Overview

Task scores (per task and platform; names as truncated in the report tabs)
- Static: 7
- JaffaCakes...98.exe, windows7-x64: 3
- JaffaCakes...98.exe, windows10-2004-x64: 7
- $0/Resourc...d.html, windows7-x64: 7
- $0/Resourc...d.html, windows10-2004-x64: 3
- $PLUGINSDI...ns.dll, windows7-x64: 3
- $PLUGINSDI...ns.dll, windows10-2004-x64: 3
- $PLUGINSDI...em.dll, windows7-x64: 3
- $PLUGINSDI...em.dll, windows10-2004-x64: 3
- $PLUGINSDI...n.html, windows7-x64: 3
- $PLUGINSDI...n.html, windows10-2004-x64: 3
- $PLUGINSDI...er.dll, windows7-x64: 3
- $PLUGINSDI...er.dll, windows10-2004-x64: 3
- $PROGRAMFI...gs.exe, windows7-x64: 3
- $PROGRAMFI...gs.exe, windows10-2004-x64: 3
- $PROGRAMFI...ot.dll, windows7-x64: 3
- $PROGRAMFI...ot.dll, windows10-2004-x64: 3
Analysis (score 3)
- Max time kernel: 144s
- Max time network: 120s
- Platform: windows7_x64
- Resource: win7-20240903-en
- Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- Submitted: 20/01/2025, 12:04
Tasks
- static1: static task
- behavioral1: JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe (resource win7-20240903-en)
- behavioral2: JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe (resource win10v2004-20241007-en)
- behavioral3: $0/Resources/BrowserSearch/alot_search_defend.html (resource win7-20240903-en)
- behavioral4: $0/Resources/BrowserSearch/alot_search_defend.html (resource win10v2004-20241007-en)
- behavioral5: $PLUGINSDIR/InstallOptions.dll (resource win7-20240903-en)
- behavioral6: $PLUGINSDIR/InstallOptions.dll (resource win10v2004-20241007-en)
- behavioral7: $PLUGINSDIR/System.dll (resource win7-20240903-en)
- behavioral8: $PLUGINSDIR/System.dll (resource win10v2004-20241007-en)
- behavioral9: $PLUGINSDIR/eula_en.html (resource win7-20240903-en)
- behavioral10: $PLUGINSDIR/eula_en.html (resource win10v2004-20241007-en)
- behavioral11: $PLUGINSDIR/installhelper.dll (resource win7-20240903-en)
- behavioral12: $PLUGINSDIR/installhelper.dll (resource win10v2004-20241007-en)
- behavioral13: $PROGRAMFILES/alot/bin/ALOTSettings.exe (resource win7-20240903-en)
- behavioral14: $PROGRAMFILES/alot/bin/ALOTSettings.exe (resource win10v2004-20241007-en)
- behavioral15: $PROGRAMFILES/alot/bin/alot.dll (resource win7-20240903-en)
- behavioral16: $PROGRAMFILES/alot/bin/alot.dll (resource win10v2004-20241007-en)
General
- Target: JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe
- Size: 679KB
- MD5: e69c5c6b034d010bb57126bf82813198
- SHA1: e1b6a6df0d5a5296efa64e313a4627eef92fe746
- SHA256: 72f754ea837eebc99d547481ad5d74d4722269363d04bef454a35c2d3b699c4e
- SHA512: eac5c1c505391fc91a9b052c97579e64f9038d35705caa0a26c4e1cc5ab4b3f89d7b287050785d26c633b2ab2753efad8d85ba9b4e0bb8dde00907d8a85c0a4d
- SSDEEP: 12288:AmJihrl03EUWue9S1gbmA8s64WhAmqupX0XKM4Yza2USiZzyjtexUQG3yB0vYsSW:AmJK6Ba9Sgbmd4CcqX0XJzxUSiZzyj8M
Malware Config
Signatures
Loads dropped DLL (5 IoCs)
- PID 2916, process JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe
- PID 2916, process JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe
- PID 2916, process JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe
- PID 2916, process JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe
- PID 2916, process JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
Process for all entries: JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\ = "ALOT Toolbar Helper"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\NoExplorer = "1"
Drops file in Program Files directory (5 IoCs)
Process for all entries: JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe
- File created C:\Program Files (x86)\alot\bin\ALOTSettings.exe
- File created C:\Program Files (x86)\alot\bin\alot.dll
- File created C:\Program Files (x86)\alot\bin\BHO\alotBHO.dll
- File opened for modification C:\Program Files (x86)\alot\bin\BHO\alotBHO.dll
- File created C:\Program Files (x86)\alot\alotUninst.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe)
Modifies Internet Explorer settings
Process for all entries: JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000f725d79886e35367b5fa4d77e8b72fe81cb44f58eb66b312e678d62f5ea53275000000000e8000000002000020000000a845548493292fa7fced146ae238b6f13ae4719fc907e8306a32edac19f6ed0110000000c330a423a7b4084381a73bc95d5db15f40000000ce80e6e355afbc604f6f1533cc04e8eb1f8b01ce5d588590ea55cfac958d681a3d4d8331714126c33c7dcbdd6405c46dbe416d17083ee343083ca8cc3682c8f4
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000db281290863af43a93c4b2b42389de60a2698c31619d74c86c55c11141bd652d000000000e80000000020000200000005b132d9b44a58a95a3b831f28e85f723fe67c68431346da7f4a386dfcd686acd100000008d43092c2d131367de2d03df2c46402d40000000a4c9fdc0ad13e05a868b77deaa50d1a90ba40d9c72ec0468e36b07b4646ab5cc0b357594edf96b37b10cb2c7149b9462ad7cd8b8f9c697a59788773599c63bf6
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000a75f4403091fb48f91ae0e8a851da72f7f5b76a3f8c6e00b4395977cf48ff7bd000000000e80000000020000200000005ba667ced36e6d2b01d92198d4ff06d1e043e97efb90929e9fdd142f02c4e41c100000007f7da44400b57ff27079d56661e4ca4a40000000b4e9a7f9c509dba065f8dab85f81a01ac6476943b897d880340d25e9196d2c5613f07cb5b0fe4bb03bdc6272cd159f8c69ea55827f53711482d97344c3c92947
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6795114A-1CC4-462b-99E6-2C7B0FA69CDC}
- Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}\URL = "http://search.alot.com/web?q={searchTerms}"
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce0000000002000000000010660000000100002000000004086dbd902451598816d61951c7a4246cdeb050e29fed9e0b5a3ed6ef24ad0c000000000e800000000200002000000053ce0dd18814339cd464aa3d5acc59fece1d60c9482cbf9f60e3597c9ed53fc5100000006c8fa6e909e6213c944e9a84ade7976d400000006575991b5b875b5ee394f34586421ba634527a03232235e4a0beba3fadba4a6bc2a466eac9dbf7422c434284ca93377952655486eb8978d08c47a8cdac14d42a
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000ed0f39da9d511338556445262a05f8f803372765d55f1fa5ff6270db0e84054e000000000e8000000002000020000000a6e6aade5d73b568c5701749cbefa278534c8b33f5169b588a88bf02043c12c21000000070cba144b8233a812808fc27999f138340000000225de6b3c863b3846662a2c84661fdf08c1c894303397c1239ffbb9ec9fdec7dff9f21d551957642844f8fe88bc560dfd55c5195e1f55a988589a107ffec8dfc
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce000000000200000000001066000000010000200000007950ccafe02a4db80a37478e82f19d11f1013748293909c1e81b27b9811a0c4c000000000e8000000002000020000000ee0ef146ad48d1035838bfbebf14ccc7810ddbb239831943b4f2d2651b420ad610000000fd4dd3a829bb038edf9ec546a74b2eb9400000003ec615a6161d51afb4a525ac4c138e021ef9512397c6568dd0d5869ad2a01b56b47ab2ad07b2f38e2d11efeb3693e18ce742f45f02327773b6be4e2d3fa22fed
- Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
- Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar
- Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}\SuggestionsURL_JSON = "http://sugg.alot.com/opensearch.php?q={searchTerms}"
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000b3e1ac29810a003f4a9898249142dff740a5bd066ecf47aedd5f8731cae3ee2b000000000e800000000200002000000081f374f6d2445183482be8d3e1a5fc6709e4b61cffc1c33ea7d5dc5588cb361510000000856efe66b88cc1a46b6ad6bb184bb3bb40000000723282b134628f122a074f7b55720dbe03150f137c45e815ee7a4dd849463619bc7cfe7a27aa87248012af34ef5ee392702189f2cfbdc6289a821ccadd18c62b
- Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}\DisplayName = "ALOT Search"
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce000000000200000000001066000000010000200000002696e99a0072302a840b65a72f0374b8721fed7a97694c5a4bcc46ade32a0786000000000e8000000002000020000000a15d6cc930707f4be74a0e5202662bb8d13e302c455dcc430cbc21c8bf67532a100000009f5415eaa101a7224fe94b84b896d3444000000086905db57669ae34c37d538f7f3273f90c6ab8d5d88d014af5675c4ecabd40edae4b607d3e601c4912999fb7b4265e77990a0434837e2d45aa9181c33d03541a
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce000000000200000000001066000000010000200000001b67f5acf8b3d1a324547028021bfaa619314b435fca172e78f1fded9f3dcb4b000000000e8000000002000020000000ff9131ba144884e2cc4c4bb9b9300aec20c3f87de3b8e841dd01346258d3ab2510000000a60bb969dd0f13dce9927c11d49a462040000000c568bf75c783d34e1953aa7fbb55f11e902891cb0c60ddc4e03082af86bec9daefd7fddde760292a3e5e095e169c2e3eeb54856ed770ab3965e9aec9f6a1a342
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000b170bbee3caa662d1cb30d71acd140521992ed3a8be7dfe741f2537dcb14c60a000000000e8000000002000020000000e5bdcdc87c0863a6b68731b32359dcfa77d66d93f645a5d3560ac71aff917002100000001abb1beb3ac28a2b5435d5c6187034ad400000007066f705c4e6f05a0064a1a7ee8e1515d212495890ba6b141eddb7c3ee326f80a736c1314ab833755753052fd1b168ccd16af6a52455412bb278d9d12b77b9ab
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7} = "ALOT Toolbar"
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce0000000002000000000010660000000100002000000022001230875af6ee63eb0caf1b72d6e0154724bbec591391866f024ebb054065000000000e8000000002000020000000e394925a90abed365ed11120b475aaee9d3c7d172d1f9464aff847f33905bcb21000000024d4898bb0a326ca282f3e391d7bf28f40000000e95383017909d07f06dac45f9a5272fb8df9022b35f53a81231ff5f48e13f537377d83eb1943ecd0723d2037c008233cdb097f5e8427655866052a0107da427a
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce000000000200000000001066000000010000200000004b9c8289e15ca33c622a5a944bfdcb2a8a4004f345683bf928f110c7df6ac447000000000e8000000002000020000000343b06c0414859a0ef294c9384a45492cd219f7dbf16d81b56d0d0bffb306913100000005fc989d59822d8a863df95aa0c5fe5ba40000000780f7dafd70f3e82322aecf3b9dfcadef51917ec1da346bfa73f4310cc06c17586084664f743c4e0010d8f71df5e1f24a7a7cafd26a2bf585d9958e0dd70fe49
