Malware Analysis Report

2025-06-16 06:59

Sample ID 241104-cabt8asrdp
Target 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118
SHA256 5628719cfb02376d02c02e23c61eb57e0052d95d306bc34b138778960f1443cc
Tags
adware discovery evasion stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5628719cfb02376d02c02e23c61eb57e0052d95d306bc34b138778960f1443cc

Threat Level: Known bad

The file 8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

adware discovery evasion stealer trojan

Windows security bypass

Deletes itself

Windows security modification

Installs/modifies Browser Helper Object

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Runs net.exe

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Modifies Control Panel

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 01:51

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 01:51

Reported

2024-11-04 03:56

Platform

win7-20240903-en

Max time kernel

122s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe"

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ieocx.dll C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\don't load C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\don't load\scui.cpl = "No" C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Control Panel\don't load\wscui.cpl = "No" C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c40000000002000000000010660000000100002000000032b02846ca3bc13b7aa58214298a8ce5b44aef81108a474b021a77f664aa510f000000000e8000000002000020000000c5eebe2ced05badf00a4563fc12daf2035135203f8a0b58939bd649811c383839000000039ffd1970d3eaf063446e84746c725a0a4578822ae9a3dad2a3eb5421cd2d120062f7adfae4a25689d8948e8a0e1de2e3fad37071d1a4cc7c6b97022af169701f9a89287fb6278f1c4e404b1a5714b5e03f3e397277eb8eea4f92a941fedf36f43e4820edcca01d1a7538fccf5d053bc0aab6b00a6bb34232ea049ef0343cceb15786bb7a8ff278e5f268747772bcc9540000000f1f288ceebc6ef115509936a7017aed80b3659d2fd158f790f28689f56998e901a965dc9c0912d7809ea8e3190116f572216e27ceb108b0c2bce728f325d4737 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{73D65151-9A60-11EF-AAF2-E67A421F41DB} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c4000000000200000000001066000000010000200000005f6d42e15555e1c87dee80ca3fcfbc13d4b06bf0be6afd850e17458e73bd94cf000000000e8000000002000020000000d56c5a850c730f981dd3dec6327d1256f3f837e89367f27a284706ab984de39420000000a7dd0a22aecd5db5f328a508eccc5a48001ca8a26d0202d235cb00d9b5d7c1b34000000009fa57c883c730081421725d1f7bc4928ef0e4798b67660031688218e8d8f92099a5f059b122c948b02a74a3a1842e7d78e99a9ad17c6efabe72fa435e61d456 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 700ae84c6d2edb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436854319" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\ = "IEocx Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0\win32\ = "C:\\Windows\\ieocx.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CLSID\ = "{06ec6572-7280-485a-a712-c380526bc048}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\ = "IEocx Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ = "IEocx Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32\ = "C:\\Windows\\ieocx.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\ = "DHCP 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\CLSID\ = "{06ec6572-7280-485a-a712-c380526bc048}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\TypeLib\ = "{b360243e-09e8-402f-8721-00b6798089ad}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\HELPDIR\ = "C:\\Windows" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CurVer\ = "IEocxApp.IEocx.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ProgID\ = "IEocxApp.IEocx.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\VersionIndependentProgID\ = "IEocxApp.IEocx" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B} C:\Windows\SysWOW64\regsvr32.exe N/A

Runs net.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1352 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1352 wrote to memory of 2884 N/A C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2884 wrote to memory of 2896 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1352 wrote to memory of 2520 N/A C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2520 wrote to memory of 2816 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1352 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\ieocx.dll

C:\Windows\SysWOW64\net.exe

C:\Windows\system32\net.exe stop "Security Center"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Security Center"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://tubeloyaln.com/videosz.php

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2520 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\asd.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 tubeloyaln.com udp
US 8.8.8.8:53 winpcdown99.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1352-1-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1352-0-0x0000000000401000-0x000000000040A000-memory.dmp

memory/1352-4-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1352-2-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1352-7-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1352-6-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Windows\ieocx.dll

MD5 34460c143c2ae3cf9b4ceb706f49f61d
SHA1 914a1f1fbc0780e82c83e6e6fb9abb6f39ded0e1
SHA256 c92442bc20934871d65309a987b610636d7f19621b297385b4ff0a3eb8333f2f
SHA512 632108e40b868bc785890d74053979c574f7f5d82be2dfad518edc778017f17f39e64d9828b82cbe00a5d140f6bea37ee79d7ca98b7c67a1f48f6724d2069dba

memory/1956-9-0x0000000010000000-0x000000001000A000-memory.dmp

memory/1956-12-0x0000000010000000-0x000000001000A000-memory.dmp

memory/1956-11-0x0000000010000000-0x0000000010002000-memory.dmp

memory/1956-10-0x00000000001F0000-0x00000000001F6000-memory.dmp

memory/1352-13-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1352-14-0x0000000000401000-0x000000000040A000-memory.dmp

memory/1352-19-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabBB83.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarBBE6.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\Roaming\asd.bat

MD5 45d14911e4f9937120fbac4fe41d4d7a
SHA1 29f8383371ab364534791374872e84550bbb1061
SHA256 2b7ac359a4c04c42ba8690b14a313830d7736b950dd34855e854e3d4c3fbaeef
SHA512 87fdc46d845eede03178d1dce29a59441c0bda47207dab0512f284e964a6dfcdd68741bdd0ae69b1a5e386b67fcd12ef3f8293ab9c5aeee2da72ba96004dbd68

memory/1352-457-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 235610f47afb44db69ff901a8d34dc40
SHA1 766e1c1ad85e3eda5ced39ff0b71521102cdc2d8
SHA256 07f23620d586090112ed5a281441374d9ff715b8fcdaacdafc171ec3e7840a91
SHA512 5337ffcddc621c57b56689dd72da3e596211c9230726e6a6342f2afdfee7df59c09556c7698adce15d3c1dfc94f4df6aaad10692d6e06b0ed3db8336ffbda185

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cb63fe885f703eb0feb57cf4c8b607e6
SHA1 9ab2247582706bd5886dd0dcb9f560208b68adbc
SHA256 a413af9350407f4ff70d20e17a37af3f034e2c2441298ec4cc370c15145d81c8
SHA512 f1518d727533bf2f98e42d930341eb1064b6a9bea3ce6c0592df69858a84b8bbfd15260464ad33493e3a64d7854a4f1f80eec65bb33ae268ba35f12c1fdd8cf2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ea65d27265de7b8f7866906341ee8a70
SHA1 60b3369cee35f976a7baa1d62ed2bdbb3f7471a2
SHA256 daab9783c616aec20f9ef276045f53060cc68991d315eed9f8e2284e203dc4f5
SHA512 739e74e63a8e2ab4ab9fef4d02231abe393c3a37a420ebe43238c3c465e1d5602f916bb4751eea3464321cbb9f52683bb3b126516cb642b6fe8ef83efacffa66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1527cf0274e1ef8f6f4b19462fc09263
SHA1 465cefac36f3c786f3761fc3791b69e5ae173fcd
SHA256 8bc08cb7863593cabcfa41ab4ceee9bec9b4d487b6e2236f234771c5d0e8b7e2
SHA512 0f109ddc5c0c44ec97065e88e59347090d2ef7714b0cbb3c86082c3b5f83ce4c2f6723e18ec7568d9cc9726a08956b246e070392b5a2ab6765366b9a305aba23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f2dc3bdf7c8cc2ccf10dd82363097cc2
SHA1 6a65da1c540e0b1cc41b79efff6730c9ce244207
SHA256 4a4c1755c87264fdea61e84acba076a5253ba0b54cfa76c90dfad97fe1dc0ebc
SHA512 7bd71a0539e3c26f3a8d4b6d65b72cdcfe3f128521f0935c94d736f19e64b7bde435a0efdc6168a67351a52582cbb91515cc2dab1a2679ae0c27513635455616

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a1af8b73ea0ade2f0e1b8352be120c86
SHA1 0ab325ba8d26da22823bc4796a73f9419a75e08a
SHA256 021f08274b1a69c83e2b5195ea6fc4b483f03ffa1f80e78e7484e20afbfd53c9
SHA512 a061374cd5635edaab057797d908be595c7c6ac5ac371630d5d120143133fbadc35102bd35da078eb0556481d24da2417201e61d5cd2a6d065d1d6165f73fec8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fdaf7f5b26c20887fbc66a32796e9868
SHA1 703cb4209f8e59e885bc972eabede886c6a7ff5b
SHA256 01ec34d3d95db1604b92d14c73c281e64b2a1b3d606ec11c9a844b92bf1c37dd
SHA512 60f0b04360af725853953c1bc9cb46fd17003509e989318a6e88c751494780e70ed93cf8e239a0c033e8e5451ced09b613f01cc3cdc1fbb04ed4a60d71ab7dff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c4b6ecbaff7bdd278599b3503db4048c
SHA1 7954f9ffd48bb1f671511eed91f953afb0b57c02
SHA256 2196f4e43c205754ba751a92971d5903d84f4cb6c509661fec5147da2c398817
SHA512 0aa8d49166237ea641b765ad0f6e73ae888a54e2b3f1ed518069561745e13bc6bc07b65a591bc41e03156f1a932223dbc474e7579b8e5864a336153156f4072e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e8cbaf2cb26da9e84c5f935cb532d37
SHA1 199b7771ff6c65bc478e301fd6dec451b493df65
SHA256 f2e5fe92b4e56ea1be215f4941ca5eda6f5e9deabbf3c037ba03eb90fa389885
SHA512 554b0261b26be59eba7198f41d41afa642250fd304d2e732842027315e0f55aa24594fd9a5fff466ab0e4507c0dd9620a0a3ecc982ba2eb632a385b46b0e55bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c55047d3d49b5b58f25adb06e4a7877
SHA1 4e58c24b2cd98feeeaa4899dc7b5bb8e87ddf79b
SHA256 5624397d9bb90b1293567efb51af40cecf09be5a21dbb60870b7f5924f9bc809
SHA512 8a4e90b65efd39c70d412a63078f6222d0587804c0b5a7a244708a841cad3f9d96e971e99fab4398bcd3f84f8ad72c3fef3cab0e3c402472684401cdf07d2a71

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 01:51

Reported

2024-11-04 04:06

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

159s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description  Indicator                                                    Process                                                                                Target
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe  N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8e8fd0b75b84ea8c55e48a35d34a4a8b_JaffaCakes118.exe"

Network

Country  Destination        Domain                       Proto
US       8.8.8.8:53         97.17.167.52.in-addr.arpa    udp
US       8.8.8.8:53         106.209.201.84.in-addr.arpa  udp
US       8.8.8.8:53         95.221.229.192.in-addr.arpa  udp
US       8.8.8.8:53         140.32.126.40.in-addr.arpa   udp
US       8.8.8.8:53         154.239.44.20.in-addr.arpa   udp
US       8.8.8.8:53         209.205.72.20.in-addr.arpa   udp
US       8.8.8.8:53         197.87.175.4.in-addr.arpa    udp
US       8.8.8.8:53         18.31.95.13.in-addr.arpa     udp
US       8.8.8.8:53         205.47.74.20.in-addr.arpa    udp
US       8.8.8.8:53         68.209.201.84.in-addr.arpa   udp
US       8.8.8.8:53         31.243.111.52.in-addr.arpa   udp
US       8.8.8.8:53         tse1.mm.bing.net             udp
US       150.171.28.10:443  tse1.mm.bing.net             tcp
US       150.171.28.10:443  tse1.mm.bing.net             tcp
US       150.171.28.10:443  tse1.mm.bing.net             tcp
US       150.171.28.10:443  tse1.mm.bing.net             tcp
US       150.171.28.10:443  tse1.mm.bing.net             tcp
US       8.8.8.8:53         10.28.171.150.in-addr.arpa   udp
US       8.8.8.8:53         25.73.42.20.in-addr.arpa     udp

Files

memory/3180-2-0x0000000000401000-0x000000000040A000-memory.dmp

memory/3180-3-0x0000000000400000-0x0000000000433000-memory.dmp

memory/3180-6-0x0000000000401000-0x000000000040A000-memory.dmp

memory/3180-4-0x0000000000400000-0x0000000000433000-memory.dmp