9b3c25d13ed5dde35e2007cce55d6e1a84b1457b7195f45778fae945fab74137

Analysis

max time kernel
120s
max time network
129s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Size

62KB
MD5

8ad751aa4eec7e08698f5e63240a2f35
SHA1

1774bb0a097ef5e152d11812ccc6a1b00799919c
SHA256

9b3c25d13ed5dde35e2007cce55d6e1a84b1457b7195f45778fae945fab74137
SHA512

a74dd9e05fab7f699df6e71aed64ebd9765b2596f9fa3bb5e9e8190d633331f1957a1f1c6a1e6e52fa6190fa081a7d5f3e43e55a56ba288150706b067a5ca691
SSDEEP

1536:zwXVn7kDcuaXa5H5udrqFyTWtLEfjr0mXbAG:UXhugCHeOJtQjr0mXbD

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2932	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2308	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E14DCE67-8FB7-4721-8149-179BAA4D792C}	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wsock32.sys	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
File opened for modification	C:\Windows\SysWOW64\epzbm6r346.ini	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
File created	C:\Windows\SysWOW64\epzbm6r346.ini	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
File created	C:\Windows\SysWOW64\del32.bat	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0f7adc9ff9fdb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b63c91252260e744bcd1a47322dc266b00000000020000000000106600000001000020000000223e3864f0f045b7d22d880b127a3a2b6eb784e4afbc962408b51856465ddf9a000000000e8000000002000020000000f9c94b8b6c8d522bbd70bd9ce12d9df9b834c129cc82a5f2f4c5f2c809c3ff729000000030e8ca17e3c38e66fa45161d11f114547379e8fbf4af424117245bbacaef1e93c7d1f0ceb2b08d38a241cd9665b3d704730d66e86926615eaecbb8ce9b1d51f1557d5fb7a64766a6c483d6b32c7229eaf3f892156cbdc0e1dd6e8e62544ac64fc242c8d2c9f6caeaea859e0c5029b5e2e346aaea44997bf1881038e0cf1d106fedce2dad228a5658ccca303c22a7528b40000000fbfa5652607c24de1a49d484c4e8a80eb1ef44ac0ebba5e0eaf72fa652f39ff35c007ba033f1834ac54d36a3a3a346aa68fb272732d9cce5431b8047a36ea1d3	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449341724"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F5047AA1-0BF2-11F0-831B-5E0455F18BC4} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b63c91252260e744bcd1a47322dc266b000000000200000000001066000000010000200000002865b44a2a37ac0bbbe6f5337d31808f6d9e4d231f91bcd6d9185f124fd233d2000000000e8000000002000020000000f6ec79a8456cfc2f2f5b56a7000ba6b1adbcab1f084577288fb2e0a06293d8cc2000000039bf4f27cc42c002a22315b5fe8bc96239ac54d4c23b1e26e61b0ce0c9ebe2ad4000000038694b9b0d473457cf687745a6b686a691b6e7aec42695ced54b59953e65993756e52060d6e8cdceab3c78168b42ca16454241bc6843f21fb7f9645b317723b1	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "Cs4"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ThreadingModel = "Apartment"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "_Cs4"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\Clsid	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS\ = "0"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\Version = "3.0"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\VERSION\ = "3.0"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\Clsid\ = "{E14DCE67-8FB7-4721-8149-179BAA4D792C}"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ = "_Cs4"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ProgID\ = "N.Cs4"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\InprocServer32\ = "C:\\Windows\\SysWow64\\wsock32.sys"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\N.Cs4\ = "N.Cs4"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\ = "N.Cs4"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\FLAGS	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\0\win32\ = "C:\\Windows\\SysWow64\\wsock32.sys"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\TypeLib\ = "{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\ = "N"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TYPELIB\{C9F1C5A0-F3D8-48E2-8B8C-3E86B4CAC7E3}\3.0\HELPDIR\ = "C:\\Windows\\system32"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\ProxyStubClsid32	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0958C4C9-77B0-4AA8-9364-7886BFCA7E39}\TypeLib\Version = "3.0"	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E14DCE67-8FB7-4721-8149-179BAA4D792C}\VERSION	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2464	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2308	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
2464	IEXPLORE.EXE
2464	IEXPLORE.EXE
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE
2372	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 3000	2308	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe	31
PID 2308 wrote to memory of 3000	2308	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe	31
PID 2308 wrote to memory of 3000	2308	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe	31
PID 2308 wrote to memory of 3000	2308	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe	31
PID 3000 wrote to memory of 2464	3000	iexplore.exe	32
PID 3000 wrote to memory of 2464	3000	iexplore.exe	32
PID 3000 wrote to memory of 2464	3000	iexplore.exe	32
PID 3000 wrote to memory of 2464	3000	iexplore.exe	32
PID 2464 wrote to memory of 2372	2464	IEXPLORE.EXE	33
PID 2464 wrote to memory of 2372	2464	IEXPLORE.EXE	33
PID 2464 wrote to memory of 2372	2464	IEXPLORE.EXE	33
PID 2464 wrote to memory of 2372	2464	IEXPLORE.EXE	33
PID 2308 wrote to memory of 2932	2308	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe	34
PID 2308 wrote to memory of 2932	2308	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe	34
PID 2308 wrote to memory of 2932	2308	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe	34
PID 2308 wrote to memory of 2932	2308	JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ad751aa4eec7e08698f5e63240a2f35.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Program Files (x86)\internet explorer\iexplore.exe
  "C:\Program Files (x86)\internet explorer\iexplore.exe" http://
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3000
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Windows\system32\del32.bat
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
73568042110ed29a8c8ca524b94e5157

SHA1
19979024bc87d72d0725bc7bc26fb3fc410246be

SHA256
4e07e47810b4dbdb7485914ac0b48d0aeca1405a0c01a0c0ce605a7cc088754c

SHA512
29d8c57409f06052c4df253507c961770606a83a6c4c487ccded9234754c211511d340f2e0cf2456d56669d4f5cfa1371c21a60a23ff2bb74779b040fd3d2f43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b7bc22d9992ed7c6306d243b0f42f04

SHA1
1a04f1dbe1b5a0da20ab04c6d73225ec64d11cf9

SHA256
d5f1c789e136a7f63602c229aab1056894efc56a1377a468976f176b840afa33

SHA512
c63155ed4ea75f4fde68f4af6be6ab788411ae53ca2dc982801fcc84f403bf32094f0c673809350a542b24333099caec3a5ca243d9c85ec396f30330fccf5009

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
787f300f088ebbf78688bc3c8b979b61

SHA1
e0032ccbb64e5316327ba4ae32bbb7acba80f434

SHA256
f072023b8a43e45e97adb3d92ae4e5be2ec378e9a4c067f64a5a833470997020

SHA512
09a8b52f6035e9895fca83db5211612132f6dc04113bedc257bf0c052109e58e1a07b25f597ea0f95de1b3b2a1c391f7ea0f126e89d0f22f9ea876e4425f36ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fbc91c985488ce469d9cf9cdf799ea95

SHA1
333d26cdafa4dfdc50cfe0bf8a6e1b2732135d46

SHA256
1a0a03237b5d25e0fd395fb800782f9699f141530a9ff707fb66b0cde82a5edf

SHA512
0ec1633deebf5d9bb043d9c1609023db04e99178ecab64990472ef4484ddde1c1e74b10ba857caa30006bb501f6af07e0f0e068421d28a07c613795606016c55

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90bc14bf5eb37bc429b66f938b459be8

SHA1
024a3408fad42fd0128ea638b3812ddcc4dce479

SHA256
952e3250a121af96197ff1cb02aab9b81cdd40666be00751e41bb9b76cd4438c

SHA512
dc617d5c6ab0e3f0300cba0763a17db917ad3887cc3c1c4afe65bd7309180c40d75fb2e18d3f233902c9b9570cea56f3d204da1021f10e24aeedd050164760bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
baab997850cd85bbcdb39345e2f0f862

SHA1
d43f6e45b917523fbab1c662902c2871dd039cc1

SHA256
fe1b38c9c5151a10efeff4e6fd7847230ae77b7d6f36f4cf67fb630346d064c4

SHA512
eb134c2fd3bc13d3154a63e467741748b21a1f2a2616577c2034d6da049802214eb9d0f809483ccb6468eac6ce51f4f3fe49a8134ef817da2dfeba856bae78bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
81bfa2d0a62c147e1a2ddfc543537929

SHA1
64e49fe4549bfba10f2e942b54e563b82a6ab4a7

SHA256
cf44613ac53d52d117762cbcfadc886d027ab28f761b7371a34dd4923baf2c14

SHA512
18047a4e8a9d4ec61a3fe85bb47ed03a228022f6469178fa08e708b40257ffb805565ab3fc5e6121c93bb42781518377420b6a9d962fa584d92dfd43b40a6b32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d3ee997939205e10a6cfe4f8e98ecb2a

SHA1
c4f68fb6e025cdc47325528c8c2142bad674471b

SHA256
b9ca4e87a18fc308b4d1c03d43414cd1b7db52a8b92179f347265aaed645317c

SHA512
f2debc6adbbe33fde208bf5034ea98a21793fe8a1fe9ea6b0e7e564b51cf691c3ec0fa13940db875a5fe01bacd51dbd67311bff7d4c0304d436f461915f5b5bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6e190a19d2262e420003d79fae7ec20

SHA1
8d85c8a0cfd9d34ff455ee55fc1bec153310d569

SHA256
0ed1754817c55287be521c32453e36d96d5fa38ba78e021437a3ece9c08c6a67

SHA512
93a5b8d5ac8d438c62963f5abf520a0f70ce4a855a31fd3e113485329a83e98381276a2bdc468f32aa35fb2d7d62fc2ad92305770c2d52e3b36fd10b0b5e69ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
47ed80026c4ce57b651a8c344ea39057

SHA1
fade41b257a7e34f454dd3c01cf756b99b8b6a0c

SHA256
9fc497294d01dd59903b98066a9a305a09898c98d4fd12e4eac2f8aac0c22e7d

SHA512
5601812fa17b3656f7fc5714cbdfbb024bebbba50efc4ffa1e1da1e2445adb2a26d92c17ba95aadf6d3533713749718c83a008b7155065416633d6ad7cac3ece

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
27999d71d01254e2dc21184106071171

SHA1
827402b45e59d950500419992d9626054a134366

SHA256
f15136d06dd9c38226c4a5d1056da4a7c627d1144a1451e67d92d3afbbd389ad

SHA512
fee3b868c365634ee2eb7bfcba877100d48073a9d26503290e6fefc79cff223d7420277e9fd58d70f8cf2908cb943b9fc330837612b6d74bfafb2a415fba9995

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
78a4ed5e24aebb3f55400e4d65a847e6

SHA1
08e547a289fa0e8f4096c8b8ce296f1554a1fcd0

SHA256
9c43b5ab766d44a37c6dc33f7e4e9589b07635be89aa1ebb002d14d3b354394b

SHA512
3e90ad81651d486509fc661727dc2834ef9e68f2fa73886a931f734f18eebbf1ece156c61487172e679dc2bd1f513c0fe089e3e7dffcb83094149b88e84a6355

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
481a2dce95eb2f54fd1d2582afb737bb

SHA1
0a9790fea93e35f4289dd22a130f337f8ff19980

SHA256
ac10e4618ef924877d68cedaf9164af6367046061c05844af1563377967cf7cf

SHA512
ec7ee211c6c82cfd031816c27a0a3fdc756dcfc0251efa6ceea94237f8b037c4aee1e84ac3a47fb29b334adb47742a699f8c39b43644d8ad73092456ed4feef2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
12565651439a9bbd946ee4e0b87a77d0

