Analysis
max time kernel: 122s
max time network: 130s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04/11/2024, 01:51
Static task: static1
Behavioral task: behavioral1
  Sample: 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe
Size: 129KB
MD5: 8e8fd0b75b84ea8c55e48a35d34a4a8b
SHA1: 860f945831c31cd0dc2de8f51eda92fddf172b5b
SHA256: 5628719cfb02376d02c02e23c61eb57e0052d95d306bc34b138778960f1443cc
SHA512: 2c5f1ae627f580458f6a61de25fb3bee1b7692bc3a4c7598b5fcc4cfb5cb7ce89bb6e4e2efe9c2caf56d85679a409b6946a2a12e064d3d8e3a984159144b4c7c
SSDEEP: 3072:pKcpuHvsgW9KzKAcntvkVcXHLkiX/LYuIi9X3kuJ:pXgWkzKFtOcXLZXjYu7b
Malware Config
Signatures
Windows security bypass 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe
-
Deletes itself 1 IoCs
pid Process
1616 cmd.exe
-
Windows security modification 3 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe
-
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048} regsvr32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048}\NoExplorer = "1" regsvr32.exe
-
Drops file in Windows directory 1 IoCs
description ioc Process
File created C:\Windows\ieocx.dll 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
-
Modifies Control Panel 3 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\don't load 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\don't load\scui.cpl = "No" 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\don't load\wscui.cpl = "No" 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe
-
Modifies Internet Explorer settings 34 IoCs
description ioc Process
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value elided) iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{73D65151-9A60-11EF-AAF2-E67A421F41DB} = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000005f6d42e15555e1c87dee80ca3fcfbc13d4b06bf0be6afd850e17458e73bd94cf000000000e8000000002000020000000d56c5a850c730f981dd3dec6327d1256f3f837e89367f27a284706ab984de39420000000a7dd0a22aecd5db5f328a508eccc5a48001ca8a26d0202d235cb00d9b5d7c1b34000000009fa57c883c730081421725d1f7bc4928ef0e4798b67660031688218e8d8f92099a5f059b122c948b02a74a3a1842e7d78e99a9ad17c6efabe72fa435e61d456 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 700ae84c6d2edb01 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436854319" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe
-
Modifies registry class 60 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\ = "IEocx Class" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0\win32\ = "C:\\Windows\\ieocx.dll" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CLSID\ = "{06ec6572-7280-485a-a712-c380526bc048}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\Programmable regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\FLAGS regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CLSID regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\ = "IEocx Class" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ = "IEocx Class" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32\ = "C:\\Windows\\ieocx.dll" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CurVer regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\ = "DHCP 1.0 Type Library" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\CLSID\ = "{06ec6572-7280-485a-a712-c380526bc048}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048} regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0\win32 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\HELPDIR regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\TypeLib\ = "{b360243e-09e8-402f-8721-00b6798089ad}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\FLAGS\ = "0" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\HELPDIR\ = "C:\\Windows" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\CLSID regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\VersionIndependentProgID regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CurVer\ = "IEocxApp.IEocx.1" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ProgID regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ProgID\ = "IEocxApp.IEocx.1" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\VersionIndependentProgID\ = "IEocxApp.IEocx" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\TypeLib regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32 regsvr32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B} regsvr32.exe
-
Runs net.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
2520 iexplore.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process
2520 iexplore.exe
2520 iexplore.exe
2816 IEXPLORE.EXE
2816 IEXPLORE.EXE
2816 IEXPLORE.EXE
2816 IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 27 IoCs
description pid Process procid_target
PID 1352 wrote to memory of 1956 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 30
PID 1352 wrote to memory of 1956 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 30
PID 1352 wrote to memory of 1956 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 30
PID 1352 wrote to memory of 1956 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 30
PID 1352 wrote to memory of 1956 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 30
PID 1352 wrote to memory of 1956 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 30
PID 1352 wrote to memory of 1956 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 30
PID 1352 wrote to memory of 2884 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 31
PID 1352 wrote to memory of 2884 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 31
PID 1352 wrote to memory of 2884 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 31
PID 1352 wrote to memory of 2884 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 31
PID 2884 wrote to memory of 2896 2884 net.exe 33
PID 2884 wrote to memory of 2896 2884 net.exe 33
PID 2884 wrote to memory of 2896 2884 net.exe 33
PID 2884 wrote to memory of 2896 2884 net.exe 33
PID 1352 wrote to memory of 2520 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 34
PID 1352 wrote to memory of 2520 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 34
PID 1352 wrote to memory of 2520 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 34
PID 1352 wrote to memory of 2520 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 34
PID 2520 wrote to memory of 2816 2520 iexplore.exe 35
PID 2520 wrote to memory of 2816 2520 iexplore.exe 35
PID 2520 wrote to memory of 2816 2520 iexplore.exe 35
PID 2520 wrote to memory of 2816 2520 iexplore.exe 35
PID 1352 wrote to memory of 1616 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 37
PID 1352 wrote to memory of 1616 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 37
PID 1352 wrote to memory of 1616 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 37
PID 1352 wrote to memory of 1616 1352 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe 37
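In this report every writer/target pair in the rows above is a parent and the child it has just spawned (compare the Processes section that follows), so the repeated rows for one pair fold into a single edge of the process tree. The following is an added example written for this page, not sandbox code: it parses rows in the format printed above, counts how many times each parent wrote into each child, and renders the tree. The row text is transcribed from this report; the function names are this script's own.

```python
"""Rebuild the process tree from 'PID A wrote to memory of B' rows.
Added example for this page; the parser is not the sandbox's."""
import re
from collections import Counter, defaultdict

SAMPLE = "8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe"
# "PID <writer> wrote to memory of <target> <writer> <writer image> <target procid>"
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")

# Constructed sample: the report's 27 rows, repeats included, one per line.
ROWS = "\n".join(
    [f"PID 1352 wrote to memory of 1956 1352 {SAMPLE} 30"] * 7
    + [f"PID 1352 wrote to memory of 2884 1352 {SAMPLE} 31"] * 4
    + ["PID 2884 wrote to memory of 2896 2884 net.exe 33"] * 4
    + [f"PID 1352 wrote to memory of 2520 1352 {SAMPLE} 34"] * 4
    + ["PID 2520 wrote to memory of 2816 2520 iexplore.exe 35"] * 4
    + [f"PID 1352 wrote to memory of 1616 1352 {SAMPLE} 37"] * 4
)


def parse_rows(text):
    """Return (edges, names). edges counts rows per (writer, target) pair;
    names maps a writer PID to its image. A target is only ever named if it
    later writes into a child of its own, which is why leaves stay unnamed."""
    edges, names = Counter(), {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a WriteProcessMemory row
        writer, target, image, _procid = m.groups()
        edges[(int(writer), int(target))] += 1
        names[int(writer)] = image
    return edges, names


def build_tree(edges):
    """Children per parent in first-seen order; roots are writers never written to."""
    children = defaultdict(list)
    for parent, child in edges:  # Counter keeps insertion order
        children[parent].append(child)
    written_to = {child for _, child in edges}
    roots = [p for p in children if p not in written_to]
    return children, roots


def render(edges, names):
    """Indented text tree, one line per process, with the write count per edge."""
    children, roots = build_tree(edges)
    lines = []

    def walk(pid, depth, writes):
        tag = f" ({writes} writes from parent)" if writes else ""
        lines.append("  " * depth + f"{pid} {names.get(pid, '?')}{tag}")
        for child in children.get(pid, []):
            walk(child, depth + 1, edges[(pid, child)])

    for root in roots:
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    e, n = parse_rows(ROWS)
    print("\n".join(render(e, n)))
```

The 27 rows reduce to six edges under one root (PID 1352). PIDs 1956, 2896, 2816 and 1616 come out as `?` because nothing in this signature names a process that never writes to a child; the Processes section supplies those images (regsvr32.exe, net1.exe, IEXPLORE.EXE, cmd.exe).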
Processes
Image: C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe"
  - Windows security bypass
  - Windows security modification
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of WriteProcessMemory
  PID: 1352
    Image: C:\Windows\SysWOW64\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe /s C:\Windows\ieocx.dll
      - Installs/modifies Browser Helper Object
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      PID: 1956
    Image: C:\Windows\SysWOW64\net.exe
      Command line: C:\Windows\system32\net.exe stop "Security Center"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2884
        Image: C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Security Center"
          - System Location Discovery: System Language Discovery
          PID: 2896
    Image: C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://tubeloyaln.com/videosz.php
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2520
        Image: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2520 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
          PID: 2816
    Image: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\asd.bat" "
      - Deletes itself
      - System Location Discovery: System Language Discovery
      PID: 1616
Note: the sample and everything it spawns run as 32-bit processes under WOW64 on this x64 image. The command lines name System32, but the images actually executed are in SysWOW64, and the machine-wide registry writes land under Wow6432Node; host checks written for the 64-bit view of the registry will miss them.
-
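The signature rows and the process tree describe one chain: the sample sets the three DisableNotify values under Security Center, hides wscui.cpl and scui.cpl from Control Panel through the "don't load" key, drops ieocx.dll into C:\Windows, has regsvr32 register it as a Browser Helper Object (with NoExplorer = 1, so Internet Explorer loads it but the Explorer shell does not), stops the Security Center service through net.exe, launches Internet Explorer against the listed URL, and finally removes itself through asd.bat. The following added example, written for this page and not the sandbox's own signature engine, expresses those behaviours as detection rules over a small event model and runs them on events transcribed from this report. The Event shape, the rule codes and the heuristics (for instance flagging a .bat run from AppData\Roaming) are this script's assumptions.

```python
"""Offline triage of sandbox registry/file/process events for the chain in
this report. Added example for this page; not the sandbox's signature code."""
import re
from dataclasses import dataclass

SAMPLE = "8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe"
CLSID = "{06ec6572-7280-485a-a712-c380526bc048}"
USER = r"\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000"
WSC = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center"
BHO_BASE = r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects"
CLSID_BASE = r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID"

# Value names under ...\Security Center that, set to "1", silence the firewall,
# antivirus and Windows Update warnings (Windows 7 era Security Center).
NOTIFY_SUPPRESSORS = {"firewalldisablenotify", "antivirusdisablenotify", "updatesdisablenotify"}
# Applets hidden via HKCU\Control Panel\don't load; wscui.cpl is the Security/Action Center UI.
SECURITY_CPLS = {"wscui.cpl", "scui.cpl"}
CLSID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
NET_STOP_WSC = re.compile(r"\bnet1?(\.exe)?\b.*\bstop\b.*security center")
DLL_IN_WINDOWS_ROOT = re.compile(r"c:\\windows\\[^\\]+\.dll")


@dataclass(frozen=True)
class Event:
    kind: str     # "Set value (str)", "Key created", "File created", "Process created"
    target: str   # registry path, file path, or command line
    value: str    # value data for "Set value" events, "" otherwise
    process: str  # image name of the acting process


@dataclass(frozen=True)
class Finding:
    code: str
    detail: str
    process: str


def _name(path):
    """Last component of a registry path, lower-cased (a trailing '\\' marks the default value)."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def resolve_inproc_server(events, clsid):
    """CLSID -> DLL path, taken from the InprocServer32 default value the COM registration wrote."""
    for e in events:
        if e.kind.startswith("Set value") and clsid.lower() in e.target.lower() \
                and _name(e.target) == "inprocserver32":
            return e.value
    return None


def bho_is_ie_only(events, clsid):
    """NoExplorer = 1 under the BHO key: Internet Explorer loads it, the Explorer shell does not."""
    return any(e.kind.startswith("Set value") and clsid.lower() in e.target.lower()
               and _name(e.target) == "noexplorer" and e.value == "1" for e in events)


def analyze(events):
    findings = []
    for e in events:
        low = e.target.lower()
        if e.kind.startswith("Set value"):
            if "\\security center\\" in low and _name(low) in NOTIFY_SUPPRESSORS and e.value == "1":
                findings.append(Finding("SECURITY_CENTER_NOTIFY_OFF", _name(low), e.process))
            elif "\\control panel\\don't load\\" in low and _name(low) in SECURITY_CPLS \
                    and e.value.lower() == "no":
                findings.append(Finding("SECURITY_CPL_HIDDEN", _name(low), e.process))
        elif e.kind == "Key created" and "\\browser helper objects\\{" in low:
            m = CLSID_RE.search(e.target)
            clsid = m.group(0) if m else "{?}"
            dll = resolve_inproc_server(events, clsid) or "<unresolved>"
            note = " [NoExplorer=1: IE only]" if bho_is_ie_only(events, clsid) else ""
            findings.append(Finding("BHO_REGISTERED", f"{clsid} -> {dll}{note}", e.process))
        elif e.kind == "File created" and DLL_IN_WINDOWS_ROOT.fullmatch(low):
            findings.append(Finding("DLL_IN_WINDOWS_ROOT", e.target, e.process))
        elif e.kind == "Process created":
            if NET_STOP_WSC.search(low):
                findings.append(Finding("SECURITY_CENTER_STOPPED", e.target, e.process))
            elif low.startswith("cmd") and "\\appdata\\roaming\\" in low and ".bat" in low:
                findings.append(Finding("BATCH_FROM_ROAMING", e.target, e.process))  # heuristic
    return findings


# Constructed sample, transcribed from this report's signature rows and process tree.
EVENTS = [
    Event("Set value (str)", WSC + r"\FirewallDisableNotify", "1", SAMPLE),
    Event("Set value (str)", WSC + r"\AntiVirusDisableNotify", "1", SAMPLE),
    Event("Set value (str)", WSC + r"\UpdatesDisableNotify", "1", SAMPLE),
    Event("Set value (str)", USER + r"\Control Panel\don't load\scui.cpl", "No", SAMPLE),
    Event("Set value (str)", USER + r"\Control Panel\don't load\wscui.cpl", "No", SAMPLE),
    Event("File created", r"C:\Windows\ieocx.dll", "", SAMPLE),
    Event("Process created", r"C:\Windows\system32\regsvr32.exe /s C:\Windows\ieocx.dll", "", SAMPLE),
    Event("Key created", BHO_BASE + "\\" + CLSID, "", "regsvr32.exe"),
    Event("Set value (int)", BHO_BASE + "\\" + CLSID + r"\NoExplorer", "1", "regsvr32.exe"),
    Event("Set value (str)", CLSID_BASE + "\\" + CLSID + "\\InprocServer32\\", r"C:\Windows\ieocx.dll", "regsvr32.exe"),
    Event("Process created", r'C:\Windows\system32\net.exe stop "Security Center"', "", SAMPLE),
    Event("Process created", r'cmd /c ""C:\Users\Admin\AppData\Roaming\asd.bat" "', "", SAMPLE),
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f.code:28} {f.process:20} {f.detail}")
```

Run on the transcribed events this yields nine findings: three notification suppressions, two hidden applets, the DLL dropped into the Windows root, the BHO resolved through its CLSID to C:\Windows\ieocx.dll, the net stop, and the batch file. The BHO rule deliberately joins two rows that different processes wrote (the sample created the file, regsvr32.exe registered it); a rule that looks at either row alone cannot tell a benign toolbar from this chain.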
Network
MITRE ATT&CK Enterprise v15
Downloads
The 342-byte CryptnetUrlCache\MetaData entries below are CryptoAPI's cache of certificate revocation and chain-building lookups, written as a side effect of the Internet Explorer launch; treat them as browser artefacts rather than payloads dropped by the sample.
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 7b308d3fc25314cb553ee0f89bbecff8
SHA1: 3f635ad36cf0cc7ceb38f3de15e1f7c3f70f5393
SHA256: aa65af7cd94706be0a467d96a61b4187bc95fdf8a2ae9013b261e639f15feb22
SHA512: 4b0292e4a53685592b0da681f65760f7ac9533d41e01fb70804ff55e72416c5c1ba6003f33a70082b8690f530adc60220d0a5c20d4cf2e1c69ee0c6c2dc3e0f4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 51c45840470a143bb6aa86402196ef90
SHA1: 00dcfbee566ac3b8444baf77f984cf1e5f4df401
SHA256: 9aac75a74955f2b0b83af4f90213ecb6b87f07452526cfc662ecf70b8285635c
SHA512: 289462f9c07f0f0a78602e3c354be39a2e6b419bba8fdea5da75535e170743cd76f55c32185ad6042ee3acaffe177eb1dc5ed6a3d3192c39406c434cc0cb25e1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 8e3f4377431420ddfa1ffec037544792
SHA1: 280e30e95c459b7658bf2ae6aa6baee74cacd46b
SHA256: 4568d939294c29729cb9f64aea1dac00a6625c7f8d2cc5b08cc5fe4ae1e44ae8
SHA512: af4e17d2c8f47c7fa6c1d87e3045a6ee7f649714805486695c040fa4eed8ba282fced4e22c369fea7543f17c5dbd80a92e88691a5a9817031301619c2fd015b9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 5a6cbba6f752d8fa51e849252a86c3d3
SHA1: a3de68bd2240dde0090d3c5dd09ee17eac7611d6
SHA256: 61796d0dfa6d4bf88e6ae3dde84692c7d1a7d301885fd6d741c5ae1117a6b07f
SHA512: 162037ed4a4ecfcb18a257c86e54ee26e2863bb74a90d0bc1bb9b55aac894d95b0e1e01bec0e11a48f16f665d3f80494527228f5ab83d6c81d4cf9b2d6389735
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c464ae3b3aa0b1640b3c97f6b22f181c
SHA1: 75993dda1dfe972c2c686afdeaec11553309ce50
SHA256: b11fb653e51d846429d0653e63e845abef0932420f9a8e19aa8145f0bd166f2e
SHA512: 2494edc3a7c6b6306fb8f5661e171d1b56efc43158678eac6096575afe82e94e033a2c50117a621edd28236a87eb711cc9442593c4a70edc476ec521081185c7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 4f39619ba246e8545f77940a2ffd7860
SHA1: ad418ac6b4ee0d171c7724d8cf7090e9f79a2a97
SHA256: 249e8ff519f0fea1d5f08f01f98d1fc255afc4dee5b9bdf5d118fe0be3f42955
SHA512: cac63b8fca562bd21ccccc3cfeb9a3c1689341d5a72ef28f3cd21bb3b693ba2a32d46e4f9646579840dcff492198b54eaa1d9fcf271ec7fdd40e6e99a73a3e9c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f446891cdf197b59d574e9cf78ad3eaa
SHA1: 6be4b47c4056439ffc7bd4f1490c3ccb61141353
SHA256: 3f9dd27938c699eec90c80871550caee3e029f1a3708795854b686a2524c25b3
SHA512: a1b17f706204fa1c22f4d5cb184b0f0571dc4aba1b6eb00be0abcb6bd59f2b67b049b1e0578d836933e8bc33253507cc940c34f89049f6d35bb58cce5b96f4eb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 235610f47afb44db69ff901a8d34dc40
SHA1: 766e1c1ad85e3eda5ced39ff0b71521102cdc2d8
SHA256: 07f23620d586090112ed5a281441374d9ff715b8fcdaacdafc171ec3e7840a91
SHA512: 5337ffcddc621c57b56689dd72da3e596211c9230726e6a6342f2afdfee7df59c09556c7698adce15d3c1dfc94f4df6aaad10692d6e06b0ed3db8336ffbda185
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: cb63fe885f703eb0feb57cf4c8b607e6
SHA1: 9ab2247582706bd5886dd0dcb9f560208b68adbc
SHA256: a413af9350407f4ff70d20e17a37af3f034e2c2441298ec4cc370c15145d81c8
SHA512: f1518d727533bf2f98e42d930341eb1064b6a9bea3ce6c0592df69858a84b8bbfd15260464ad33493e3a64d7854a4f1f80eec65bb33ae268ba35f12c1fdd8cf2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: afb5e18500e58ab06d1730b6703ebbf6
SHA1: 57cee9adafd9cf913a2ef8df2e83e0f25900baa1
SHA256: bc8992a6d6e1d7f4a4564c3acb3a73b39051fbf84e0152580ab791ac3cb37513
SHA512: a20051d45121a25ee430fc1551f475326a1ee06fc57313562d05a688d970ae05839165b0cede9a30391088732c76d5c75e428dd173ae41362c70d92bfb7b66a2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: ea65d27265de7b8f7866906341ee8a70
SHA1: 60b3369cee35f976a7baa1d62ed2bdbb3f7471a2
SHA256: daab9783c616aec20f9ef276045f53060cc68991d315eed9f8e2284e203dc4f5
SHA512: 739e74e63a8e2ab4ab9fef4d02231abe393c3a37a420ebe43238c3c465e1d5602f916bb4751eea3464321cbb9f52683bb3b126516cb642b6fe8ef83efacffa66
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 1527cf0274e1ef8f6f4b19462fc09263
SHA1: 465cefac36f3c786f3761fc3791b69e5ae173fcd
SHA256: 8bc08cb7863593cabcfa41ab4ceee9bec9b4d487b6e2236f234771c5d0e8b7e2
SHA512: 0f109ddc5c0c44ec97065e88e59347090d2ef7714b0cbb3c86082c3b5f83ce4c2f6723e18ec7568d9cc9726a08956b246e070392b5a2ab6765366b9a305aba23
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: f2dc3bdf7c8cc2ccf10dd82363097cc2
SHA1: 6a65da1c540e0b1cc41b79efff6730c9ce244207
SHA256: 4a4c1755c87264fdea61e84acba076a5253ba0b54cfa76c90dfad97fe1dc0ebc
SHA512: 7bd71a0539e3c26f3a8d4b6d65b72cdcfe3f128521f0935c94d736f19e64b7bde435a0efdc6168a67351a52582cbb91515cc2dab1a2679ae0c27513635455616
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a1af8b73ea0ade2f0e1b8352be120c86
SHA1: 0ab325ba8d26da22823bc4796a73f9419a75e08a
SHA256: 021f08274b1a69c83e2b5195ea6fc4b483f03ffa1f80e78e7484e20afbfd53c9
SHA512: a061374cd5635edaab057797d908be595c7c6ac5ac371630d5d120143133fbadc35102bd35da078eb0556481d24da2417201e61d5cd2a6d065d1d6165f73fec8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: fdaf7f5b26c20887fbc66a32796e9868
SHA1: 703cb4209f8e59e885bc972eabede886c6a7ff5b
SHA256: 01ec34d3d95db1604b92d14c73c281e64b2a1b3d606ec11c9a844b92bf1c37dd
SHA512: 60f0b04360af725853953c1bc9cb46fd17003509e989318a6e88c751494780e70ed93cf8e239a0c033e8e5451ced09b613f01cc3cdc1fbb04ed4a60d71ab7dff
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: c4b6ecbaff7bdd278599b3503db4048c
SHA1: 7954f9ffd48bb1f671511eed91f953afb0b57c02
SHA256: 2196f4e43c205754ba751a92971d5903d84f4cb6c509661fec5147da2c398817
SHA512: 0aa8d49166237ea641b765ad0f6e73ae888a54e2b3f1ed518069561745e13bc6bc07b65a591bc41e03156f1a932223dbc474e7579b8e5864a336153156f4072e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Met аData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 8e8cbaf2cb26da9e84c5f935cb532d37
SHA1: 199b7771ff6c65bc478e301fd6dec451b493df65
SHA256: f2e5fe92b4e56ea1be215f4941ca5eda6f5e9deabbf3c037ba03eb90fa389885
SHA512: 554b0261b26be59eba7198f41d41afa642250fd304d2e732842027315e0f55aa24594fd9a5fff466ab0e4507c0dd9620a0a3ecc982ba2eb632a385b46b0e55bf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6c55047d3d49b5b58f25adb06e4a7877
SHA1: 4e58c24b2cd98feeeaa4899dc7b5bb8e87ddf79b
SHA256: 5624397d9bb90b1293567efb51af40cecf09be5a21dbb60870b7f5924f9bc809
SHA512: 8a4e90b65efd39c70d412a63078f6222d0587804c0b5a7a244708a841cad3f9d96e971e99fab4398bcd3f84f8ad72c3fef3cab0e3c402472684401cdf07d2a71
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 5daf24cd94e579158df78bce7a729d0b
SHA1: d7779697e2cd5885502e7f54707e0b19c34662da
SHA256: 85dcd0d4e7b2fa7124c45fa5cb213ca4893fc04c44f3a7377fbca1d27cffcef3
SHA512: 640ea70356ff493c654919d98d068dfe7ffa0159bf62fba0c002ff1c9473fbc2b3ebfe5ecce1b8fbdded2f982d6b15040dae31155e25fa587848635bddc16a2d
-
Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize: 256B
MD5: 45d14911e4f9937120fbac4fe41d4d7a
SHA1: 29f8383371ab364534791374872e84550bbb1061
SHA256: 2b7ac359a4c04c42ba8690b14a313830d7736b950dd34855e854e3d4c3fbaeef
SHA512: 87fdc46d845eede03178d1dce29a59441c0bda47207dab0512f284e964a6dfcdd68741bdd0ae69b1a5e386b67fcd12ef3f8293ab9c5aeee2da72ba96004dbd68
-
Filesize: 26KB
MD5: 34460c143c2ae3cf9b4ceb706f49f61d
SHA1: 914a1f1fbc0780e82c83e6e6fb9abb6f39ded0e1
SHA256: c92442bc20934871d65309a987b610636d7f19621b297385b4ff0a3eb8333f2f
SHA512: 632108e40b868bc785890d74053979c574f7f5d82be2dfad518edc778017f17f39e64d9828b82cbe00a5d140f6bea37ee79d7ca98b7c67a1f48f6724d2069dba