6bb8b4822a1a9c974b8e0a93018e1b5f4e8bde03494d4846208e94c752e52fdf

Analysis

max time kernel
124s
max time network
129s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
09/04/2024, 00:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
Size

1.4MB
MD5

e8cc26b884360bb72b071bf773955bb0
SHA1

3d73a968ff49a0b12dd16a04f00246dfe07a34d7
SHA256

6bb8b4822a1a9c974b8e0a93018e1b5f4e8bde03494d4846208e94c752e52fdf
SHA512

5e1b0423c76bf19da10b1ee1bdf7dcd7dcb8b6ca2830ad487889c86e9fe150ccced4a2958e025801fea0f75a28f35eaeccd9b7aecbd6c7ec87b4c9af9b55425d
SSDEEP

24576:Pphr/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVNlT:xR/4Qf4pxPctqG8IllnxvdsxZ4UjT

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\jishu_172212\sc\126ÍøÖ·´óÈ«ÉÏÍø×î·½±ã.url	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_172212\sc\2144Ð¡ÓÎÏ·--³¬¼¶ºÃÍæ£¬ÀÖºÇºÇ.url	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_172212\sc\Ã¿ÌìÍÅ¹ºÒ»ÏÂ-¾Û±ãÒË.url	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_172212\sc\ÍøÉÏ¹ºÎïÍøÖ·´óÈ«-Íø¹ºµÚÒ»Õ¾.url	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft172212\d_1712.exe	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_172212\dailytips.ini	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_172212\ImgCache\www.2144.net_favicon.ico	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft172212\a	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft172212\wl06079.exe	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_172212\newnew.ini	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_172212\sc\²ÊÆ±¿ª½±²éÑ¯-ÔÚÏßÂò²ÊÆ±.url	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_172212\sc\»Æ¹ÏµçÓ°Íø-ÔÚÏßµçÓ°.url	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\jishu_172212\jishu_172212.ini	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft172212\B_1220111205121213221217121212.txt	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft172212\1220111205121213221217121212.txt	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft172212\pipi_dae_381.exe	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_172212\FlashIcon.ico	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_172212\newnew.exe	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_172212\sc\GoogleËÑË÷.url	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft172212\MiniJJ_12318.exe	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e00000000020000000000106600000001000020000000f1987839fd0995b18c47f6abef470882d304a331e43504038367b15c1670a6ff000000000e80000000020000200000004dc07b3e7e324feb5f1a3d17c694c43d8921b28b8d5fe4541cccb3ab4ccea00590000000fa2327b1adf3f7272543b8f461af68a091d7c4d06b48573770ce073655e8b88094701116f8cb2703709d95d5972a10b4093994710ad7fb87222b2594db3bc525cb479e617a30bc3a2ecb0344fb4f059a3e235cb1a72c127137c71db3f5ae06cb6c70d00a8cb8570b6d82516c24446146055e6178c89ba641fda02f3edd2eb3ef1ae8d9bea604286f78e43998cc5f36bf400000000667148d6a91418aed8f700f990420326bfdec8d517969911a5dc9a2c7176b496292b8676d44719d8ad18e87f37897a820168176a6138e1352b5ebcaf6c7f651	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002dcc56832ee45b40af0f973e997a3e3e00000000020000000000106600000001000020000000513133b9ec547763f8a1220512ca228e3302d39c08b3f2dbd2589170e775846f000000000e80000000020000200000006454e6c2a5897940c8fabcc3963630c863af43165f4ec7aada80c69c6ecda7c020000000a450a36a7eedd9fcc3ac43567c944b0a2e30e242645d572d6ad9115258967be2400000000ce0412e3ae2c90e0c1f2955726af7ed7349021946ca6af173e4eb1b680f3ee86d129e6f9d5b8ab0a0b607343179ce415386f9cb748a3ac85f160821b127f47d	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CAB13B41-F608-11EE-8414-4A4F109F65B0} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90cb88b8158ada01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CAA2F301-F608-11EE-8414-4A4F109F65B0} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418784679"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2608	IEXPLORE.EXE
2312	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
2732	IEXPLORE.EXE
2732	IEXPLORE.EXE
2312	IEXPLORE.EXE
2312	IEXPLORE.EXE
1504	IEXPLORE.EXE
1504	IEXPLORE.EXE
1504	IEXPLORE.EXE
1504	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2828	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2828	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2828	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2828	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2828	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2828	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	28
PID 3000 wrote to memory of 2828	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	28
PID 2828 wrote to memory of 2608	2828	IEXPLORE.EXE	29
PID 2828 wrote to memory of 2608	2828	IEXPLORE.EXE	29
PID 2828 wrote to memory of 2608	2828	IEXPLORE.EXE	29
PID 2828 wrote to memory of 2608	2828	IEXPLORE.EXE	29
PID 2608 wrote to memory of 2732	2608	IEXPLORE.EXE	30
PID 2608 wrote to memory of 2732	2608	IEXPLORE.EXE	30
PID 2608 wrote to memory of 2732	2608	IEXPLORE.EXE	30
PID 2608 wrote to memory of 2732	2608	IEXPLORE.EXE	30
PID 2608 wrote to memory of 2732	2608	IEXPLORE.EXE	30
PID 2608 wrote to memory of 2732	2608	IEXPLORE.EXE	30
PID 2608 wrote to memory of 2732	2608	IEXPLORE.EXE	30
PID 3000 wrote to memory of 2704	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2704	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2704	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2704	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2704	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2704	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	31
PID 3000 wrote to memory of 2704	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	31
PID 3000 wrote to memory of 3020	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	32
PID 3000 wrote to memory of 3020	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	32
PID 3000 wrote to memory of 3020	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	32
PID 3000 wrote to memory of 3020	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	32
PID 3000 wrote to memory of 3020	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	32
PID 3000 wrote to memory of 3020	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	32
PID 3000 wrote to memory of 3020	3000	e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe	32
PID 2704 wrote to memory of 2312	2704	IEXPLORE.EXE	33
PID 2704 wrote to memory of 2312	2704	IEXPLORE.EXE	33
PID 2704 wrote to memory of 2312	2704	IEXPLORE.EXE	33
PID 2704 wrote to memory of 2312	2704	IEXPLORE.EXE	33
PID 3020 wrote to memory of 1152	3020	Wscript.exe	34
PID 3020 wrote to memory of 1152	3020	Wscript.exe	34
PID 3020 wrote to memory of 1152	3020	Wscript.exe	34
PID 3020 wrote to memory of 1152	3020	Wscript.exe	34
PID 3020 wrote to memory of 1152	3020	Wscript.exe	34
PID 3020 wrote to memory of 1152	3020	Wscript.exe	34
PID 3020 wrote to memory of 1152	3020	Wscript.exe	34
PID 2312 wrote to memory of 1504	2312	IEXPLORE.EXE	36
PID 2312 wrote to memory of 1504	2312	IEXPLORE.EXE	36
PID 2312 wrote to memory of 1504	2312	IEXPLORE.EXE	36
PID 2312 wrote to memory of 1504	2312	IEXPLORE.EXE	36
PID 2312 wrote to memory of 1504	2312	IEXPLORE.EXE	36
PID 2312 wrote to memory of 1504	2312	IEXPLORE.EXE	36
PID 2312 wrote to memory of 1504	2312	IEXPLORE.EXE	36

C:\Users\Admin\AppData\Local\Temp\e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e8cc26b884360bb72b071bf773955bb0_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2608 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2732
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2312 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1504
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft172212\b_1712.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\soft172212\300.bat" "
    3⤵
    PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft172212\300.bat

Filesize
3KB

MD5
28c48bae5030457ddbcae5e7f0cae296

SHA1
89f41ce2d16c2470a934f44c743efe702e52a38f

SHA256
4c8895f986011464c89a36013f64b534ed2373337ef8f47319543fff7946b2fb

SHA512
e154f41fdd95a01e8c5e61db818c1979b98b9c1140b17221aa964add1030343bff92f29db91cc45ad8909240549ac182dc1be2711f6f01e72f5fbd7924dfef4b

Download Submit
C:\Program Files (x86)\soft172212\b_1712.vbs

Filesize
247B

MD5
d3b3e4b1cb77aaf9068329ace14cd807

SHA1
7c9afc7612d4cba23e8d6a48632a6d6bbad97a56

SHA256
1af31c5518334bbc5ef20868f7da8158e93c3a2ef7c5ba3773e9683a6df8ecb2

SHA512
2888d50dae196165d1e6a2bfd387e43958db3ee2d3fb5ca49b93d9fade32117092e45143cbe32289e22ac2e5a38ce0d104dceb3612da35a2fade0c5b1ac198c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2e0c1aaf25d7834ca9afe8806e325005

SHA1
fc2b7cbc70ebcfc81b0b754e7da06d601742aedc

SHA256
48438b77f684de855edeba1a3b43d0add8d167b3e6dfc134d45ba575e36c39cc

SHA512
d93c583f807568403b49513d4c678ff749177037af2cbf64991ded5108747c7b9a3a8e92ee4ef805cd83c2d358616191aafd7dbcff903d80058d4dd90194a4d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
68166b7bf7a0e5a287bf3ca8f6e6a077

SHA1
2b6958b22fff7f5977a01782aabccda13d22a6ed

SHA256
26c2207873c8b6e7bbacd3e4352d2090f9447a2aef85a429af05e9a6beae0ad1

SHA512
ce8515d4051f7bf30561840b31e769cb92a48dbab0243efc00fbe5d77a7535f0ba8bff3077686ff2af2eb406f07cb163bfb06d615004c02cc123785dcba74704

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd8790ffce0499021b4d701e992dad5b

SHA1
11fcb35d2b7a7ceffb3310f2c69d8b429ee05c3b

SHA256
7dd3e0433418c80c75f8023974a4b8000d3fdd8af97c9f8b5c5a29f196367f6e

SHA512
df8553ac678987a9e25e5a90752088bb2973050d0481220381f82680ea3fc2c3fdc921f83a4ea6cfcf0c82c3d01cda3fba03b201361ca4a4fff6749bf57ce01e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6de681058dc7a0022d5bcb67d01e272

SHA1
64d3d49e67ad68aca2a7d354e33f8e7bbe6dfc69

SHA256
4f457e3348a5a9c85a07428d9dadaf2e0293195384edbb6c8e598560e9cc364c

SHA512
7166995864e8545031b392eaa7ef03b20973e5037908e655b39a41a6f371047e775fda6ff8a57cec2024af3921e865b0a1ee2c51223b75bfe6442fb89908a36a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
87f323c52456cda3436ebe6a54e59458

SHA1
7a372d7baaa88c91dd40f7a90869b7a3fb302988

SHA256
ba72d885fd2cc41784ac662fc95460e21995f712983dd97452b7e6ae10512875

SHA512
f50c79916239705b519ce38ef15108aa30301a4c7ba062d3d7d90e7ff18b85fa67f69fa594bc2442808477ee2f0399e5e1a5919b77c77d02161c552cfc4ba611

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1dcece6ba5de099e274277dbd81097de

SHA1
d90e170833a1bd42cfa4fa3b69a3ce10bf7f7f59

SHA256
8a1ff8d474ef7a46d76a1b32d7c3edc5a93ecde59ac2d11803719fb16e0d26eb

SHA512
17eb3bd9a79c400af28fdc1361de89f10b1c3b0f4da1c53ddd9630b81828aace2ba90fc198a8633244f936d55c556b6c74d3a291889f7d60524bb749a934ffcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
67e698de8b1e5061dcbcd3f8dff5ee8d

SHA1
700123e7e575269dc7bce3964c8bba374a3e7d45

SHA256
4ad9157f6d446e20c692393f2d31bc82df80b3ea01bdd033d12617a8453e8c4c

SHA512
9b0987e010f300684e7b2aa36d02602f610fb40c71c1c1f1af06ed23074f3f1ae0c01d563704621196de87b4635d6a2c6d9190b329135acb6f145bed29007196

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6f4bbe795e71bb66d97872376756a62b

SHA1
f59690d318f125d14a5c80dd91914eb9e4451e04

SHA256
bb1639d3e50830daa9ab97a3eb732c5b7d7a4ede3532f977a938e96a88afc6d4

SHA512
6d9d3769c2c16238a9ddf5e770f03b82c0e83f2b468e7b2951f70439a597fe59a1ddf211b502673e1956bab5b116dd6c79291591c45228648e52d5b73635580c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
947e9336e9c6dee4577b5af21821212c

SHA1
62e7c623af0fe1a7299631da2b8b110f197bfbdb

SHA256
7ae174dbf8aac8ee0cc094f2cbb029b5398700ad1cb387788e0204c657823ba2

SHA512
b69b1265af6bc734b6f3b6c44ca9378a9287271fdcf01f51cddd6267d1ec43a0fe2a6e8c7e8005378b5b958c465abe943941d21277a5e84836e9bc72b82424d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9c2b6a903a07cb5985e11b12cbdcd92

SHA1
c94373fb195b3740840895e5c0e866dd7fe76422

SHA256
056a08e5d61277c735b69d130ac06b7b79ba99477375ca4f939ce1cb6a93195e

SHA512
778d848b898db29732dbc33497e2eca67c6a785ac691bc2e293bc2bd8d58e7b20924d1920de41d27a4577dadb8aeb6ac1dfa8f6cf875f4fddbf853469d2fa1d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
559ec45f449be3ce695f9c563c069bad

SHA1
3dce0d3cd33ebe5e6e4f480d4a3d9d098c705b03

SHA256
6208a651a46c87f8149bdf6a929249722c32cb33911b702c450e130b307b4f06

SHA512
6adb4830da13d3eed83c12849cc2b6a9a186761e40d320fb40667b28a459aeb8bb576bb2a92e4c5faf22c4dc38217533311d86a3a3f5c7c0343cb64259231d11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a10a0e56556f8791f4655727b9a9d054

SHA1
99a96a0cf36d7bac5ed109a49924e14e87133d5c

SHA256
7fc8886ce590e3e98e76a7812b52973e3e57bd3824de16f883f324aee86622b5

SHA512
f5215eb174ba29096211a35554f042e53076ab3dac3aca76c210ef3fc366887fe65668f3e4e12ddb4c65e4cb0057f95948d1815c98e9b4f98c3c73277a8565e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7ebf0b06ef9272d8860ad7b2c76c70e0

SHA1
c364980f11d226553e877d90ab83aa0b2e67eed1

SHA256
9eabe9935a8485f05f00fa22ecb2fa06bf12ae69d1eb4692f6e177888fa67e86

SHA512
90892f14ca705192f21a9c04f82924c2690535f29149b267ff844edd144dcdcad668bb48c77ff92e8c18f8d0193dc14d80c09f00ce01c2a24a9ac7aeb31b5b3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
83a940f519b7d3c70f6d9eab29cd3a18

SHA1
4e904214dcf8dfe7c8a67e1c6ef01304e7c06574

SHA256
acb928a931b6c38e7a550e1b85da3487d2241b9f55243c070f7a222d122fe33f

SHA512
12cb6cc64a55ec7a466833f6fee245a0e44585c20bab61919941388a6648cafdca93caa07da9d4f2eb4fa4f14b56de9f9acae3d37f82b7b0e5ce10c6f78de0a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8b77c8497a0ae66cab5382cc404e6fe

SHA1
25380cf14013ed5babd736ed5fb1f0f26d1af5d1

SHA256
3d08bd59b672624092bd2899fb0b84256e51f0c83d74ec7d902d36ecb0ef6a54

SHA512
71c3be327dd8deaf90adbf04a5ff3d745e6fd256bd06607a4d986bbe0f9c805d0215c6a1b68f1af647399ceaa4013b5df05bc435d6ac1a0e44c73ebedae3f316

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f841f903aecc6ce1f06d16505f82da81

SHA1
70e116fa6e9232996f3e20577cdb3c065ee3d965

SHA256
bf5bb5c0a39eba64a2bee74aae99f17ec2a114a100c7d461a44a955142046349

SHA512
cdc3c8a2659268edaf8536b5b1eea0ee7efe7f27c34950bc244d5cbc37fd1781ca49300655b04c95608ad7ff8aa09dfe8d91faf9c570b3bc2e87e6fc60fb16df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c0eb5a82b9b873da26583a4ba6efc32e

SHA1
aaaa3e38157eede34fbd16fc1eb3036d29636a40

SHA256
7bfefc3d3a96a1797fa10ebb0199503a0e98f3d9d24a6b6ca911254a3f29127b

SHA512
3d99511ae8f27fc38864e35f001f355a9ddf9e117bce67762fcf2908924652aee4882dfb5ae1b546d382429279cb609717d514c31a11c739c5cb5b54e6871421

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
317633f58fbb4c41d64c09a89eb65df0

SHA1
5bf315b9a68ea972782ae2d2b316a8f7cfdb4e65

SHA256
be23889ceb79fd2383aae88e3beaf7f6a1fb629acb62325da847a60d80832175

SHA512
8ca6735c790cd5ffbf0faf8b2354996dde7fbd4dac554f1ba4471fb15acda8c4577bc471da229677f5e488c55e165418d6822fbb4a81f140681622624b36d52b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CAA2F301-F608-11EE-8414-4A4F109F65B0}.dat

Filesize
5KB

MD5
746e260fcc19d7264f00c38c2291ef9d

SHA1
45d29d810b1a9146ae2a6fb8eaa6862606253769

SHA256
8ad588c27b94f74195c187debb150995108979800c52c665e83f03effa43ff5c

SHA512
8eb4220805392a9c3a8d3112a91b7ce9667294baeca9eb3a549c714feaeb532580a091d6d484c4839a0e86b61343020cae8064088b50ea782bbe8c3d577c53fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDF39.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE02C.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\ Intornot Exploror .lnk

Filesize
1KB

MD5
e3a2b83dfe7afc6f5264a4f4ece0f7e8

SHA1
3e60f24c63946d08dc82809cab1513b29ba82f69

SHA256
71ec2280036e2427fa76d7bc77ebef5a53c73c177aa05d78061888440310d89a

SHA512
0e429fe636077429576ff70aa94a4af5c12700d81e4891a013c65d76ef2af0dd5656f18d17f8bc5509a6c5813fd301660711d6ca1816c6990b1aef50727052db

Download Submit
\Program Files (x86)\jishu_172212\jishu_172212.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
\Users\Admin\AppData\Local\Temp\nst2222.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nst2222.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit