674049156118fb5825b23bbec90bbf45206bff87500c2e737ce3e39c2aafa821

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe
Size

15KB
MD5

01565253bcdef0f3fcaf57e128ceed1b
SHA1

08acd74c35b7e9fd0031a414275af3d90fd029e8
SHA256

674049156118fb5825b23bbec90bbf45206bff87500c2e737ce3e39c2aafa821
SHA512

b648b0cef885c08a6d7393ca312bffd81ef0a24fbc9f1e8dc1136c6b95ea89d70b5db1eee25bf832de2af0920ea6b87883f4c768298a637d6d37dc2512e7d13d
SSDEEP

384:/TxnIAW4urbiml2WAGVF3Y4Eux0Dzh8WaWw3tKGdb:/V7YXDl5P3MNb89R

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "2"	reg.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2204-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2204-20-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/2204-502-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Program Files\\Internet Explorer\\svchost.exe"	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\svchost.exe	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\svchost.exe	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\ftp.bat	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe
File created	C:\windows\ftp.txt	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006b9a83f764ab844b8cb7df2087a7d52f00000000020000000000106600000001000020000000ee1a6d808b62aa912ac0d4988d6d94e4b320f0a47a876cb6bee153828e7116ee000000000e8000000002000020000000583c2c9be125f5d8dee98a2b181a91faac6bc5ea851847c612e2d06a94ff7f9690000000724ab7a6376d62837a24236a4b55d7b20816bfd84994e92016b47ca227a3262b142a280d282ca8590872f4bedd1d34b79cccbc0376670dbd93c993e7368bacc3ef573b01cf7c90e3a98c87b7cc98f580e31b68e0ae6fd9bc725cea32a410e843982ba94a41463557c18927377c8fb9c2b04fbfb437e85d9460fa8c5155766c57bae9732b864a9d0139190723b56cc658400000002a8e2671dc330e7768da9b2382daaccb21fe59f72b415cd9c1fc9b5db6e20be5c848dac9eafa1a6f9da6f25680016cc7d9f8372750f01ff154a7dd0399885900	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425003806"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D34390F1-2E98-11EF-825B-FA5112F1BCBF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000006b9a83f764ab844b8cb7df2087a7d52f00000000020000000000106600000001000020000000e48b250bf97e9ccd2949f32221e54e1a887ee324642dc32df3c4b2d888cbd980000000000e80000000020000200000001ba6ca8718beb9251d351bda22f7a1a2723cc60be33fba70b5552302f9b949f320000000165afef14c8ef91b1632dc4051d19a14aac9cb32cc44d7424d710c2138e377f34000000015ca42f08c8500bc468a10d98c56109e7375ad7fa1e6cb1701ddfc0949f3c69ebedd98a552b1d2ad6e02d2bdb176e394ac124d600baead57c94616827fc43350	iexplore.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2208	reg.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2528	iexplore.exe
2696	iexplore.exe
2564	iexplore.exe
2528	iexplore.exe
2528	iexplore.exe
2528	iexplore.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe
2528	iexplore.exe
2528	iexplore.exe
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2696	iexplore.exe
2696	iexplore.exe
2564	iexplore.exe
2564	iexplore.exe
2904	IEXPLORE.EXE
2904	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE
2528	iexplore.exe
2528	iexplore.exe
2528	iexplore.exe
2528	iexplore.exe
2028	IEXPLORE.EXE
2028	IEXPLORE.EXE
1212	IEXPLORE.EXE
1212	IEXPLORE.EXE
1212	IEXPLORE.EXE
1212	IEXPLORE.EXE
2528	iexplore.exe
2528	iexplore.exe
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE
2712	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 2208	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	28
PID 2204 wrote to memory of 2208	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	28
PID 2204 wrote to memory of 2208	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	28
PID 2204 wrote to memory of 2208	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	28
