88482442aeddc715fc460c9bdd50bf58a7982f71edd8efe4b03868adef3c6449

Analysis

max time kernel
120s
max time network
131s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8adce606997105dbaa155511089e8295.exe
Size

107KB
MD5

8adce606997105dbaa155511089e8295
SHA1

6a47f018514769ad057b83375faa793977e80c05
SHA256

88482442aeddc715fc460c9bdd50bf58a7982f71edd8efe4b03868adef3c6449
SHA512

959733030594de8a7bd86dae3d196242e1455ffc457cb1ec279fa3540e25ec18b66738105c23693368096ff42f9afb9102867287d0d7e9181d8f4dfe7698a62f
SSDEEP

1536:7sOltfMABYPUoE9+7KMVIhwTmUmSAxP6H2l7Hbb45DnLZD4bJaVcdTX3kuJY:7oP/E6tVIKyU1M6e7Gv2Ei9X3kuJY

Score

10^/10

adware defense_evasion discovery stealer trojan

Malware Config

Signatures

Windows security bypass 2 TTPs 3 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JaffaCakes118_8adce606997105dbaa155511089e8295.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	JaffaCakes118_8adce606997105dbaa155511089e8295.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	JaffaCakes118_8adce606997105dbaa155511089e8295.exe

Deletes itself 1 IoCs

pid	Process
648	cmd.exe

Windows security modification 2 TTPs 3 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JaffaCakes118_8adce606997105dbaa155511089e8295.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	JaffaCakes118_8adce606997105dbaa155511089e8295.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	JaffaCakes118_8adce606997105dbaa155511089e8295.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{39fc2065-c9c7-49cd-8942-44cc2dedc844}	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\NoExplorer = "1"	regsvr32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ieocx.dll	JaffaCakes118_8adce606997105dbaa155511089e8295.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8adce606997105dbaa155511089e8295.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Control Panel 3 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\don't load	JaffaCakes118_8adce606997105dbaa155511089e8295.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\don't load\scui.cpl = "No"	JaffaCakes118_8adce606997105dbaa155511089e8295.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Control Panel\don't load\wscui.cpl = "No"	JaffaCakes118_8adce606997105dbaa155511089e8295.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449344161"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000596298383b88f045b768ac3737055a04000000000200000000001066000000010000200000007a21b9467b70f5e78b9d97d3b39cd818c9e9fa5bdde370ca09ba23d3351f0d0c000000000e800000000200002000000085d09137ad65ba7c8bf1b248b798565a4d7667709c500526adfecb7eb39538fc2000000024bdf34b69f439a14ef6757378c40d633427a1c5c1c4b68bb50218a0c0c3a1ad4000000075045201f0d34dab87b11dcbf0d821d5d2dedf37a016a01987acbb480f4c4d013112323c066324ad70fe10c663328cc8bfb4bf84623a7c2674d30206433824b6	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f04f487705a0db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A11F9D61-0BF8-11F0-9807-6E486C965423} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000596298383b88f045b768ac3737055a0400000000020000000000106600000001000020000000f7a9bc01f84f4378fd8ef08117296cc6c314c34c3a4d0d5037c5778a1152a2fc000000000e800000000200002000000010eb7529096002e7ae0c98375f8ae2ce5c0885a387a80cf0c4bb028472c17459900000003f8ecdb27c7b7cc44901f38f87c7c934392a4dd598c3888f37072e2a3c16f0dd4ab3ecec26d9749bcba96fd64449a1a0e1d86dedba6a1ca9da06a05828a246046a7ef9ef427827d9d99844edc4f1c5dc059b45fec99556364262acd204197d9d3259a70b1078369f272d0fbdacd53400b3521c37f2b613f1887538c6690096034e4eb8d21ef5708e081a4a35f2ac03ed40000000675ccf01e47d04bdc12f28162acae66f593e8c0e1c96dc7666a2e7f5e4a9dde267a2095eb8d0413eb4ad9b6a1d91bb3221f9c90a9bfb32dfb60e24f64811b4cc	iexplore.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet\CurVer\ = "WinInetApp.WinInet.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0\win32\ = "C:\\Windows\\ieocx.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\VersionIndependentProgID\ = "WinInetApp.WinInet"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet\CLSID\ = "{39fc2065-c9c7-49cd-8942-44cc2dedc844}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\InprocServer32\ = "C:\\Windows\\ieocx.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ = "_IBhoAppEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet\CurVer	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\ProgID\ = "WinInetApp.WinInet.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\HELPDIR\ = "C:\\Windows"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\ = "WinInet Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet\ = "WinInet Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\TypeLib\ = "{b360243e-09e8-402f-8721-00b6798089ad}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ = "IBhoApp"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\HELPDIR	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B360243E-09E8-402F-8721-00B6798089AD}\1.0\ = "WinInet 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet.1\ = "WinInet Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinInetApp.WinInet.1\CLSID\ = "{39fc2065-c9c7-49cd-8942-44cc2dedc844}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{39fc2065-c9c7-49cd-8942-44cc2dedc844}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\ = "{B360243E-09E8-402F-8721-00B6798089AD}"	regsvr32.exe

