Analysis
max time kernel: 141s
max time network: 75s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-04-2024 06:38
Static task: static1
Behavioral task: behavioral1
  Sample: 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
Size: 264KB
MD5: 070a6e2ee81e6a9d3aa7f6e64b7c0915
SHA1: 6e04b2c65729f1e50edfbc8fa7fefcf445bfe233
SHA256: 9f0939584e0fa2a5764d39eed63b42e6dd744bfd237c7e10fa3b5e9c93c2dd15
SHA512: 018714d13246032d4d9741e1da5e8a6f2ec8ed09d63f10029c3c2cf0215e13c0592298195fc4657696a7f17abdbf4e8e8baf27e33f1b4271884641fb6d68704e
SSDEEP: 6144:K11jsU5B0b7GmO7MOpi5RZwRNhtpp9ONDnGPzGNi6:e1XB0b7GmO7MOpi5RZwRNhtpp9ONDnGN
Malware Config
Signatures
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | hot.exe
Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation | WScript.exe
Drops startup file (5 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\open.vbe | hot.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\open.vbe | hot.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\host.vbe | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnk.vbe | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
Executes dropped EXE (3 IoCs)
pid | Process
4432 | hot.exe
2512 | qq.exe
4580 | smss.exe
Loads dropped DLL (2 IoCs)
pid | Process
4704 | regsvr32.exe
3780 | regsvr32.exe
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\smss = "c:\\windows\\s\\smss.exe" | reg.exe
Installs/modifies Browser Helper Object (2 TTPs, 3 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{571392DB-3536-4ED1-98E4-5CF495999659}\ = "??????" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{571392DB-3536-4ED1-98E4-5CF495999659} | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{571392DB-3536-4ED1-98E4-5CF495999659} | regedit.exe
Drops file in System32 directory (8 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\lnk.vbe | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\dll.vbe | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\tao.ico | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\movie.ico | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\reg.reg | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\qq.exe | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\del.bat | qq.exe
File opened for modification | C:\Windows\SysWOW64\host.vbe | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File created | C:\Program Files\Maxthon2\imaxthon.exe | cmd.exe
File created | C:\Program Files\Internet Explorer\iexlore.exe | cmd.exe
File opened for modification | C:\Program Files\Internet Explorer\iexlore.exe | cmd.exe
File created | C:\Program Files\360\360se3\360s.exe | cmd.exe
Drops file in Windows directory (13 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\hot.exe | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
File opened for modification | C:\Windows\????.lnk | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
File created | C:\Windows\????.lnk | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
File created | C:\Windows\google.exe | cmd.exe
File opened for modification | C:\Windows\google.exe | cmd.exe
File created | C:\Windows\bhoreg.reg | WScript.exe
File opened for modification | C:\Windows\StrongIndex.reg | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
File opened for modification | C:\Windows\XUNLEI.DLL | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
File created | C:\Windows\back_XUNLEI.DLL | WScript.exe
File opened for modification | C:\Windows\back_XUNLEI.DLL | WScript.exe
File created | C:\Windows\StrongIndex.reg | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
File opened for modification | C:\Windows\updateLnk.vbe | hot.exe
File opened for modification | C:\Windows\google.exe | hot.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32 | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Key created | \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000_Classes\Local Settings | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XunLeiAdBlocker.XunLeiBlock\ = "XunLeiAdBlocker.XunLeiBlock" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\XunLeiAdBlocker.XunLeiBlock\Clsid\ = "{571392DB-3536-4ED1-98E4-5CF495999659}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ = "Internet Explorer" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\TypeLib\Version = "1.0" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\Programmable | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ProxyStubClsid | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\ = "??(&D)" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\ = "XunLeiAdBlocker" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\TypeLib | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\ProgID | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\XunLeiAdBlocker.XunLeiBlock | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\VERSION\ = "1.0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ = "_XunLeiBlock" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\InprocServer32\ = "C:\\Windows\\XUNLEI.DLL" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\Implemented Categories | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe http://www.dianxin.cn?162" | regedit.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder\Attributes = 00000000 | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\ = "????(&H)" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0 | regsvr32.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\XunLeiAdBlocker.XunLeiBlock | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe,0" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\FLAGS\ = "0" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\TypeLib\ = "{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R)\Command | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\0\win32\ = "C:\\Windows\\XUNLEI.DLL" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659} | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\ShellFolder\ = "00.00.00.00" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\ = "??(&D)" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\ = "????(&H)" | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\InprocServer32 | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\DefaultIcon | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32 | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\Q\Command | regedit.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}\1.0\HELPDIR\ = "C:\\Windows" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\TypeLib\ = "{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe,0" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\??(&R)\Command\ = "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl,,0" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\ = "????(&H)" | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\ = "_XunLeiBlock" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\VERSION | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\Programmable | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\ = "XunLeiAdBlocker.XunLeiBlock" | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\VERSION | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | regsvr32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309A}\Shell\OpenHomePage\Command | regedit.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{014AA08F-E338-4F7A-8849-4AD3FF88BA3A}\TypeLib\ = "{B960BA11-2B6D-462F-B149-2CFAE1BBFF55}" | regsvr32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{571392DB-3536-4ED1-98E4-5CF495999659}\InprocServer32\ThreadingModel = "Apartment" | regsvr32.exe
Runs .reg file with regedit (5 IoCs)
pid | Process
1960 | regedit.exe
2644 | regedit.exe
1988 | regedit.exe
2616 | regedit.exe
3292 | regedit.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4580 | smss.exe (the same entry is listed 64 times)
Suspicious behavior: RenamesItself (1 IoC)
pid | Process
864 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
2868 | WScript.exe
2868 | WScript.exe
Suspicious use of SendNotifyMessage (2 IoCs)
pid | Process
2868 | WScript.exe
2868 | WScript.exe
Suspicious use of SetWindowsHookEx (8 IoCs)
pid | Process
864 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
4432 | hot.exe
2512 | qq.exe
2512 | qq.exe
2512 | qq.exe
4580 | smss.exe
4580 | smss.exe
4580 | smss.exe
Suspicious use of WriteProcessMemory (64 IoCs; each row below except the last appears three times in the report)
description | pid | Process | procid_target
PID 864 wrote to memory of 908 | 864 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe | 83
PID 864 wrote to memory of 440 | 864 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe | 85
PID 864 wrote to memory of 4832 | 864 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe | 86
PID 908 wrote to memory of 1988 | 908 | cmd.exe | 88
PID 440 wrote to memory of 2616 | 440 | cmd.exe | 90
PID 4832 wrote to memory of 3292 | 4832 | cmd.exe | 91
PID 864 wrote to memory of 4432 | 864 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe | 92
PID 4432 wrote to memory of 2316 | 4432 | hot.exe | 94
PID 4432 wrote to memory of 4624 | 4432 | hot.exe | 95
PID 4432 wrote to memory of 664 | 4432 | hot.exe | 96
PID 864 wrote to memory of 3016 | 864 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe | 100
PID 4432 wrote to memory of 4112 | 4432 | hot.exe | 102
PID 4432 wrote to memory of 3220 | 4432 | hot.exe | 103
PID 3016 wrote to memory of 1960 | 3016 | cmd.exe | 105
PID 864 wrote to memory of 2512 | 864 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe | 106
PID 2512 wrote to memory of 4424 | 2512 | qq.exe | 108
PID 4424 wrote to memory of 4580 | 4424 | cmd.exe | 110
PID 4580 wrote to memory of 1036 | 4580 | smss.exe | 111
PID 864 wrote to memory of 2868 | 864 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe | 113
PID 864 wrote to memory of 4704 | 864 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe | 114
PID 864 wrote to memory of 372 | 864 | 070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe | 115
PID 372 wrote to memory of 3780 | 372 | WScript.exe | 116
Processes
Depth 1: C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\070a6e2ee81e6a9d3aa7f6e64b7c0915_JaffaCakes118.exe"
  PID: 864
  - Checks computer location settings
  - Drops startup file
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: RenamesItself
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c regedit.exe /s C:\Windows\StrongIndex.reg
    PID: 908
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s C:\Windows\StrongIndex.reg
      PID: 1988
      - Modifies registry class
      - Runs .reg file with regedit
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c regedit.exe /s C:\Windows\StrongIndex.reg
    PID: 440
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s C:\Windows\StrongIndex.reg
      PID: 2616
      - Modifies registry class
      - Runs .reg file with regedit
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c regedit.exe /s C:\Windows\StrongIndex.reg
    PID: 4832
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s C:\Windows\StrongIndex.reg
      PID: 3292
      - Modifies registry class
      - Runs .reg file with regedit
  Depth 2: C:\Windows\hot.exe
    Command line: C:\Windows\hot.exe
    PID: 4432
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\Internet Explorer\iexlore.exe"
      PID: 2316
      - Drops file in Program Files directory
    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\Maxthon2\imaxthon.exe"
      PID: 4624
      - Drops file in Program Files directory
    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c copy "C:\Windows\hot.exe " "C:\Program Files\360\360se3\360s.exe"
      PID: 664
      - Drops file in Program Files directory
    Depth 3: C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Windows\updateLnk.vbe" 0
      PID: 4112
    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd.exe /c copy "C:\Windows\hot.exe " "C:\Windows\google.exe"
      PID: 3220
      - Drops file in Windows directory
  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c regedit.exe /s C:\Windows\system32\reg.reg
    PID: 3016
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\regedit.exe
      Command line: regedit.exe /s C:\Windows\system32\reg.reg
      PID: 1960
      - Installs/modifies Browser Helper Object
      - Runs .reg file with regedit
  Depth 2: C:\Windows\SysWOW64\qq.exe
    Command line: C:\Windows\system32\qq.exe
    PID: 2512
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Windows\SysWOW64\del.bat
      PID: 4424
      - Suspicious use of WriteProcessMemory
      Depth 4: \??\c:\windows\s\smss.exe
        Command line: "c:\windows\s\smss.exe"
        PID: 4580
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        Depth 5: C:\Windows\SysWOW64\reg.exe
          Command line: reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "smss" /d "c:\windows\s\smss.exe" /f
          PID: 1036
          - Adds Run key to start application
  Depth 2: C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lnk.vbe" 0
    PID: 2868
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  Depth 2: C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32.exe /s "C:\Windows\XUNLEI.DLL"
    PID: 4704
    - Loads dropped DLL
    - Modifies registry class
  Depth 2: C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dll.vbe" 0
    PID: 372
    - Checks computer location settings
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    Depth 3: C:\Windows\SysWOW64\regsvr32.exe
      Command line: "C:\Windows\System32\regsvr32.exe" /s C:\Windows\XUNLEI.DLL
      PID: 3780
      - Loads dropped DLL
      - Modifies registry class
    Depth 3: C:\Windows\SysWOW64\regedit.exe
      Command line: "C:\Windows\System32\regedit.exe" /s C:\Windows\bhoreg.reg
      PID: 2644
      - Installs/modifies Browser Helper Object
      - Runs .reg file with regedit
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: ac426679bceba77a1d2d9f2755387f37
SHA1: 9ca63a59a805799bb92dbb1500970408ef918ae5
SHA256: 090f3cd8b3d1b0232a340b1b32cb1c5d25d16218f047b11c05213e12a3ff51b8
SHA512: 5fd657aef38640cb4e5525cc7a986f2150e1b3b00dac1b1782b862d1ff5a5e4da26f59e64db1ecd1f41a4c2a26d34e201837de3e81977da93fc25a402832f702

Filesize: 2KB
MD5: 32ad14609ab972a8063fca62fef35295
SHA1: 67fa67b824671ffb35418f30863607fc0a5f2a59
SHA256: f5b7139c4dbf533334ad46e03d7b69d28d5a6505b6ca1866ac9541423da04bca
SHA512: 7bbc1b6f9ab42d8a64a17721239ca63f2233f4b3173d0b41bfa2fcb900d7de85b6491038ceff4b30dcedbeb7b78ee8586b271d15d9e22557534bd2a0d26d3c3c

Filesize: 1KB
MD5: 3840df4f59fc8472804d6534ee47c86f
SHA1: cb5df88f2a661c72edcdf8461e95e5ae7aa529d3
SHA256: fe35a7171754b3368aea0fb7fa4a57fe17d49a4fc95645286c599fd2223b8166
SHA512: c0bd0c72c43088a96f289492ba3c8076531d858255579fbe15a447a80e317eb4eaff818c0d5e5e42cfeedf4c6257887ca49c284efda6becb2a5e572eb7132c28

Filesize: 104B
MD5: 84058ffb298449cd911b8ed3e382352e
SHA1: 8a7a77f0dae04c4e7fc850bc50a749135feb4c78
SHA256: f2ddd8a2652810d07d8fd85ec3dedad84a1595bce6f2dec13e01607cc1c3171c
SHA512: fc6c59c8b56d46a551d613253e5ec0c973c48185efb4fbe82000fb21dbe48f9b8a5750c7ab04f07f8abd83d727e85f3b847e2b3f644bfc22d0865409f5e709cf

Filesize: 84KB
MD5: 1222247a98269a3f305840c7cccd8d02
SHA1: 8aba585b8c9d7737b411c5ef008513c6bc3fe222
SHA256: 5e9f2a7a2bb8e43b5b7ad6c472e9100dc6fc4a982634b96c968ca649fa76589b
SHA512: ef576a047b23adf876730ccac1f645e89ac0019a3208c74c0cd17a0565958e5af9b6f37328a1eeb481fd2e7d20b86ff480eda2375e9b770d327b661ca01b307a

Filesize: 185B
MD5: 06384c898003bd123646056e835eb171
SHA1: 92906b2a8c0112c29374352644871873de00208a
SHA256: 1a74f3572ff21f2967f6043b7e77bfd769beba2a226a182904e8d35924e1e304
SHA512: a2c4a781090b93dcb87e30b34e485fb5109f6398f21a0483cc15f9b0b9cedde73f4f107c8e10f0a629a730a0085f3b36cea61a466d7089fff972b44bda235e59

Filesize: 28KB
MD5: 7b339e9e67773d0622ef801afbd28b8d
SHA1: 6c5cd55f56ba8d01d7c68b64540bb9ef9e0fcb12
SHA256: b2334d85640afb8b617b2e8a04d35474dc2b46376b30429314772eee363f6747
SHA512: cf3a571c3fff7e6eca3cb5b04ad30faa3a7ed1fb19f8a5792d49a095e43265032d37a863b8a6a778433ffc033ae78274ab09e9096013ec944f162fd0aad298fb

Filesize: 173B
MD5: 5445be71fa6b294bbbc40f3025197a45
SHA1: 2b67ceef71dfb405424d91ca21d864a300ef2fec
SHA256: e9d2aa5fca34c11fd1fd3b1f73607e0b8004e14de835e95252394f4e5a96ed97
SHA512: 481b8547790491d3a61c42ac1906e519d6ed244cdf92088ad72cd319e8bb56fd0cf73579e9e8d35fd5d53524469b29465c350e0e4c5ba94434d661c9943409ff

Filesize: 56KB
MD5: e87bd49ad0363b5112570021264e88ce
SHA1: 6b879a50ab9528f863870d319a0b1d66ec5f1b36
SHA256: a25164ad33196d13c50a6998440d66baaabc403a02fddf0ebd408ce700e2bb69
SHA512: 64a74c43f665125b9febe0523429d1e390a835d7a801a9bf8f6011f265c7f740e5cdcefa9292f6287eb6bf54bced51c9484f28c0570740f6e7ce8e7c67c06826

Filesize: 4KB
MD5: e8636c3313b44fd3012050a201114200
SHA1: 8511dd23b85cf9b356235771cbd4302f449f4a08
SHA256: 87851c5b11f3cd1f894c4a47b9a787cfb2b18c8934d86047a5901c81a4215e34
SHA512: 54d156a85068e5e621147b100ec45f579e74ddd5d7e5f39a71b687a255a953563a2eda33a3b5c77bc8f428e62b3a68e3581b0bb68a1658dcac456c3e66863f3a