PID 2204 wrote to memory of 2528	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2528	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2528	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	30
PID 2204 wrote to memory of 2528	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	30
PID 2528 wrote to memory of 2712	2528	iexplore.exe	32
PID 2528 wrote to memory of 2712	2528	iexplore.exe	32
PID 2528 wrote to memory of 2712	2528	iexplore.exe	32
PID 2528 wrote to memory of 2712	2528	iexplore.exe	32
PID 2204 wrote to memory of 2696	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	33
PID 2204 wrote to memory of 2696	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	33
PID 2204 wrote to memory of 2696	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	33
PID 2204 wrote to memory of 2696	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	33
PID 2204 wrote to memory of 2536	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	34
PID 2204 wrote to memory of 2536	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	34
PID 2204 wrote to memory of 2536	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	34
PID 2204 wrote to memory of 2536	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	34
PID 2204 wrote to memory of 2564	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	35
PID 2204 wrote to memory of 2564	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	35
PID 2204 wrote to memory of 2564	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	35
PID 2204 wrote to memory of 2564	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	35
PID 2536 wrote to memory of 2432	2536	cmd.exe	37
PID 2536 wrote to memory of 2432	2536	cmd.exe	37
PID 2536 wrote to memory of 2432	2536	cmd.exe	37
PID 2536 wrote to memory of 2432	2536	cmd.exe	37
PID 2696 wrote to memory of 2904	2696	iexplore.exe	38
PID 2696 wrote to memory of 2904	2696	iexplore.exe	38
PID 2696 wrote to memory of 2904	2696	iexplore.exe	38
PID 2696 wrote to memory of 2904	2696	iexplore.exe	38
PID 2564 wrote to memory of 2952	2564	iexplore.exe	39
PID 2564 wrote to memory of 2952	2564	iexplore.exe	39
PID 2564 wrote to memory of 2952	2564	iexplore.exe	39
PID 2564 wrote to memory of 2952	2564	iexplore.exe	39
PID 2204 wrote to memory of 2460	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	41
PID 2204 wrote to memory of 2460	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	41
PID 2204 wrote to memory of 2460	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	41
PID 2204 wrote to memory of 2460	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	41
PID 2204 wrote to memory of 1132	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	42
PID 2204 wrote to memory of 1132	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	42
PID 2204 wrote to memory of 1132	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	42
PID 2204 wrote to memory of 1132	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	42
PID 2528 wrote to memory of 2028	2528	iexplore.exe	43
PID 2528 wrote to memory of 2028	2528	iexplore.exe	43
PID 2528 wrote to memory of 2028	2528	iexplore.exe	43
PID 2528 wrote to memory of 2028	2528	iexplore.exe	43
PID 2528 wrote to memory of 1212	2528	iexplore.exe	44
PID 2528 wrote to memory of 1212	2528	iexplore.exe	44
PID 2528 wrote to memory of 1212	2528	iexplore.exe	44
PID 2528 wrote to memory of 1212	2528	iexplore.exe	44
PID 2204 wrote to memory of 2036	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	50
PID 2204 wrote to memory of 2036	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	50
PID 2204 wrote to memory of 2036	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	50
PID 2204 wrote to memory of 2036	2204	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	50

