353de44681cf517321aad71ae5c0827540169c2f5ca2a0e5b6457f7af07ce1bf

Analysis

max time kernel
126s
max time network
136s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
Size

1.4MB
MD5

fa193e8424632650cfeb7cd1333300d2
SHA1

6672fd7e5ee448f2bdd40a51f7cb8ab5443312fc
SHA256

353de44681cf517321aad71ae5c0827540169c2f5ca2a0e5b6457f7af07ce1bf
SHA512

439a2c820776a863216a0b30cd159235e5e3f4aabb428b90734ab0a2eb4cd39c2b2b54fdd6612abd159768e309e2937da024168337387d2b0166a667e3220f9b
SSDEEP

24576:9L7r/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVN/5:J/4Qf4pxPctqG8IllnxvdsxZ4UV5

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\jishu_134108\sc\126ÍøÖ·´óÈ«ÉÏÍø×î·½±ã.url	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_134108\sc\²ÊÆ±¿ª½±²éÑ¯-ÔÚÏßÂò²ÊÆ±.url	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_134108\sc\Ã¿ÌìÍÅ¹ºÒ»ÏÂ-¾Û±ãÒË.url	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft134108\a	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft134108\pipi_dae_381.exe	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft134108\d_1308.exe	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_134108\dailytips.ini	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_134108\newnew.exe	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_134108\newnew.ini	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_134108\sc\2144Ð¡ÓÎÏ·--³¬¼¶ºÃÍæ£¬ÀÖºÇºÇ.url	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft134108\0820110805080819410813080808.txt	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft134108\wl06079.exe	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_134108\FlashIcon.ico	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_134108\ImgCache\www.2144.net_favicon.ico	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_134108\sc\GoogleËÑË÷.url	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_134108\sc\»Æ¹ÏµçÓ°Íø-ÔÚÏßµçÓ°.url	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_134108\sc\ÍøÉÏ¹ºÎïÍøÖ·´óÈ«-Íø¹ºµÚÒ»Õ¾.url	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft134108\MiniJJ_12318.exe	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000373cd328586cc548d4d5f0cb33a9518f251c5300ec164b2c9490f1b086a46b7b000000000e80000000020000200000009d895c836ce3dac0069b048658b3c332c41989001c7e014413ef54f96512d29f200000003ec2f34d828742c6fba367b339eaeaae507bb9876724df7b276073b81538092640000000b714da4aa07531db63f006fafde325029b1b0dc00894e4c520129329b38b9844dec79b40fae6972d5efffaf9e4528898b344950c13eb7513816b27dbec3be7bb	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e07af7e74792da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419685843"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000a725c34a70c4a7865792ae51aec28c8e063b32404b4dd9354b186b58ab8e5819000000000e8000000002000020000000ee8a25462f2470d0241687eae3c282433d8e049395fd6e2244831586cfbda38f90000000a75a971ae197e19cee5cd28630760dfa22eeaac7bccbfd96d8f4b806fd07341088beac154fc3c748516b89b8f2b3dc29cf973a57ce97cb055f5248e21cff082f6efcbfbfe4f8d493167b67a95f062d256a0a7e1c42d93cd5f9f3ee9385b08d7e8e299f841205c7ff313d7975c5f0e89cd293f101030fe8d1edf31da439e9e3babfe4c5e8edcc023a63ad925df9148ea8400000006d67fcff4ecd44a76ed0274fbda2c768dc1caedcccbf58b5216f5b938d75ac9a782d88f4e62c2748573362c963d6d80ef34e4fa6b0b588b33c4f8ee0159a2d34	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F9DD3C41-FE3A-11EE-97FB-6A55B5C6A64E} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F9A41B41-FE3A-11EE-97FB-6A55B5C6A64E} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2964	IEXPLORE.EXE
2460	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2964	IEXPLORE.EXE
2964	IEXPLORE.EXE
2400	IEXPLORE.EXE
2400	IEXPLORE.EXE
2460	IEXPLORE.EXE
2460	IEXPLORE.EXE
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2772 wrote to memory of 2652	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	28
PID 2772 wrote to memory of 2652	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	28
PID 2772 wrote to memory of 2652	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	28
PID 2772 wrote to memory of 2652	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	28
PID 2772 wrote to memory of 2652	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	28
PID 2772 wrote to memory of 2652	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	28
PID 2772 wrote to memory of 2652	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	28
PID 2652 wrote to memory of 2964	2652	IEXPLORE.EXE	29
PID 2652 wrote to memory of 2964	2652	IEXPLORE.EXE	29
PID 2652 wrote to memory of 2964	2652	IEXPLORE.EXE	29
PID 2652 wrote to memory of 2964	2652	IEXPLORE.EXE	29
PID 2772 wrote to memory of 2640	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2640	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2640	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2640	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2640	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2640	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	30
PID 2772 wrote to memory of 2640	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2460	2640	IEXPLORE.EXE	32
PID 2640 wrote to memory of 2460	2640	IEXPLORE.EXE	32
PID 2640 wrote to memory of 2460	2640	IEXPLORE.EXE	32
PID 2640 wrote to memory of 2460	2640	IEXPLORE.EXE	32
PID 2772 wrote to memory of 2448	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	31
PID 2772 wrote to memory of 2448	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	31
PID 2772 wrote to memory of 2448	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	31
PID 2772 wrote to memory of 2448	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	31
PID 2772 wrote to memory of 2448	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	31
PID 2772 wrote to memory of 2448	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	31
PID 2772 wrote to memory of 2448	2772	fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe	31
PID 2964 wrote to memory of 2400	2964	IEXPLORE.EXE	33
PID 2964 wrote to memory of 2400	2964	IEXPLORE.EXE	33
PID 2964 wrote to memory of 2400	2964	IEXPLORE.EXE	33
PID 2964 wrote to memory of 2400	2964	IEXPLORE.EXE	33
PID 2964 wrote to memory of 2400	2964	IEXPLORE.EXE	33
PID 2964 wrote to memory of 2400	2964	IEXPLORE.EXE	33
PID 2964 wrote to memory of 2400	2964	IEXPLORE.EXE	33
PID 2460 wrote to memory of 1672	2460	IEXPLORE.EXE	34
PID 2460 wrote to memory of 1672	2460	IEXPLORE.EXE	34
PID 2460 wrote to memory of 1672	2460	IEXPLORE.EXE	34
PID 2460 wrote to memory of 1672	2460	IEXPLORE.EXE	34
PID 2460 wrote to memory of 1672	2460	IEXPLORE.EXE	34
PID 2460 wrote to memory of 1672	2460	IEXPLORE.EXE	34
PID 2460 wrote to memory of 1672	2460	IEXPLORE.EXE	34

C:\Users\Admin\AppData\Local\Temp\fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa193e8424632650cfeb7cd1333300d2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2964 CREDAT:340993 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2400
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2460 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1672
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft134108\b_1308.vbs"
  2⤵
  PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft134108\b_1308.vbs

Filesize
226B

MD5
8a9d001191085f3900808d418faf4840

SHA1
0cfb3c7adb64da1640fac02745cb2caec39d77e1

SHA256
02bc6610cfda293b6794f66a850bd6d8407a4d8c9b2d224cb960bf39c9707885

SHA512
6edf9a381cb487f98e1c4d1cdf385ec207437a43a7519a34271496ddae04b25d2e679a7d94d12ba6d41fdc289ebee31f5fec5423f463fbabf08ae59e0d848f90

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7dd1c17415500ee668c61617407f347b

SHA1
6f45ee0f589347f57907db29519118cc237b1423

SHA256
f01849aa0acd110473bdbf3e77a50d2e21d6a6e453c80e12bac3b72419d53544

SHA512
5d30410f928cc75ad895dd889863eb45e73855a8f8cafbd18f9adddfc3a78a47168179179d694b6b6072b3668152ceac64a14def7f8f831b29841c0ce2700137

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
786c2dc784f0beb07cdd7af5a3c93d34

SHA1
a8778a5302bb917c89d9ccf092024ddee37b4811

SHA256
ff4d622a45e0a49b6a0a30b6b91f3a4557d9a6c630075ed04cfbedcea7490ec7

SHA512
1bae6594fd40d554d7da29b45c0aad240686af2fad26048138e771038495ee45661b4e91749fd6e51bb9c9585ca8d37cd573d63b6a025a64ec16dd241b95490f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
917024e4bcb666a93bd5226ae108a9aa

SHA1
9c663b6ca51162733ef1d0ef3ea5bed5e9d0e515

SHA256
01405e9be4c0683378328c64a34bbbf1ea2ecade738a872a57559a339eb742c2

SHA512
a7caedab457f834c91544b246202e59a1b5d5b870b2f322445d37814be26c0bead3cea88512efca2d64e3d338c5ca01e2daad2f4ee7b26d4033e6b85f8d6bd3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e3a3765cc2611ae2bbb678a02580886d

SHA1
a75585f45c41d0ed0bac6a72a7c18588bb619e8e

SHA256
fae9d78b049290262ab30f143d06af832b1982bc120bcb9b5cc69f84fcb2b301

SHA512
4d50097496c397abd4eea7601c64e30c5e08fa0130fe69d55cf4d8924d13ed31ec346d0b1cadd170fd40e94a6fef0cd57deb69959d290e575f7b23ab1714fbe4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90dab0c40c802392a1920664e0cd25c5

SHA1
59f97ee668659e862d8fb3bc28ddc2985661c813

SHA256
6b9f78efd28790ea7ba4d66f31ee80d1529f4fcf48c3b7050bf98e95cbd2469b

SHA512
c1ddacfa9730d3ff14e799f559db4d5ec42bc40277728226af07eef1ab0cbdffc93773ad2b49886af316c485888f237bcd739c7dd9038df6877b56a88017ff1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
77aae6b7f513a78dc44fc7c906d21941

SHA1
dfcacbf7c4ef12b1b01c6e0e85dcd1f4bd2bdbba

SHA256
b03c4c00b1c7bc03e3119b5991fd8c918ce0e6d82cee1a7094aa2dd2513afbcf

SHA512
748e62d108934d62afe78886ec8fa54a00b966f2995257aab8c93c1563fc6ca9ecce6e6eb62c171165e4d3ea7f5268c1e2b9dd96ae5b9968a93a6726c39838b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce53acd36ea403a8c9006cdeed41aab5

SHA1
2d217adc218806194992ea152bf5681ac3a9fd42

SHA256
056200e88ec347ebc4e499c12809b6715e7ba37b4971c0f9e6fb41664f10f0c5

SHA512
f92752ea46a2d22c8b53e22a9cb0e3e845faa93922be3113d2d7b3f3ad4df43058ccc5c3df45f4e4c9d0a3f507fae63b806be7575f622c43640a1adca6d811a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
742e75c55087b39adb2d5b61514565d9

SHA1
3d40f283d14cb6e752c57dd4e46397facae0bba2

SHA256
eab596825d55ea195a237f7289209516bc782f27b2ffa16f61d710c647cc4b7d

SHA512
a7b37f81fb1775e6a2f385e4714c645db339aa4ed2cc0481e8c40066169569720506b9485077ac0c8912a02e16e7506885545d41c63f04ac26680ab30783e8a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
09136dd15c0724a02309f6b77f091cd5

SHA1
16979da3e72dd0478a7f5f7878f568f6f84d571e

SHA256
f8813e153531339e0fd10c4d9ead0ab9cdde05b9e18d2314ee7dd21f7f935901

SHA512
2d6560a196ce4b9d662837239a1de1caa1b63be880190f05f7046c97534cb9c53ece816dc3e540a3b48b8a0e4f32aa3d037ce21a07ed627a1ea97ed5b1c73e94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8625e74e5181f3ba860e2c3789743e2c

SHA1
2ab6d97d372b15df9dc73ada9b70d5f75eddc1f7

SHA256
263dda77290984a9572295cec24ac33fe23787a8d12b2671d4d31716a5ba4a65

SHA512
45491efec92d9bb7e854ed4980702464f10807dd4b9c9ed7fa24c4b246745b1e70885938c3e606c7acd00b73153765a94658a9ceadd217287bc57d5ca28429b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d1ee6e87464d7e4301035539b9c25d2a

SHA1
ebbd85a65569eeb617cb64d1a500b9986c0ce9ee

SHA256
3c75d3a59b40ea59d9b284e731c5acd0e707044e34ac504a12b2e3446fc68cb0

SHA512
76c5014b589eb3c02870ef008d192d1f65896401ef09dba401bfc71bb620fe9204949471aa3dc2b2e22debf693b2873324679798e2e4bc404e0b968ae160d145

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ce476449741f275f39a9d0c26e4f1d3

SHA1
d613ba77611275cbb2c661ce7d522a28f1763f25

SHA256
77e81f0aa97dc4648b5d98ac6ad10039268d6239e939cf339f08a15d4277d9a1

SHA512
55932a00a78a23d9cfbc3f3ce279391682bbccab7fa5fdea4e3e3bb80b0265e93997942f5ac3081072f65594083a94d81ee92adfe28374c50700a2fda478d10c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b48eedeb4286effa8b8599af12119e46

SHA1
adbd4fb2fa18ddb983eeda435ca305e24b7bd4bc

SHA256
bfa7ebd3d5ef6bfd38c452946310a1d29bbdc4249a04beaf6af6a090f51fe811

SHA512
f8a6db5c976e4bddc1e8c893191ee08dc6befe529d1a6fb72ffd3e2e0263b669308a409caf157630f12ec3d6bef32f5493e77a4982ac26e3cfcf3d8b46272a43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d1cf94b236709b49a08a2acef35a2c6

SHA1
5a922f2ea885ae45cab936f433a7d91dc3535008

SHA256
14b571cab101b419b102480ac42bbd2b7677826a4eab3d5e1fdae291af7d14c2

SHA512
cd48a9bc483afc00115e561411f2a34e31953840e98e72497a336ef36ed4989f9c72fcda5c2935aee97dae7f86f71e61bd8cf75bcce0a2dd49e1d3cec84273a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8b72e824a9dba56f20e1a531d14e50cd

SHA1
32dccf8eb39a1a49259f2b4b18fbd8f6ae909ea0

SHA256
ce101e7781b91eae1257af07a6c36053d7a9e9ad37690bc4b59c6f6d39102080

SHA512
31e460cf8b4216216bfc637eb178f1cb9ac017a5ff27c57e2ae1ba8d02a2fa252ad4f36976b75ec24fb611852cebbe934285ef749020b0c909f61d30df5d73d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
344b8b0c6e32d95ebd6e9600c11de8ca

SHA1
7c3642d2e828904bbe092d4bffa24c186bd189a5

SHA256
384a170ccaaa63b0574213ea9929601d83d473cf3b7cce88b1a1e1a0c653cb53

SHA512
8fd012df98a5421dc05ad19c64359e124d43838ae4ee5a633aa19cc054be08622754a92ccf8c967ed851c8d539a98663c4f7819432ab6f87c93ad65ac3e411ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
3bf8d7cbac910cf6ee958b066df041de

SHA1
23790a28faf6a756e92a999713db6472308a5d42

SHA256
53d8aa0fd1f5f5656eb00de86b28ee2c2aac896b8c7ffb883ea463249fa1d5c5

SHA512
4836b0c2182002395a888b91d77044f06ad74f8fc9bdd3f6cf80323a550f0452f713f868ebd6258decc3a89e0ff85e5c00ce99a48bcf134afe653c63cdec686d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e04a747fec66e4211693575a05e247af

SHA1
8d57cb3681fa0060f4e7690d0ca47a0848aa85fb

SHA256
f782728141fc298453b35446878850925c406428ec8b122e1f6a3a053a38d415

SHA512
a4399c5a7f9cd5415b919c31d0f47aa51f9ed3d0edc8495ba83b436781da38e4b071779623a8145b9ec8b0be8054bc3f376c5304779668c78a6a143553760366

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
25a193c80f4fdb9d6d5edb3549891cb9

SHA1
262b7352dfa7acc2845231be8e207dbe660ca7c1

SHA256
2a8cb2ca272b7d0d757e5ed361c7a5328387c963ada3456096fbea89128c1d91

SHA512
aa8d4cd4ec8bc94e27f72f187fa5ecf74c803524ec6a404e01f49a57ce1993b5740ddf7e138a3c5cc02f715c57a47e8eef2202f6b63cb501ee99671a4797f48e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{F9A41B41-FE3A-11EE-97FB-6A55B5C6A64E}.dat

Filesize
5KB

MD5
3882c012066d172d63fdb1ff9b061340

SHA1
56a2c6ea3aaba3530e140b52f559e268992e40d8

SHA256
d7f04c67fa708319f3e90dc389679d4bc37c49b7ffb7dc2e9c0cd5002b5145d0

SHA512
71b01b699e6e9739321bc97199191bc7b6d043b9a9f9345bd0ec5b99a7757cec5c7abe78a75799d2a0e7f661f3af0105c6be71077572a635ad903127017aaee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6124.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6237.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsjA056.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Program Files (x86)\jishu_134108\jishu_134108.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
\Users\Admin\AppData\Local\Temp\nsjA056.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit