674049156118fb5825b23bbec90bbf45206bff87500c2e737ce3e39c2aafa821

Analysis

max time kernel
148s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 00:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe
Size

15KB
MD5

01565253bcdef0f3fcaf57e128ceed1b
SHA1

08acd74c35b7e9fd0031a414275af3d90fd029e8
SHA256

674049156118fb5825b23bbec90bbf45206bff87500c2e737ce3e39c2aafa821
SHA512

b648b0cef885c08a6d7393ca312bffd81ef0a24fbc9f1e8dc1136c6b95ea89d70b5db1eee25bf832de2af0920ea6b87883f4c768298a637d6d37dc2512e7d13d
SSDEEP

384:/TxnIAW4urbiml2WAGVF3Y4Eux0Dzh8WaWw3tKGdb:/V7YXDl5P3MNb89R

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "2"	reg.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4480-0-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4480-5-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4480-11-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral2/memory/4480-29-0x0000000000400000-0x0000000000410000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Program Files\\Internet Explorer\\svchost.exe"	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\svchost.exe	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\svchost.exe	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\windows\ftp.txt	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe
File created	C:\windows\ftp.bat	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0b4d0b4a5c2da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 606c7ce5a5c2da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2929045816"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000459fd011085857499198b2c61f84605a00000000020000000000106600000001000020000000b56b0cf83fda02607dcd7821fff9685721772b17c457e4e733ddc0708a46c85f000000000e8000000002000020000000f6ba71883badff5814889df6bcb0710d8e89f9e865b0b2a220aec82eb5d06c542000000040076baf88bc7e96967f5795bd1ff572099ca2df4f9be78a0d05c445aee4aec8400000000e6f5938d87ee1a8976650d981f52c8dba3b9980211c57f3076ea619db5967b7d4eb709fa540359028077ad3e0a7ef77c7c6279c4011195b25d2f387e33a1f69	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{ECB7110B-2E98-11EF-B9F7-DA3E94F6CD86} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425606927"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2955764660"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000459fd011085857499198b2c61f84605a000000000200000000001066000000010000200000008573f65436f02bbe2883cf8c6cd2b9f32798b9b2bd8c2a3336bd1bee7c41d8fe000000000e8000000002000020000000b7037630ba97c833c48921b3d775030071cae8d885545b28c9ab61b73429649720000000446184734ca99d6e051c31453eb753e70bdac26ad9bc27cad10d92b0ab4331d84000000076a1427032672ff5bfff143aacfb92558519bef5349af9cc0df99953d7f3f230a9c1ef2b3ba06c83220ceb2c836ead17e26f10f6e9f4b992d815bc92cad2b341	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31113893"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2929045816"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000459fd011085857499198b2c61f84605a000000000200000000001066000000010000200000008e1fc512c3208d925e06f2af1ad795b5f30da844d867edc3448f71ebb16b3a7d000000000e800000000200002000000001026a8bf569fa4be76c6eea228ec11390f700691a886942c428e956ccc726332000000031c7486f196875a42774f11213a2d3d5bf70d55afc8a0e6eacfc474e324ddd0540000000ce5ef92c866a4781945b3360093d3c48e65e953e58b261d24b66cf6bc4b78aaab0b8132fbacc5ba1c323c9ed1dba9058faa8fbb478e06de30ae1582eaa34993b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31113893"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31113893"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{FEABC603-2E98-11EF-B9F7-DA3E94F6CD86} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80f8f1b4a5c2da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D9DFDECC-2E98-11EF-B9F7-DA3E94F6CD86} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4400	reg.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3976	iexplore.exe
4692	iexplore.exe
2496	iexplore.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe
3976	iexplore.exe
3976	iexplore.exe
3548	IEXPLORE.EXE
3548	IEXPLORE.EXE
3548	IEXPLORE.EXE
3548	IEXPLORE.EXE
4692	iexplore.exe
4692	iexplore.exe
4780	IEXPLORE.EXE
4780	IEXPLORE.EXE
4780	IEXPLORE.EXE
4780	IEXPLORE.EXE
2496	iexplore.exe
2496	iexplore.exe
3528	IEXPLORE.EXE
3528	IEXPLORE.EXE
3528	IEXPLORE.EXE
3528	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 4400	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	92
PID 4480 wrote to memory of 4400	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	92
PID 4480 wrote to memory of 4400	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	92
PID 4480 wrote to memory of 3976	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	94
PID 4480 wrote to memory of 3976	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	94
PID 3976 wrote to memory of 3548	3976	iexplore.exe	95
PID 3976 wrote to memory of 3548	3976	iexplore.exe	95
PID 3976 wrote to memory of 3548	3976	iexplore.exe	95
PID 4480 wrote to memory of 5044	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	96
PID 4480 wrote to memory of 5044	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	96
PID 4480 wrote to memory of 1484	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	97
PID 4480 wrote to memory of 1484	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	97
PID 4480 wrote to memory of 1484	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	97
PID 4480 wrote to memory of 2540	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	98
PID 4480 wrote to memory of 2540	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	98
PID 1484 wrote to memory of 1004	1484	cmd.exe	100
PID 1484 wrote to memory of 1004	1484	cmd.exe	100
PID 1484 wrote to memory of 1004	1484	cmd.exe	100
PID 4480 wrote to memory of 4692	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	111
PID 4480 wrote to memory of 4692	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	111
PID 4480 wrote to memory of 5116	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	112
PID 4480 wrote to memory of 5116	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	112
PID 4692 wrote to memory of 4780	4692	iexplore.exe	113
PID 4692 wrote to memory of 4780	4692	iexplore.exe	113
PID 4692 wrote to memory of 4780	4692	iexplore.exe	113
PID 4480 wrote to memory of 2496	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	114
PID 4480 wrote to memory of 2496	4480	01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe	114
PID 2496 wrote to memory of 3528	2496	iexplore.exe	115
PID 2496 wrote to memory of 3528	2496	iexplore.exe	115
PID 2496 wrote to memory of 3528	2496	iexplore.exe	115

C:\Users\Admin\AppData\Local\Temp\01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\01565253bcdef0f3fcaf57e128ceed1b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system /v disableregistrytools /t REG_DWORD /d 2 /f
  2⤵
  - Disables RegEdit via registry modification
  - Modifies registry key
  PID:4400
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" Http://
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3976 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3548
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.xiuzhe.com/free.html
  2⤵
  - Modifies Internet Explorer settings
  PID:5044
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\windows\ftp.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\windows\SysWOW64\ftp.exe
    C:\windows\system32\ftp.exe -s:"c:\windows\ftp.txt"
    3⤵
    PID:1004
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.okxiaoshuo.com
  2⤵
  - Modifies Internet Explorer settings
  PID:2540
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4780
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.okxiaoshuo.com
  2⤵
  - Modifies Internet Explorer settings
  PID:5116
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.okxiaoshuo.com
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2496
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8
1⤵
PID:4400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
a20dcdd581a69f44e7dcbeeab5084fb4

SHA1
61e152b89ab8a04af1843bbfee557d193924ec51

SHA256
009768e52ded8da33ac7d96d521e882eef9765278997f2ce47311f637696d9c7

SHA512
77de84bf9c5480e704991bc16d8f555dc10891e3a5a7044fe2b133cc49d20ebb78c68bbdd4c9a4acd8e7424bce28a00bd3651f3b852a2a726f3f879a741cc7ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
081f29c30ab2463f4c8e539a1ba0f0f2

SHA1
2aa9fbd67cb99a4d2ad5c43db473183d12a87b70

SHA256
14fc231e36c63f53e7acd6f89de33dcbc275d2914a5fa7d72e1d60646fa3a844

SHA512
88d75e9437b656560ff822f73b2ffdac57d94b633a7c2609783779493c776e4d12e3bf081ade49c50fc2c7b4159ce9d478cbe4d8cc8449e503a1fac64aa3e759

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{D9DFDECC-2E98-11EF-B9F7-DA3E94F6CD86}.dat

Filesize
5KB

MD5
2b59e82363d6261a465beb28531581da

SHA1
9922b784a3e50e8bb87348c251423aedd34131db

SHA256
d98580ae2163c483ffecb362eb3ede803e988795cd13f1bada80ae49bf1c5aeb

SHA512
08450c15b08ffddd4f647a0157f3f9abcf642c73186674da3215584abced1c564d4e86df7e1f77ed22c880739a035ee7118edb67e76815a1d4da4ce96cbd9c8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{ECB7110B-2E98-11EF-B9F7-DA3E94F6CD86}.dat

Filesize
5KB

MD5
b05d091f09dc62da3cd4f448d91c3187

SHA1
cfdc61f750c427fe8443694d27c951237d3c6f3e

SHA256
d73805b4350e6d99be2b3d723532660c852ce3c1e1f106a7b658babe077e53a2

SHA512
164f422a7a8df27ab2c162389dbf3c8c9166bc2c4b9e6342d5149c80955f21b8ad64646ea711f524d5fdfc6d4a95ca7d225a38736c630a6f642d1b25665dcc70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BHC2O5WS\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\windows\ftp.bat

Filesize
53B

MD5
8f2c89200ee65d9d082b9d77853f1859

SHA1
87539509609fa22e0085a135cf2f0feda33c3c2e

SHA256
9717e9026eae402fae08713f0da7ed86fecf804c7d4c9c2a2020c8e5bcd3ea64

SHA512
7d4fcf33bf7061cbbfa9b09432cc113f0f9aa57e43434b1b7c6c32f00bf22ba285a4fb310fbbac0a40179742e810276ae39ac99ad073ed587a8026586308e4b0

Download Submit
\??\c:\windows\ftp.txt

Filesize
76B

MD5
1c98763b64e29828316643dcbae341d5

SHA1
8719a329fd5945e412d99e89c5f99b41ab566f45

SHA256
b24a9be1f5d3f017ffc55ad2f6427a33abaeccb4ce0fcfca025793f92a46318a

SHA512
de82674faa37db26e5ba0af13a2ec45a1f34074f7dc4ed955b5722e6231c1abbc6424ced9c77695f736ac15d4e31240801a767784a1d4c7baa8aebb12a5b1254

Download Submit
memory/4480-0-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4480-5-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4480-11-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4480-29-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads