ramnit | 9e1251e4d0fa1234489cf5cedda38eed70b809efef6e34a81e7238f8c9e5824d

Analysis

max time kernel
120s
max time network
135s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_458c2a91b614f82bf3959e22a15de680.dll
Size

420KB
MD5

458c2a91b614f82bf3959e22a15de680
SHA1

37461e8d260ae14c0a4dc459fe10bee4ff24a8dd
SHA256

9e1251e4d0fa1234489cf5cedda38eed70b809efef6e34a81e7238f8c9e5824d
SHA512

1ce65d626c55b82d5e4a7635aa3bc6924fa0bf3d3ddb4dbe9702fbf8f02c3a15ab480a73b5f90090abdaa5756c925830321a9a98990722f7c7ee72e741b471e6
SSDEEP

6144:x6YI4ud53eGWtV7BH4Uc7zsbU10Ie4JoDQxCh2FOMQ:TqeER7zeTIeOoMre

Score

10^/10

ramnit banker discovery persistence spyware stealer trojan upx worm

Malware Config

Signatures

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit
Ramnit family
ramnit

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\ = "Themes Setup"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\ComponentID = "Theme Component"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\IsInstalled = "1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "CN"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\StubPath = "%SystemRoot%\\system32\\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\\system32\\themeui.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "1,1,1,7"	regsvr32.exe

Executes dropped EXE 2 IoCs

pid	Process
2604	regsvr32Srv.exe
2648	DesktopLayer.exe

Loads dropped DLL 2 IoCs

pid	Process
1560	regsvr32.exe
2604	regsvr32Srv.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\regsvr32Srv.exe	regsvr32.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000e000000012267-2.dat	upx
behavioral1/memory/2604-8-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2604-15-0x0000000000400000-0x000000000042E000-memory.dmp	upx
behavioral1/memory/2604-14-0x0000000000230000-0x000000000023F000-memory.dmp	upx
behavioral1/memory/2648-27-0x0000000000400000-0x000000000042E000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Uninstall Information\Microsoft.Theme\Microsoft.Theme.DAT	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Uninstall Information\Microsoft.Theme\Microsoft.Theme.INI	regsvr32.exe
File opened for modification	C:\Program Files (x86)\Microsoft\pxD069.tmp	regsvr32Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	regsvr32Srv.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	regsvr32.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32Srv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DesktopLayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{99987271-C7F0-11EF-B666-DEF96DC0BBD1} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "441864035"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\themefile\shell\open\command\ = "%SystemRoot%\\SysWow64\\rundll32.exe %SystemRoot%\\system32\\shell32.dll,Control_RunDLL %SystemRoot%\\system32\\desk.cpl desk,@Themes /Action:OpenTheme /file:\"%1\""	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msstylesfile\ = "Windows ¿ÉÊÓ»¯·ç¸ñÎÄ¼þ"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56C927D6-56EF-482A-BFC2-582D6D5AE0E7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56C927D6-56EF-482A-BFC2-582D6D5AE0E7}\ = "IThemeManagerDisp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\themefile	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5a3d988e-820d-4aaf-ba87-440081768a17}\DefaultIcon	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\themefile\DefaultIcon\ = "%SystemDrive%\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_458c2a91b614f82bf3959e22a15de680.dll,-701"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56C927D6-56EF-482A-BFC2-582D6D5AE0E7}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Theme.Manager.1\ = "Windows Theme Manager API"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\DefaultIcon	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B12AE898-D056-4378-A844-6D393FE37956}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4c892621-6757-4fe0-ad8c-a6301be7fba2}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5a3d988e-820d-4aaf-ba87-440081768a17}\DefaultIcon\ = "%SystemDrive%\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_458c2a91b614f82bf3959e22a15de680.dll,7"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADB9F5A4-E73E-49b8-99B6-2FA317EF9DBC}\DefaultIcon	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{41E300E0-78B6-11ce-849B-444553540000}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{40643250-8D23-47FB-895C-EAF48E2C8892}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E17C0EF-2851-459b-A3C8-27A41D4BC9F7}\Version	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56C927D6-56EF-482A-BFC2-582D6D5AE0E7}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{40643250-8D23-47FB-895C-EAF48E2C8892}\1.0\ = "Microsoft Theme API Type Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Theme.Manager\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Theme.Manager.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\themefile\DefaultIcon	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msstylesfile\DefaultIcon	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56C927D6-56EF-482A-BFC2-582D6D5AE0E7}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E17C0EF-2851-459b-A3C8-27A41D4BC9F7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5a3d988e-820d-4aaf-ba87-440081768a17}\ = "Windows Screen Resolution Fixer"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msstylesfile\shell\open\command\ = "%SystemRoot%\\SysWow64\\rundll32.exe %SystemRoot%\\system32\\shell32.dll,Control_RunDLL %SystemRoot%\\system32\\desk.cpl desk,@Appearance /Action:OpenMSTheme /file:\"%1\""	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{40643250-8D23-47FB-895C-EAF48E2C8892}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{40643250-8D23-47FB-895C-EAF48E2C8892}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{40643250-8D23-47FB-895C-EAF48E2C8892}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Theme.Manager\CurVer\ = "Theme.Manager.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{40643250-8D23-47FB-895C-EAF48E2C8892}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_458c2a91b614f82bf3959e22a15de680.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.theme\ = "themefile"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E17C0EF-2851-459b-A3C8-27A41D4BC9F7}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B7BBD408-F09C-4aa8-B65E-A00B8FE0F0B9}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\msstylesfile\shell\open\command	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{40643250-8D23-47FB-895C-EAF48E2C8892}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56C927D6-56EF-482A-BFC2-582D6D5AE0E7}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56C927D6-56EF-482A-BFC2-582D6D5AE0E7}\TypeLib\ = "{40643250-8D23-47FB-895C-EAF48E2C8892}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5a3d988e-820d-4aaf-ba87-440081768a17}\InProcServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Theme.Manager\ = "Windows Theme Manager API"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c79d1575-b8c6-4862-a284-788836518b97}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c79d1575-b8c6-4862-a284-788836518b97}\DefaultIcon	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.msstyles\ = "msstylesfile"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\msstylesfile\DefaultIcon\ = "%SystemDrive%\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_458c2a91b614f82bf3959e22a15de680.dll,-701"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56C927D6-56EF-482A-BFC2-582D6D5AE0E7}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5a3d988e-820d-4aaf-ba87-440081768a17}\InProcServer32\ = "%SystemDrive%\\Users\\Admin\\AppData\\Local\\Temp\\JaffaCakes118_458c2a91b614f82bf3959e22a15de680.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5a3d988e-820d-4aaf-ba87-440081768a17}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADB9F5A4-E73E-49b8-99B6-2FA317EF9DBC}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\themefile\ = "Windows Ö÷ÌâÎÄ¼þ"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{40643250-8D23-47FB-895C-EAF48E2C8892}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56C927D6-56EF-482A-BFC2-582D6D5AE0E7}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{56C927D6-56EF-482A-BFC2-582D6D5AE0E7}\ = "IThemeManagerDisp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{56C927D6-56EF-482A-BFC2-582D6D5AE0E7}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Theme.Manager	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Theme.Manager.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4c892621-6757-4fe0-ad8c-a6301be7fba2}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.msstyles	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{40643250-8D23-47FB-895C-EAF48E2C8892}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{40643250-8D23-47FB-895C-EAF48E2C8892}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2E17C0EF-2851-459b-A3C8-27A41D4BC9F7}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{ADB9F5A4-E73E-49b8-99B6-2FA317EF9DBC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5a3d988e-820d-4aaf-ba87-440081768a17}\InProcServer32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2648	DesktopLayer.exe
2648	DesktopLayer.exe
2648	DesktopLayer.exe
2648	DesktopLayer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	1560	regsvr32.exe
Token: SeRestorePrivilege	1560	regsvr32.exe
Token: SeRestorePrivilege	1560	regsvr32.exe
Token: SeRestorePrivilege	1560	regsvr32.exe
Token: SeRestorePrivilege	1560	regsvr32.exe
Token: SeRestorePrivilege	1560	regsvr32.exe
Token: SeRestorePrivilege	1560	regsvr32.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3040	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
3040	iexplore.exe
3040	iexplore.exe
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2060 wrote to memory of 1560	2060	regsvr32.exe	30
PID 2060 wrote to memory of 1560	2060	regsvr32.exe	30
PID 2060 wrote to memory of 1560	2060	regsvr32.exe	30
PID 2060 wrote to memory of 1560	2060	regsvr32.exe	30
PID 2060 wrote to memory of 1560	2060	regsvr32.exe	30
PID 2060 wrote to memory of 1560	2060	regsvr32.exe	30
PID 2060 wrote to memory of 1560	2060	regsvr32.exe	30
PID 1560 wrote to memory of 2604	1560	regsvr32.exe	31
PID 1560 wrote to memory of 2604	1560	regsvr32.exe	31
PID 1560 wrote to memory of 2604	1560	regsvr32.exe	31
PID 1560 wrote to memory of 2604	1560	regsvr32.exe	31
PID 2604 wrote to memory of 2648	2604	regsvr32Srv.exe	32
PID 2604 wrote to memory of 2648	2604	regsvr32Srv.exe	32
PID 2604 wrote to memory of 2648	2604	regsvr32Srv.exe	32
PID 2604 wrote to memory of 2648	2604	regsvr32Srv.exe	32
PID 2648 wrote to memory of 3040	2648	DesktopLayer.exe	33
PID 2648 wrote to memory of 3040	2648	DesktopLayer.exe	33
PID 2648 wrote to memory of 3040	2648	DesktopLayer.exe	33
PID 2648 wrote to memory of 3040	2648	DesktopLayer.exe	33
PID 3040 wrote to memory of 2892	3040	iexplore.exe	34
PID 3040 wrote to memory of 2892	3040	iexplore.exe	34
PID 3040 wrote to memory of 2892	3040	iexplore.exe	34
PID 3040 wrote to memory of 2892	3040	iexplore.exe	34

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_458c2a91b614f82bf3959e22a15de680.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_458c2a91b614f82bf3959e22a15de680.dll
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\regsvr32Srv.exe
    C:\Windows\SysWOW64\regsvr32Srv.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
      "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2648
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe"
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3040 CREDAT:275457 /prefetch:2
        6⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c82e863c7a5ce07d1a9bce50280772f4

SHA1
47228f56863c443612ca6377eb2fec30d49e6c0f

SHA256
4efbb7f109d8ef4eafd51725f96251768b4ca8b0c89e26d821f4f6701b3efd54

SHA512
1dfd43eec96c5755de2d1ff36aeb22d17ba017166eb97873e0461011407fcbfc9ce4001f589153a7c7c812b9439142c7bc55738ef9b209f058661db0423c4159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ec6135f6b4c2fe5dfa9638fb1490228

SHA1
142695072e5221c67f30c332d2dbfa2bb504d7a8

SHA256
d74c871c568504541d9cf19290ba1b23582940eabd9000a2bdd129231d57d1c5

SHA512
2313fcad772f23181fc71a85d5a08cfb87f195b24cdf9b40cd4b8f65c8087611bd7319f08a9cd1430754890a49be9171a0b7398827852a5dfa400e35e4aa1a42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c60acac1240e2b183544863c08315294

SHA1
94cf9c9b5395195c9c6b96f98dff667a9bbc553c

SHA256
c94a37d658c55913d898ae927dc18495189a5a2afe5309993639023c23183e5d

SHA512
08fa4c5fff50142d6c497bf2eab1a5b35c75ac562d66e51c93f956c26484486a0cfecb5b4355bc79718ce6c12187b29f27697813bda201052fd35e743ee30d20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
587707c0bf9a068a3da6ae88ef5dcf1e

SHA1
0d6e5fa350f661ebeb6978e523c8c86ee9a51659

SHA256
067d84764978c3cd31855f7df8028a5d320eb7fa587bc5e0a1beadf0849e319c

SHA512
5600cf771ce7e14ad0de03878f2b39772c44a59e61b00429a8e7af99db7455819d27d3f7491fa65b69b8eb675a6f0f733a2598f71b943ff9596b892d4f58f70d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa984a8c23eb2ab16c9cafbcb2172167

SHA1
926b2f048e29706d5ae430c8ef01ee167c099412

SHA256
b9d4bc182b7b495ad27d8a21a9a4a189d0fc5ac8f8bd2f0f0fff6e5a306654f7

SHA512
1a7d95365b660390ff49fba18ed4604fa79c5c2951e808362daef897dbd901d77cafb4134d0e85d597d427f7c35842c02f67d3545b6fd29349385537d9e07d91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a818ffe7d884129245990be1b1c35f57

SHA1
30ae6db4b510209759ca4fe198b349cf3894f496

SHA256
c682be468b0189cd46197d91a1f3e3ac0f27833a9eec102b72facdc3ac681d0f

SHA512
118496d97e187d6e6a29716d1ec68725b3c8fe7d76cc5c4dbe0d1cb78cc0cfdf9b2cabf12bf63f939810c8db16eb2f88ff9ceebb1b05dbbdc32caec121d50f81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
369988c77aa266bdc66d815ebaa16d15

SHA1
0931e5b37c75857aece9b4d1b4d76090022793d8

SHA256
1d2318873a3c616cf37101290675ba5e4055b52675dbd290d7c453584f801056

SHA512
74fb82c9765c69bd161614979ad2329d89f4a1a1454a241bca90a8e3685ee709eed8156f959f9b93e351260726d2983462ba0d55292834f61842474f082f1f08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1596.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGICFFC.tmp

Filesize
7KB

MD5
023167ef8f99d8f9e4b459e0887d3351

SHA1
2d197db3045b645e24642e9cf4987bfd3fb8a8ec

SHA256
fc0c48bfd1b843779a5b6436b76ffeac5ee1b395bad92029296834f0c8f95485

SHA512
4ed375489504c457f1ee8bbc20b3ba96ae8e593aa8019950d353f6f325051c4fc38d45877315f98aeca2f2267c8d56fd82b22c40d9e8b6999ad9f9f0ef50c36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1626.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Windows\SysWOW64\regsvr32Srv.exe

Filesize
55KB

MD5
ff5e1f27193ce51eec318714ef038bef

SHA1
b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6

SHA256
fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320

SHA512
c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

Download Submit
memory/1560-6-0x00000000001B0000-0x000000000022D000-memory.dmp

Filesize
500KB

Download
memory/1560-1-0x000000005B680000-0x000000005B6FD000-memory.dmp

Filesize
500KB

Download
memory/1560-5-0x00000000001B0000-0x00000000001DE000-memory.dmp

Filesize
184KB

Download
memory/2604-14-0x0000000000230000-0x000000000023F000-memory.dmp

Filesize
60KB

Download
memory/2604-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2604-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2648-25-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2648-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download