Malware Analysis Report

2025-08-05 16:58

Sample ID 250127-zc2jzsvkax
Target JaffaCakes118_4374bc7c7e064c522ad5b244f7535340
SHA256 31f2cc0bc83c8288abc45f7d57560ab13b6bae574e0944cef4da98f6fd6b3940
Tags
upx discovery
score
8/10


Analysis Overview

score
8/10

SHA256

31f2cc0bc83c8288abc45f7d57560ab13b6bae574e0944cef4da98f6fd6b3940

Threat Level: Likely malicious

The file JaffaCakes118_4374bc7c7e064c522ad5b244f7535340 was found to be: Likely malicious.

Malicious Activity Summary

upx discovery

Manipulates Digital Signatures

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies registry class

Modifies data under HKEY_USERS

Runs regedit.exe

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2025-01-27 20:35

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 20:35

Reported

2025-01-27 20:37

Platform

win7-20240903-en

Max time kernel

140s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe"

Signatures

Manipulates Digital Signatures

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\goicfboogidikkejccmclpieicihhlpo jimddp = "electronic-group" C:\Windows\iaccess32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = [certificate blob value elided] C:\Windows\SysWOW64\regedit.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\iaccess32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\iaccess32.exe N/A
N/A N/A C:\Windows\iaccess32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\egaccess4_1071.dll C:\Windows\iaccess32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\Common\module.php C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_1_3.gif C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_2_3.gif C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_3_3.gif C:\Windows\iaccess32.exe N/A
File opened for modification C:\Program Files (x86)\Instant Access\Multi\20100716020708\dialerexe.ini C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\instant access.exe C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk C:\Windows\iaccess32.exe N/A
File opened for modification C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_logo_2.gif C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_go_3.gif C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e.ico C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\dialerexe.ini C:\Windows\iaccess32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\dialerexe.ini C:\Windows\iaccess32.exe N/A
File created C:\Windows\egdhtm_pack.epk C:\Windows\iaccess32.exe N/A
File created C:\Windows\iaccess32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe N/A
File created C:\Windows\tmlpcert2007 C:\Windows\iaccess32.exe N/A
File created C:\Windows\dialexe.zl C:\Windows\iaccess32.exe N/A
File created C:\Windows\dialexe.epk C:\Windows\iaccess32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\iaccess32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\iaccess32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe C:\Windows\iaccess32.exe
PID 2060 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe C:\Windows\iaccess32.exe
PID 2060 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe C:\Windows\iaccess32.exe
PID 2060 wrote to memory of 2356 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe C:\Windows\iaccess32.exe
PID 2356 wrote to memory of 2244 N/A C:\Windows\iaccess32.exe C:\Windows\SysWOW64\regedit.exe
PID 2356 wrote to memory of 2244 N/A C:\Windows\iaccess32.exe C:\Windows\SysWOW64\regedit.exe
PID 2356 wrote to memory of 2244 N/A C:\Windows\iaccess32.exe C:\Windows\SysWOW64\regedit.exe
PID 2356 wrote to memory of 2244 N/A C:\Windows\iaccess32.exe C:\Windows\SysWOW64\regedit.exe
PID 2356 wrote to memory of 1152 N/A C:\Windows\iaccess32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2356 wrote to memory of 1152 N/A C:\Windows\iaccess32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2356 wrote to memory of 1152 N/A C:\Windows\iaccess32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2356 wrote to memory of 1152 N/A C:\Windows\iaccess32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2356 wrote to memory of 1152 N/A C:\Windows\iaccess32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2356 wrote to memory of 1152 N/A C:\Windows\iaccess32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2356 wrote to memory of 1152 N/A C:\Windows\iaccess32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe"

C:\Windows\iaccess32.exe

C:\Windows\iaccess32.exe

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"

Network

Country Destination Domain Proto
US 8.8.8.8:53 scripts.dlv4.com udp
DE 172.104.251.198:80 scripts.dlv4.com tcp
DE 172.104.251.198:80 scripts.dlv4.com tcp

Files

memory/2060-0-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2060-3-0x0000000000320000-0x000000000034E000-memory.dmp

C:\Windows\iaccess32.exe

MD5 108c8d631c72039039100658bc5ad599
SHA1 7a8e5c7118cd28a5b99bf9daa507748eccbb38fd
SHA256 eca0505983bb83f0a3b567e23b936600b8ea551584f4d2e73ab4e3080302ba4a
SHA512 87e2f9c781b6ae3d5c783b2a2e66ceabcace6d8a57af26bd0623408396e12ecd23caf9aaaa76937fb9d83bb4e998d08e18a9a8e9eae8b9acbf0137ec3b6aa358

memory/2356-11-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2060-10-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2060-7-0x0000000000320000-0x000000000034E000-memory.dmp

C:\Windows\tmlpcert2007

MD5 b103757bc3c714123b5efa26ff96a915
SHA1 991d6694c71736b59b9486339be44ae5e2b66fef
SHA256 eef8937445f24c2bcbe101419be42694e0e38628653a755ab29ecba357d81d48
SHA512 d04f2ab14ad4d3e06ea357b4c810515d73b32f2650533a5895ebf5d14b4b697752f25c0c371372e00faab661c0b051c33b8c25bf1226f30be5d6b8727dea81e1

C:\Windows\SysWOW64\egaccess4_1071.dll

MD5 b83f652ffa76451ae438954f89c02f62
SHA1 b3ba0014dd16cee5f6d4cfe7e28b2d5de79dc6dd
SHA256 f601991aa00cbe7001197affc0e3854ab76c51c05b9a6ca3e3f708fed876c32f
SHA512 965172a5ecd070ea6707ec9985ee3c135c06534561b90ae233e8049b247d87d529b8280f0faf2b0ed933f59c68844414726fa80c4d3119cffa4fdd1cb60eab83

memory/1152-34-0x0000000010000000-0x0000000010047000-memory.dmp

C:\Program Files (x86)\Instant Access\Multi\20100716020708\dialerexe.ini

MD5 2467b6db517327de4ba8a0549582b19f
SHA1 e81a9c551b8da351aa0d5bfeae6ab5b02bf27736
SHA256 ccc9290200f64d9035cc1c0cde88e9fdff10ddb3685328a0c3f38d30ab5415ba
SHA512 49a732b28e15d99dec418613ca3351f8738f733d7c775ab3184581d40a908711bb5551c625bdfde25afdf1760d860699373d9a935457faac4e0a7c8ca8242cd8

memory/2356-47-0x0000000001EF0000-0x0000000001F00000-memory.dmp

memory/2356-56-0x0000000001EF0000-0x0000000001F00000-memory.dmp

C:\Users\Public\Desktop\NOCREDITCARD.lnk

MD5 8671dec7d9fce484eb90e0d161247898
SHA1 92b4d775215443a4792d90077a4a05781bab025c
SHA256 92d7c0c165476a55f94292040bcb81dcdb1a62f653feb5876f0b856bc590b4b7
SHA512 20327123fabefd901d76cb3b7e16459338c63816548a69623b7de55e936d38bc399677844fd8e628062f290789a357615e9959ddbb05adef3e8ac5ef235b8de9

memory/2356-81-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2356-82-0x0000000001EF0000-0x0000000001F00000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-27 20:35

Reported

2025-01-27 20:37

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe"

Signatures

Manipulates Digital Signatures

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = [certificate blob value elided] C:\Windows\SysWOW64\regedit.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Windows\iaccess32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\iaccess32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\egaccess4_1071.dll C:\Windows\iaccess32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_1_3.gif C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_2_3.gif C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_go_3.gif C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_3_3.gif C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e.ico C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\dialerexe.ini C:\Windows\iaccess32.exe N/A
File opened for modification C:\Program Files (x86)\Instant Access\Multi\20100716020708\dialerexe.ini C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\Common\module.php C:\Windows\iaccess32.exe N/A
File opened for modification C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\instant access.exe C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk C:\Windows\iaccess32.exe N/A
File created C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_logo_2.gif C:\Windows\iaccess32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\dialexe.zl C:\Windows\iaccess32.exe N/A
File created C:\Windows\dialexe.epk C:\Windows\iaccess32.exe N/A
File created C:\Windows\dialerexe.ini C:\Windows\iaccess32.exe N/A
File created C:\Windows\egdhtm_pack.epk C:\Windows\iaccess32.exe N/A
File created C:\Windows\iaccess32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe N/A
File created C:\Windows\tmlpcert2007 C:\Windows\iaccess32.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\iaccess32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\À C:\Windows\iaccess32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A

Runs regedit.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe"

C:\Windows\iaccess32.exe

C:\Windows\iaccess32.exe

C:\Windows\SysWOW64\regedit.exe

"C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007

C:\Windows\SysWOW64\regsvr32.exe

regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 scripts.dlv4.com udp
US 8.8.8.8:53 13.153.16.2.in-addr.arpa udp
DE 139.162.181.76:80 scripts.dlv4.com tcp
DE 139.162.181.76:80 scripts.dlv4.com tcp
US 8.8.8.8:53 76.181.162.139.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 5.114.82.104.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 11.153.16.2.in-addr.arpa udp

Files

memory/4328-0-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\iaccess32.exe

MD5 108c8d631c72039039100658bc5ad599
SHA1 7a8e5c7118cd28a5b99bf9daa507748eccbb38fd
SHA256 eca0505983bb83f0a3b567e23b936600b8ea551584f4d2e73ab4e3080302ba4a
SHA512 87e2f9c781b6ae3d5c783b2a2e66ceabcace6d8a57af26bd0623408396e12ecd23caf9aaaa76937fb9d83bb4e998d08e18a9a8e9eae8b9acbf0137ec3b6aa358

memory/2360-4-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4328-6-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\tmlpcert2007

MD5 b103757bc3c714123b5efa26ff96a915
SHA1 991d6694c71736b59b9486339be44ae5e2b66fef
SHA256 eef8937445f24c2bcbe101419be42694e0e38628653a755ab29ecba357d81d48
SHA512 d04f2ab14ad4d3e06ea357b4c810515d73b32f2650533a5895ebf5d14b4b697752f25c0c371372e00faab661c0b051c33b8c25bf1226f30be5d6b8727dea81e1

C:\Windows\SysWOW64\egaccess4_1071.dll

MD5 b83f652ffa76451ae438954f89c02f62
SHA1 b3ba0014dd16cee5f6d4cfe7e28b2d5de79dc6dd
SHA256 f601991aa00cbe7001197affc0e3854ab76c51c05b9a6ca3e3f708fed876c32f
SHA512 965172a5ecd070ea6707ec9985ee3c135c06534561b90ae233e8049b247d87d529b8280f0faf2b0ed933f59c68844414726fa80c4d3119cffa4fdd1cb60eab83

memory/224-29-0x0000000010000000-0x0000000010047000-memory.dmp

C:\Windows\dialerexe.ini

MD5 2467b6db517327de4ba8a0549582b19f
SHA1 e81a9c551b8da351aa0d5bfeae6ab5b02bf27736
SHA256 ccc9290200f64d9035cc1c0cde88e9fdff10ddb3685328a0c3f38d30ab5415ba
SHA512 49a732b28e15d99dec418613ca3351f8738f733d7c775ab3184581d40a908711bb5551c625bdfde25afdf1760d860699373d9a935457faac4e0a7c8ca8242cd8

C:\Users\Public\Desktop\NOCREDITCARD.lnk

MD5 6eb65b9c9389b8319de18d97cbd79fc6
SHA1 8a9d501185ccb7cab5fce6f030b9319357e444e8
SHA256 dfc44f60d647bfd515a8c241b2953dd3b658471b58e16ec113b56afed98252d9
SHA512 72a34c60b51525b720f4d78e61288fae277526797a5fe1fa12777e127b42a55db7aa9ff4deeb03fff0edfc37e77f1a73ca198625ad60cf6851791184d536a48f

memory/2360-63-0x0000000000400000-0x000000000042E000-memory.dmp