Analysis
- max time kernel: 138s
- max time network: 136s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 04/11/2024, 03:23

Static task: static1
Behavioral task: behavioral1
- Sample: 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
- Resource: win10v2004-20241007-en

General
- Target: 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
- Size: 104KB
- MD5: 8ee6e82fed809c3c9184d4e3158b8739
- SHA1: 3db007f2562986a91d6b22681e566a1bcac183ad
- SHA256: e467e9373c00d6f435f341f8bbfedb433ed284f2df5a91d97a23b5e4706ad045
- SHA512: e51acc1a6b436d93ecb9b42e137041e78cd84219eea137e7b39e828ec257848046586ecdbe9f8838eff601ca064174584af19fdebb7adb961d49e00c43ed68da
- SSDEEP: 1536:f2bVqZG54ncao6aTiqXMiLsGUJQzA1oYTaxwAHMIAy5vTw9VcdTX3kuf:+hqZ42ro6KixmUJPoYeLMIi9i9X3kuf
Malware Config
Signatures
Each IoC line below reads: <description> <ioc> <process>.

Windows security bypass 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe

Deletes itself 1 IoCs
- PID 2668 cmd.exe

Windows security modification 3 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048}\NoExplorer = "1" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048} regsvr32.exe

Drops file in Windows directory 1 IoCs
- File created C:\Windows\ieocx.dll 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe
Modifies Control Panel 3 IoCs
Entries under Control Panel\don't load hide the named applets from Control Panel; wscui.cpl is the Windows Security Center applet and scui.cpl its Windows XP predecessor, so together with the Security Center writes above and the net stop "Security Center" command in the process tree this removes the user's view of the disabled protections.
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\don't load 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\don't load\scui.cpl = "No" 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\don't load\wscui.cpl = "No" 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
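The Security Center flags, the Control Panel "don't load" entries and the BHO registration are all registry writes in the same line format, so one small parser covers all three. The code below is an added example, not part of the Triage report or of the sample: it parses IoC lines as the tables print them, flags the Security Center notification suppression and the hidden applets, and resolves the registered BHO CLSID to its DLL through the CLSID's InprocServer32 default value (recorded under "Modifies registry class"). The report's own lines are embedded as input; the benign "0" line and the second CLSID with a DLL under Program Files are constructed for contrast and marked as such. Note that every key here sits under Wow6432Node because the sample and the regsvr32.exe it launches are 32-bit processes (SysWOW64) on the x64 guest; a check that reads only the 64-bit registry view would miss them.

```python
"""Added example (not part of the Triage report): detection checks over the
registry IoC lines printed in the Signatures tables.

Each line has the shape   <op> <registry path> [= <value>] <process>
The checks mirror this sample: suppress Security Center notifications, hide
Security Center applets from Control Panel, and register a Browser Helper
Object whose DLL is resolved through the CLSID's InprocServer32 key.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IOC_RE = re.compile(
    r"^(?P<op>Set value \((?:str|int|data)\)|Key created|Key opened)\s+"
    r"(?P<path>\\REGISTRY\\.+?)"                      # path; may contain spaces
    r"(?:\s=\s(?P<value>\"[^\"]*\"|[0-9a-fA-F]+))?"   # optional quoted or hex value
    r"\s+(?P<process>\S+)$"
)
SC_NOTIFY = {"AntiVirusDisableNotify", "UpdatesDisableNotify", "FirewallDisableNotify"}
BHO_ROOT = r"\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{"
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass(frozen=True)
class RegEvent:
    op: str
    path: str
    value: Optional[str]
    process: str


def parse_line(line: str) -> Optional[RegEvent]:
    """Parse one IoC line; None for lines that are not registry events."""
    m = IOC_RE.match(line.strip())
    if m is None:
        return None
    value = m.group("value")
    if value is not None and value.startswith('"'):
        # Unquote and collapse the doubled backslashes the report prints in string values.
        value = value[1:-1].replace("\\\\", "\\")
    return RegEvent(m.group("op"), m.group("path"), value, m.group("process"))


def parse_lines(lines) -> List[RegEvent]:
    return [ev for ev in map(parse_line, lines) if ev is not None]


def find_security_center_tampering(events) -> List[Tuple[str, str, str]]:
    """(rule, process, value name) for notification suppression and hidden applets."""
    hits = []
    for ev in events:
        key, _, name = ev.path.rpartition("\\")
        if key.endswith(r"\Microsoft\Security Center") and name in SC_NOTIFY and ev.value == "1":
            hits.append(("security_center_notify_disabled", ev.process, name))
        elif key.endswith(r"\Control Panel\don't load") and ev.value == "No":
            hits.append(("control_panel_applet_hidden", ev.process, name))
    return hits


def find_bho_registrations(events) -> List[Tuple[str, str, Optional[str], bool]]:
    """(clsid, registering process, DLL path or None, DLL outside Program Files?)."""
    registered: Dict[str, str] = {}   # CLSID -> process that wrote the BHO key
    inproc: Dict[str, str] = {}       # CLSID -> InprocServer32 default value (DLL path)
    for ev in events:
        cm = CLSID_RE.search(ev.path)
        if cm is None:
            continue
        clsid = cm.group(0).lower()
        if BHO_ROOT in ev.path:
            registered.setdefault(clsid, ev.process)
        elif ev.path.rstrip("\\").endswith("\\InprocServer32") and ev.value:
            inproc[clsid] = ev.value
    out = []
    for clsid, proc in registered.items():
        dll = inproc.get(clsid)
        outside = dll is not None and not dll.lower().startswith("c:\\program files")
        out.append((clsid, proc, dll, outside))
    return out


# Lines copied from this report's Signatures tables, one event per line.
REPORT_LINES = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\don't load 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\don't load\scui.cpl = "No" 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\don't load\wscui.cpl = "No" 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048} regsvr32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048}\NoExplorer = "1" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32\ = "C:\\Windows\\ieocx.dll" regsvr32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe
""".strip().splitlines()

# CONSTRUCTED lines (not from the report) showing what does not fire: a flag set back to
# "0", and a hypothetical vendor BHO whose DLL lives under Program Files. The CLSID,
# process name and DLL path are made up for illustration.
CONSTRUCTED_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify = "0" example.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555} regsvr32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\ = "C:\\Program Files (x86)\\ExampleVendor\\helper.dll" regsvr32.exe',
]

SAMPLE_EVENTS = parse_lines(REPORT_LINES + CONSTRUCTED_LINES)

if __name__ == "__main__":
    for hit in find_security_center_tampering(SAMPLE_EVENTS):
        print("SECURITY CENTER:", *hit)
    for clsid, proc, dll, outside in find_bho_registrations(SAMPLE_EVENTS):
        print(f"BHO {clsid} registered by {proc}: {dll}", "(outside Program Files)" if outside else "")
```

Run as a script it prints five Security Center findings and two BHO registrations, of which only {06ec6572-7280-485a-a712-c380526bc048} resolves to a DLL outside Program Files (C:\Windows\ieocx.dll, the file this sample dropped). The NoExplorer = "1" value on the BHO key keeps the object out of Windows Explorer so it loads only in Internet Explorer; on this guest that is the 32-bit C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE tab process shown in the process tree, which is exactly where a Wow6432Node registration applies.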
Modifies Internet Explorer settings 34 IoCs
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6092b4c9742edb01 iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EF851CD1-9A67-11EF-98B1-E20EBDDD16B9} = "0" iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000002784c39b53c8016eb03ca9dc52246b24403050675bd5ac44f5a4e8079ac6b23000000000e800000000200002000000051fb8dc6751cdd7830d1ad4c937a6ef8990bde5a1253f6a49bef7209a56940e420000000e2b0c37d1e98b034c9a5f289b3af51cb32e771e7dec2fdbc9f9d8fa0a552cb7440000000aa1d383e06cc919390c294cf9b998835d481cf1f2c9ff3f0e158719bdae1e747f87d91b13691af2242b6d0f2597fa5123f6f09321d3d5ba347d4f28194185a92 iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
- Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = <value not preserved> iexplore.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436857535" iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe
- Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
Modifies registry class 60 IoCs
These are the COM self-registration entries written by regsvr32.exe /s C:\Windows\ieocx.dll (the DLL's DllRegisterServer): the CLSID {06ec6572-7280-485a-a712-c380526bc048} with InprocServer32 pointing at C:\Windows\ieocx.dll, the ProgIDs IEocxApp.IEocx and IEocxApp.IEocx.1, the interfaces IBhoApp and _IBhoAppEvents, and the type library {B360243E-09E8-402F-8721-00B6798089AD}.
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD} regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CurVer regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ProgID regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32\ = "C:\\Windows\\ieocx.dll" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\TypeLib\ = "{b360243e-09e8-402f-8721-00b6798089ad}" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\TypeLib regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\FLAGS\ = "0" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ProgID\ = "IEocxApp.IEocx.1" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\VersionIndependentProgID\ = "IEocxApp.IEocx" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0\win32\ = "C:\\Windows\\ieocx.dll" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\FLAGS regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B} regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\ = "DHCP 1.0 Type Library" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\ = "IEocx Class" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32 regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0 regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0\win32 regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\Programmable regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0 regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\HELPDIR regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\ = "IEocx Class" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CLSID regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CLSID\ = "{06ec6572-7280-485a-a712-c380526bc048}" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048} regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ = "IEocx Class" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32 regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CurVer\ = "IEocxApp.IEocx.1" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B} regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32 regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\VersionIndependentProgID regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}" regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1 regsvr32.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\CLSID regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\CLSID\ = "{06ec6572-7280-485a-a712-c380526bc048}" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\HELPDIR\ = "C:\\Windows" regsvr32.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" regsvr32.exe
Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs
- PID 2748 iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs
- PID 2748 iexplore.exe
- PID 2748 iexplore.exe
- PID 2628 IEXPLORE.EXE
- PID 2628 IEXPLORE.EXE
- PID 2628 IEXPLORE.EXE
- PID 2628 IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs
Each line reads: PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>.
- PID 2304 wrote to memory of 2556 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 31
- PID 2304 wrote to memory of 2556 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 31
- PID 2304 wrote to memory of 2556 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 31
- PID 2304 wrote to memory of 2556 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 31
- PID 2304 wrote to memory of 2556 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 31
- PID 2304 wrote to memory of 2556 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 31
- PID 2304 wrote to memory of 2556 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 31
- PID 2304 wrote to memory of 2388 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 32
- PID 2304 wrote to memory of 2388 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 32
- PID 2304 wrote to memory of 2388 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 32
- PID 2304 wrote to memory of 2388 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 32
- PID 2388 wrote to memory of 868 2388 net.exe 34
- PID 2388 wrote to memory of 868 2388 net.exe 34
- PID 2388 wrote to memory of 868 2388 net.exe 34
- PID 2388 wrote to memory of 868 2388 net.exe 34
- PID 2304 wrote to memory of 2748 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 35
- PID 2304 wrote to memory of 2748 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 35
- PID 2304 wrote to memory of 2748 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 35
- PID 2304 wrote to memory of 2748 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 35
- PID 2748 wrote to memory of 2628 2748 iexplore.exe 36
- PID 2748 wrote to memory of 2628 2748 iexplore.exe 36
- PID 2748 wrote to memory of 2628 2748 iexplore.exe 36
- PID 2748 wrote to memory of 2628 2748 iexplore.exe 36
- PID 2304 wrote to memory of 2668 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 38
- PID 2304 wrote to memory of 2668 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 38
- PID 2304 wrote to memory of 2668 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 38
- PID 2304 wrote to memory of 2668 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 38
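The 27 WriteProcessMemory events are worth reading against the process tree in the Processes section before treating them as injection: every target PID is a direct child of the writer, which is the normal pattern of a parent writing into a process it has just created, not a write into an unrelated process. The following is an added example, not from the report or the sample: it parses the IoC lines in the format printed above (tolerating the run-on form an extractor produces), counts the distinct writer-to-target edges, and labels each edge parent-to-child or cross-process using the parent/child relationships transcribed from the Processes section. One constructed line targeting PID 1234, a process the sample never spawned, shows how a genuine cross-process write would stand out.

```python
"""Added example (not from the report): are the "Suspicious use of
WriteProcessMemory" events plain parent-to-child writes made while creating a
process, or writes into a process the writer did not spawn?

Each IoC line has the shape printed in the report:
    PID <writer> wrote to memory of <target> <writer> <writer image> <procid_target>
Parent/child relationships below are transcribed from the Processes section.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

WPM_RE = re.compile(r"PID\s+(\d+)\s+wrote to memory of\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)")

# child PID -> parent PID for every process in the Processes section (2304 is the root)
PARENT_OF: Dict[int, int] = {2556: 2304, 2388: 2304, 868: 2388, 2748: 2304, 2628: 2748, 2668: 2304}
IMAGE_OF: Dict[int, str] = {
    2304: "8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe", 2556: "regsvr32.exe", 2388: "net.exe",
    868: "net1.exe", 2748: "iexplore.exe", 2628: "IEXPLORE.EXE", 2668: "cmd.exe",
}


def parse_writes(text: str) -> Counter:
    """Count (writer_pid, target_pid, writer_image, procid_target) tuples in the IoC text.
    Whitespace-tolerant, so it also works on the run-on text an extractor produces."""
    return Counter(
        (int(w), int(t), img, int(tgt))
        for w, t, w_again, img, tgt in WPM_RE.findall(text)
        if w == w_again            # both numbers are the writer PID in this format
    )


def classify_writes(writes: Counter, parent_of: Dict[int, int]) -> List[Tuple[int, int, str, int]]:
    """(writer, target, label, count): 'parent-to-child' if the writer spawned the target."""
    rows = []
    for (writer, target, _img, _tgt), n in sorted(writes.items()):
        label = "parent-to-child" if parent_of.get(target) == writer else "cross-process"
        rows.append((writer, target, label, n))
    return rows


def render_tree(parent_of: Dict[int, int], image_of: Dict[int, str], root: int, depth: int = 0) -> List[str]:
    """Indented process tree rooted at `root`, children in PID order."""
    lines = [f"{'  ' * depth}{image_of.get(root, '?')} (PID {root})"]
    for child in sorted(c for c, p in parent_of.items() if p == root):
        lines.extend(render_tree(parent_of, image_of, child, depth + 1))
    return lines


# The 27 IoC lines from this report's "Suspicious use of WriteProcessMemory" table.
REPORT_TEXT = """
PID 2304 wrote to memory of 2556 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 31
PID 2304 wrote to memory of 2556 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 31
PID 2304 wrote to memory of 2556 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 31
PID 2304 wrote to memory of 2556 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 31
PID 2304 wrote to memory of 2556 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 31
PID 2304 wrote to memory of 2556 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 31
PID 2304 wrote to memory of 2556 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 31
PID 2304 wrote to memory of 2388 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 32
PID 2304 wrote to memory of 2388 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 32
PID 2304 wrote to memory of 2388 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 32
PID 2304 wrote to memory of 2388 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 32
PID 2388 wrote to memory of 868 2388 net.exe 34
PID 2388 wrote to memory of 868 2388 net.exe 34
PID 2388 wrote to memory of 868 2388 net.exe 34
PID 2388 wrote to memory of 868 2388 net.exe 34
PID 2304 wrote to memory of 2748 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 35
PID 2304 wrote to memory of 2748 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 35
PID 2304 wrote to memory of 2748 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 35
PID 2304 wrote to memory of 2748 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 35
PID 2748 wrote to memory of 2628 2748 iexplore.exe 36
PID 2748 wrote to memory of 2628 2748 iexplore.exe 36
PID 2748 wrote to memory of 2628 2748 iexplore.exe 36
PID 2748 wrote to memory of 2628 2748 iexplore.exe 36
PID 2304 wrote to memory of 2668 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 38
PID 2304 wrote to memory of 2668 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 38
PID 2304 wrote to memory of 2668 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 38
PID 2304 wrote to memory of 2668 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 38
"""

# CONSTRUCTED line (not in the report): a write into PID 1234, which the sample never spawned.
CONSTRUCTED_LINE = "PID 2304 wrote to memory of 1234 2304 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe 99"

if __name__ == "__main__":
    print("\n".join(render_tree(PARENT_OF, IMAGE_OF, 2304)))
    for writer, target, label, n in classify_writes(parse_writes(REPORT_TEXT + CONSTRUCTED_LINE), PARENT_OF):
        print(f"{writer} -> {target}: {label} x{n}")
```

On the report's data all six distinct edges come out parent-to-child, so the signature here records process creation rather than code injection; only the constructed write into PID 1234 is labelled cross-process. The same check applied to a live EDR feed needs the real parent PIDs rather than a transcribed table, but the logic is the same.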
Processes

- C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe (PID 2304)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe"
  Signatures: Windows security bypass; Windows security modification; Drops file in Windows directory; System Location Discovery: System Language Discovery; Modifies Control Panel; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe (PID 2556)
    Command line: C:\Windows\system32\regsvr32.exe /s C:\Windows\ieocx.dll
    Signatures: Installs/modifies Browser Helper Object; System Location Discovery: System Language Discovery; Modifies registry class
  - C:\Windows\SysWOW64\net.exe (PID 2388)
    Command line: C:\Windows\system32\net.exe stop "Security Center"
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net1.exe (PID 868)
      Command line: C:\Windows\system32\net1 stop "Security Center"
      Signatures: System Location Discovery: System Language Discovery
  - C:\Program Files\Internet Explorer\iexplore.exe (PID 2748)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://loyal-porno.com/videosz.php
    Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2628)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2748 CREDAT:275457 /prefetch:2
      Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\cmd.exe (PID 2668)
    Command line: cmd /c ""C:\Users\Admin\AppData\Roaming\asd.bat" "
    Signatures: Deletes itself; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
-
The 19 entries below that share the path C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 are successive versions of one CryptoAPI URL-cache metadata file (the cache Windows keeps for certificate, CRL and OCSP fetches). LocalLow is the low-integrity profile used by Protected Mode Internet Explorer, so these are a side effect of the browser activity spawned by the sample, not payloads it dropped. The last four entries have no path recorded.

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 5cfd0c65fb6ee9d2f8c22e4457b0150d
  SHA1: 2f8130c57b54e8a0f8f6f926a705a50887424a58
  SHA256: 647a06cadcc59780499e49f630f8e5f56515dec272135c637e45ac0e5206b149
  SHA512: ba9ab1f3717e157eabbf7bd4c414d87812923abd6cb64d660054842b70c64acf52612fe3449028eede9670837e559c725b9074067816a864160d67d2048590fb

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a5f30595940fdb5eff9b675b6a16cf20
  SHA1: 975a8175c8f58cc77d89dcdeae8a55d247e5eab1
  SHA256: b1e3076e46c88e278d4f5146e603b3d37828fee1f15061e6bc09d2b8b7f20f99
  SHA512: 26381f48c599006168c4f5614888aa85645d2585ef9934af3c59b9959829ce34a1228d7f59071c878d23baac9be8d1a8dedc4d192337ca22613fe4971e5407ee

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6d19bca890a354e759e20d6ffe67d1c9
  SHA1: 618ea2837d16da1f6dbefb0d4e22f3ac27436e26
  SHA256: 7cac152255035aa25626aeac00ed39dcc13b9fa6c98d972676dc079dafa51059
  SHA512: 93819c87f3a5e32c158077eb21a2292c4986a07d059ccf28ad9bb6bf63a0ee92e7e62a57dc7d32ec3ef2c9298b2a311633b9c890382b63e559036b1e44972edf

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9d03e1ff4e06dd531de561c254f0b21d
  SHA1: 48ab2f13d9d4b2c9929862dbab5f24cf2573ce35
  SHA256: 41635fffed2d64d9a97610a4252b824efb087616c3a8485b9e5104d8c1bf2a0a
  SHA512: eea4ffae53e21cc96accb90a568e9717e33a3b92809425616b8c0666157e79261a9352ca32a585d91326b75a1fef9508ede77635788768433cf0cfc78a9417a8

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 539010c8dc1f3c8346328af56dab66c8
  SHA1: f21c0b540737ea66710bcd73a934c5fea839e764
  SHA256: f2b3eafe38f2a33d9400f105da412f73ad14dc8f40daa741602c2007f5ebe5e4
  SHA512: 6f9fa0c0d7936348354f939474de243020c217bae898bd8dda97bd1f0417e239daaab5937b32d00cdd5baba8dae247aa9b3b04a6edcf331601999f6c87cd22cf

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: f8b3569d75459f00d23c5187cc53110e
  SHA1: 84cfe5b4aecd634a748f86b9cafcc655b566b1e7
  SHA256: 7fa828fcb56d935a9b55a12cab54bf557e0fce584eba3a6af52986c3d2fee008
  SHA512: 65b9d66d4edca5cd50a6599c614fa9fd9f75321dd3aa8ddc10ddf7a78e46f5f5afcc441abc59a266fa183f1ad96c3c0f9a7306b92bd3e0146e1b86c858e64b62

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: adaf43432d09e2225fa48cb1048a8f1d
  SHA1: 3932825cb12bc527aa4deff92d8b37a3e5622cd7
  SHA256: 58fb912a4855dd37a9ee01bd2fb069506b9870936ff7b49f90b0bd311a0dc74e
  SHA512: 9b5089f5762bba52a3bd66e43c5bbe5b5ce6c16f40c37e363beaf76f28a17ff05f2689e507711fd851a9418237fe3f65afa5e5d79c7334c691367d0bdead3f13

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8e9a70e9e75f00179eecfa0f51c36486
  SHA1: d6450e71858041be5fb90807b496a0163a4195fb
  SHA256: bc93c73e8239155debdfa587591c4128f7bcad139341edca3d7ef6c189e43155
  SHA512: a29afa5b25197b3d0c6e29f568fe3f9c2737ca18e061eaa435334fa72fda182f0618fc382bac89ace4b5507b142ba3619d8df92fff1207626423abea350f1f77

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9a8b41bdec2bdccdb970f22e7a4ac5a3
  SHA1: 59125f663cc03fc8d3c4277f357b0b12d7face5f
  SHA256: f7c06d61f3b2b5332e9e96c5154191c4e6b10131c4d02e4fc8f4c9cceb882708
  SHA512: ce499e7b5eefaa7c4abec174e504c7c39f83ce77aa623b1c379ca2d2261e2e83da7ced933d223b80dbf6b08822df9ff5b3339ec10e18361424b9355641bd8669

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 9eabe667405b67b9eab97cde4d26de5d
  SHA1: b092d1fd37fc481441f33306763db560b28dbfbe
  SHA256: 59d437d6cafbe78aa8c3a19a557181f47025eda4f9ef3fcbbc0c05baf214771f
  SHA512: 56b0f07780e67c3ab80ece5fb1f3d68b6f58b79a49880df4866c5e8067a918bc6aa9f3efb60ba2345ce37f34de5997c0d24a278e5551ba1758c6b4a29971281f

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: b38be646294e0b93793028789647f2e7
  SHA1: c7918b7dd01377fc9208e6d6867253f179020f9a
  SHA256: 94b2b059a8addb90cdbc2b1ae23df8ea313313084362daefe17445fca04cf3b7
  SHA512: 2e012b32395ed1f6110d5dcd8bc624d39fe649df1b0c8612ffdf8dfd17eadf6b75778c9d0009708889afe0aac0bf88ee00c8bd95da8e7e44c06bdc16260ddc93

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 2e7cf10124e39bddcaaae68a3ba0f618
  SHA1: 3690c4d88db023aba83a04dfc5cedb9f1600d78b
  SHA256: 56525736cc4e55ea689cb3b2ec5529f67a2b7271e9bc788efaf676351b118088
  SHA512: d087ca9e0273da4ddc285589d2fe96f21e86626e9a1c71504e1f160ce1bffb4dfe8edc5fb159cf040ac38eda0510d9bdb539f9e67fe8a1642b3fe0297ac32314

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 3567d97198dec942f795b6b950666c11
  SHA1: e863cf724cd94e01f93b882a0e68e13cf1ddc27f
  SHA256: e5f972c12358766d5f77d7e05306f35a3f08cd5ef0461627f73c902100d98766
  SHA512: de3c5a2d1f3553c4cef087199e54fddb06d1cec20b1967c2e7a6333829453c6d82c6aaef32867fc74df6b0cec00f4e3dd738497e42c2db55b91e7b1a18e44752

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 1144aef8bcbf06539a611d580535d273
  SHA1: a45fa738ac416aa3fff406df0ee69e3ec79782c5
  SHA256: a423d96ac55987aa961dd690b2006a7ba843280da162ea25c2813c368d434883
  SHA512: d55af5fe1562f1ac535735a8e8631f202671ab0c2c549aa8c7d1b58a69bbcd809f3b24393d52af09d13db0850e80e91004880a162a0b3798e27638188588a140

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 45cda979ad0fad53399feeb660d3e96d
  SHA1: 65ee23a21a6b92df82e0c09bf7726bf3b6e5a407
  SHA256: 779b3185d94513a16a1cb34329fb891ea135958097a67855dba1d4664a517299
  SHA512: 723e0e4b6d013d92043a2d45a82329a167c70d137bb5925b5624186d2bf881957c8ddeb1b3fb14ac43404cf2326f1b9279407b83a2e3688bdb9723d07062b6a2

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 85e57cac42a6c9873daa72b85b7f5f51
  SHA1: e363dbec3b52a371be32f4f751faa7e79618f2af
  SHA256: aa55cd82f235c3874bafa7f03c47b47647c497d05e6a0733dbf46f1c0118a54e
  SHA512: 5a56f8f4bc6211ef18d1f1ec5fc717f2cf0ccb5f5f3142cdbc4e760a4d75c098353c36832a5302a2d548e067280cca3d6f65bf46e602f739e49619a4918b5ffd

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 86fca6593adb1ba19bc3ada76c891201
  SHA1: de8a7091649d736c942db9a9f28ec932155bf8ce
  SHA256: f18dddd587153a54e4251f76d94ffdd2c6ca62a1f84fac9a944259d95e9a55e6
  SHA512: 940ef98f803b8ed3ac51f3f5c4dd690944520e3acd0fda2789dfedad77c3ae1f30dc5d9d7d7b9d843ed378f1ed8643a2c5144e80934c8735cdf4bca795bd90af

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 74e860146cc6e6134def9c2b3ad6e67f
  SHA1: 2bc59a770e05bcf56b781b3a5841fada9f0cd987
  SHA256: a7e1c09c56b3bc9ea308681cc2682c3972bfa541d3bb7d087130ea808cbbe8d7
  SHA512: 92b154970b82579f4a64a4379fc928e0c4d9a68554691f02ce4e1a41aa257c2a61de18c2715463e82679b78c94ed2fde159019a0994ef63d2788d812d1284da1

- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 6204605d84660835f58216454785d8bd
  SHA1: 686dc28790152580783ccd0d93d2bf8f71f246cb
  SHA256: 850025e1b572ce4ebbac5cae8c6b5a8b1e39a209f208f88896075ba19f08f04a
  SHA512: 8007897e5e9107b6507f8960bd4cac6bb7dc07755638e1c67e6eb3a98a9f4b76a662cd50983ad475e3b6c041c19ceac050eb32280ded42f5b13a99e738eb7559

- (no path recorded)
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

- (no path recorded)
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

- (no path recorded)
  Filesize: 256B
  MD5: 9b845fb70ec0cc18850c14afb7babb88
  SHA1: dedae75d072aa9e7b3ae0e8c3a6f16c9f5650601
  SHA256: c4d3a0e76ff4c760f031cbf0c03e68a267304ae3222de31f986d7ddeec937e67
  SHA512: 1a4d725b5c9c125459a264c0c29506e5799b1113daefbac5b12b427fd44646928c67ce3f4468ac6f33e7fc47c96e13c4755e6d0ef57a11b05df34d2b0bf0737b

- (no path recorded)
  Filesize: 27KB
  MD5: ef09200d176f64c9effcd6d71ef090cf
  SHA1: 19647fa778246ff860bd4ac2a74185d1429c1d6b
  SHA256: ac3bf5cf4b459c932cdf15f79816aca14445bfb1477ea4ce58be8d8dec4ab886
  SHA512: 331b71bbc9fa5ba76d0bcbe2cf44a5443c73f8800701f9e9f2734c62e5755c366e0d05a7b5b239bede7dec2f260ca239f018bcf0b41a2ed2471096d5bcd744c2