Runs net.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2492	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2492	iexplore.exe
2492	iexplore.exe
1240	IEXPLORE.EXE
1240	IEXPLORE.EXE
1240	IEXPLORE.EXE
1240	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 1744	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	30
PID 2344 wrote to memory of 1744	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	30
PID 2344 wrote to memory of 1744	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	30
PID 2344 wrote to memory of 1744	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	30
PID 2344 wrote to memory of 1744	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	30
PID 2344 wrote to memory of 1744	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	30
PID 2344 wrote to memory of 1744	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	30
PID 2344 wrote to memory of 2472	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	31
PID 2344 wrote to memory of 2472	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	31
PID 2344 wrote to memory of 2472	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	31
PID 2344 wrote to memory of 2472	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	31
PID 2472 wrote to memory of 2656	2472	net.exe	33
PID 2472 wrote to memory of 2656	2472	net.exe	33
PID 2472 wrote to memory of 2656	2472	net.exe	33
PID 2472 wrote to memory of 2656	2472	net.exe	33
PID 2344 wrote to memory of 2492	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	34
PID 2344 wrote to memory of 2492	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	34
PID 2344 wrote to memory of 2492	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	34
PID 2344 wrote to memory of 2492	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	34
PID 2492 wrote to memory of 1240	2492	iexplore.exe	35
PID 2492 wrote to memory of 1240	2492	iexplore.exe	35
PID 2492 wrote to memory of 1240	2492	iexplore.exe	35
PID 2492 wrote to memory of 1240	2492	iexplore.exe	35
PID 2344 wrote to memory of 648	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	37
PID 2344 wrote to memory of 648	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	37
PID 2344 wrote to memory of 648	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	37
PID 2344 wrote to memory of 648	2344	JaffaCakes118_8adce606997105dbaa155511089e8295.exe	37

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8adce606997105dbaa155511089e8295.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8adce606997105dbaa155511089e8295.exe"
1⤵
- Windows security bypass
- Windows security modification
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s C:\Windows\ieocx.dll
  2⤵
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:1744
- C:\Windows\SysWOW64\net.exe
  C:\Windows\system32\net.exe stop "Security Center"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Security Center"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2656
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://pornproductions09.com/videosz.php
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2492
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1240
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\bhs.bat" "
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf622187dd03827d96cb0802c8c317f1

SHA1
af5d8edc7109579454b16afec620708e07085ba1

SHA256
c82d8a4474f8ea2d2060366fa91d3e31c6f6cf4fbd268f4daa03c0266a78e44b

SHA512
971d920cc3b6dafe47537816b39fd255895bcfd8882ec0df9ed72a42dfb5219e96d7932919aa78699b9746d9bf548de824957f1bd7f4ced8cf21a70e7b9786c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e5273713183373aaec8998cd33afabbe

SHA1
efa79cc184685fe6111a09096bc1dd2d2464409e

SHA256
96376027e4514386380b0a73628dfd4f248fea0bef39619071eb97d7f05b1941

SHA512
68dfe43fb412911119bcca46123ddc6b4f0fce8e6cf76809972861aef8328ea9819da4627fb08061b28e43a43d3bbae5f592d93c65895aa09adb11c8ba6ec557

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c6c4627524b391857a96e4ef48117de5

SHA1
ed5957be4847d7e81912be7ab519f05f3f0aa725

SHA256
a55536b75fd215f0475004011ffadfbfaea80c9f85f6a2cd4bd97e681d54f38b

SHA512
f4e6a02e93f0a1d517794143c6524cc380fe3dc09dfaf24c6c20c951e703cf925e7671c0df842129ec429a030cb23d8a4a4c1bce2edc464011a18d77b28b8aa1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f1bcf4a11265da67fe235be0237b4ed8

SHA1
127c0056e86aa7d71e07dca82fcff263c734078d

SHA256
34e8304c129237530e1e25b6b10418e9ac3f5f10ec524598068f0eb843b81bad

SHA512
c87143f5f06ab395773d10a0bc3e4a27b750b321ed34d06abdbc5377bbb22f59fe08570c7c4ae13b2df704980a87e5513a6848cf1a627a8ebf0070b83ada3458

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0d6ec4b8127bcd256e938a28f88e894

SHA1
57d40b6d655a6f24f74c627bc73ab43ad59ab0fd

SHA256
e9ab5d2891b1c7b0e763457fe67ef0366cbe2bbfe7fe1c15c11d97d283b806b1

SHA512
35be7a149619b138236a1be4f34f4867c3dda5b7f8d848a5c82a3dec43b1dfaf1bab493a3a518095cb963edf640d951f866857724bef4e9e9ab4441e4f9a3f6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59acda6936d2275438c29e11658966e2

SHA1
1eb774ceb78e9e6002ac32e0754f29a96a7e00bd

SHA256
df41afb656677f48c6afae1892988bb5bfe61b7af9d1c3b8552b9c91759b82f1

SHA512
a3f74c6af7f2062cb29eea5b416a4c08c8ff505973098156c63d899f59a1af0e8ef36aec8527e02f2bbcc22da38a7f4669e3f67e5ebee2df945466c9f1fc41f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f43680253a91953342ba2d5778b4ce7e

SHA1
3870abc4a36cac65d7a8e94945c041b4cda3c3fe

SHA256
8e868e9b0ae19e20e4950bb6e4af338cf8fc7d689535e5bc7650fdefd8e78406

SHA512
5c967535c5c5da971a13b64800e3f41c1f5b709057a62e2fa1b28bd2d478c6f8266ae7a94c694e746d93692812b5484c9e37ef0e66625b0669d9bdcc375fb014

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cff59da6075e1629072af0d523e1b29d

SHA1
50834ee239aeaa07d2be12b51def1460988b4bdb

SHA256
04c54d2df90f1a24b7a2fbe24dbd7fdfd377c2d4f092a71d1a4f5adae4aac290

SHA512
cb4b5c35f7a6bba80965ab5c3672dc1386349be0e00aa5158038599d9867c9aa1fcd192ed56a19cb35d3dea2445c4b78989b6e465c44a3e1254646805d0341ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e01e32d1ac65fd63e70b55a900037a3e

SHA1
cbcb1572daa6f948c6f5aa36eccbbc97e4753911

SHA256
5875d92f0483d561002584fb52cc197670c8808ae0d9093b54f1c5c2f04b57d0

SHA512
7df8bd1606b9559f8618dc71e7dc7feb8d743c3239286b7e1f8e555a38dd684f47031551fb6b940a519ac78693cfc963b30a9e89b260e994a7f980a84eb7b8fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
662b8035b23b681719a04daf316b96a5

SHA1
be5c436e45b23b698cf0b1412c0dc59a05ad7423

SHA256
c4ed8b71f5d7874a1e89815502f8922160cc26e3c24b8bb45d0ee7e96dd8985f

SHA512
e73718e9aa355b56d26f5f279e5aaff288527a9921790b8004f6c808d43b0341e2fde44daac0d82bc2da203866e85b382934fb458e75ee8dd12b92b1ddcdd715

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f4aa7f284275e50bf792d8b7034aa98a

SHA1
57acfabfbe00131e1db123035e673fc78b565a65

SHA256
01041a5139762d8f3af22b1073c764d598dc741958bedf92a448c553fadc70ce

SHA512
048b76b783eb8507928943c362d306fa85eeccea4ac79bd98a1dacda53ed16f608cfc2b162324228a377f9bfa94d9bb06f2f401100a9b7bba03c3db8c439ad33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7826b2ec8c4825651d2106b737b6d7d7

SHA1
7e341b892e9235914aab01d30d44c47445e77d10

SHA256
89ee09c1f82aa7fd0b0e4d63ac017f934e9f2aecc52ebe4b44b1bb6086adf52a

SHA512
5e8cbe4fe7af7fa05db19ea0fdc052ce4f77f00e0a7f506d74557595f7a9e94c65b0b20c1bbd00bfd985a11c03f5328905ffd9c077f9ecdc7c52daece15b2fdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
25f0f79d5a26144d5f5b0203a54b8d75

SHA1
01606e77e3eba561c682aa1da0c14a73b5870d91

SHA256
5897ea784caa4ac141975c00eb1ebc380c555f0ec59666bdded9a09ad937c17a

SHA512
a7df59e675bde6a5ee401ef40da3bfcac55bd5883706e0672dd2088014b5a39d3555facb223b35e28785cf51895cf8d73ee2c20009a720b5843852fbd8afa673

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3dd60164a5b396245fa22b4b4e13cd11

SHA1
f2950d689d37b5f2ec2d62a25eaa2fad677fc3aa

SHA256
901e5ff8a5c1bd8b893352015db2d0f7179349c898eea24c89fe14ccd25a767c

SHA512
2d461d7169d1149e081b536ded9746ed2a524b97b92ec2eaae955f5eedff7103aa8d35fbd7fe6963bdcb7c41c4e15da4a864cbdfe2e3de6b164acd0f33151793

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
caac0ade46929908966d9559f77c1450

SHA1
3733b2ffb59afc1ad5bc729ab3963ffc2853413d

SHA256
c7575a6d21e57df1163e2803e65379a46b3c2b8ede8e424946e33577025791ba

SHA512
e75c4d280c73b243b641adafa4b7b60365e998fa4508931a187e06f8389ffd166c5977ee1458f7c31d17d783ff07874de8871001740cf9b7cdbcc988e81b0abd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9c859453a780a3100cdafe166dba25c5

SHA1
61749eb39a000043027db271ca82ca3bea6b0f30

SHA256
4380fa84ed6b25f3303996b61aeef37336a02620e741092748fb4d5f47b376ef

SHA512
7b40904c9ec4bf183698bba0349a258f6e2e25b3d86fe79160f93ad72798285da6f693c1260de93f4fde20f6e3cf5926067b8230f3682a875726b471753093c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC101.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC231.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Roaming\bhs.bat

Filesize
256B

MD5
ece606146a56d7e82350d18cfc1f0fc2

SHA1
8fc2eac9c5371bfcd741a64862cf25618605f17c

SHA256
b5e9be7a18cfb133821a059f13e7729efcfe8fa7099cf1f4974c127a6f09748c

SHA512
6c07869865782e58688973fc0dfcccb530b8142ca427a8f031f21726af509c76fb07c529c34ae3dea3c05b3db11c132fd3e1d63d3f5b7238228360ce2fae500b

Download Submit
C:\Windows\ieocx.dll

Filesize
28KB

MD5
a10e6205c62802ad7c472bd5d003cb4a

SHA1
2bc0806195ae258cdab3f8f753f624bd07d729fa

SHA256
1a04223a5dfc65a5ec55800e770dd0b3138eeace42120559385ae95535d9aa8c

SHA512
adc92257e0eee52b61560f6c8d7d6e57b48082cb1abb98ba1cef3846442937a843f0f45c536fa9c85fae40a46d07708a70fd44a47018c360af1fe83873f2e075

Download Submit
memory/1744-8-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1744-5-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/1744-6-0x0000000010000000-0x0000000010002000-memory.dmp

Filesize
8KB

Download
memory/1744-7-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/1744-4-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2344-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2344-37-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2344-15-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2344-13-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2344-1-0x0000000000401000-0x0000000000405000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads