Malware Analysis Report

2025-06-16 06:56

Sample ID 241104-dxfx5a1pgt
Target 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118
SHA256 e467e9373c00d6f435f341f8bbfedb433ed284f2df5a91d97a23b5e4706ad045
Tags
adware discovery evasion stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e467e9373c00d6f435f341f8bbfedb433ed284f2df5a91d97a23b5e4706ad045

Threat Level: Known bad

The file 8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

adware discovery evasion stealer trojan

Windows security bypass

Windows security modification

Deletes itself

Installs/modifies Browser Helper Object

Drops file in Windows directory

Program crash

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 03:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 03:23

Reported

2024-11-04 04:50

Platform

win7-20241010-en

Max time kernel

138s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe"

Signatures

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{06ec6572-7280-485a-a712-c380526bc048} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ieocx.dll C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\don't load C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\don't load\scui.cpl = "No" C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Control Panel\don't load\wscui.cpl = "No" C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6092b4c9742edb01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EF851CD1-9A67-11EF-98B1-E20EBDDD16B9} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000002784c39b53c8016eb03ca9dc52246b24403050675bd5ac44f5a4e8079ac6b23000000000e800000000200002000000051fb8dc6751cdd7830d1ad4c937a6ef8990bde5a1253f6a49bef7209a56940e420000000e2b0c37d1e98b034c9a5f289b3af51cb32e771e7dec2fdbc9f9d8fa0a552cb7440000000aa1d383e06cc919390c294cf9b998835d481cf1f2c9ff3f0e158719bdae1e747f87d91b13691af2242b6d0f2597fa5123f6f09321d3d5ba347d4f28194185a92 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000078b927232ed5e51e1b7aee34480a8fc34f473522c84d645251c5780a04822e07000000000e8000000002000020000000d45ee24587c2439023dedc320b24777b13b53711c0cd024bd4392110658e9e24900000005efc9113fe2a33b75296c7332d4ba2804073c14939e6bb75cd73d6a3ad8be2d623ca78c2f25fb917d6ce8c67dfab9a62b49eb860b471e0810c0e727347f56ae4776301e7fa8372a71cb1ca10241f3cd0792fb4b901b35f20911468e20039735847020545917ed2e55f9d1c8f7f661afd79144fb3468e413fc04e87f2b89d3cd64e0c68f46e7af890ddd68cd26db9ceb34000000041834c411ade6cf1ac6bd94790380c79b810ccb903ec1d36501fff8c0a51c5627c5663772660ebc37b19a79b44aa0c8226505c729fff628d81838adb49eda51c C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436857535" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32\ = "C:\\Windows\\ieocx.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\TypeLib\ = "{b360243e-09e8-402f-8721-00b6798089ad}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ProgID\ = "IEocxApp.IEocx.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\VersionIndependentProgID\ = "IEocxApp.IEocx" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0\win32\ = "C:\\Windows\\ieocx.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\ = "DHCP 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\ = "IEocx Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\ = "IEocx Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CLSID\ = "{06ec6572-7280-485a-a712-c380526bc048}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\ = "IEocx Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx\CurVer\ = "IEocxApp.IEocx.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{06ec6572-7280-485a-a712-c380526bc048}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEocxApp.IEocx.1\CLSID\ = "{06ec6572-7280-485a-a712-c380526bc048}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\HELPDIR\ = "C:\\Windows" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp" C:\Windows\SysWOW64\regsvr32.exe N/A

Runs net.exe

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2304 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2304 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2304 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2304 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2304 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2304 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2304 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2304 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2304 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2304 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Windows\SysWOW64\net.exe
PID 2388 wrote to memory of 868 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2388 wrote to memory of 868 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2388 wrote to memory of 868 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2388 wrote to memory of 868 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2304 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2304 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2304 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2304 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2748 wrote to memory of 2628 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2748 wrote to memory of 2628 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2748 wrote to memory of 2628 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2748 wrote to memory of 2628 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2304 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2304 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe"

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32.exe /s C:\Windows\ieocx.dll

C:\Windows\SysWOW64\net.exe

C:\Windows\system32\net.exe stop "Security Center"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Security Center"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://loyal-porno.com/videosz.php

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2748 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\asd.bat" "

Network

Country Destination Domain Proto
US 8.8.8.8:53 loyal-porno.com udp
US 8.8.8.8:53 winpcdown99.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2304-2-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2304-1-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2304-0-0x0000000000401000-0x0000000000402000-memory.dmp

memory/2304-3-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\ieocx.dll

MD5 ef09200d176f64c9effcd6d71ef090cf
SHA1 19647fa778246ff860bd4ac2a74185d1429c1d6b
SHA256 ac3bf5cf4b459c932cdf15f79816aca14445bfb1477ea4ce58be8d8dec4ab886
SHA512 331b71bbc9fa5ba76d0bcbe2cf44a5443c73f8800701f9e9f2734c62e5755c366e0d05a7b5b239bede7dec2f260ca239f018bcf0b41a2ed2471096d5bcd744c2

memory/2556-6-0x0000000010000000-0x000000001000A000-memory.dmp

memory/2556-9-0x0000000010000000-0x000000001000A000-memory.dmp

memory/2556-8-0x0000000010000000-0x0000000010002000-memory.dmp

memory/2556-7-0x0000000000180000-0x0000000000186000-memory.dmp

memory/2304-11-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2304-10-0x0000000000401000-0x0000000000402000-memory.dmp

memory/2304-12-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab2704.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar27C2.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9eabe667405b67b9eab97cde4d26de5d
SHA1 b092d1fd37fc481441f33306763db560b28dbfbe
SHA256 59d437d6cafbe78aa8c3a19a557181f47025eda4f9ef3fcbbc0c05baf214771f
SHA512 56b0f07780e67c3ab80ece5fb1f3d68b6f58b79a49880df4866c5e8067a918bc6aa9f3efb60ba2345ce37f34de5997c0d24a278e5551ba1758c6b4a29971281f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6204605d84660835f58216454785d8bd
SHA1 686dc28790152580783ccd0d93d2bf8f71f246cb
SHA256 850025e1b572ce4ebbac5cae8c6b5a8b1e39a209f208f88896075ba19f08f04a
SHA512 8007897e5e9107b6507f8960bd4cac6bb7dc07755638e1c67e6eb3a98a9f4b76a662cd50983ad475e3b6c041c19ceac050eb32280ded42f5b13a99e738eb7559

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5cfd0c65fb6ee9d2f8c22e4457b0150d
SHA1 2f8130c57b54e8a0f8f6f926a705a50887424a58
SHA256 647a06cadcc59780499e49f630f8e5f56515dec272135c637e45ac0e5206b149
SHA512 ba9ab1f3717e157eabbf7bd4c414d87812923abd6cb64d660054842b70c64acf52612fe3449028eede9670837e559c725b9074067816a864160d67d2048590fb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a5f30595940fdb5eff9b675b6a16cf20
SHA1 975a8175c8f58cc77d89dcdeae8a55d247e5eab1
SHA256 b1e3076e46c88e278d4f5146e603b3d37828fee1f15061e6bc09d2b8b7f20f99
SHA512 26381f48c599006168c4f5614888aa85645d2585ef9934af3c59b9959829ce34a1228d7f59071c878d23baac9be8d1a8dedc4d192337ca22613fe4971e5407ee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d19bca890a354e759e20d6ffe67d1c9
SHA1 618ea2837d16da1f6dbefb0d4e22f3ac27436e26
SHA256 7cac152255035aa25626aeac00ed39dcc13b9fa6c98d972676dc079dafa51059
SHA512 93819c87f3a5e32c158077eb21a2292c4986a07d059ccf28ad9bb6bf63a0ee92e7e62a57dc7d32ec3ef2c9298b2a311633b9c890382b63e559036b1e44972edf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9d03e1ff4e06dd531de561c254f0b21d
SHA1 48ab2f13d9d4b2c9929862dbab5f24cf2573ce35
SHA256 41635fffed2d64d9a97610a4252b824efb087616c3a8485b9e5104d8c1bf2a0a
SHA512 eea4ffae53e21cc96accb90a568e9717e33a3b92809425616b8c0666157e79261a9352ca32a585d91326b75a1fef9508ede77635788768433cf0cfc78a9417a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 539010c8dc1f3c8346328af56dab66c8
SHA1 f21c0b540737ea66710bcd73a934c5fea839e764
SHA256 f2b3eafe38f2a33d9400f105da412f73ad14dc8f40daa741602c2007f5ebe5e4
SHA512 6f9fa0c0d7936348354f939474de243020c217bae898bd8dda97bd1f0417e239daaab5937b32d00cdd5baba8dae247aa9b3b04a6edcf331601999f6c87cd22cf

C:\Users\Admin\AppData\Roaming\asd.bat

MD5 9b845fb70ec0cc18850c14afb7babb88
SHA1 dedae75d072aa9e7b3ae0e8c3a6f16c9f5650601
SHA256 c4d3a0e76ff4c760f031cbf0c03e68a267304ae3222de31f986d7ddeec937e67
SHA512 1a4d725b5c9c125459a264c0c29506e5799b1113daefbac5b12b427fd44646928c67ce3f4468ac6f33e7fc47c96e13c4755e6d0ef57a11b05df34d2b0bf0737b

memory/2304-291-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f8b3569d75459f00d23c5187cc53110e
SHA1 84cfe5b4aecd634a748f86b9cafcc655b566b1e7
SHA256 7fa828fcb56d935a9b55a12cab54bf557e0fce584eba3a6af52986c3d2fee008
SHA512 65b9d66d4edca5cd50a6599c614fa9fd9f75321dd3aa8ddc10ddf7a78e46f5f5afcc441abc59a266fa183f1ad96c3c0f9a7306b92bd3e0146e1b86c858e64b62

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 adaf43432d09e2225fa48cb1048a8f1d
SHA1 3932825cb12bc527aa4deff92d8b37a3e5622cd7
SHA256 58fb912a4855dd37a9ee01bd2fb069506b9870936ff7b49f90b0bd311a0dc74e
SHA512 9b5089f5762bba52a3bd66e43c5bbe5b5ce6c16f40c37e363beaf76f28a17ff05f2689e507711fd851a9418237fe3f65afa5e5d79c7334c691367d0bdead3f13

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8e9a70e9e75f00179eecfa0f51c36486
SHA1 d6450e71858041be5fb90807b496a0163a4195fb
SHA256 bc93c73e8239155debdfa587591c4128f7bcad139341edca3d7ef6c189e43155
SHA512 a29afa5b25197b3d0c6e29f568fe3f9c2737ca18e061eaa435334fa72fda182f0618fc382bac89ace4b5507b142ba3619d8df92fff1207626423abea350f1f77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a8b41bdec2bdccdb970f22e7a4ac5a3
SHA1 59125f663cc03fc8d3c4277f357b0b12d7face5f
SHA256 f7c06d61f3b2b5332e9e96c5154191c4e6b10131c4d02e4fc8f4c9cceb882708
SHA512 ce499e7b5eefaa7c4abec174e504c7c39f83ce77aa623b1c379ca2d2261e2e83da7ced933d223b80dbf6b08822df9ff5b3339ec10e18361424b9355641bd8669

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b38be646294e0b93793028789647f2e7
SHA1 c7918b7dd01377fc9208e6d6867253f179020f9a
SHA256 94b2b059a8addb90cdbc2b1ae23df8ea313313084362daefe17445fca04cf3b7
SHA512 2e012b32395ed1f6110d5dcd8bc624d39fe649df1b0c8612ffdf8dfd17eadf6b75778c9d0009708889afe0aac0bf88ee00c8bd95da8e7e44c06bdc16260ddc93