C:\Users\Admin\AppData\Local\Temp\01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system /v disableregistrytools /t REG_DWORD /d 2 /f
  2⤵
  - Disables RegEdit via registry modification
  - Modifies registry key
  PID:2208
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" Http://
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2528 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2712
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2528 CREDAT:209930 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2028
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2528 CREDAT:537608 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1212
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.xiuzhe.com/free.html
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2696 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2904
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\windows\ftp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\windows\SysWOW64\ftp.exe
    C:\windows\system32\ftp.exe -s:"c:\windows\ftp.txt"
    3⤵
    PID:2432
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.okxiaoshuo.com
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2952
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  PID:2460
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.okxiaoshuo.com
  2⤵
  PID:1132
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.okxiaoshuo.com
  2⤵
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc4a94ca0e4b48b4cc11bc7ad642c6e8

SHA1
1cb1ab3120860276f1101b87bd55dde402d23a8a

SHA256
e5da30a5b6d73ffba43322d23d20586267753e4e037b0f0229ccc0917991c7d1

SHA512
59225cb3785a8ed2f13494154c14e516d2ee04abc6e5b115f2ed24a911dd7e29e1d03ee3ca52285c41b426551e29c226aef9a6c613e2042204cb609958a2613e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1179b7274e8b5bab4cd411658a2f728

SHA1
556f7652ce7b3d9928e2e8fc5da0ee8b50daed4c

SHA256
f1007f1d2ab95726570f30da3e0ae0f2682d0fe999ce84d3b2300ceefba1075b

SHA512
17d174ca79c2292745f84020fd7477806d9f25f2be7acb0ec30df243df6bed9faf3ff04ed5aefd094ec16bfe6892c87b910bf02b84e09dea8a225992cfac3d29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
001ffc08c1311f3589fdf12774007317

SHA1
9fe1fb5db832eff12561ab37efcb0a54dcfbdfbc

SHA256
a5f46efba257a75edd9035c059f6eba642b214404b7dac85bd18b0c401138e9d

SHA512
8577b4754fef252de249c1b8ed1495fb4dfa49da31e44f6e4c51516fa9e2f87d766f6a65cdd4e8ca0a1fe27f0ba1959ebdfa68f96cfe59978f05b61b8099209c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9ebfd83137d480fa1181397e48aebeb

SHA1
b647797e5d4260b69342ba86726fb08ce1ae0a58

SHA256
69582e4b619f347e596e75e4f95faf43bee7070307d63441e79cf97348fc5188

SHA512
a3a08de8da4e739c279d64449cfee6fc3a385987124f4d8ed4ddb7205669988bf4d854211df9c8b3fd8b9e48535ac6dc2fd9fde2347fd6d622a282b5f4539548

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76ffb9488d8736398e1edcbb82a0eba5

SHA1
d7f1403a836918ff99ea92b2705efe61b9b2357e

SHA256
3a0b18ab474bdbc82611de82d29fc61d09c8b77600ebdc65650f87bd1a289ffe

SHA512
0478379b11e1f2d137a119183a25b2c1cf126a1680fa39b906906b3f24d48d0e7e8d1a3690d3ba088d157733fe56e939df2b7d03540856f9a758579f86bc9555

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3d3ebc29731326cb24a11d4cecc43e6

SHA1
b791e63de8a8c58a5a9bd831175ca963c9efb361

SHA256
3d8b4690d60b1717bd04fb7fe190da6073fc8e53fbf2ab079b94a82a4cc87f3f

SHA512
594d17315dfd3153a6f1b1daa15749a8aabb228a423e2ce6047949084bed0d25a537b67adf251af5115dcadf0c91cb8f171faec9f40be24d9ae791d098360525

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4782894e9a3b18ceab5fc602f878a12

SHA1
80fb0bf329603f5b38ed069cc31499f06fad9c48

SHA256
132a02c0436909ea313b2d40414dee2533ed95fdac538a1f4620d517781aff32

SHA512
a15573768a82229d25df78b870080a4cc1ce916c1fe258e73d1a35b7c4d995e3c3f425078e8a3a152e976bf697323c7648a3b84aa91e9854c74a53601b785eaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e83f67cfdc2f2ee2673f980108d88a2

SHA1
3f81584fb1db38651093f95fd76997626cdebd35

SHA256
2957745a164862aa8626c10933dd4e3ebd2d02fe8550c5ed158fa657ebf9b074

SHA512
4abbf113c2767ace056df33bf0a8c4e4a2ca43d08270191385eac3a76ae13f1e67d3351526205496b0f845c388aacdf1697eb1e18861985bfa1e4b95547ccb37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
925c5fde6983c7e6b67b3b846bc078b5

SHA1
50c2d8a110118e56e0701c88aee7a8081d7f23cc

SHA256
e9d8108a9c58495ba035f8efb2b79ba6eebcfc16e61cdb697ef7f78279d74509

SHA512
b9cabbcbb2641e0fb3d981075b49b9bb4813aa7eb8bf56d304ce5469fd8025416c9bb18a0eca9d4e92507e44ed796c393bd4acdfb978969086775d0ae3f7a82d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97c134ce2e80c7a67a545aa1697ce950

SHA1
d5eff88d19603a813445a4ffdac629088fb32aca

SHA256
b71818ccc66731fb474f17991601e7971743acedc84996407abf38a95e3d5360

SHA512
45e42404cb5ce6515d647e8bd2e5d7511be746f6153f80b86850f66f3cd774f0d876ee3327fccbdec588ab293157d1314b29d610b3ba0b94c4bac47ec8fe4ccf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c043b62669b429fb839740a0d86f470

SHA1
448bc5c0b4597967e44b8d3db555b3159aa6c994

SHA256
24c0def6089d515ebbb13b8cfc5a51315d134b8e14c41e8ebad287d4d3b5f1b8

SHA512
6a37e17886bc869d0310b8cd7434812225cf7ca7fbb12aeb3840e463bfc233da858b7eb2b13ff5467cbfe52cb6aa6ed0e07094fae8cfc820452c28df54850d20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4688a02c21f34be4186f3474b4726a99

SHA1
d19e793a3de5ddbebf8ce3467458d1d192e4460a

SHA256
2d3dd28f740cc18e8f8568ec97eaee749bf1d3c1c113f0ac5392f52e8786365b

SHA512
6101d8006ae0dd5394480adb630f3d38f70155164cbc34b75432385258e354eec492efb806c53bcb6ae81cf281efa8051e496a343a8df4594386207c72f9c951

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ddf7f285df285fe10f1f4d9d5925d59

SHA1
d0a92073d9a4087b6b874a3b81e58ba282c45535

SHA256
7668a815ec10540151dba23bf9858bbd082673609f8ed6bdd7dd16c4d97d14d4

SHA512
71acb1b19e89e4259d5178a6da0a3e643359c7c18aacd9a2299bfb1ef59f09e878f89481ac89f5e1e53f7df004d950279d76a4a76b6d774c3390f6116880812c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9293926da9b2271940383eaa5f6e698c

SHA1
97c8bda353f90308a960a879f61c8e333ae70cdb

SHA256
468e1f90ccea730f0494852cdfc88fa8b0a68d2c78f0662d752e30df4c100da6

SHA512
7c79a7a8539d06265197787a5cdcac3278e33a51f682f1de323e97f45d359ac9b3213955d09ced760b1e4b31046ce9d9d364dc5abc3e2cbfe4c936118136ec25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea9614c1c302777f7e036673f67ab359

SHA1
f16e0d8da9852e7e31f2a32eb16c9aaf9e1790a8

SHA256
4a79976d6367fe5539390f94a6459075b22ea569fe062feffb77ed09ff3beea7

SHA512
eaf17926b670e0b7119dc24ea5d8bcef4773250a08938e5e57bdfba2396ded734aae8013b71ca39983958634a46fde7c8561f511559d9b7705790755d3ec57a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a3a60142adeddf0f07950cf0c776802

SHA1
8814379bc4350c6fe25be36e0de645ffe65429c5

SHA256
90b3e6bed2528004aa1471d29ec78bd8487e63f481c79743e746012eeefa2ac6

SHA512
8c52740ed12b672c1ea040f69189555d061f5c198825456f0da3203236c9942f52ceb6d6fd3060b29a6bd42074985db6107eaf32e084d014aa1dff433b2e8aa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b60eebd064f161670ae4058139c8d540

SHA1
a0251e423a65c1c15e3a1339a84a59e1bffb0158

SHA256
a8663ee9c8bf1b7e77660fa2061078557f28d8e0cfd659368a4803377abd5c93

SHA512
70776d495542ed6233c6eb251683f74da7f39aa3e5c63f91c4b7bbc22b17435c0384392b4412b41685e6d45dfcbb67b0cdf185856c95ae5e1bf8276cf1af39b4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
181b5c9adb546898ab655fd5b17abaab

SHA1
648d64315932150eb13f3b4b8684435f8ada2763

SHA256
6ee99491bee3b8b40c74a572c5d530396d4589084261a710681c61631414904b

SHA512
6a01849b05bf9f228fa3eca8a2932a795483e71305a435c0d5443419a17116839c765e1930c80c23ec84476d7413a83d86037e7ab1b5497bc35ebcea39b5f346

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92b7ed564847b82c56963b6c62009d8b

SHA1
189bd1924527af45eb249534d8e70ae56d21dcbf

SHA256
c77d1eb59210ceaaf56f5ee3abc3e18f515986938a121e0df81ec2fdb49d0a21

SHA512
842baad2adfc5c5dc37086c46861f0d74b768527b56f6e0006265df615bcb20e524f4db645cc74a8478f7525e636d763ced851299e8c73835e3f16c5f291e6a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D33ECE31-2E98-11EF-825B-FA5112F1BCBF}.dat

Filesize
5KB

MD5
841174e8bcbc0ed23a1004a98e07eb68

SHA1
fae20775fc2dc76e5328d059171add933ea7d50c

SHA256
377362d1e3d376690bb92b10fbb0eb37f164e7ef4fc78aa1c389aec459b06cbd

SHA512
c12e82b2754d1baa391fe6a4f8d835cb563bc79ed0fc3aae5cca61f40971c2cd54dd395de9a7530eb30ce2ced011da9227d174ea0076272bc33e74ebca734ce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D34390F1-2E98-11EF-825B-FA5112F1BCBF}.dat

Filesize
4KB

MD5
25087bb08de4a12f16ad0150c33decf7

SHA1
66d64ada9a441386654d104e002a827e1b0193b2

SHA256
72726da76122d50d493a8911017479abf9c33faf7438a3e01a2a4f2b06212443

SHA512
e14aa18b5636615868021bcfef0281ee19d7e8920c58695713913fe1db8fb985f6559d8067e420e8931f2871c0c92cec534561a257108a863b4efbbacc50f84d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9ZQLLOZN\clipboard.min[1].js

Filesize
10KB

MD5
f06c52bfddb458ad87349acf9fac06c5

SHA1
ee60ca5ba9401456105ef703a98092369b579c80

SHA256
1626706afc88d95ebe1173b553ec732c6dc82a576989315fdf5e7779af738a44

SHA512
e80151e5171dc24ce0c1a1ae4fe54826c4fdd2a8908efb2bcbcd0a6d731e13c54b29bc16e111b91b8e536615a968956c69a11e238b0ea68c253ae56017b8e1eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6970.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6A71.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\ftp.bat

Filesize
53B

MD5
8f2c89200ee65d9d082b9d77853f1859

SHA1
87539509609fa22e0085a135cf2f0feda33c3c2e

SHA256
9717e9026eae402fae08713f0da7ed86fecf804c7d4c9c2a2020c8e5bcd3ea64

SHA512
7d4fcf33bf7061cbbfa9b09432cc113f0f9aa57e43434b1b7c6c32f00bf22ba285a4fb310fbbac0a40179742e810276ae39ac99ad073ed587a8026586308e4b0

Download Submit
\??\c:\windows\ftp.txt

Filesize
76B

MD5
1c98763b64e29828316643dcbae341d5

SHA1
8719a329fd5945e412d99e89c5f99b41ab566f45

SHA256
b24a9be1f5d3f017ffc55ad2f6427a33abaeccb4ce0fcfca025793f92a46318a

SHA512
de82674faa37db26e5ba0af13a2ec45a1f34074f7dc4ed955b5722e6231c1abbc6424ced9c77695f736ac15d4e31240801a767784a1d4c7baa8aebb12a5b1254

Download Submit
memory/2204-20-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2204-502-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/2204-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads