16f6a0afbeb8e71e6fee8c92fc7fcc0b555fdd91593c313afa943bc7531740c7

Analysis

max time kernel
152s
max time network
146s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Size

964KB
MD5

f337b20ebd8b66d6448f5f998c116939
SHA1

cae36381427dd107e0ba56efce761630bdcbfcc7
SHA256

16f6a0afbeb8e71e6fee8c92fc7fcc0b555fdd91593c313afa943bc7531740c7
SHA512

fe0bf7497522f69948e6144e93d084f2fcf77fd11065ac992dc3e93ab5a9fd0905666e02bd571935f2ab073225ef62f08c11efada4d77522030d4a1ad69233b1
SSDEEP

24576:lqcxMsqT3KiAcXZebG+E/6nZAZegOEyDhcJVnq/R:McxMsqTAG+EwAOEmSJ9o

Score

7^/10

upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b00000001225c-5.dat	acprotect

Loads dropped DLL 1 IoCs

pid	Process
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b00000001225c-5.dat	upx
behavioral1/memory/2968-7-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2968-9-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2968-10-0x0000000010000000-0x000000001003D000-memory.dmp	upx
behavioral1/memory/2968-11-0x0000000010000000-0x000000001003D000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DA33F4E1-FBD5-11EE-9555-6A83D32C515E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9091b4b2e28fda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffebb09deeb747419e902f1accea58f70000000002000000000010660000000100002000000049fa68e4d0a4948159b9be3773dd3e38fcf3a7132761c48d299f8c92b5b12030000000000e800000000200002000000075f763be8017aba5d654a0f0c8bc94a529e21653233704041eacad98e5091cf59000000053c27a5db13597749f777d8acead7976d79f7c01f53cd5d096f299a8531a49115d759176b35fb9f6de20971b509ed42bc111b9577249b1854bb36b64b9f366bec636d920a11e1eeaa8524ca7cb3bd8850cde0334ec3d10308b3d51b923248c33c9eab0464091837d927ea7e46e6717755fbbaabcdc4aff699e90e562907d8e2d1e17fedf6cbf11e5129bf9cb03ce3e264000000043c3adefeb4c03e2a05c6f243efadfa80cfd2b5ce68cc8298864c4fcfafdbe37be71f35e39f82c4ec13dee812bd498dbb8338c1b6e9f01f37977ff06f30da10f	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419422509"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ffebb09deeb747419e902f1accea58f70000000002000000000010660000000100002000000002611178c20dd03c4ce0fba41d811a125a5e3861cc09d2c45f4f58a6b0ef94a0000000000e8000000002000020000000ca4c7eeef9036458ec9df4bc0260807348ade25536f9387de909bdf92fd0937a20000000b349dfa93aaca3e34059f265f439d479ee5a3a7ada7c12c5db7e23427d833ddc40000000020cbe31e13f93612db10dddb19e85365e594c103ff9ecb969d08929f1d6836014e852cc523565e3f27bb753be54e6d5fa5185129b6b95fa193eccd6ebfb33be	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: 33	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1948	iexplore.exe
1948	iexplore.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
1948	iexplore.exe
1948	iexplore.exe
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
1948	iexplore.exe
1948	iexplore.exe
1872	IEXPLORE.EXE
1872	IEXPLORE.EXE
1872	IEXPLORE.EXE
1872	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 1948	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe	28
PID 2968 wrote to memory of 1948	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe	28
PID 2968 wrote to memory of 1948	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe	28
PID 2968 wrote to memory of 1948	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe	28
PID 1948 wrote to memory of 2868	1948	iexplore.exe	30
PID 1948 wrote to memory of 2868	1948	iexplore.exe	30
PID 1948 wrote to memory of 2868	1948	iexplore.exe	30
PID 1948 wrote to memory of 2868	1948	iexplore.exe	30
PID 2968 wrote to memory of 2204	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe	36
PID 2968 wrote to memory of 2204	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe	36
PID 2968 wrote to memory of 2204	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe	36
PID 2968 wrote to memory of 2204	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe	36
PID 2968 wrote to memory of 2188	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe	37
PID 2968 wrote to memory of 2188	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe	37
PID 2968 wrote to memory of 2188	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe	37
PID 2968 wrote to memory of 2188	2968	f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe	37
PID 1948 wrote to memory of 1872	1948	iexplore.exe	39
PID 1948 wrote to memory of 1872	1948	iexplore.exe	39
PID 1948 wrote to memory of 1872	1948	iexplore.exe	39
PID 1948 wrote to memory of 1872	1948	iexplore.exe	39
PID 2188 wrote to memory of 888	2188	cmd.exe	40
PID 2188 wrote to memory of 888	2188	cmd.exe	40
PID 2188 wrote to memory of 888	2188	cmd.exe	40
PID 2188 wrote to memory of 888	2188	cmd.exe	40

C:\Users\Admin\AppData\Local\Temp\f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f337b20ebd8b66d6448f5f998c116939_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://bbs.HaiYn.Com
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1948 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2868
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1948 CREDAT:209944 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1872
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://Www.HaiYn.Com/
  2⤵
  PID:2204
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\230.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2188
- - C:\Windows\SysWOW64\netsh.exe
    netsh winsock reset
    3⤵
    PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\230.bat

Filesize
31B

MD5
7a1c638347f3634b1d9209604efff32d

SHA1
dc7a25e645243714c5596dd5fa6a81dcd28b2f94

SHA256
190c460c297f62860955523f4d4bf497b274e994d5743955f574061adda7c378

SHA512
c6d124403f56a126c1364037e9441afe314e8d0533a58a2e2de51415c16ace7deee95359a173587cb3c51f5c6175c2008dcd8a816eb7679a4031d6f4ff04eefa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
59f2341219a633e939e01f928bf274c5

SHA1
f4f46845a8da8e087cb7a5bb1bf198d5796ecddc

SHA256
3187c610122a417f18e65fb0026336e35b3f2c4498e96c63913aa165b0099871

SHA512
60f1636ae4801d908a560fb423d54be63e5df157d4f8611988411acabbbcfc0a78352bfd341553684f71d98a55bf1fb23dc5cde59508eb93e50c1d682f18921b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0a8766c7304f78651c18f8360a6ae0d2

SHA1
2969c7982bc8f65837a21d768257ba1fa912669a

SHA256
3880eb6f966ed608a02a917f2aa03efbd1f373a1edce9309dce67154dfaf850c

SHA512
f07a46879655e9ce8a4872788e0948a1f9e688b8938f29c559aa8a99ef3b4ef67491a582879a1b0d34f6807bc044ee27bcda9191de1928a8e5d8e68e4468dbe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1b9f8d8ea5be3eb12a40d1893c4000de

SHA1
69886b2173f9cb94dd1f3a289f3d96752362866c

SHA256
2324a838fa1339763c30391c66abcfc4316596d5725d151bcef77c444f263b66

SHA512
ee2175107efdce79aac50a377985c8b2a929e1ff81cc3444f0a189de3ca6e5fb2e1285f40b5f5c6bc143fe90072d9bb40b22f5a7fb888dc8aed2afe97c83a99e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dfa072d9d29b27827cd54fe3b7c9244a

SHA1
253b7311fbdc288558c6e0c84ffba9a9dcacfceb

SHA256
68225b48f2d05eb984bda46cd178ab704c5bd0e96510f7bfa763076170331e46

SHA512
6287696c27b9ea6f8908ed67add9a1e7c753d74fa72c360b5146669ea77de43aed409e5e22a800890f636b8367468f9cbc9523c70f3443520c2b207fc436aa8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8412ae4dea04e123b9ec999eb931cb4b

SHA1
569bf61d0b9702c17effb46f6c001d19b0c49367

SHA256
d057543ea240f5d0c576250ed10fa40e26cfb24de2a0065cb68978d2704f17e8

SHA512
b0efd9c896be201321338d9b9f01fa1194b0bce73b59e651b15078a719b08dad9b5e35d6f538584206d7826a8285f5ebce649bd863edd663ef0430108c2c0d0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a8e8b8efc49e472b245d1a3cf3e43ffe

SHA1
0990b0c3c0dd8b7681ff85aa1cc6a6c7804a41c8

SHA256
aa024ddf332839de6b631f12503fd85be3c3a7ab46a02ea4923dd63aabe388f2

SHA512
8cfeba5041041e4ce503a2550044cc4823960a1956e3daff55e09672b765be5f3f4ebd55255a2bc1391be057438d6469e896d6027ee32e46439081a32527a9ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
41e7bef409c9b84c8a589ff44ae31d67

SHA1
53072d8d5c8ec79cac95ae99011674dc393f5b53

SHA256
6a0e0e0277db8ce6e2abc5fc0bfbf0b033507ac6f4db869c7e485f099ac307c3

SHA512
9d93392036dd89b300e64af1de7038da9d3571812b4255755df03a0ae658a3137df2993867fd574b811898400407c1082b5893439a0d142d797d2cf503e9e0c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
076aece20d657a3e6f65d4cbc7097add

SHA1
bafb715914171b5978835e69f0869e5adf6a6535

SHA256
862aace0c60ac86a685b5d8cea4a4361a7e9eaf300412eee855514f799399464

SHA512
f0d2a7228f238b933fb9f827d45e1476689cfdeecba0359cd7df931cea2368c003224f1c70f422a2fe1d4639f80fed39b9c4df05e87c361d25f2c4ebc2f3957c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4bad3fff3df80d185964b31618d59f6f

SHA1
8304fc25f752a40ee07d6106046b36982d1a18f4

SHA256
9fabba9013a64cd18a9f9bdb6d2109f5676de1a09352096fd4c5e04013987102

SHA512
06a18849ad30351c48257606ba21be4930461fdca0f79dac6a03ceda297034caa2ea756c4c6f340b5b403471f58f557788d29a6edd53f0f2c741ddab08cf222c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
31fef328af80f4bab14a6b86aae00711

SHA1
fcaec0f260b1d6fc1ad5ea6694d170642bae6b47

SHA256
45e991336ed0067b5932dcf1d0636e2e19a7906e62c54ab3c69a7d74244b5325

SHA512
4b3a6d246b364ce908cc2b2d1f6a347f10644df66d37fcead21f2d22fa6dc91cfbe5ceab625ff2370dd3e02dd3042a39d6589d5cf61feadce7c5b1d113ed802e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f0c673365ed7da217da6221364b8f27b

SHA1
d43539e1e01bd6c55d0a09b5da83cbc0e2d12c2a

SHA256
0859ac78ac4f1243f876d2c1148b8c19758807804057a5fd3d3e4b85fb04d2f6

SHA512
6c2d9e873e79b88249d66e23a27a6190675aab1a98a8d47b3f630f6f01de5d79af5c381b40657e446dde684c16c8c714cc23fd9a618e5a9454b4a9a06f7cb700

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6c9ef28a303ea5fbd240dbeeda91fa14

SHA1
4667a3d7b6299308e4990b961d91dae06ff98e80

SHA256
246567e746419ad40aef1a3ed610bcbce77e0bfe38adbca36852ebb49372785f

SHA512
68745e475c72e3c51379367716a79f0403a1cda93dd6d2436382abf9173e2e9a17980f583ede6464de8bbe87bd46dff12e0d129c4996f746fcfd82e5a016eeb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ae210e2c8f33637f7b8426909189ef7

SHA1
64129ca026f076b43d1173a6991745b86ec05bae

SHA256
170fda7150ce2ae89696a3a53e69791d61085d9ce3f88af42d75534f54258d94

SHA512
eaa65892e148521cac443cf05f6110108a72dd60ce74d6801ac759ff2fcd5ddac7a1c2f11fa14c97ef106fbde63b8fe650993b74282fbe7214ffa81ba3a6d889

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6792a2e4dbbcc358319a895aee8cc19b

SHA1
52722a63f86596d5c6ea26b0e9fe5e698edf54f9

SHA256
c16ee55289b6ea78444f66e4fb419fbe48bc1ef44bbcd48cdc5e28d3a268a9bc

SHA512
187fa2fbd185963d39be1c9201eb6cc296e1731fb0e9ebfda9e5636fd24fbd7791697df56f9fe8e9d3671eba5dcfa6fd48fd64909ffea2fc5e0c372d0e1aeb89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
690a763fcf09496e31777d11ffe6a88e

SHA1
b8859080fe087a477f533ca8c38c4532996137b4

SHA256
d561b14b65ee80f86db982f3464acd58b76f47f1f05ab65e4da94d66bd0fb6b0

SHA512
660c5040c7fc8f1e0c09bb084561fe9e9b4516d55250f2e348e875c3284cac00182d9b4496cbaba55965096dc04c4bfa706c1ba5fdc8fccc0da2b61591ca51dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3004cb2c6686b9dae807cc5b2a80c95a

SHA1
3f3d355d72b70670c147259fcb68644136c2a649

SHA256
94b84659904b2186b062ce9009abfa2229f59eeadae4aab12c9fbe517603dab9

SHA512
8fa03a74edf22eb9668a9a8e76c1e818a9947bd116db7e240e2965857088d4345522f56141f867c10c01a6369c7c72c73c00ee65305b87aa550389bb3434658e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
36da979f2fe816073bd230e5b73d26af

SHA1
b9efcf1e25034a282ee795b170455dde4088b707

SHA256
949bf2aad2ec4fe2d6f59804610299ad5b3222c97f370fd2856ad0215c8f7fb5

SHA512
bbb237478e1b1aa7a765cbfc7c8a1f2c83eee45c5570b1ae75b24e18b494c5e15093cec9952ab28e651fc18d19bedd90e76ba72f348c23290fce35300215d3d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f40c27aec1bd6d4453913e90268e9e7

SHA1
3e4105ec9ef0cc4beccd3f830e491b7e47f76e74

SHA256
62b755da5f7d1cb0dc21c9aef6bed08d7296980611384b9d976d0e04d9ac56e9

SHA512
cdbb1895508c0e4766623c4a296f8dd352ee538c9149297095bbdf0c1bde4b2999bf75c525a190db5102476182b89c04465f9f605cabbff7d10bc305ee8865a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
70fe0bf7bdf21b8ecb0adddb488b27df

SHA1
8ccc0ed5cdf1710831f2758b59466862518dcc6a

SHA256
85b113fb57d8a3c9f6ec0645933e469a045bd16e720a94c237578fe1c9531c08

SHA512
6f64e374b8dbc859ef9aa88a8c5cf5a373fbf93c251388456c88258d5ef55eeb544fbc24df68bd2e290bb4522f46610d3e9eb6e3f6e7ee2a35fffee64849e3be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7624b5e335173675b78d1d651bca9b1f

SHA1
73f02f761fd51b46e81eb4188fd2e52f97307807

SHA256
1fdac640c5abe5043b6126f1d473749fe66c7635bcb27f909ac359b270af445b

SHA512
9ab5e8da7e6389eb154d9ab316208e51a319b336322cf34e0fdaedc733f939d51a87b3786fc1fa8f9e53d29ca65158a9b83d4720d688f00c73999c370e93cf97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab84DB.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab85D8.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar860B.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
memory/2968-11-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2968-0-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2968-2-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2968-493-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2968-7-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2968-9-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2968-10-0x0000000010000000-0x000000001003D000-memory.dmp

Filesize
244KB

Download
memory/2968-17-0x0000000000400000-0x0000000000772000-memory.dmp

Filesize
3.4MB

Download
memory/2968-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2968-994-0x00000000035D0000-0x00000000035D3000-memory.dmp

Filesize
12KB

Download