e289b2

SHA512
8d04f4d4466c2efb69b348286b4eff94b9d91668ac67cab872791bc644dfce53002ebdbf4afe4281c202f0370326a0a4301ef774e075e8c055b87f57cbbe67ac

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3OUTLCN.DLL

Filesize
68KB

MD5
26f833b7ad465a044a8da50b619775b2

SHA1
47e7c028a3f829e20494654b3f4a034ba11c4397

SHA256
ec5f5449f8283811a4718d59d7c05de2dbcee2e6eee4c0f69e00ef92a44236e6

SHA512
2fbd865be9ad5f1a8e2ac4f739b4480333c76c4d675d21354dbd9df83294bf4e6ea8f1584f0da7cbd1ee94e4f00aaf0cab6cd3a899f27c8cb666094e905c87e5

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3PLUGIN.DLL

Filesize
52KB

MD5
151b00b258a005b9571c79f89276e916

SHA1
0aaaebd70c77062792f0ef34efef6b1c1abf5560

SHA256
f13ad464fe7ceb0fc0752c5670a3fb88738fd6fddfc6f42cbd3350d106b9af88

SHA512
48778bc319cacf7f0f93525fbe8d847957a242970e37a9fcf92a078dc20e16b2fc5cb9f52c3b9f511b561ae8b1e2bf120f6b4eca510f4a35757af57b88f9092a

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\M3SKIN.DLL

Filesize
128KB

MD5
d1a29fbd9263013a3afd6bb24ee92604

SHA1
1453515e1f71ce526ea83df46c2ffe970df29215

SHA256
e01e420cc5301cdf4d61f132303888bfa329616de8091e82b8e1f50387a66b11

SHA512
9e3b832effca395903279c0b6ee76d9cbd67361fc424b325b9a3d9e23659b08c920cf2d8a24f65bb3c73005639ccadcd5b042295fd6cd3ea7ae389cb8defaff5

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\MWSBAR.DLL

Filesize
400KB

MD5
40fb6d560c494ed0f812b0cb302034d2

SHA1
f95b08616d6b80e4211d06f60146a87fb61789f7

SHA256
cb91430e2f833a5e0586ea1c57b28d076313a131e2816645436ecbf157aab707

SHA512
5ab3f8b256f04cedb386d01502e02f79bd719cc51d2626e33f73ec0f62b9da9455cf8fcbaabcfeec7fd32e42876b4a20b9c90c82c1bd1a154a374de5db75ff73

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOEPLG.DLL

Filesize
360KB

MD5
6ffc0fc8c2eadfd58def3fae4147ae0c

SHA1
426b5772fbf78b23674334fd3c06146282c53ed1

SHA256
43a77231cb42a1bea9ed67f2ce41090ca069b4021598552d66b666ff21f539fd

SHA512
92836057f0b6db53e8d2b6a6ecba88e3f44f02fce0af96443987b2e00edc8ae1559e0917f3ed2b4a948c373b9ed52efb463f6686ba9cc418e5ec70538c11291a

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\MWSOESTB.DLL

Filesize
44KB

MD5
1ff049d8548fb307b2d03bcf32c61da4

SHA1
d2339982febbcae674dee4f8b7727538e9a57edb

SHA256
e6f54a8ee2ef2891040443cb643e6d4535da86cb5311d6994d720627ef8b9238

SHA512
9a71b887daf0ab20105899f1bbcd8b2b8acbb7cdb6126e72594c6bfd650ddf493adeb9ee4635b849255af944759709f116bee5d0d5bad11353138fff5f88f2c7

Download Submit
\Program Files (x86)\MyWebSearch\bar\1.bin\NPMYWEBS.DLL

Filesize
24KB

MD5
4b85c597bb95d7e83d1872e52d4c3d7f

SHA1
7f94d4c4fd382fd9dcea691f6675bcbda4e67c17

SHA256
97278b6e7cb8f4406933021761690eb36a6122a0c78eb6366a9e8ce77b0a3151

SHA512
18c3f0c69e8e2a0f47f3a2195ecca73b7c840581e9968408a2b9261e3042d72917dc7d058d76a5cec055ff8faf03944375489bc518cb6e40b211837bda21beae

Download Submit