e1ed64a0c74d6f1e3381272ba45b3b148c1edf232ab18318079ceb3f997b9832

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-11-2024 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Size

56KB
MD5

b4f258eadecfe33cae5a7833edba344e
SHA1

205dd3973d5f7ae4e5636b58fdfb4cad5737c0ce
SHA256

e1ed64a0c74d6f1e3381272ba45b3b148c1edf232ab18318079ceb3f997b9832
SHA512

6fabe4f01249fc0032f8f26e1b3c0341a7096974e9ed55522a14c68de4ed96637eda3f06c351cdceb7e208dd42ae9d8ed9c4f30fb7f384cbb320d96b10cc4c27
SSDEEP

1536:PwXVJwza5mfhFMPlrsFRyDlcBKlkKFtZR7Kmorc:YXryPG1wyhcBkZRroA

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2624	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1960	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E14DCE67-8FB7-4721-8149-179BAA4D792C}	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wsock32.sys	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\i72f6U8LOU.ini	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\i72f6U8LOU.ini	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\del32.bat	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e734463a80a4024da78c40b512f4e5980000000002000000000010660000000100002000000026174dd8cab926c22301323bfe6176075e95a3b569b4d6ac5d20e7c2d03e8b09000000000e8000000002000020000000d8d35c6597c21f0dc233fe05eb3a023dde43f3336b831545dbdae73db53ff47d900000006719dd2467fb4fa0e369291e059d4135c7cc90378a19d486de8621cba1528bcbd5a95b47d42af0ef1560d08b47235d38ef06cfd4efd20f3e855161c62850fbed8e008473c6c1486748230b164445fd58cb11c790221629948240d63f70bf65aba05dd18e18ccf6ab697282b82940815f5a0aa74f6a2b019fb664c80a784ea85445485229a68686c57e0b788b07de64d340000000e6316e3bdd20b3affe5eaf8e98416bc85fd9d7d7fb356f28ff30c763e38d81d2569420c8d1ee011eb32190acef9e6167ea49d83b7666e8663a2176b4f1af33c8	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439105694"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50be2c2ce742db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e734463a80a4024da78c40b512f4e59800000000020000000000106600000001000020000000bc4635240deec6f8301cc43e3ffaaf9fd98d8d3f6e04afd541c6f864f75e5a2a000000000e8000000002000020000000a2201d219b14758e3fe9e02f836fc0eff6d5d32a31ab77a44207ae3f7c9f3de0200000008ad8a875963dab7e1e25ed877cb2f5fdb74b21c993a2bad8641dcfedbf3727bc4000000032a251410c68472d523404ba7e9dbe72049b98d78dd37e0eea23a1ac9f64861a776836cc1a363b62d2c1e220bfa62d72c4d1b58458a36218cb2163fa3ac894c7	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{57B07B71-AEDA-11EF-AF9A-46D787DB8171} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "_Cs4"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ = "N.Cs4"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\Clsid	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\ = "N"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS\ = "0"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID\ = "N.Cs4"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\ = "N.Cs4"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\Clsid\ = "{E14DCE67-8FB7-4721-8149-179BAA4D792C}"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "_Cs4"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\Version = "3.0"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ThreadingModel = "Apartment"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32\ = "C:\\Windows\\SysWow64\\wsock32.sys"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "Cs4"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\VERSION	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\Version = "3.0"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR\ = "C:\\Windows\\system32"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\VERSION\ = "3.0"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ = "C:\\Windows\\SysWow64\\wsock32.sys"	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2116	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1960	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
2116	IEXPLORE.EXE
2116	IEXPLORE.EXE
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE
2720	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2448	1960	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2448	1960	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2448	1960	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe	30
PID 1960 wrote to memory of 2448	1960	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe	30
PID 2448 wrote to memory of 2116	2448	iexplore.exe	31
PID 2448 wrote to memory of 2116	2448	iexplore.exe	31
PID 2448 wrote to memory of 2116	2448	iexplore.exe	31
PID 2448 wrote to memory of 2116	2448	iexplore.exe	31
PID 2116 wrote to memory of 2720	2116	IEXPLORE.EXE	32
PID 2116 wrote to memory of 2720	2116	IEXPLORE.EXE	32
PID 2116 wrote to memory of 2720	2116	IEXPLORE.EXE	32
PID 2116 wrote to memory of 2720	2116	IEXPLORE.EXE	32
PID 1960 wrote to memory of 2624	1960	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe	34
PID 1960 wrote to memory of 2624	1960	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe	34
PID 1960 wrote to memory of 2624	1960	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe	34
PID 1960 wrote to memory of 2624	1960	b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b4f258eadecfe33cae5a7833edba344e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Program Files (x86)\internet explorer\iexplore.exe
  "C:\Program Files (x86)\internet explorer\iexplore.exe" http://
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2116 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\del32.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
350bf24f50e759d7675a2705c1b1e9c5

SHA1
4c57eef6ddd75b1e375b7f895aa3872c1927aa14

SHA256
1f75b1201d5a8c94562fdfea0507c4f8b891a2dd4e5d1dc3b215d5cea91e806a

SHA512
34f6720ecf71aaab4b3e58ece03c876643a0f5d138bef583d18054da8f92cb8788b68dafd652f7160886abcc4e8c0ca5fbd6818ecf4626f228c35f36b9a55e0b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5339f9c9ed0a452cc992e9c68c30c9f

SHA1
7bc74175d948a9f1ca53e7162673ed34172277fd

SHA256
19b20999c77c75dfed896c8c73a8585312b1eaf99d17ac90fcfe9367a1eb4962

SHA512
df68d6b3ef01f1a830b8060761d23d9a78d59490a97e1dd40f03ef8813d082688d5e309bb27216006c8fe3829447cd88f9158f0e83a54ee4a4ffcff1caf0ab85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b34e7bc161c03695639c0debb9630221

SHA1
32cf09aeae00dda547dc2153d4fc7dd84781a8be

SHA256
b91855009cc6d10a4c7369cf96a8821de99c9182026fd78eb4f547d691fb2abc

SHA512
f346bcf0dd065f05ab203f43f9080ea7741e29c4d7d277019494ebb988e67785391c9d25032c1b06cc06f31d0cc773a900c512d8e628055d41c5001df9fb0f3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c6c2c47b90a493b9421765bbbc409cf

SHA1
c9c54a80b85f2f9cf700f71f6fbea0464ea33ce8

SHA256
3d8139b7afbeab23b0c437ae1d09eee7bfb42251d8f65957474732d1fe419a9e

SHA512
c4ee2aed217976bccbfc87c3c13e5a74f075929ecb1ad361cf1eaba0a079431517314dd5eb8416251a4d1598badcd10afc298f81774fc811a037f545a458895d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad135eec87504e81a3b44533d1bbead3

SHA1
1bcb67f8a0105889dccb9163d4760eba7dd6b3f8

SHA256
de1a6df381fde347ed5f260b18657fa1fcba584b90422cf67f2c26a2c9cc6472

SHA512
4a453faa60b4e4d0b25efb27572551749a68cc8a6a4ab348b2782fdc9b50994b8534ddf81d5ed684cdfc23d8d41fb99cf8df7d53c2cd2742ede199b6d3725b8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9e5e5710b49dc94d6c368d08c2483a8

SHA1
354af2c95fa3a4cab76fbe074b3f498354d24c54

SHA256
5f1d7faf4f60896c9f18789b98f6ec273fbf8154bccd6f690e337fa40dbaf39b

SHA512
329e10be3f6db2e599d4dbc3946061787545a1af5177c71af5f340c5da9ac7b2cde180477764bed23a0214cbcc5d068b9b6e34c82b144fda76177d4156949813

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b7f4392a69ca56dfb173855233d0664

SHA1
2ac1cbd2ad64f2978044c5bbff999fc5ef0d5f83

SHA256
83e93b0d6dd10f90db3c7acd7d55ba41e37fb021dbf94806357288a30141111b

SHA512
3ab0dd7de0fa5a08da2d247a8df774eccb6daf58280a08ae566c37dc31400f2eb6dfc90c53899d5576908a0522dce60867db637d3c09ab66c6b3c9eaf7ca0489

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa66e04e2fe0adeee884b22c82f1c4fe

SHA1
e968526eb338954f2fa55499ddfe8216068a2b33

SHA256
76d9a0b9dfe1c03bd3c9c84c162cbd6c746c70519247dd66dd8ac907bc2d95e2

SHA512
f6704bfefac15c67e12b2466ae953e1030883f39500cbcbab7f46872aa5556a5c226bf25044c9e8d08e696a135324b84ee74dd4c2f72517079e9282aeab97455

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
12f9e331f4f2c3e55e0fe9072e40dffb

SHA1
afd736f58d9d4838d9d4fe85e0935f1e089346c5

SHA256
a116e51dd3c6e9830346b966eb93705c881601515e9464c2a0028cc99cba8b5d

SHA512
4cab87dc89edd63e53bae6753bda76f40d139ef1b4f3a90cb49f50b9f96e68923426eb61cd160b53ad191960ff68a668e75f447908851c6549e08fa966c2786d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dc6629d7f5bf9eb106d96d96ceecbb3

SHA1
0253e8e8f1392b39d6e00bf2d186d237cf07e3a3

SHA256
1f7eaca5c15ece7aee3b14172f529e706cb4610d24e299c30117146a421ee0d0

SHA512
86762cb4dccc7c9f0ec76a323737fb0527222e76672e98bfb6f4ceb47f6b68ea34a618d2e3087ab8c6e3ec427425945380bc2c8791319ad442f1347e599cbb0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8dc06c95b2d92c950a6f58fb75b217c9

SHA1
c0289eb48d700c6abed48c6a29e9c0c2c13ef05a

SHA256
e5f777a5761eea4848362b35c899c77b9dca7fdc87c993ab67f98ece2a40a9a7

SHA512
9a34f80a76d9cf2e1f8ecf1dcfb5d5ea0bd34b48c72dfa81e81054a3f5e7587a25f3dabfaae520d1ac79da73249653e1aa019b14f10ae27c5769f1c75edc144f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2595f9178c469a424466b3675674c6a4

SHA1
b6bf5f5831b1c04d94541776414b2d40862c053f

SHA256
f3d3039c50833ffdea36d6ca0effe1b89c95a5a1dee7670e902df795c652aeb2

SHA512
762fdcea9179f8eb68b919d8e7c323532731477979cc56be89cc7457bc3c26733398fa2cca5d7702837016dd604cf5367b796616937825a7e5de6556fa61c143

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c53039b7e60c0a4a972de9eefeedf7e

SHA1
69bd7941e9fcfc5bd1a5872c0ebd509110498dd8

SHA256
7fb58d1b1b7d47119b58a1804fbe8191f292f32287aa79c3d673d0ecd8547c14

SHA512
cccf06c49e2f6237dcd5affc34d5eeca395fc2ff40b9fb7f4a7701fc7aa31afb684bd31a590fc8bbdba4fbc6a9c07b03c8d5930aa068f7751f8939a3208af70c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8847ae7d24617a1cdd51c65f1dd052fd

SHA1
db1d77ad11f89efa1b27bbe40f036b03e4f1aa0c

SHA256
4df1f47bcbc749d8dd55b243e335a6d037915f6e2f26c5f90e6d2fa4932ac0fa

SHA512
ed8219e2a62af21db16c61140c05e77c61e21bc4567e7552c8dd3ba94e8d93d40c7012a89b6329afe4ede3b3f68601322f378b81cbc3cd02da9d48a17ca4e3ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9601c3a46cb3658a0845be7777226f9b

SHA1
853ff671b49affc3bcabd31d36d886bc1e3cffe2

SHA256
a892c6989400cf97c6e1621365e48e1a040d14aa3c0d8eec8302ec07f5651b4b

SHA512
24f5c1a74f971f04f2350cc48d55a2f7ba53527bdba6e76a139c161a8dae4bd5f1488560676ab5ae026c15eebd0cc179dc5bf14ec5ecac2bf6f40b5ee3eda6e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bd642473611edf651bc848ca523efa8

SHA1
9ec323c1596afc1dcb2068ac3df6efb12beed81b

SHA256
3012951dcfc1f5eb3aa2d09db731ac3397bbff52b145c579630a0204163fb594

SHA512
3185c8a371a07766ac40b1176aa745c9e4af0651a519ea560174838b512ce1949e59132fa786059254cb97649af5c1392685990b5716596c1337cb87d0cd11f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a25fdb89a1742c3227d57f8b4c80c6c

SHA1
d3bfc5f991d8a55ca413e4e1bf20d66b58d19840

SHA256
8083d1b6c19cf5b973be5a8ce60861cc9c330d260f4a0d9a1a897402dc65ba42

SHA512
2a2ba952c5e70d7e21c49780bfbfaa2992e1d62f3e366e57d2f674fca79ee482b6067f46edea9748cb63b399a030c37e276797b4147c034ebd82f5acca0c4cd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e01cd6c00bb5a9ee8275e28aa5551b2

SHA1
f5507531c2cd3045223e7afb889b9a8a26882d61

SHA256
a179ba7cf1841a80ec0d83a449535fbf261f5e1ff2b3cb0ae5407a73486935bd

SHA512
656d0f44fa2adbd5ce54570582ca3e14359061eed16d1dbeea720d883307834a9e2d37089097a1a3d249954bd1361b67f7a4d77bb14a5c22bd10be6143735398

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cf5cc859effdc7fb3361f507c46f075

SHA1
51d3393b3a7d891857da1033e495df7ad01a9823

SHA256
6919b7202bf2805bfc1ecace639246dcf5cfcebfccb3db3e1214f6769a7ca734

SHA512
ae4ad1e7879ad12b516a64dcbdca39ac707d35ccc1ebb10630c106c4ac2f1bcb64563f41f859c446874a4b589b874ab93cc7b3a48236a5c1fa59407d4353cb25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7721adade5afdf38893dcecf43b2fe02

SHA1
4dd199bee1d8bb2cfae66f93e7712d1fd5b46f24

SHA256
5b11864decda4a36a1abb639ac246d5f7bdaf3e168a568cfd3447a2a6434cb76

SHA512
810a8510e065454b83e74d0e5881bc2019e282f60e3481ad950987c9d83cd6e7ebaec3a8959644000ee2eb9b4d0e900ff571c079535891d6fc255452a9a12192

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
406340c827cc3da248e6b89119f0ff9b

SHA1
a5f95126ac0b650eeb495973970482a262ca2ba2

SHA256
3798e194637674d0a2f1624c9563f065d7629ccd8876b6f5bfe3137a45ed7baa

SHA512
eb8ba2143b1d06c0aee0c76bd316179dd3c930212d13aa66f0c69d19e69222707b56be89439e240b4680b442e6163b0fa82e0b60c3f504b6022d6b8fbc5bf3f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCA82.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCB31.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\del32.bat

Filesize
174B

MD5
51ab12393d26178da5907580ee31218f

SHA1
530c5c8feeb291cf1ac349be61eebe0bd664dea9

SHA256
5090ba21805c3ce1fd58d099c577389d9e25a48e263ab572d47f14e55e12a011

SHA512
a2083e935166bdfe505da433dff08c5626ae06cc5f1e09279d48e506d6822b679bc69c576139e864988b59b0dafdc245668173aab6ad7dc35a2d915c4bebd626

Download Submit
C:\openme.exe

Filesize
114B

MD5
e89f75f918dbdcee28604d4e09dd71d7

SHA1
f9d9055e9878723a12063b47d4a1a5f58c3eb1e9

SHA256
6dc9c7fc93bb488bb0520a6c780a8d3c0fb5486a4711aca49b4c53fac7393023

SHA512
8df0ab2e3679b64a6174deff4259ae5680f88e3ae307e0ea2dfff88ec4ba14f3477c9fe3a5aa5da3a8e857601170a5108ed75f6d6975958ac7a314e4a336aed0

Download Submit
\Windows\SysWOW64\wsock32.sys

Filesize
159KB

MD5
e542cc1875d57544eb2382faf41573b1

SHA1
e23d5915349d5772f23180dfa2c2cac2c0b8d14e

SHA256
0a907a6bb00f24dffa890786c2b0ac06bfb09a9bd79294c1181957108ba828ac

SHA512
5c59a3532e6fe273e954a5161cc095be463377426cb4c6f948d566f833ba7558b437742fa5ee261f7dd31c611ce2bc8092df6ad04f1dc50ed4d0118c75f59468

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads