f74513ac94b2c4fa1ca18bcc98fc42a4c17f780ec621cf0a0275334d986421c1

Analysis

max time kernel
121s
max time network
150s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
11/04/2024, 10:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Size

77KB
MD5

ed35119f8a8074063d261efb9252e6ba
SHA1

f8def0e51be94670974d35365d851fd4648ca038
SHA256

f74513ac94b2c4fa1ca18bcc98fc42a4c17f780ec621cf0a0275334d986421c1
SHA512

45a71ab542379d95dc7bedae0b5ef94303fe07fb1aa9d88060b3e397050d2e2436c27c237a6db9e16421a3207c6b758ea9e898f5ff715572c91928174d55b26b
SSDEEP

768:HJB9Ib/zA3DSCTe8wsdBJiJ8ZLb+uZnHTs53nYroiwG:vEoD7AupbFt45CbwG

Score

7^/10

upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2816	wscript.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/620-0-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/620-9-0x0000000000400000-0x0000000000415000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{59148C21-F7EE-11EE-8440-5A791E92BC44} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffebb09deeb747419e902f1accea58f7000000000200000000001066000000010000200000004b492b0d3bf9846f0f380325a7c8c3e68ea0363dc5664d106e1b8bf085e62804000000000e800000000200002000000058ff21af71f227ab1694abd1704e2f05795d0f9aba69dc52e2643f25c119095d2000000014bd594ea9eb58ef744e240cc3b12777de22e462c46b42b10a427c43375d6e69400000007abc0a94d10bdaba0febcc2ce568cd6834341e8272e20c1e4ba4508fb7c015b78640024f32e89e26e8fa088c250195a8877a422115167839ccd598477aea0eae	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffebb09deeb747419e902f1accea58f700000000020000000000106600000001000020000000a99f89ec648e016995c17c2906687c0d9a26557824676bb853592977dfa558aa000000000e80000000020000200000008cad22409f59c8214e1579497c22fc40a39daa583b4a7279757d4d7dd593a045900000006ea0d090fe96b9e5764df45c371ec7b99e0f00667255249383fce2316e5d589dd4bc8eaba502fd37d2c28a08e849faad1a5cc67a1007834184a30db8fd9b9197272dbaf2e78b9b91f6eb631d9c2fe96c00938f9e88a944da3ab1478c0e6ea38a85eac17099fc459a38d374a3d61285bd39dcc9c1b38850e1b4558507a0c13171bb9583a211d3853705f32a3e225f4a3f4000000084f763974c40350647dbdec0e7ae975ae081c69cf9662f5fcd25da1110825d193995eccf80b6f5f4a88fe05f1d39c86c450d3164182a5fdc05ddf6288552bf9b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 700c4f30fb8bda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "418993225"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Wow6432Node\CLSID	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iexploreFile\shell\ = "open"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://www.54600.com/1"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\ = "????(&O)"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://www.54600.com/1"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iexploreFile	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iexploreFile\ScriptEngine	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\ = "????(&O)"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iexploreFile\shell	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Explorer"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "1"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Wow6432Node	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\ = "????(&O)"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.iexplore\ = "iexploreFile"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iexploreFile\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iexploreFile\shell\open	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.iexplore	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iexploreFile\ScriptEngine\ = "JScript.Encode"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iexploreFile\CLSID	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iexploreFile\shell\open\command\ = "%SystemRoot%\\SysWow64\\WScript.exe \"%1\" %*"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iexploreFile\NeverShowExt	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iexploreFile\DefaultIcon	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iexploreFile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\iexploreFile\shell\open\command	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\ = "????(&O)"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "1"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\IntroText = "Internet Explorer"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iexploreFile\ = "????"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\iexploreFile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe

Runs .reg file with regedit 2 IoCs

pid	Process
2556	regedit.exe
2524	regedit.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2496	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
2496	iexplore.exe
2496	iexplore.exe
2980	IEXPLORE.EXE
2980	IEXPLORE.EXE
2980	IEXPLORE.EXE
2980	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1132	620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe	28
PID 620 wrote to memory of 1132	620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe	28
PID 620 wrote to memory of 1132	620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe	28
PID 620 wrote to memory of 1132	620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe	28
PID 1132 wrote to memory of 2556	1132	cmd.exe	31
PID 1132 wrote to memory of 2556	1132	cmd.exe	31
PID 1132 wrote to memory of 2556	1132	cmd.exe	31
PID 1132 wrote to memory of 2556	1132	cmd.exe	31
PID 620 wrote to memory of 2496	620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe	33
PID 620 wrote to memory of 2496	620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe	33
PID 620 wrote to memory of 2496	620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe	33
PID 620 wrote to memory of 2496	620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe	33
PID 620 wrote to memory of 1720	620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe	34
PID 620 wrote to memory of 1720	620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe	34
PID 620 wrote to memory of 1720	620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe	34
PID 620 wrote to memory of 1720	620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe	34
PID 1720 wrote to memory of 2524	1720	cmd.exe	36
PID 1720 wrote to memory of 2524	1720	cmd.exe	36
PID 1720 wrote to memory of 2524	1720	cmd.exe	36
PID 1720 wrote to memory of 2524	1720	cmd.exe	36
PID 2496 wrote to memory of 2980	2496	iexplore.exe	37
PID 2496 wrote to memory of 2980	2496	iexplore.exe	37
PID 2496 wrote to memory of 2980	2496	iexplore.exe	37
PID 2496 wrote to memory of 2980	2496	iexplore.exe	37
PID 620 wrote to memory of 2816	620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe	38
PID 620 wrote to memory of 2816	620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe	38
PID 620 wrote to memory of 2816	620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe	38
PID 620 wrote to memory of 2816	620	ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe	38

C:\Users\Admin\AppData\Local\Temp\ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ed35119f8a8074063d261efb9252e6ba_JaffaCakes118.exe"
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s c:\reg.reg
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s c:\reg.reg
    3⤵
    - Runs .reg file with regedit
    PID:2556
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.54600.com/1
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2980
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s c:\reg2.reg
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s c:\reg2.reg
    3⤵
    - Runs .reg file with regedit
    PID:2524
- \??\c:\windows\SysWOW64\wscript.exe
  c:\windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\Killme.vbs
  2⤵
  - Deletes itself
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e6bd697ec82c23a9afa1930e16bde1f6

SHA1
e0cb7f40242014ea58d95b5c0b63ece6a91d8092

SHA256
27a4e3dc1c6dece2645d1bb1d991d001f8f57d38de78b07571c056a371f51ad3

SHA512
f8e572a15ccd9b1444bdb205bf0abcfa94a323ed64612130907fc56857d8576a59b998ddf25c3499f5f56173779510812a71e1ae6cc1c5a4ded2500b74fa34aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afdba033d6ed3de79a2c55e59f5d0644

SHA1
08f7fcfcd89d1be95581556392aa6968fe7e0b82

SHA256
db18a267c0d9dda06b88f6be8a3cd89c336a495ee687f09eb8e4c73883c8c05b

SHA512
1031d0252bf8eb21b7e725d2a207d12b894d98fd80a352bbae94f6e3b030a8860c4db267b172be7c8e12b621070fb41badb6b608d53432d729937765f857efe4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3ee78a5f4f41c213e6a13fbe5b718d86

SHA1
b8f8f5be43ee9cce45b13166dc9db7d053d72953

SHA256
aff61f41a0628d5fd4742b09a0ab51a1994d9b6affd8e2b1dd61e679894ba1b5

SHA512
a54f7eb63f8f4f777e0b61073da9467ff20eb3f6310424cdc23b37ef86276bc0cfd8d6b9bae9a7423ab7c38d47c8377a8873213ef4b8ccba1a77af4879979451

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d12d66c3beff92542906803d7e849e75

SHA1
10e52d80a62c8cb28989c3bd215dd9a05e1bab49

SHA256
eac215a73937d84968156f2f7eaacd29ba6a811e1ce2d0a3beea0d5dc67f03b9

SHA512
05e7e674b4a4dbbb7b1661a5b6d88514e7a16ded1376f6df51639603f3e900940459258c725844acbc2d777f5afa55ad6558abdec8ebbea589e2444a65848baa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0d667d0de2bd9857c44da11cbeab51a2

SHA1
6ec0cf663f748c16badf717042f771d747ac72d4

SHA256
7965aa23981595920ae482078066e1d71ce10147226f9e4ea3c11072153500c2

SHA512
4bd130fbdb8bbcba4fc0b253d16e524ddbb694cff903c52ff017555da08aa7227633e605835c0e450ecf3852d2c425e4099a6847297c976166041831b56d3c68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
61323b32d30566cf1a7663ed834c11cb

SHA1
b6d49c24fbe2b366d2709b9ad1efcd695ff142e3

SHA256
42617567bcd202d5b6a30181790659a38bdf6b39700ea7d13c42ca3c28520314

SHA512
6503655f8bc86e5bb86d0030345ba10f3c33b8e5fec67a85849488cd5fc5499256f8b0a19c32b0e371e95ba8946b04d7243ebe2c7a721afd44513e978a4d2671

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
aaf04ed13e68615af07ba43044bdb1f5

SHA1
1c9a79b82141e11e8cf4076b7c74b9d44ff9057b

SHA256
4fc6bc680c80979046fae763ff0cf48d8c91493db474c54383e092c2a154ee49

SHA512
85c1972b3665a8e0f0ab435dfe624e2bff071b26846f258b33d82993a5c9091e85abc319bd75b19eb532fa1e66eb768a213f9e84219484cb864b0c1ab279426e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e0a47690cdb6097693470b299105046c

SHA1
17ae0136b711c80e8055f20e57b2bdf2d42025a9

SHA256
cee69427733ced30c9a62d39f3fda155eef6939a6a675c8f2abadb08f15d7841

SHA512
23b5dab8001cdb6e725c896c667e7f87872c6f82c03fc89ecd1a69a1e0edba6d5767750221f01ac13e0d8c3eb2838af4a56a13142eb369555e78985357c3b6ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5f059d16d38bfe1f34b46add56475b88

SHA1
f6cfc3d9fee004e0590f1b4812acd5411404a0b9

SHA256
28302056e9db4aca84cf66c2d1178902586af4bda284df551f83e9bb53ca4355

SHA512
e679b920d9392508fa24db79468e9850d0ba60dcb6faf4592d02afdadf01843ad73801f01f4de6228b7f1a4d654e7ad9994499d9e126d75285175d07a8ff257f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
39f91ce2d611e9b6ba79ebf777900a0e

SHA1
d6e584bbe5db1675b55dafb226532905ce77e13c

SHA256
e20351b1d0a92ccb1013f287664fbda81101dda07e19cca330e4d0937f125bed

SHA512
8f4a2c420c22673476c926ee7c99b6ee018af00c25fa05abe4f1c8d7e0d4a9f03249b28ef25bb22c3007cf4d9ff9203dbde899d48541f6267042c775f4a4c0a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d99ef9da6b0d6e0e304d4142dfedc94d

SHA1
29396be2793ab7bd969d06ca51a1d8d272ce0d2a

SHA256
a74a855a323d56bedf775c3d6e3a14cecc319561675384c0fa8c9bbf82dcfea3

SHA512
2b535c339be8598ac2eafb848b6a785234d98aca1929f128aad66e3c8441614938181ffd1e81421cd931c785324ee477ec060add1426b482f0a611561dee8200

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e783fc430b95f2cb6e74805dc685db6a

SHA1
9ed923115c284ea3e77657ac4cac4c62ab8b832e

SHA256
1a9478241d59b5aa582786c0e30a4d8a08b04234c6fb0dcf98dcde317753e1a1

SHA512
a6af5b33fb0ad751e6709e07526dd27a243ae9402bbf40639aaae08582dbc97bc2f0929559d803ba6c8752914e53d09f52d225afe3c9988da7c2c0f7ab300c85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d38390bf67022727c7b88952b4304711

SHA1
85e41146536616f461082f44e20b76fecb66d40b

SHA256
1f9b71066574c4d660a5d1394be71bbbbea94395c5b4f7b779e196ac4c3ce8b1

SHA512
436807d22d09f6d03b516fe1998591d435f9f42a2fdfafb2de4a81aefd20d819d468a83d587d57812187f37ead09a2b8ba2476030b89ddc62ddb2027e2fded5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c207b588384f56e4c146e940491894f5

SHA1
4e585d6dd7490c4d9b3c4d13c86229e872c9532b

SHA256
abd2926a0a8cd917332c24ce2f893e641aecb0dda2a3e2e51dc6a6df416064e2

SHA512
2d4f26c564f0811ae1b3379bd99b3cd9dda9aba4bbb5ebab4ed6d5266d0619b059b42ade2108bf1c963d96e097f63ba6bf9e7613c3845cc10ea6a7ac4d732bf4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
84eeba3f6127b3aed0263ab196c338ad

SHA1
584afad3360580075a77363cffdf76169ef6ff72

SHA256
294e4d3004aa606907fd1f849c7964b009edbb3bb52035c7bd193f2b32d88ac8

SHA512
b4d50389a122a9d98f4be46c852ee6b3d16da6c18889d0afe4aae2d6c6fd1e4c8a35e8160392ea82a10a1c227412200ec16c11e7beb1eca884ff3358f0ee0b9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
661f94a29499d0025822e7a7bc70e709

SHA1
e44a638afc097f05fe64ac4c500ccd6c43ef01c5

SHA256
f842f2eaca297552ab807ee3c8a881227bf044cccb1bf56c078a2d2577e01d64

SHA512
2dd5b85089df61f6c5fee074e1780e9dfc07cd7913fcb9e726f097d19c56cec20d1f218f8e6773ca6af4061d3561c0dcd9c60d74bf360911628c8b68031b1e28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
472f943d6c02f25c85b0aa18e6b8a7a9

SHA1
ad91b79dcd93a382831b3a18b3273c3c9aadaaf5

SHA256
41a6183f48d27e39d863dba7348b935682f4bf63167d6af3b0087880550b9b15

SHA512
64945849d849a5ad87a5b2f29ee83452af246614e43c612e3e7b7df3a1c6fb25a07587a3f18782db622c127ea63187e4c147b5a2d7cf2dd0deae4ffc3bbeacc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6815795e8f58060251307eebc955ad12

SHA1
3dff0d89455d5a7e0e8952ed1ef369bbe4109294

SHA256
f06f25cce5dbe4267aadb3b0bfa1c3c493e3e50cc1801ff0e34d2e56f487c615

SHA512
da743948460a634edce679206bfdc7aec2ab6f652670887e95a0e7f5d60a5f084ad2616fa26edf8392880850b3a07e53cbefdae90a7677eb630a81c85f9eae04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7a01554b6388971e0e102eb507383749

SHA1
03a68624c5c35c159910d35bba7f0ed3f4452622

SHA256
aa9951779eb99b34f7bf3971ea2dba59d35691a93cd43200fdd8a5e7a7fec587

SHA512
a7280f706a3a2c1327b25a705132386b93e57813a0156d341077182d75f7c17a8828e22eb51dca946d107576781b45b6f6f4e2fa1e3a2b3f8c63b2a7d0d2126b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f2f5a2a541d6da05dbd1360e48182ebe

SHA1
3637bb36041daf5fde18dcf8591a6c37f61e6e0f

SHA256
c53f07838611239500e2edc153c78dcdb9b01c6e09488a1e53e629c187d3d184

SHA512
223c870a0668c8487cb7258a15387451d3d16a26cdf0dfe758d97f183a319514cd9910d92c5eef94c2a748010b5e0f19fe1e92852776754c04b6c6a4f3deba96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
2a95a4c03d4b19f26a26cc1e6b98b90a

SHA1
2900d0a423ffdd3678c83a20fb7432a4e3106356

SHA256
624b22da339559bdebcef3753bcbc039c312345b852396ae78a16d5929279c48

SHA512
56b0f6cf6e28a233241b8276b027a0dd04680368bbc361ca0b573746cfa4d9d397cfc60b1c84cd4be786211afb1ab7baff6422f08a06953d16ebc07448b21be0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a24514319d476d4de91f160fe302379

SHA1
6deabf625fc88b88486c1366083508e4e077fdb8

SHA256
b1a4e068f6a7f8ed177283484d4c0f0fe8e2d526da9584498f9b51d8839ac6df

SHA512
ce625d59086250e01054ccb4721a7597146ce1c2dee002f3bd907a8f8f68b4b4481628a6b46c6f04199fb3ba75fc0a4c6cc9bbf3bd790f27c63dbedf0c07bb88

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ec6bda9a6be417efea4215a906c42c9e

SHA1
a3dc475df48bfe7feeb03277c641b7638f5b8f15

SHA256
1d3779020e23b2ea1523d4799993473025c97d580bb6545fdc97848a2d1628ea

SHA512
b37a058df6f064528c043000e35f4d995416af2f601d6241a25b9b749a2e9e07ee880cbb8cca196b320a7fd07419c859a7c2f25b9fb2182ab21fe85a30ccf3a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59ad0d4650b24b6cf51407a48176b6f7

SHA1
e1c66df563908252a0525d5a04561d1d80a4b1d3

SHA256
b6d2dc442b7bf3139a8d6418e8383c7ee06c7872447e5945dc6434483c2f22d8

SHA512
0328803ad3e4e924369c1f81181fd342bf9a3ba0bca52afa595a8d1392b3c6b328498cd5341922e51073f22704071fc4412ee432392e1227a96a3ec702fce902

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAD81.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAE3E.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Killme.vbs

Filesize
289B

MD5
1a2a966418112bfec7ac709257e1e828

SHA1
6892da4f91662dec19a9f4a713645052ece548de

SHA256
b39099932c555013ee32303aa0849385053bbc8ebf15251a58cc7be7c4a8bdfe

SHA512
b38dd3987fd3f85ae795f46be656431ec93e067e431751042ef070e290c95f8f5a7fc351b8023da79dc774f773a4b38432673c3a0161d58c57a04a54dc3e1750

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAE63.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\??\c:\reg.reg

Filesize
195B

MD5
d074af1950aed38a9507428f23df9ad2

SHA1
0313b03e880b283cfacf64aea25c54259d388201

SHA256
5f3cd51950de3b9c7f8bb8a14cf5c39f3d480270d89a7c8fabb54900c9c34ca8

SHA512
484029eb461a182a9b088f9912047d455749381eab696d15af719f020f4982b6a331b20f1ab5437a8f9312724770ac26791f83d20c79e0e1b1340e53d1122fbc

Download Submit
\??\c:\reg2.reg

Filesize
450B

MD5
2944837920fafc0892eb196e7d774b23

SHA1
31269a61616a0064576e0e6a93e23722cf5a2057

SHA256
1c2c0c933e0023e7a24cdd4dd5bf363b00449094d3dc9ff3e7188d893e2580dc

SHA512
027b5677254eb8582a672cee88cd5c82dce09170fdc2fd47e9dfaacbd29b691719a5c7ecacbae1fb8c3a5d4a5243e9d3aad64be63e9c788e01f6dfd24f0e003f

Download Submit
memory/620-0-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/620-9-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download