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000d3dcc5aae01e1e9da89edca56d28f36a163c9c6dc442360735b52616c099c83f000000000e8000000002000020000000463159f6ca180cc888b5a033ef51a448685b37c6640a12e5a389db7e15eaa0e21000000073dbc767b39c09570f592900c177b23d40000000b351c84facaea051b577d66335d6440d523da0d0d380f90e887d0600346ba02a7bfb8efd8f81e7f54ce136a7324ee30bae3a3b46a6675d47f5012ce8ddd79285
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce000000000200000000001066000000010000200000001e367d32f53271c2e5a18b612c3b51ca3e23f1fd6721294fd2ccc0f5d8673b31000000000e80000000020000200000001b8b9cee8e537c84b8a83652bc2bf6fe7cf518e12b72dbefafd24dcfed84c65510000000930ff434ddeb40f95d6c534b218b975a400000009c039d9871658a7d91d33dfa6df31b492d1165ec75530deaf6534fcfba3ebaf7ad4023b046e3712ff105cd49f880db2233ad479e7a786016e48b8cdc923b69cb
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6795114A-1CC4-462b-99E6-2C7B0FA69CDC}\AppPath = "C:\\Program Files (x86)\\alot\\bin"
- Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce000000000200000000001066000000010000200000002d8049dac3fa524c4a1adb30324e64c62a99268e4a9560d9a4d218d4df08e2e1000000000e8000000002000020000000f31a3a5f2ef6b4809fd43a35c43d0a40f8962ce80402fe036fe4f7c1f905868b1000000091c6d14ecfc0cfc867c0b67da7c7c99a40000000c584dd58cc0544855e28c405709c7df9cf49533df87f421da61b4776519de5407295ebd36cf5d21834003b298a21234e441f2b8e13161bc6f3749f0776ee02b9
- Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main
- Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6795114A-1CC4-462b-99E6-2C7B0FA69CDC}\Policy = "3"
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000e5e11fb88a7e33168842892d26385c269b5c5e21c627557a7ee30c4a18f5dcd3000000000e8000000002000020000000342c81dd3f737a357a6e84f67d104c04d678e87c5f84ce8c52799808cc96c71810000000b04155d00e7553e3d4c6a7435eecf08d40000000f059db64fe8800aac398388da681c45091fa0bb59c6d14965fb15859c2ae1d44e7dbc4dfb4f6e425437991e3646f9f767bd6b61e5db43723aa22f5008e1a1517
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000846bec7ddcc52b80dc89ad7c726353779f6fe8aaa4c297c3fba40fc510de0491000000000e80000000020000200000004f8a0becbf30f68151845f3f396e75051394452a76e171e3314a21db386e9c0c10000000031edf2f9d95b6176e93ed550e92897740000000b4fe385886d59196ed056b168ea7b9b06fdcee688d06d241259809a2e2d067bb499b6262f0c5dcd60026d22aadf9d68ac1e6535023c8779d13a43466c2ab93a1
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce0000000002000000000010660000000100002000000069999699b738af10a3b293d149bd49b47a4c599ed91b18f991d32ef107cb9221000000000e8000000002000020000000c994d1b765f05b2ba4bf56234bd0320f28f1605949237cdcfe1b11a6d5281e7110000000bdb8e46f7b4d17283001464abf01d37840000000713aa0d2cfe56f134dc0d6856a31586886bf531742c62cd53ddb2bdfb938b3cb0c6dbc51ce0c189e80895d5a6423c1eb486b6a2cd462ec127d1756c7c502cae7
- Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}
- Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}\FaviconURLFallback = "http://files.alot.com/1/update/buttons/favicon.ico"
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000795e786675d768dafbf29309d0473395a162f44d57ffea1835280a93f3f60030000000000e80000000020000200000005ce3f7419f5f6dc1c2909bf6eabda2a6ba3752a6878d5e190f5fa420d263ce411000000017da8381ed98ed9e916d3b515b0cce94400000009311329db7340f5fc010356b0b3bf00a4e2b11ec5fa0dfb5c5071df00bffa792860793af7c58e96f09603db8cb34407b4557b7de5887fd3c543ef5af4c219cf4
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce00000000020000000000106600000001000020000000b41304661d26795e17eed879e85f8bc9697cd6d0a6da15b5470823365baf2795000000000e8000000002000020000000fd08b4ada6b77ca70e57c4e37c5c2675e53e2c9b183d022ec0d8eb43778d7ce010000000251d0a97da833c0f6089e6175a526ad340000000383669223dbc404033ebfc4cede071af988f4d511d6bc1e142d437c2d34a91edb9903edc1a0ea7eb6d1d6b1a863a9ddbc3acfff493ff685052e7c1b4ec4034d0
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce0000000002000000000010660000000100002000000050e211d12b938800b7a8234cffe036eae97f37792b8767ba195c2053bb463425000000000e800000000200002000000072cd3903f629f263f977d54b57aadcdee66914bef6af0aea5ea90e9bda072a7e10000000b2ec338706189aa2d19668c509fcbe5a400000009aaba860cb2aa9293bcba9cecd14898683fb1cf05a0501782a6c84ae0e521046bd9a55600de96b6c5444b26f1109113c09e58b48199c0f1228a51b2b9c0c52f8
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{6795114A-1CC4-462b-99E6-2C7B0FA69CDC}\AppName = "ALOTSettings.exe"
- Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\{5AA2BA46-9913-4DC7-9620-69AB0FA17AE7}\ShowSearchSuggestions = "1"
- Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\User Preferences\6256FFB019F8FDFBD36745B06F4540E9AEAF222A25 = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006e9194506fb195439651b871544709ce000000000200000000001066000000010000200000007ff3d5ecaf494a6c1813f535897642bf80a38c5c279c4a650d01b5475f45393e000000000e80000000020000200000006390c77642cab2c610ca118ebe5d9421c4a720569397df21791184279020df1b100000006e29275703aacec7c35ad7dd1542fca540000000356241ef61741a96613e2a0788ebc61d9b0b07a9150bc9079720c300a60ba6fd0e30e8f67eb6072150dde699488b29802a8261bc465baab992c96a69c6cfae89
Modifies registry class (10 IoCs)
Process for all entries: JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\InprocServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\InprocServer32\ThreadingModel = "Apartment"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}\ = "ALOT Toolbar"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}\InprocServer32\ = "C:\\Program Files (x86)\\alot\\bin\\alot.dll"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\ = "ALOT Toolbar Helper"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}\InprocServer32
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5AA2BA46-9913-4dc7-9620-69AB0FA17AE7}\InprocServer32\ThreadingModel = "Apartment"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{14CEEAFF-96DD-4101-AE37-D5ECDC23C3F6}\InprocServer32\ = "C:\\Program Files (x86)\\alot\\bin\\BHO\\alotBHO.dll"

Suspicious behavior: EnumeratesProcesses (1 IoC)
- PID 2916, process JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 2916, process JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe
- PID 2916, process JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe"
  PID: 2916
  Signatures:
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C3948BE6E525B8A8CEE9FAC91C9E392_0C493B6872FE216C47DE50A9F8E11760
  Filesize: 5B
  MD5: 5bfa51f3a417b98e7443eca90fc94703
  SHA1: 8c015d80b8a23f780bdd215dc842b0f5551f63bd
  SHA256: bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
  SHA512: 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399
- Filesize: 29KB
  MD5: 94cd2434f802cc1d795d5fc2965ad827
  SHA1: bcd3ca114373d07b84aa6e2d2e249ad9d80838b9
  SHA256: 82c4b7fc52038a34414fb8f7fb328289e0516f3a5e209f12488417236772794d
  SHA512: 4c94214015beb2cb6914605b1d4acc10470299f3d4dda7c2c6cdd2fde5ed663a77bc7da3f9ba65876a7712eaaa0c3e80026930e8a4d9ed6bfba00428e145a134
- Filesize: 28KB
  MD5: e6a20b68ab7ebfa534eb020e84aacfe6
  SHA1: 5e1edd6166e586bb72f759104edefc754f344d33
  SHA256: 2001499108e66e5ac01a657149af97e71e1f8c584c4b9d1c44757b598a24da74
  SHA512: 9991a8bd8f0832e0b8333abf378479a163afb18d2a051791e6e9fb023f46f17865ccb13900121c1c40f302c9449ac4f79f142bca2a397d6b41016191d77c6fb7
- Filesize: 2KB
  MD5: a34c3aeca76e7bc74297a272d7c34522
  SHA1: cabe469ba2681d487fafdf8bd92bf6899e134bea
  SHA256: e11cee5be2b9ea2a238d0a1700af18a231f13cff5a86468bfcdd3c6865a6ac3b
  SHA512: 62c08dcb7f06674568c3bd794cf823dd1850d3179e334688727b7484f517a11e3f7de91298bf9889ccf13701b2999761ab874978204b42a9be6db24d7fbfd032
- Filesize: 2KB
  MD5: 1bfc333220308823791c96d52ab9bee2
  SHA1: 7672c3f7aa2459baba59b7d8c6a3172feb6c4899
  SHA256: 83b0f42ccf3172baf19897138a6c2b2a670b58e7e81e35e0172f92c1462dd6a3
  SHA512: c531fc3f2f8f4125d9def6901177c40f2386693443a76c3a988d808c0ca6d5a427360ff93f55ec29dfb398e5923f50618e9fabd11ab6bcf4f49f42f51292f751
- Filesize: 1KB
  MD5: 6a82b6a0fe6138096e549bef053ca02b
  SHA1: af3bba863d0e78d85a3fc9da7ea3da1f1ff5c2c3
  SHA256: 974ff69ea21ffc3f5cb32db5536eed7d685120726eb6413c2040116a5016b26c
  SHA512: c425cf0a340b44819ffe65a3da58f790223956d0da13a1176e6fa9f3a4a61da057b1cf2515b3cf7be8105c4f9279bec81d7589ee41373dc2d3d142289397294f
- Filesize: 11KB
  MD5: f8aee788c2a09699cd4d607e1db670c8
  SHA1: 6457b766f043d901a6dd204d00626c4bea02d503
  SHA256: 503477569d8a48c47c4febbfd4ae6d3cb036856432c8212dcb0226580e7034c9
  SHA512: 424ef5a4f2653b27b3ca921c35e5e36f28c41ddfe9bcd6b5aba7968d87129826770777fbbfcdc78fce8512c1dce819be0e355282d4a729580591ff296a751162
- Filesize: 812KB
  MD5: acb423998044f7dcc904a43419ef2d78
  SHA1: 7fec3d6d444c8f3fef32b6634901fd010b0295bb
  SHA256: 03707a3959ee86ab624d805a399b839d9b2949875f79940026f63a96e6be740f
  SHA512: f037a03564f3608dc69deef46aa63b9250721f4c16aa882054b8eae8a34842a2f7b39910abe47141b549e276b9316ad731056674b9c76bbf5991158ec2c6170a
- Filesize: 15KB
  MD5: 6e663f1a0de94bc05d64d020da5d6f36
  SHA1: c5abb0033776d6ab1f07e5b3568f7d64f90e5b04
  SHA256: 458b70e1745dc6e768d2338ccf3e6e86436488954ca3763472d8ffec4e7177e4
  SHA512: 2a037c39f3a08d4a80494227990f36c4fef2f73c4a6ad74dcc334317a1372234c25d08d8b80d79e126881a49fa4b3f2fffe3604c959d9ceceb47acc7192cc6a5
- Filesize: 11KB
  MD5: b9f430f71c7144d8ff4ab94be2785aa6
  SHA1: c5c1e153caff7ad1d221a9acc8bbb831f05ccb05
  SHA256: b496e81a74ce871236abcd096fb9a6b210b456bebaa7464fa844b3241e51a655
  SHA512: c7ce431b6a1493fd7d1fe1b1c823ad22b582c43c8eb2fb6a471c648dd9df9953277c89932c66afd598d43ea36f4a8602e84cd175115266943071cbc8ce204099
- Filesize: 127KB
  MD5: 91b0372096274dbd47395aa8b28ffedb
  SHA1: 05d79ba090439c2898d8ad480355c08091acee55
  SHA256: 0411ab18ecb0d3d6292eabb89b4c8e41112b3e0be272b087555c2cb8cb0bfc28
  SHA512: c40b9eace25b6c871eee9b4186181268de7463c4fe1c4c19372413989489fa891ebd528175d15df031dc768613a81c619acce0981a4c29d475e795d18b1aff08