Analysis
  max time kernel: 150s
  max time network: 147s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 29-04-2024 06:38

Static task: static1

Behavioral task: behavioral1
  Sample: 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  Resource: win10v2004-20240419-en

General
  Target: 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  Size: 264KB
  MD5: 070a6e2ee81e6a9d3aa7f6e64b7c0915
  SHA1: 6e04b2c65729f1e50edfbc8fa7fefcf445bfe233
  SHA256: 9f0939584e0fa2a5764d39eed63b42e6dd744bfd237c7e10fa3b5e9c93c2dd15
  SHA512: 018714d13246032d4d9741e1da5e8a6f2ec8ed09d63f10029c3c2cf0215e13c0592298195fc4657696a7f17abdbf4e8e8baf27e33f1b4271884641fb6d68704e
  SSDEEP: 6144:K11jsU5B0b7GmO7MOpi5RZwRNhtpp9ONDnGPzGNi6:e1XB0b7GmO7MOpi5RZwRNhtpp9ONDnGN
Malware Config
Signatures

Drops startup file (5 IoCs)
  Description | IoC | Process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\open.vbe | hot.exe
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\open.vbe | hot.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.vbe | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnk.vbe | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe

Executes dropped EXE (3 IoCs)
  PID | Process
  2552 | hot.exe
  1964 | qq.exe
  1912 | smss.exe

Loads dropped DLL (6 IoCs)
  PID | Process
  2180 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  2180 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  2992 | WScript.exe
  2992 | WScript.exe
  2992 | WScript.exe
  2992 | WScript.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\smss = "c:\\windows\\s\\smss.exe" | reg.exe

Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
  BHOs are DLL modules which act as plugins for Internet Explorer.
  Description | IoC | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{571392DB-3536-4ED1-98E4-5CF495999659} | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{571392DB-3536-4ED1-98E4-5CF495999659}\ = "??????" | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{571392DB-3536-4ED1-98E4-5CF495999659} | regedit.exe

Drops file in System32 directory (8 IoCs)
  Description | IoC | Process
  File opened for modification | C:\Windows\SysWOW64\lnk.vbe | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\dll.vbe | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\tao.ico | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\movie.ico | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\reg.reg | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  File opened for modification | C:\Windows\SysWOW64\qq.exe | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\del.bat | qq.exe
  File opened for modification | C:\Windows\SysWOW64\host.vbe | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe

Drops file in Program Files directory (4 IoCs)
  Description | IoC | Process
  File opened for modification | C:\Program Files (x86)\Internet Explorer\iexlore.exe | cmd.exe
  File created | C:\Program Files\Maxthon2\imaxthon.exe | cmd.exe
  File created | C:\Program Files\360\360se3\360s.exe | cmd.exe
  File created | C:\Program Files (x86)\Internet Explorer\iexlore.exe | cmd.exe

Drops file in Windows directory (13 IoCs)
  Description | IoC | Process
  File opened for modification | C:\Windows\StrongIndex.reg | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  File opened for modification | C:\Windows\updateLnk.vbe | hot.exe
  File created | C:\Windows\google.exe | cmd.exe
  File created | C:\Windows\back_XUNLEI.DLL | WScript.exe
  File created | C:\Windows\bhoreg.reg | WScript.exe
  File opened for modification | C:\Windows\google.exe | hot.exe
  File created | C:\Windows\????.lnk | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  File opened for modification | C:\Windows\????.lnk | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  File opened for modification | C:\Windows\XUNLEI.DLL | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  File created | C:\Windows\StrongIndex.reg | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  File opened for modification | C:\Windows\hot.exe | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  File opened for modification | C:\Windows\google.exe | cmd.exe
  File opened for modification | C:\Windows\back_XUNLEI.DLL | WScript.exe

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

Modifies Internet Explorer settings (1 IoCs)
  Description | IoC | Process
  Key created | \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main | smss.exe

Modifies registry class (64 IoCs)
  Description | IoC | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\InprocServer32\ = "C:\\Windows\\XUNLEI.DLL" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\TypeLib | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R)\Command | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\0\win32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\ProgID\ = "XunLeiAdBlocker.XunLeiBlock" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XunLeiAdBlocker.XunLeiBlock\ = "XunLeiAdBlocker.XunLeiBlock" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\ = "????(&H)" | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\0 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\ProgID | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A} | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command\ = "Rundll32.exe" | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\TypeLib | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0" | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\TypeLib | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\Implemented Categories | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ = "Internet Explorer" | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command\ = "Rundll32.exe" | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\HELPDIR\ = "C:\\Windows" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\Programmable | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\ = "????(&H)" | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\TypeLib\ = "{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ = "Internet Explorer" | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A} | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\ = "??(&D)" | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\FLAGS | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\ = "XunLeiAdBlocker.XunLeiBlock" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\ = "??(&D)" | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid32 | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XunLeiAdBlocker.XunLeiBlock | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\Programmable | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\TypeLib\ = "{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid32 | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A} | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0" | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\ = "??(&D)" | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe,0" | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\ = "????(&H)" | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe http://www.dianxin.cn?162" | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\TypeLib\Version = "1.0" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\TypeLib\ = "{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}" | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll" | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe http://www.dianxin.cn?162" | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\DefaultIcon | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32 | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R) | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R)\Command | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ = "XunLeiBlock" | regsvr32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder | regedit.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder\ = "00.00.00.00" | regedit.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\ProgID | regsvr32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\VERSION\ = "1.0" | regsvr32.exe

Runs .reg file with regedit (5 IoCs)
  PID | Process
  3020 | regedit.exe
  2804 | regedit.exe
  2680 | regedit.exe
  2444 | regedit.exe
  1360 | regedit.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID | Process
  1912 | smss.exe (the same entry for all 64 IoCs)

Suspicious behavior: RenamesItself (1 IoCs)
  PID | Process
  2180 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  PID | Process
  1620 | WScript.exe
  1620 | WScript.exe

Suspicious use of SendNotifyMessage (2 IoCs)
  PID | Process
  1620 | WScript.exe
  1620 | WScript.exe

Suspicious use of SetWindowsHookEx (8 IoCs)
  PID | Process
  2180 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  2552 | hot.exe
  1964 | qq.exe
  1964 | qq.exe
  1964 | qq.exe
  1912 | smss.exe
  1912 | smss.exe
  1912 | smss.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Each event below is recorded four times in the report, giving 16 distinct events.
  Description | PID | Process | procid_target | Occurrences
  PID 2180 wrote to memory of 2032 | 2180 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe | 28 | 4
  PID 2180 wrote to memory of 2504 | 2180 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe | 30 | 4
  PID 2180 wrote to memory of 2548 | 2180 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe | 31 | 4
  PID 2180 wrote to memory of 2552 | 2180 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe | 34 | 4
  PID 2032 wrote to memory of 3020 | 2032 | cmd.exe | 35 | 4
  PID 2504 wrote to memory of 2804 | 2504 | cmd.exe | 36 | 4
  PID 2548 wrote to memory of 2680 | 2548 | cmd.exe | 37 | 4
  PID 2552 wrote to memory of 2752 | 2552 | hot.exe | 38 | 4
  PID 2552 wrote to memory of 2424 | 2552 | hot.exe | 39 | 4
  PID 2552 wrote to memory of 2564 | 2552 | hot.exe | 41 | 4
  PID 2180 wrote to memory of 2472 | 2180 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe | 44 | 4
  PID 2552 wrote to memory of 2992 | 2552 | hot.exe | 46 | 4
  PID 2552 wrote to memory of 1660 | 2552 | hot.exe | 48 | 4
  PID 2472 wrote to memory of 2444 | 2472 | cmd.exe | 47 | 4
  PID 2180 wrote to memory of 1964 | 2180 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe | 50 | 4
  PID 1964 wrote to memory of 2780 | 1964 | qq.exe | 51 | 4
Processes
  Process tree (indentation shows parent/child depth; the signatures triggered by each process are listed beneath it).

  C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe"
    PID: 2180
    - Drops startup file
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: RenamesItself
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c regedit.exe /s C:\Windows\StrongIndex.reg
        PID: 2032
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\regedit.exe
            Command line: regedit.exe /s C:\Windows\StrongIndex.reg
            PID: 3020
            - Modifies registry class
            - Runs .reg file with regedit

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c regedit.exe /s C:\Windows\StrongIndex.reg
        PID: 2504
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\regedit.exe
            Command line: regedit.exe /s C:\Windows\StrongIndex.reg
            PID: 2804
            - Modifies registry class
            - Runs .reg file with regedit

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c regedit.exe /s C:\Windows\StrongIndex.reg
        PID: 2548
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\regedit.exe
            Command line: regedit.exe /s C:\Windows\StrongIndex.reg
            PID: 2680
            - Modifies registry class
            - Runs .reg file with regedit

      C:\Windows\hot.exe
        Command line: C:\Windows\hot.exe
        PID: 2552
        - Drops startup file
        - Executes dropped EXE
        - Drops file in Windows directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files (x86)\Internet Explorer\iexlore.exe"
            PID: 2752
            - Drops file in Program Files directory

          C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\Maxthon2\imaxthon.exe"
            PID: 2424
            - Drops file in Program Files directory

          C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\360\360se3\360s.exe"
            PID: 2564
            - Drops file in Program Files directory

          C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\updateLnk.vbe" 0
            PID: 2992
            - Loads dropped DLL

          C:\Windows\SysWOW64\cmd.exe
            Command line: cmd.exe /c copy "C:\Windows\hot.exe " "C:\Windows\google.exe"
            PID: 1660
            - Drops file in Windows directory

      C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c regedit.exe /s C:\Windows\system32\reg.reg
        PID: 2472
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\regedit.exe
            Command line: regedit.exe /s C:\Windows\system32\reg.reg
            PID: 2444
            - Installs/modifies Browser Helper Object
            - Runs .reg file with regedit

      C:\Windows\SysWOW64\qq.exe
        Command line: C:\Windows\system32\qq.exe
        PID: 1964
        - Executes dropped EXE
        - Drops file in System32 directory
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

          C:\Windows\SysWOW64\cmd.exe
            Command line: cmd /c C:\Windows\SysWOW64\del.bat
            PID: 2780

              \??\c:\windows\s\smss.exe
                Command line: "c:\windows\s\smss.exe"
                PID: 1912
                - Executes dropped EXE
                - Modifies Internet Explorer settings
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx

                  C:\Windows\SysWOW64\reg.exe
                    Command line: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "smss" /d "c:\windows\s\smss.exe" /f
                    PID: 112
                    - Adds Run key to start application

      C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnk.vbe" 0
        PID: 1620
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

      C:\Windows\SysWOW64\regsvr32.exe
        Command line: regsvr32.exe /s "C:\Windows\XUNLEI.DLL"
        PID: 2200
        - Modifies registry class

      C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe" 0
        PID: 1576
        - Drops file in Windows directory

          C:\Windows\SysWOW64\regsvr32.exe
            Command line: "C:\Windows\System32\regsvr32.exe" /s C:\Windows\XUNLEI.DLL
            PID: 1480
            - Modifies registry class

          C:\Windows\SysWOW64\regedit.exe
            Command line: "C:\Windows\System32\regedit.exe" /s C:\Windows\bhoreg.reg
            PID: 1360
            - Installs/modifies Browser Helper Object
            - Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\tj[1].js
  Filesize: 520B
  MD5: 52bc1705043251299cd4b4e71bde9a59
  SHA1: 489d2a67263f969618c2a85caaa488887a9c8747
  SHA256: 465987a7ecbd938a8648bb9aac3871b33db724ba23f35da6e95f6c4c0dd52189
  SHA512: 0bbb43d576ac5b6694107cf37202172407a75e8f88c7ae423704f90b7346eae1de9ed64fdf2d6b15d9db73d140bc4667709d986fd41e5554e330f906cac59969

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OORQXHVT\common[1].js
  Filesize: 1KB
  MD5: 3fe851c08d4a64733c249b3aef00dd3c
  SHA1: dfd9e1bacb53fef86b9dc40244bd6edecdfae636
  SHA256: 2adc9f8d62d1550b4b8aac988f5ef4eb55bcdd48b569fac7251169366a40fb37
  SHA512: 50aa265a3dd0a111061447ca7508be27a01cb1eca9f553c8b5609b2434461322500586261708bf8dbd135f287282a7be64963604f6239104c334f8464be77bec

(no path recorded)
  Filesize: 1KB
  MD5: ac426679bceba77a1d2d9f2755387f37
  SHA1: 9ca63a59a805799bb92dbb1500970408ef918ae5
  SHA256: 090f3cd8b3d1b0232a340b1b32cb1c5d25d16218f047b11c05213e12a3ff51b8
  SHA512: 5fd657aef38640cb4e5525cc7a986f2150e1b3b00dac1b1782b862d1ff5a5e4da26f59e64db1ecd1f41a4c2a26d34e201837de3e81977da93fc25a402832f702

(no path recorded)
  Filesize: 2KB
  MD5: 32ad14609ab972a8063fca62fef35295
  SHA1: 67fa67b824671ffb35418f30863607fc0a5f2a59
  SHA256: f5b7139c4dbf533334ad46e03d7b69d28d5a6505b6ca1866ac9541423da04bca
  SHA512: 7bbc1b6f9ab42d8a64a17721239ca63f2233f4b3173d0b41bfa2fcb900d7de85b6491038ceff4b30dcedbeb7b78ee8586b271d15d9e22557534bd2a0d26d3c3c

