Analysis Overview
SHA256
31f2cc0bc83c8288abc45f7d57560ab13b6bae574e0944cef4da98f6fd6b3940
Threat Level: Likely malicious
The file JaffaCakes118_4374bc7c7e064c522ad5b244f7535340 was found to be: Likely malicious.
Malicious Activity Summary
Manipulates Digital Signatures
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Modifies registry class
Modifies data under HKEY_USERS
Runs regedit.exe
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 20:35
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 20:35
Reported
2025-01-27 20:37
Platform
win7-20240903-en
Max time kernel
140s
Max time network
140s
Command Line
Signatures
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing\Trust Database\0\goicfboogidikkejccmclpieicihhlpo jimddp = "electronic-group" | C:\Windows\iaccess32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = [certificate blob removed] | C:\Windows\SysWOW64\regedit.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\iaccess32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\iaccess32.exe | N/A |
| N/A | N/A | C:\Windows\iaccess32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\egaccess4_1071.dll | C:\Windows\iaccess32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\Common\module.php | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_1_3.gif | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_2_3.gif | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_3_3.gif | C:\Windows\iaccess32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Instant Access\Multi\20100716020708\dialerexe.ini | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\instant access.exe | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk | C:\Windows\iaccess32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_logo_2.gif | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_go_3.gif | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e.ico | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\dialerexe.ini | C:\Windows\iaccess32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\dialerexe.ini | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Windows\egdhtm_pack.epk | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Windows\iaccess32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe | N/A |
| File created | C:\Windows\tmlpcert2007 | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Windows\dialexe.zl | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Windows\dialexe.epk | C:\Windows\iaccess32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\iaccess32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\iaccess32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe | N/A |
| N/A | N/A | C:\Windows\iaccess32.exe | N/A |
| N/A | N/A | C:\Windows\iaccess32.exe | N/A |
| N/A | N/A | C:\Windows\iaccess32.exe | N/A |
| N/A | N/A | C:\Windows\iaccess32.exe | N/A |
| N/A | N/A | C:\Windows\iaccess32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe"
C:\Windows\iaccess32.exe
C:\Windows\iaccess32.exe
C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | scripts.dlv4.com | udp |
| DE | 172.104.251.198:80 | scripts.dlv4.com | tcp |
| DE | 172.104.251.198:80 | scripts.dlv4.com | tcp |
Files
memory/2060-0-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2060-3-0x0000000000320000-0x000000000034E000-memory.dmp
C:\Windows\iaccess32.exe
| MD5 | 108c8d631c72039039100658bc5ad599 |
| SHA1 | 7a8e5c7118cd28a5b99bf9daa507748eccbb38fd |
| SHA256 | eca0505983bb83f0a3b567e23b936600b8ea551584f4d2e73ab4e3080302ba4a |
| SHA512 | 87e2f9c781b6ae3d5c783b2a2e66ceabcace6d8a57af26bd0623408396e12ecd23caf9aaaa76937fb9d83bb4e998d08e18a9a8e9eae8b9acbf0137ec3b6aa358 |
memory/2356-11-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2060-10-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2060-7-0x0000000000320000-0x000000000034E000-memory.dmp
C:\Windows\tmlpcert2007
| MD5 | b103757bc3c714123b5efa26ff96a915 |
| SHA1 | 991d6694c71736b59b9486339be44ae5e2b66fef |
| SHA256 | eef8937445f24c2bcbe101419be42694e0e38628653a755ab29ecba357d81d48 |
| SHA512 | d04f2ab14ad4d3e06ea357b4c810515d73b32f2650533a5895ebf5d14b4b697752f25c0c371372e00faab661c0b051c33b8c25bf1226f30be5d6b8727dea81e1 |
C:\Windows\SysWOW64\egaccess4_1071.dll
| MD5 | b83f652ffa76451ae438954f89c02f62 |
| SHA1 | b3ba0014dd16cee5f6d4cfe7e28b2d5de79dc6dd |
| SHA256 | f601991aa00cbe7001197affc0e3854ab76c51c05b9a6ca3e3f708fed876c32f |
| SHA512 | 965172a5ecd070ea6707ec9985ee3c135c06534561b90ae233e8049b247d87d529b8280f0faf2b0ed933f59c68844414726fa80c4d3119cffa4fdd1cb60eab83 |
memory/1152-34-0x0000000010000000-0x0000000010047000-memory.dmp
C:\Program Files (x86)\Instant Access\Multi\20100716020708\dialerexe.ini
| MD5 | 2467b6db517327de4ba8a0549582b19f |
| SHA1 | e81a9c551b8da351aa0d5bfeae6ab5b02bf27736 |
| SHA256 | ccc9290200f64d9035cc1c0cde88e9fdff10ddb3685328a0c3f38d30ab5415ba |
| SHA512 | 49a732b28e15d99dec418613ca3351f8738f733d7c775ab3184581d40a908711bb5551c625bdfde25afdf1760d860699373d9a935457faac4e0a7c8ca8242cd8 |
memory/2356-47-0x0000000001EF0000-0x0000000001F00000-memory.dmp
memory/2356-56-0x0000000001EF0000-0x0000000001F00000-memory.dmp
C:\Users\Public\Desktop\NOCREDITCARD.lnk
| MD5 | 8671dec7d9fce484eb90e0d161247898 |
| SHA1 | 92b4d775215443a4792d90077a4a05781bab025c |
| SHA256 | 92d7c0c165476a55f94292040bcb81dcdb1a62f653feb5876f0b856bc590b4b7 |
| SHA512 | 20327123fabefd901d76cb3b7e16459338c63816548a69623b7de55e936d38bc399677844fd8e628062f290789a357615e9959ddbb05adef3e8ac5ef235b8de9 |
memory/2356-81-0x0000000000400000-0x000000000042E000-memory.dmp
memory/2356-82-0x0000000001EF0000-0x0000000001F00000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-27 20:35
Reported
2025-01-27 20:37
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
143s
Command Line
Signatures
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\62119EF862C6B3A0D853419B87EB3E2F6C78640A\Blob = [certificate blob removed] | C:\Windows\SysWOW64\regedit.exe | N/A |
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\iaccess32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\iaccess32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\egaccess4_1071.dll | C:\Windows\iaccess32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_1_3.gif | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_2_3.gif | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_go_3.gif | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_3_3.gif | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e.ico | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\dialerexe.ini | C:\Windows\iaccess32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Instant Access\Multi\20100716020708\dialerexe.ini | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\Common\module.php | C:\Windows\iaccess32.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\instant access.exe | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\DesktopIcons\NOCREDITCARD.lnk | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Center\NOCREDITCARD.lnk | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Program Files (x86)\Instant Access\Multi\20100716020708\medias\p2e_logo_2.gif | C:\Windows\iaccess32.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\dialexe.zl | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Windows\dialexe.epk | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Windows\dialerexe.ini | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Windows\egdhtm_pack.epk | C:\Windows\iaccess32.exe | N/A |
| File created | C:\Windows\iaccess32.exe | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe | N/A |
| File created | C:\Windows\tmlpcert2007 | C:\Windows\iaccess32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\iaccess32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\À | C:\Windows\iaccess32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ = "C:\\Windows\\SysWow64\\egaccess4_1071.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{413E282B-C32A-4717-A0F3-4F2E6FE25F83}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Runs regedit.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe | N/A |
| N/A | N/A | C:\Windows\iaccess32.exe | N/A |
| N/A | N/A | C:\Windows\iaccess32.exe | N/A |
| N/A | N/A | C:\Windows\iaccess32.exe | N/A |
| N/A | N/A | C:\Windows\iaccess32.exe | N/A |
| N/A | N/A | C:\Windows\iaccess32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374bc7c7e064c522ad5b244f7535340.exe"
C:\Windows\iaccess32.exe
C:\Windows\iaccess32.exe
C:\Windows\SysWOW64\regedit.exe
"C:\Windows\System32\regedit.exe" /s C:\Windows\tmlpcert2007
C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\Windows\system32\egaccess4_1071.dll"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | scripts.dlv4.com | udp |
| US | 8.8.8.8:53 | 13.153.16.2.in-addr.arpa | udp |
| DE | 139.162.181.76:80 | scripts.dlv4.com | tcp |
| DE | 139.162.181.76:80 | scripts.dlv4.com | tcp |
| US | 8.8.8.8:53 | 76.181.162.139.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.153.16.2.in-addr.arpa | udp |
Files
memory/4328-0-0x0000000000400000-0x000000000042E000-memory.dmp
C:\Windows\iaccess32.exe
| MD5 | 108c8d631c72039039100658bc5ad599 |
| SHA1 | 7a8e5c7118cd28a5b99bf9daa507748eccbb38fd |
| SHA256 | eca0505983bb83f0a3b567e23b936600b8ea551584f4d2e73ab4e3080302ba4a |
| SHA512 | 87e2f9c781b6ae3d5c783b2a2e66ceabcace6d8a57af26bd0623408396e12ecd23caf9aaaa76937fb9d83bb4e998d08e18a9a8e9eae8b9acbf0137ec3b6aa358 |
memory/2360-4-0x0000000000400000-0x000000000042E000-memory.dmp
memory/4328-6-0x0000000000400000-0x000000000042E000-memory.dmp
C:\Windows\tmlpcert2007
| MD5 | b103757bc3c714123b5efa26ff96a915 |
| SHA1 | 991d6694c71736b59b9486339be44ae5e2b66fef |
| SHA256 | eef8937445f24c2bcbe101419be42694e0e38628653a755ab29ecba357d81d48 |
| SHA512 | d04f2ab14ad4d3e06ea357b4c810515d73b32f2650533a5895ebf5d14b4b697752f25c0c371372e00faab661c0b051c33b8c25bf1226f30be5d6b8727dea81e1 |
C:\Windows\SysWOW64\egaccess4_1071.dll
| MD5 | b83f652ffa76451ae438954f89c02f62 |
| SHA1 | b3ba0014dd16cee5f6d4cfe7e28b2d5de79dc6dd |
| SHA256 | f601991aa00cbe7001197affc0e3854ab76c51c05b9a6ca3e3f708fed876c32f |
| SHA512 | 965172a5ecd070ea6707ec9985ee3c135c06534561b90ae233e8049b247d87d529b8280f0faf2b0ed933f59c68844414726fa80c4d3119cffa4fdd1cb60eab83 |
memory/224-29-0x0000000010000000-0x0000000010047000-memory.dmp
C:\Windows\dialerexe.ini
| MD5 | 2467b6db517327de4ba8a0549582b19f |
| SHA1 | e81a9c551b8da351aa0d5bfeae6ab5b02bf27736 |
| SHA256 | ccc9290200f64d9035cc1c0cde88e9fdff10ddb3685328a0c3f38d30ab5415ba |
| SHA512 | 49a732b28e15d99dec418613ca3351f8738f733d7c775ab3184581d40a908711bb5551c625bdfde25afdf1760d860699373d9a935457faac4e0a7c8ca8242cd8 |
C:\Users\Public\Desktop\NOCREDITCARD.lnk
| MD5 | 6eb65b9c9389b8319de18d97cbd79fc6 |
| SHA1 | 8a9d501185ccb7cab5fce6f030b9319357e444e8 |
| SHA256 | dfc44f60d647bfd515a8c241b2953dd3b658471b58e16ec113b56afed98252d9 |
| SHA512 | 72a34c60b51525b720f4d78e61288fae277526797a5fe1fa12777e127b42a55db7aa9ff4deeb03fff0edfc37e77f1a73ca198625ad60cf6851791184d536a48f |
memory/2360-63-0x0000000000400000-0x000000000042E000-memory.dmp