1Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system -
submitted
11/05/2024, 18:08
Static task
static1
Behavioral task
behavioral1
Sample
35e10c53232112b1193880e5b3ef36bc_JaffaCakes118.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
35e10c53232112b1193880e5b3ef36bc_JaffaCakes118.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
$(LSTR_76).exe
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
$(LSTR_76).exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/Dialer.dll
Resource
win7-20240215-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/Dialer.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
$PLUGINSDIR/INetC.dll
Resource
win7-20240419-en
Behavioral task
behavioral8
Sample
$PLUGINSDIR/INetC.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
$PLUGINSDIR/ShellLink.dll
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
$PLUGINSDIR/ShellLink.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240419-en
Behavioral task
behavioral12
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/UserInfo.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/ad.html
Resource
win7-20240508-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/ad.html
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
$PLUGINSDIR/advsplash.dll
Resource
win7-20240215-en
Behavioral task
behavioral18
Sample
$PLUGINSDIR/advsplash.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
$PLUGINSDIR/nsJSON.dll
Resource
win7-20240508-en
Behavioral task
behavioral22
Sample
$PLUGINSDIR/nsJSON.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral23
Sample
$TEMP/NSISPromotionEx.dll
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
$TEMP/NSISPromotionEx.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral25
Sample
$TEMP/NSISTrigger.dll
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
$TEMP/NSISTrigger.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral27
Sample
CrashDumpCollector.dll
Resource
win7-20240508-en
Behavioral task
behavioral28
Sample
CrashDumpCollector.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral29
Sample
GOMProtect.exe
Resource
win7-20240508-en
Behavioral task
behavioral30
Sample
GOMProtect.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral31
Sample
GomVR.dll
Resource
win7-20240419-en
Behavioral task
behavioral32
Sample
GomVR.dll
Resource
win10v2004-20240426-en
General
-
Target
$PLUGINSDIR/ad.html
-
Size
191B
-
MD5
8464f87975aa647c253e5403534f228f
-
SHA1
0a1d2571a454b76ff43ade320631853650ba448d
-
SHA256
85af9fb1cd755893365f5b0eb6fdb37533084dd8fea0245a12a83a4c1fa69540
-
SHA512
d3a38b949eb81fa35fd7d3b9af65093fc70c53348d7f472bc2bb6a2af3fb9d0a45604965e06c13d365b82838f85d24bfd7bd5ced6832bd3b9572a2adf7845a4d
Malware Config
Signatures
-
description | ioc | Process
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421612815" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000bbe846ee35db8790cf8db882226c6f120756bdd29ce4e96bf2116577d00f474c000000000e800000000200002000000034e495295b274ae93dae5a69d24a412e7767c6cf9af2efa00c838a139038c3ab20000000eb31abbb634723ecadb5e51634348b98dcdf41806106e43db9e8c5997258cd3e40000000f8a1cae5680984e373aea18d769db0b4d8f288a27fb5d515a8958f0c3b5711bb9dc7a18701f826b39e94daa4fe4b887fc7975d90b1df570bcb8b7836e0e8d399 iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c00cef59cea3da01 iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 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 iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{85682351-0FC1-11EF-8C71-D684AC6A5058} = "0" iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2068 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2068 iexplore.exe 2068 iexplore.exe 3008 IEXPLORE.EXE 3008 IEXPLORE.EXE 3008 IEXPLORE.EXE 3008 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description | pid | Process | procid_target
PID 2068 wrote to memory of 3008 2068 iexplore.exe 28
PID 2068 wrote to memory of 3008 2068 iexplore.exe 28
PID 2068 wrote to memory of 3008 2068 iexplore.exe 28
PID 2068 wrote to memory of 3008 2068 iexplore.exe 28
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ad.html 1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2068 CREDAT:275457 /prefetch:2 2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3008
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 8281a7fb5e11b1a2e42fea844108f930
SHA1 8e5ef60bd8a5073e04438c70aa538682885f69a5
SHA256 d7f368d42a44100f0481f6c3df5fd9b7f0594c2b38d60d48f65d768871af4e65
SHA512 779d75e3bc3da6c45a058554784bcca1d66b55a63093821aa53216a42f6471f816c196afd88faad821609dffa130b0a60cc5faeb2181b130c3025b7f29e3c725
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 4160cc812a990caf1b927e68c7f5145f
SHA1 472975c722a4024ae4ee6f7b5e72071d434677b9
SHA256 83b457afaeae906b1ad009a10679e90a0b9361af3c79e40157806b110b056ce0
SHA512 c843d166c8f52e784ad201c2207255b786dfe97f02982e39e6c2e9f1750fb450da836ff16d7b5fd26789f418dc0895d04e1c38d8332292f62fa747505d5d5ba8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 992e29264185f722b390b4f182d21226
SHA1 dd11e2269ae50c6ec5281de7ccd4ede69766d6e8
SHA256 94ec07ac6bb728e2da278da80cd8e54f7e1022cfc55110f06524774446b6c80e
SHA512 e62696c1111703b46b9d87dc418aa27189d0250355dd16c2ab6cef9b0b36ab33f8e88d33991e60cbfe92f58ae3dac7581a7dd921d23b06177d553e55fba8d658
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 c4f55c5015fa9d447f733e6b97b3cc78
SHA1 203ef53131f343e23d182a8ccffe3d58d0158975
SHA256 6e54109a97b1dd94e022776947d04731c596ed50d41b311f71d4c244af9f3004
SHA512 335f7e12f197e48ebf459618a8a78f1c0eec307d118af1567d50e26e1888ca95f9aeb65024a4497eb968134cdae18bba1f34849cfe285e5ffaf5ed690335c8cf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 e9f027094a933b088837c8be8c215a18
SHA1 c6bf04e8ceeea0634e851ef5d736e99e343a67c2
SHA256 0aaf923ab1cbb752f627e10f59e3915ac08ee3b1c296af23f197854845916c96
SHA512 cbc8d79c0da51c3e113df374d794408707f0ffaee8f7c299e0b95bcbe53000c0525bc79328dcd8c26e9b8c850d4b76593daf9574ea92548cd219149213a9ab22
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 0b6258cea97124fe48cf8ba9fe9d753c
SHA1 b0fe197c6b7685923ebca7dd6c2a6a8a0f24d3e3
SHA256 71f66867e7a869f0cc873892a7eb958a7a2c3b4eb5b08f641175fa7e4dadb19f
SHA512 888ab54cb9a447728148cc648861871d2601aa3e81b903fbb5fd452bc9a8e3c75bb1347e443082433a48604292c626f3f2abd1a61884408639b02151f625c70a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 90937612ecc8d300abb62abcc0a2da65
SHA1 a8e07f71af23d9b54376a87b7257d7ab88041b35
SHA256 4e1a048f790d8e1f53564cc0f4e7e75ddd34c19fe8e7a44c3fd1f5fbbc985bcb
SHA512 a219a29aea8b823a2a48dc872dc244e554a5cb1e963ca019eae4245e62145d20dd23e3d0f4e7859384805f9006b4f3f7ec55191ef335f4dff3dead4ef141a224
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 321cf0fcec9c9f22b192095d2803cead
SHA1 a308860ae32d5b1e5a0c3247b9e9a430d8eef48b
SHA256 5c39538dda9f9c25be476e8fda4026c251f18d55bcea7e6569c5235b22a32524
SHA512 1320185cd36c61c95a257a70bae470000ead7bcb44a9d1e7963c9ccb9fec02266b8cb7322901dc7c0827b7d85c7748c0a6052d71bcd68febfd51558805598227
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 b68fe45db02dda82da28e8ba7c3398bd
SHA1 c19ffba617b591d4286fb11a0c973113f454afd9
SHA256 672aa4610e9bb9e7f59e7f42bcf592c6c12ed48654b1329831f3c62e568a4153
SHA512 dc90ff681a9d850c5d6bacca7e8b65ac58a3a9d0cecebdcd366730b7041ed606f60daece2d25d633050e7ead0d3ac31e6f22c9b0f9ffec409a116216488857a8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 344B
MD5 ad39b2fab8bb9ed647da58fc5efcabd4
SHA1 851eb5ccaf3a46ac4a99149c2569bc93f614c0dd
SHA256 110831cdd51e88d206aff4881676feac43939a770ddffa32ceb685799aaef63b
SHA512 3e915687d4c3ef93b0cc710f9ae937022a31c42c9794f7b796033baa6c4dcd6c4d0f90758be3e7e1e32e143ecc7ec9e81667f028f31b5e0427a65f10bb9c4733
-
Filesize
68KB
MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
177KB
MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a