(no path recorded)
  Filesize: 1KB
  MD5: 3840df4f59fc8472804d6534ee47c86f
  SHA1: cb5df88f2a661c72edcdf8461e95e5ae7aa529d3
  SHA256: fe35a7171754b3368aea0fb7fa4a57fe17d49a4fc95645286c599fd2223b8166
  SHA512: c0bd0c72c43088a96f289492ba3c8076531d858255579fbe15a447a80e317eb4eaff818c0d5e5e42cfeedf4c6257887ca49c284efda6becb2a5e572eb7132c28

(no path recorded)
  Filesize: 104B
  MD5: 84058ffb298449cd911b8ed3e382352e
  SHA1: 8a7a77f0dae04c4e7fc850bc50a749135feb4c78
  SHA256: f2ddd8a2652810d07d8fd85ec3dedad84a1595bce6f2dec13e01607cc1c3171c
  SHA512: fc6c59c8b56d46a551d613253e5ec0c973c48185efb4fbe82000fb21dbe48f9b8a5750c7ab04f07f8abd83d727e85f3b847e2b3f644bfc22d0865409f5e709cf

(no path recorded)
  Filesize: 185B
  MD5: 06384c898003bd123646056e835eb171
  SHA1: 92906b2a8c0112c29374352644871873de00208a
  SHA256: 1a74f3572ff21f2967f6043b7e77bfd769beba2a226a182904e8d35924e1e304
  SHA512: a2c4a781090b93dcb87e30b34e485fb5109f6398f21a0483cc15f9b0b9cedde73f4f107c8e10f0a629a730a0085f3b36cea61a466d7089fff972b44bda235e59

(no path recorded)
  Filesize: 28KB
  MD5: 7b339e9e67773d0622ef801afbd28b8d
  SHA1: 6c5cd55f56ba8d01d7c68b64540bb9ef9e0fcb12
  SHA256: b2334d85640afb8b617b2e8a04d35474dc2b46376b30429314772eee363f6747
  SHA512: cf3a571c3fff7e6eca3cb5b04ad30faa3a7ed1fb19f8a5792d49a095e43265032d37a863b8a6a778433ffc033ae78274ab09e9096013ec944f162fd0aad298fb

(no path recorded)
  Filesize: 173B
  MD5: 5445be71fa6b294bbbc40f3025197a45
  SHA1: 2b67ceef71dfb405424d91ca21d864a300ef2fec
  SHA256: e9d2aa5fca34c11fd1fd3b1f73607e0b8004e14de835e95252394f4e5a96ed97
  SHA512: 481b8547790491d3a61c42ac1906e519d6ed244cdf92088ad72cd319e8bb56fd0cf73579e9e8d35fd5d53524469b29465c350e0e4c5ba94434d661c9943409ff

(no path recorded)
  Filesize: 56KB
  MD5: e87bd49ad0363b5112570021264e88ce
  SHA1: 6b879a50ab9528f863870d319a0b1d66ec5f1b36
  SHA256: a25164ad33196d13c50a6998440d66baaabc403a02fddf0ebd408ce700e2bb69
  SHA512: 64a74c43f665125b9febe0523429d1e390a835d7a801a9bf8f6011f265c7f740e5cdcefa9292f6287eb6bf54bced51c9484f28c0570740f6e7ce8e7c67c06826

(no path recorded)
  Filesize: 4KB
  MD5: 5bf80e38e5312144f5a3f637bff1adfd
  SHA1: 62de872c490ee580a5d6a8b77276a0b0b7c82438
  SHA256: e7e01513bcab6a0b6c6191138d53fe680ef8790239471cee7a398060259e2174
  SHA512: 5489967a469bfd4033b4cce86343bb5d075f39be496d2e83ac67b5e7e293d577e4c325f4d0230a5aa2e2a5af526584003d12e27e1b302462630db2e867c0a634

(no path recorded)
  Filesize: 84KB
  MD5: 1222247a98269a3f305840c7cccd8d02
  SHA1: 8aba585b8c9d7737b411c5ef008513c6bc3fe222
  SHA256: 5e9f2a7a2bb8e43b5b7ad6c472e9100dc6fc4a982634b96c968ca649fa76589b
  SHA512: ef576a047b23adf876730ccac1f645e89ac0019a3208c74c0cd17a0565958e5af9b6f37328a1eeb481fd2e7d20b86ff480eda2375e9b770d327b661ca01b307a