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e7cf10124e39bddcaaae68a3ba0f618
SHA1 3690c4d88db023aba83a04dfc5cedb9f1600d78b
SHA256 56525736cc4e55ea689cb3b2ec5529f67a2b7271e9bc788efaf676351b118088
SHA512 d087ca9e0273da4ddc285589d2fe96f21e86626e9a1c71504e1f160ce1bffb4dfe8edc5fb159cf040ac38eda0510d9bdb539f9e67fe8a1642b3fe0297ac32314

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3567d97198dec942f795b6b950666c11
SHA1 e863cf724cd94e01f93b882a0e68e13cf1ddc27f
SHA256 e5f972c12358766d5f77d7e05306f35a3f08cd5ef0461627f73c902100d98766
SHA512 de3c5a2d1f3553c4cef087199e54fddb06d1cec20b1967c2e7a6333829453c6d82c6aaef32867fc74df6b0cec00f4e3dd738497e42c2db55b91e7b1a18e44752

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1144aef8bcbf06539a611d580535d273
SHA1 a45fa738ac416aa3fff406df0ee69e3ec79782c5
SHA256 a423d96ac55987aa961dd690b2006a7ba843280da162ea25c2813c368d434883
SHA512 d55af5fe1562f1ac535735a8e8631f202671ab0c2c549aa8c7d1b58a69bbcd809f3b24393d52af09d13db0850e80e91004880a162a0b3798e27638188588a140

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 45cda979ad0fad53399feeb660d3e96d
SHA1 65ee23a21a6b92df82e0c09bf7726bf3b6e5a407
SHA256 779b3185d94513a16a1cb34329fb891ea135958097a67855dba1d4664a517299
SHA512 723e0e4b6d013d92043a2d45a82329a167c70d137bb5925b5624186d2bf881957c8ddeb1b3fb14ac43404cf2326f1b9279407b83a2e3688bdb9723d07062b6a2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85e57cac42a6c9873daa72b85b7f5f51
SHA1 e363dbec3b52a371be32f4f751faa7e79618f2af
SHA256 aa55cd82f235c3874bafa7f03c47b47647c497d05e6a0733dbf46f1c0118a54e
SHA512 5a56f8f4bc6211ef18d1f1ec5fc717f2cf0ccb5f5f3142cdbc4e760a4d75c098353c36832a5302a2d548e067280cca3d6f65bf46e602f739e49619a4918b5ffd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 86fca6593adb1ba19bc3ada76c891201
SHA1 de8a7091649d736c942db9a9f28ec932155bf8ce
SHA256 f18dddd587153a54e4251f76d94ffdd2c6ca62a1f84fac9a944259d95e9a55e6
SHA512 940ef98f803b8ed3ac51f3f5c4dd690944520e3acd0fda2789dfedad77c3ae1f30dc5d9d7d7b9d843ed378f1ed8643a2c5144e80934c8735cdf4bca795bd90af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74e860146cc6e6134def9c2b3ad6e67f
SHA1 2bc59a770e05bcf56b781b3a5841fada9f0cd987
SHA256 a7e1c09c56b3bc9ea308681cc2682c3972bfa541d3bb7d087130ea808cbbe8d7
SHA512 92b154970b82579f4a64a4379fc928e0c4d9a68554691f02ce4e1a41aa257c2a61de18c2715463e82679b78c94ed2fde159019a0994ef63d2788d812d1284da1

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 03:23

Reported

2024-11-04 04:58

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe"

Signatures

System Location Discovery: System Language Discovery

discovery
Description: Key opened
Indicator: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Process: C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8ee6e82fed809c3c9184d4e3158b8739_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3048 -ip 3048

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 288

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A