50e1541ca866f8c1606afece714a16c6cdf9e3bee99a88a3631ef7da260722e7

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 09:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe
Size

262KB
MD5

1ac5c8463691505745720e6a74063eed
SHA1

e3edab2999515a8f3ca8927a9fcebacafee708a2
SHA256

50e1541ca866f8c1606afece714a16c6cdf9e3bee99a88a3631ef7da260722e7
SHA512

d974d8414b9c214080f638fad8699498e52a746f65ebfb3c33e16119c5b5347f3c77bc12fa716027c36cb53ae801fd10d078f264b97e900e0f8506cde0dcadf5
SSDEEP

6144:Ge346ip75+ZPPfnE2Qyn20UATyniR1E2OGPCXiu75+ZPPfnE2Qyn20U:3ipF+ZPPfnEUnPTKiUhGaiuF+ZPPfnEG

Score

7^/10

adware discovery persistence stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.

Processes:

resource yara_rule

\Users\Admin\AppData\Local\Temp\nsi142D.tmp\SelfDel.dll acprotect
behavioral1/memory/2148-44-0x00000000743A0000-0x00000000743A9000-memory.dmp acprotect
Deletes itself 1 IoCs

Processes:

explorer.exe

pid process

2424 explorer.exe
Executes dropped EXE 1 IoCs

Processes:

EasyOn.exe

pid process

848 EasyOn.exe

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsi142D.tmp\SelfDel.dll	acprotect
behavioral1/memory/2148-44-0x00000000743A0000-0x00000000743A9000-memory.dmp	acprotect

pid	process
2424	explorer.exe

pid	process
848	EasyOn.exe

Loads dropped DLL 9 IoCs

Processes:

1ac5c8463691505745720e6a74063eed_JaffaCakes118.exeregsvr32.exeregsvr32.exe

pid	process
2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe
2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe
2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe
2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe
2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe
2804	regsvr32.exe
2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe
2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe
2436	regsvr32.exe

UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
upx

Processes:

resource yara_rule

\Users\Admin\AppData\Local\Temp\nsi142D.tmp\SelfDel.dll upx
behavioral1/memory/2148-44-0x00000000743A0000-0x00000000743A9000-memory.dmp upx
Adds Run key to start application 2 TTPs 1 IoCs
persistence

Registry Run Keys / Startup Folder
T1547.001

Modify Registry
T1112

Processes:

EasyOn.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EasyOn = "C:\\Program Files (x86)\\EasyOn\\EasyOn.exe" EasyOn.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

resource	yara_rule
\Users\Admin\AppData\Local\Temp\nsi142D.tmp\SelfDel.dll	upx
behavioral1/memory/2148-44-0x00000000743A0000-0x00000000743A9000-memory.dmp	upx

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\EasyOn = "C:\\Program Files (x86)\\EasyOn\\EasyOn.exe"	EasyOn.exe

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{1CE681DC-1190-40EF-85A9-ADE47098CF51}	regsvr32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe

description pid process target process

PID 2148 set thread context of 2424 2148 1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe explorer.exe

description	pid	process	target process
PID 2148 set thread context of 2424	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	explorer.exe

Drops file in Program Files directory 4 IoCs

Processes:

1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\EasyOn\EasyOn.dll	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe
File created	C:\Program Files (x86)\EasyOn\EasyOn.exe	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe
File created	C:\Program Files (x86)\EasyOn\Uninstall.exe	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe
File created	C:\Program Files (x86)\EasyOn\1	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth = "0"	regsvr32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\TabProcGrowth = "0"	regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\TabProcGrowth = "0"	regsvr32.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeregsvr32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\0\win32\ = "C:\\Program Files (x86)\\EasyOn\\EasyOn.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32\ = "C:\\Program Files (x86)\\EasyOn\\EasyOn.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ProgID\ = "EasyOn.BandHelper.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\ = "BandHelper Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\EasyOn\\"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID\ = "EasyOn.BandHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ = "IBandHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper\CLSID\ = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CLSID\ = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ = "EasyOn"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CLSID\ = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\Implemented Categories\{00021493-0000-0000-C000-000000000046}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1\CLSID\ = "{1CE681DC-1190-40EF-85A9-ADE47098CF51}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32\ = "C:\\Program Files (x86)\\EasyOn\\EasyOn.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.BandHelper.1\ = "BandHelper Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1\CLSID\ = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\ = "EasyOnHelper"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\ProxyStubClsid32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib\ = "{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1\ = "SideBand Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand.1\CLSID\ = "{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\FLAGS\ = "0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\EasyOn.SideBand\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B32ACA33-EA72-4757-A8CF-EFAE06B218EB}\TypeLib\Version = "1.0"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{51A6FBA6-21E1-44B9-8998-5E886EB3E74F}\ProgID\ = "EasyOn.SideBand.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9EC01A8D-1377-4F63-89D8-AE6CD3E43C32}\1.0\ = "EasyOn 1.0 Type Library"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5740EFD7-04A6-4FEB-AA0F-E5F2BA962DB0}\ = "ISideBand"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1CE681DC-1190-40EF-85A9-ADE47098CF51}\TypeLib	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe

pid process

2148 1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe
2148 1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

EasyOn.exe

pid process

848 EasyOn.exe
848 EasyOn.exe

pid	process
848	EasyOn.exe
848	EasyOn.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

1ac5c8463691505745720e6a74063eed_JaffaCakes118.exeEasyOn.exe

description	pid	process	target process
PID 2148 wrote to memory of 2804	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	regsvr32.exe
PID 2148 wrote to memory of 2804	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	regsvr32.exe
PID 2148 wrote to memory of 2804	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	regsvr32.exe
PID 2148 wrote to memory of 2804	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	regsvr32.exe
PID 2148 wrote to memory of 2804	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	regsvr32.exe
PID 2148 wrote to memory of 2804	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	regsvr32.exe
PID 2148 wrote to memory of 2804	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	regsvr32.exe
PID 2148 wrote to memory of 848	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	EasyOn.exe
PID 2148 wrote to memory of 848	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	EasyOn.exe
PID 2148 wrote to memory of 848	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	EasyOn.exe
PID 2148 wrote to memory of 848	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	EasyOn.exe
PID 2148 wrote to memory of 2424	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	explorer.exe
PID 2148 wrote to memory of 2424	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	explorer.exe
PID 2148 wrote to memory of 2424	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	explorer.exe
PID 2148 wrote to memory of 2424	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	explorer.exe
PID 2148 wrote to memory of 2424	2148	1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe	explorer.exe
PID 848 wrote to memory of 2436	848	EasyOn.exe	regsvr32.exe
PID 848 wrote to memory of 2436	848	EasyOn.exe	regsvr32.exe
PID 848 wrote to memory of 2436	848	EasyOn.exe	regsvr32.exe
PID 848 wrote to memory of 2436	848	EasyOn.exe	regsvr32.exe
PID 848 wrote to memory of 2436	848	EasyOn.exe	regsvr32.exe
PID 848 wrote to memory of 2436	848	EasyOn.exe	regsvr32.exe
PID 848 wrote to memory of 2436	848	EasyOn.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ac5c8463691505745720e6a74063eed_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2148

C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\EasyOn\EasyOn.dll"
2⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:2804

C:\Program Files (x86)\EasyOn\EasyOn.exe
"C:\Program Files (x86)\EasyOn\EasyOn.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\EasyOn\EasyOn.dll"
3⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Modifies Internet Explorer settings
- Modifies registry class
PID:2436

C:\Windows\SysWOW64\explorer.exe
C:\Windows\system32\explorer.exe
2⤵
- Deletes itself
PID:2424

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\EasyOn\EasyOn.dll
Filesize
126KB

MD5
b8d58e3a0587f0015e5ef6e611444f30

SHA1
181d12bc03b329f4ddd4f85f792b2f0a7b9d147a

SHA256
41321b02a4922ab9911e340c190eead9e17d5f56590921953b0658958e1bfba8

SHA512
b2e1c3f4ec7e1f468fd8e4d190a17268f2008dfc8e8a68e45b6a109cb98322c5363d49d5aaf8e76cf38c7fc1e813179f776dd90ad6ae55b6b46ddbafe1b56434

Download Submit
\Program Files (x86)\EasyOn\EasyOn.exe
Filesize
38KB

MD5
e95bc409a64ea9a611bf6df227eb7e3c

SHA1
9388530cf6d248c1c73cee05a2d66c77a1cbcac4

SHA256
9bf1cea5efcecb3dd7f28c3d6359037807b3379aeb82f154c27e1f84c3286f3a

SHA512
a5220d93b3c94d158e33b8d01fa2dc18dbf029ebd70871351b3b1c0fa6225d42e419122ecc0d0a12abecd3d42a90ab87793f239c21c63afcf05d6b2e10bc550e

Download Submit
\Users\Admin\AppData\Local\Temp\nsi142D.tmp\IpConfig.dll
Filesize
114KB

MD5
a3ed6f7ea493b9644125d494fbf9a1e6

SHA1
ebeee67fb0b5b3302c69f47c5e7fca62e1a809d8

SHA256
ec0f85f8a9d6b77081ba0103f967ef6705b547bf27bcd866d77ac909d21a1e08

SHA512
7099e1bc78ba5727661aa49f75523126563a5ebccdff10cabf868ce5335821118384825f037fbf1408c416c0212aa702a5974bc54d1b63c9d0bcade140f9aae1

Download Submit
\Users\Admin\AppData\Local\Temp\nsi142D.tmp\NSISdl.dll
Filesize
14KB

MD5
a5f8399a743ab7f9c88c645c35b1ebb5

SHA1
168f3c158913b0367bf79fa413357fbe97018191

SHA256
dacc88a12d3ba438fdae3535dc7a5a1d389bce13adc993706424874a782e51c9

SHA512
824e567f5211bf09c7912537c7836d761b0934207612808e9a191f980375c6a97383dbc6b4a7121c6b5f508cbfd7542a781d6b6b196ca24841f73892eec5e977

Download Submit
\Users\Admin\AppData\Local\Temp\nsi142D.tmp\SelfDel.dll
Filesize
4KB

MD5
7cff7fe2caea5184d98c147e7e263132

SHA1
21f39d3d0dd5f7198d67ef30e95d10ae3460093e

SHA256
281c39b733579e031c62bdd247b41543ece1fe3bd6eda26fc8ad474b10f33101

SHA512
fb1161b8571d1d0c67e2df0d571b08f5e7a73f81409aed847344154d02406910629181bcce4e18e998ec472f51a6a1b40d956a010abdd10e850413aafa87808a

Download Submit
\Users\Admin\AppData\Local\Temp\nsi142D.tmp\UAC.dll
Filesize
13KB

MD5
29858669d7da388d1e62b4fd5337af12

SHA1
756b94898429a9025a04ae227f060952f1149a5f

SHA256
c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62

SHA512
6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

Download Submit
\Users\Admin\AppData\Local\Temp\nsi142D.tmp\nsProcess.dll
Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
memory/2148-25-0x0000000002A60000-0x0000000002A86000-memory.dmp

Filesize
152KB

Download
memory/2148-44-0x00000000743A0000-0x00000000743A9000-memory.dmp

Filesize
36KB

Download