SHA1
1fcd4afefcf3c4ee40acfd562299ede371a84277

SHA256
4e488dc50f3c365df5bb5e7e8cc21b516bb8ebf3519239cda621f75884dd5bbc

SHA512
80a05f4223610dc6725ccda546bab7e447682ea1fac77a19ce31d464d535ae89b34281c024271acc03002a8fab3abf00892f8115e513074726035c3eb7404018

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e8528bc6d8ac2fc6a115beb3a1add6cc

SHA1
e28734573e938a3a6315a444507c62ad0d0e12ce

SHA256
42829dd7df527bb58520662123789c013f17b9610a3284832c58d9dd323f63be

SHA512
4c5b7d95ae978acb434b8f2eca4c236bac103ddfdc1a5982ea3116e3eb52c4bd38ff7707a1f3bc595f4434188eed03e4b0683fc1375904ce02a4e929fdca34cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
133a2fd9094207015161b7a503725cf8

SHA1
01555baa5517e721269692779d40392a362b8de7

SHA256
eaccc0ca636292269ecc0ba2e0850222e2003abcdb02d1ba9e69e4158f61864e

SHA512
6835a42053ea08f06877342c7ba4fd15fb2e2955e6b1fc0ece58be18d5d8249af25cd89731b0626bebfbb0ade7d63e20e40646d57588ab04cdf11f7affbaaff7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
159558e8931c8ed965bf8ae37c60e89d

SHA1
ff552b8ef60474b38c7cc440bfbb0e7b4696b396

SHA256
8db1a0e47f4ff8e5b655c0ec21ebb8d78bb3ccdf326d50a0c451d4ea256db4cb

SHA512
366c77bd26519115c0d7faf77f574bc5c6e31c7e1fadda4fb6eaff76fea5470fb5b0b73f5a0b4d9d62f00052fe190a6e260ab7eb6abca8c552b71cdb23c7696b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aef500895ccd59899d18b0cd7cd7e447

SHA1
d2eb3f6f2b7f9795d73e135bd8be896d7b6e6000

SHA256
0bca08eabb3c2421af9282c14b7ac772a828d4e304cb973f8d42d2353a65b448

SHA512
df99d4fe112dda7af97f5caff368fc33c49a5989e0e5c2ad477f7a96e36337d77062a7ac7a667a39a75879d822b361881f5cdfff10394f843bdedb5b1a92e510

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0492b0c735840a263d356a20fd802ec4

SHA1
ba77ee92ea8dc2e81d671d99532eaf7ddb81c6b3

SHA256
00bd3a1a177f97a889e2f7b2edf11dfa6695a3bd4b040ee32d17ab9e7a492b0e

SHA512
c60553c29fe2c40806d33ca7309c982a32c986b1ffff553f988970c6dae41ebbbca26f5c7295f3e243477e0c865f7e34dea09813df9e267fec70e2b1f54390f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF8D3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF9E3.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Windows\SysWOW64\del32.bat

Filesize
174B

MD5
b69fe5fa220d7b3cc04a493615a4bdc3

SHA1
d0f3df7a4cbeba8ddbde30f55865d7eb9bc89be0

SHA256
3c2cfb4ee0e522c4983027fa7305fc0846c26bc988c678188fe360ee685897d3

SHA512
1cb8dac2a9a112c0d73044346818f9ec929966a615b031f4d31ccda98c3d15484388779b7be71fa379e2f01d637f54a461782afd166bc3cee48a9446e365f1d3

Download Submit
\Windows\SysWOW64\wsock32.sys

Filesize
159KB

MD5
e542cc1875d57544eb2382faf41573b1

SHA1
e23d5915349d5772f23180dfa2c2cac2c0b8d14e

SHA256
0a907a6bb00f24dffa890786c2b0ac06bfb09a9bd79294c1181957108ba828ac

SHA512
5c59a3532e6fe273e954a5161cc095be463377426cb4c6f948d566f833ba7558b437742fa5ee261f7dd31c611ce2bc8092df6ad04f1dc50ed4d0118c75f59468

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads