Analysis
max time kernel: 120s
max time network: 122s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64, arch:x86, image:win7-20241023-en, locale:en-us, os:windows7-x64, system
submitted: 25/01/2025, 02:55
Static task
static1

Behavioral tasks (task: sample, resource)
behavioral1: JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe, win7-20241023-en
behavioral2: JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe, win10v2004-20241007-en
behavioral3: $APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build.sh, ubuntu1804-amd64-20240611-en
behavioral4: $APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build.sh, debian9-armhf-20240418-en
behavioral5: $APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build.sh, debian9-mipsbe-20240729-en
behavioral6: $APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/build.sh, debian9-mipsel-20240226-en
behavioral7: $APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/config_build.sh, ubuntu1804-amd64-20240611-en
behavioral8: $APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/config_build.sh, debian9-armhf-20240418-en
behavioral9: $APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/config_build.sh, debian9-mipsbe-20240729-en
behavioral10: $APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/config_build.sh, debian9-mipsel-20240611-en
behavioral11: $APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/content/installid.js, win7-20240903-en
behavioral12: $APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/content/installid.js, win10v2004-20241007-en
behavioral13: $APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/content/overlay.js, win7-20240903-en
behavioral14: $APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/content/overlay.js, win10v2004-20241007-en
behavioral15: $APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/content/vfdownload.js, win7-20241023-en
behavioral16: $APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/content/vfdownload.js, win10v2004-20241007-en
behavioral17: $APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/defaults/preferences/vfdownload.js, win7-20240903-en
behavioral18: $APPDATA/Mozilla/Firefox/$R0/extensions/[email protected]/defaults/preferences/vfdownload.js, win10v2004-20241007-en
behavioral19: $PLUGINSDIR/System.dll, win7-20240903-en
behavioral20: $PLUGINSDIR/System.dll, win10v2004-20241007-en
behavioral21: $PLUGINSDIR/fct.dll, win7-20240903-en
behavioral22: $PLUGINSDIR/fct.dll, win10v2004-20241007-en
behavioral23: $PLUGINSDIR/inetc.dll, win7-20240903-en
behavioral24: $PLUGINSDIR/inetc.dll, win10v2004-20241007-en
behavioral25: VFDInstall.exe, win7-20240903-en
behavioral26: VFDInstall.exe, win10v2004-20241007-en
behavioral27: bho_project.dll, win7-20240903-en
behavioral28: bho_project.dll, win10v2004-20241007-en
behavioral29: chromeaddon/._included.js, win7-20241010-en
behavioral30: chromeaddon/._included.js, win10v2004-20241007-en
behavioral31: chromeaddon/background.html, win7-20240903-en
behavioral32: chromeaddon/background.html, win10v2004-20241007-en
General
Target: JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe
Size: 159KB
MD5: 2793cb025fbd21dbfb9baa7d31639cd6
SHA1: 891cd7b11e19c6ba57ef1a00a9bcc13808b09484
SHA256: 754e73d783386a99ea36946cb578d34abe841adb9e32c0471711006d3ffeb61b
SHA512: a09907ff9021e27b7217237e9d2350fe4d89b3e010d410ff7cf7bd58d030f89a4c61d2070b38b9ed55431177e2937334fa318b933591277557952c487c607272
SSDEEP: 3072:3Lk395hYXJ1ZfFsuGC5w9RinLEKMWhhXKQMN6PPmlAMosBNI:3QqjZuu/5wTso/UNKQMNQmSMHM
Malware Config
Signatures
Executes dropped EXE 1 IoCs
PID 2860: VFDInstall.exe
Loads dropped DLL 10 IoCs
PID 2308: JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe (5 entries)
PID 2936: regsvr32.exe
PID 2308: JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe (4 entries)
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Installs/modifies Browser Helper Object 2 TTPs 3 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{625F420E-A4A9-4B40-BC23-716C1C43893A} (regsvr32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{625F420E-A4A9-4B40-BC23-716C1C43893A}\ = "BHO_PROJECT" (regsvr32.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{625F420E-A4A9-4B40-BC23-716C1C43893A}\NoExplorer = "1" (regsvr32.exe)
Drops file in Program Files directory 17 IoCs
Process for all entries: JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe
File opened for modification: C:\Program Files (x86)\OA\config.ini
File opened for modification: C:\Program Files (x86)\OA\VFDInstall.exe
File created: C:\Program Files (x86)\OA\chromeaddon\background.html
File created: C:\Program Files (x86)\OA\chromeaddon\._included.js
File created: C:\Program Files (x86)\OA\chromeaddon\included.js
File created: C:\Program Files (x86)\OA\VFDInstall.exe
File created: C:\Program Files (x86)\OA\chromeaddon\manifest.json
File created: C:\Program Files (x86)\OA\ChromeAddon.pem
File created: C:\Program Files (x86)\OA\status4.txt
File created: C:\Program Files (x86)\OA\status2.txt
File opened for modification: C:\Program Files (x86)\OA\conf.ini
File created: C:\Program Files (x86)\OA\bho_project.dll
File created: C:\Program Files (x86)\OA\vfd-adk_uninstall.exe
File opened for modification: C:\Program Files (x86)\OA\chromeaddon\included.js
File created: C:\Program Files (x86)\OA\status.txt
File created: C:\Program Files (x86)\OA\status3.txt
File created: C:\Program Files (x86)\OA\conf.ini
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (VFDInstall.exe)
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (regsvr32.exe)
NSIS installer 2 IoCs
behavioral1/files/0x0007000000016df3-26.dat: yara rule nsis_installer_1
behavioral1/files/0x0007000000016df3-26.dat: yara rule nsis_installer_2
Modifies Internet Explorer settings 4 IoCs
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{625F420E-A4A9-4B40-BC23-716C1C43893A}\AppName = "VFDInstall.exe" (JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{625F420E-A4A9-4B40-BC23-716C1C43893A}\AppPath = "C:\\Program Files (x86)\\OA" (JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{625F420E-A4A9-4B40-BC23-716C1C43893A}\Policy = "3" (JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe)
Key created: \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{625F420E-A4A9-4B40-BC23-716C1C43893A} (JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe)
Modifies data under HKEY_USERS 2 IoCs
Key created: \REGISTRY\USER\Software\AppDataLow\Software\VFDInstall\Installer\Folder (JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe)
Key created: \REGISTRY\USER\Software (JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe)
Modifies registry class 32 IoCs
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{625F420E-A4A9-4B40-BC23-716C1C43893A} (JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{625F420E-A4A9-4B40-BC23-716C1C43893A}\InprocServer32 (JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{186E19A3-B909-4F48-B687-BB81EB8BC7CE}\ = "bho_project" (regsvr32.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B00FE392-639D-4688-976E-A1BFF368CB96}\1.0 (regsvr32.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B00FE392-639D-4688-976E-A1BFF368CB96}\1.0\0 (regsvr32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AE26843-9171-4F23-A8E5-5421701276A4}\ = "Ibho_object" (regsvr32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AE26843-9171-4F23-A8E5-5421701276A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" (regsvr32.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B00FE392-639D-4688-976E-A1BFF368CB96}\1.0\0\win32 (regsvr32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3AE26843-9171-4F23-A8E5-5421701276A4}\TypeLib\Version = "1.0" (regsvr32.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AE26843-9171-4F23-A8E5-5421701276A4} (regsvr32.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AE26843-9171-4F23-A8E5-5421701276A4}\TypeLib (regsvr32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B00FE392-639D-4688-976E-A1BFF368CB96}\1.0\0\win32\ = "C:\\Program Files (x86)\\OA\\bho_project.dll" (regsvr32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B00FE392-639D-4688-976E-A1BFF368CB96}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\OA" (regsvr32.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3AE26843-9171-4F23-A8E5-5421701276A4} (regsvr32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3AE26843-9171-4F23-A8E5-5421701276A4}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" (regsvr32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B00FE392-639D-4688-976E-A1BFF368CB96}\1.0\FLAGS\ = "0" (regsvr32.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3AE26843-9171-4F23-A8E5-5421701276A4}\TypeLib (regsvr32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3AE26843-9171-4F23-A8E5-5421701276A4}\TypeLib\ = "{B00FE392-639D-4688-976E-A1BFF368CB96}" (regsvr32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{625F420E-A4A9-4B40-BC23-716C1C43893A}\InprocServer32\ = "C:\\Program Files (x86)\\OA\\bho_project.dll" (JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{186E19A3-B909-4F48-B687-BB81EB8BC7CE} (regsvr32.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\bho_project.DLL (regsvr32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B00FE392-639D-4688-976E-A1BFF368CB96}\1.0\ = "bho_project 1.0 Type Library" (regsvr32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AE26843-9171-4F23-A8E5-5421701276A4}\TypeLib\Version = "1.0" (regsvr32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{625F420E-A4A9-4B40-BC23-716C1C43893A}\ = "VideoFileDownload" (JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\bho_project.DLL\AppID = "{186E19A3-B909-4F48-B687-BB81EB8BC7CE}" (regsvr32.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B00FE392-639D-4688-976E-A1BFF368CB96} (regsvr32.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B00FE392-639D-4688-976E-A1BFF368CB96}\1.0\HELPDIR (regsvr32.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3AE26843-9171-4F23-A8E5-5421701276A4}\ProxyStubClsid32 (regsvr32.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AE26843-9171-4F23-A8E5-5421701276A4}\ProxyStubClsid32 (regsvr32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3AE26843-9171-4F23-A8E5-5421701276A4}\TypeLib\ = "{B00FE392-639D-4688-976E-A1BFF368CB96}" (regsvr32.exe)
Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B00FE392-639D-4688-976E-A1BFF368CB96}\1.0\FLAGS (regsvr32.exe)
Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3AE26843-9171-4F23-A8E5-5421701276A4}\ = "Ibho_object" (regsvr32.exe)
Suspicious use of WriteProcessMemory 14 IoCs
PID 2308 (JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe) wrote to memory of PID 2860, target procid 31 (7 entries)
PID 2860 (VFDInstall.exe) wrote to memory of PID 2936, target procid 32 (7 entries)
System policy modification 1 TTPs 2 IoCs
Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext (JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe)
Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\IgnoreFrameApprovalCheck = "1" (JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2793cb025fbd21dbfb9baa7d31639cd6.exe"
   PID: 2308
   - Loads dropped DLL
   - Drops file in Program Files directory
   - System Location Discovery: System Language Discovery
   - Modifies Internet Explorer settings
   - Modifies data under HKEY_USERS
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   - System policy modification

   2. C:\Program Files (x86)\OA\VFDInstall.exe (child of 1)
      Command line: "C:\Program Files (x86)\OA\VFDInstall.exe"
      PID: 2860
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\regsvr32.exe (child of 2)
         Command line: regsvr32 /s "bho_project.dll"
         PID: 2936
         - Loads dropped DLL
         - Installs/modifies Browser Helper Object
         - System Location Discovery: System Language Discovery
         - Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Downloads