10fb746298864930cb185c15343a2bf68ad050a7e159c169ca07e482bb66ab0b

Analysis

max time kernel
119s
max time network
129s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 16:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

07e625e7822aea2617c43791442dec86_JaffaCakes118.exe
Size

148KB
MD5

07e625e7822aea2617c43791442dec86
SHA1

e8bef818f8d7ecf0bd384c12a9004caae17fb19c
SHA256

10fb746298864930cb185c15343a2bf68ad050a7e159c169ca07e482bb66ab0b
SHA512

af2798ae0e409c1a89a76b348536374187c904209a9c0905bcbd99cdf2f82ad19eda4b98b7b674aa309ef268cf734213babd4f94563d40c69f07978ee20d842e
SSDEEP

3072:8dpckuDkxPa3wQWuD3gse48yrtZJsok/fH:YpitZJg28+I/f

Score

7^/10

adware evasion execution persistence stealer trojan

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2200	5GC4RN6QU.EXE

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{72000669-841C-D39B-8178-A1AEC41A9DB3}	regsvr32.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\WHXKH2G\ZQXX77UED5KH.EXE	5GC4RN6QU.EXE
File opened for modification	C:\Program Files\WHXKH2G\ZQXX77UED5KH.EXE	5GC4RN6QU.EXE
File created	C:\Program Files\WHXKH2G\UGHZ8HISW8S.EXE	5GC4RN6QU.EXE
File opened for modification	C:\Program Files\WHXKH2G\UGHZ8HISW8S.EXE	5GC4RN6QU.EXE

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\FDONSZUYCQS.txt	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe
File created	\??\c:\windows\fdonszuycqs.dll	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\OLESCRIPT	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\InprocServer32\ = "C:\\Windows\\SysWOW64\\jscript.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CurVer	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWOW64\\jscript.dll"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72000669-841C-D39B-8178-A1AEC41A9DB3}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\OLEScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{11D9AE74-3FC1-41D6-911B-F5F503BBD8FE}\TypeLib\ = "{97EFC6B7-C73A-423E-8458-82C589CA7E3B}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\ = "JScript Language Encoding"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C261-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{0AEE2A92-BCBB-11D0-8C72-00C04FC2B085}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xunlei\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72000669-841C-D39B-8178-A1AEC41A9DB3}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2612	reg.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe
2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe
2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe
2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe
2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe
2200	5GC4RN6QU.EXE
2200	5GC4RN6QU.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2200	2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2200	2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2200	2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2200	2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe	28
PID 2232 wrote to memory of 2588	2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2588	2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2588	2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2588	2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2588	2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2588	2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2588	2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe	29
PID 2232 wrote to memory of 2704	2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2704	2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2704	2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe	30
PID 2232 wrote to memory of 2704	2232	07e625e7822aea2617c43791442dec86_JaffaCakes118.exe	30
PID 2704 wrote to memory of 2920	2704	cmd.exe	32
PID 2704 wrote to memory of 2920	2704	cmd.exe	32
PID 2704 wrote to memory of 2920	2704	cmd.exe	32
PID 2704 wrote to memory of 2920	2704	cmd.exe	32
PID 2704 wrote to memory of 2920	2704	cmd.exe	32
PID 2704 wrote to memory of 2920	2704	cmd.exe	32
PID 2704 wrote to memory of 2920	2704	cmd.exe	32
PID 2704 wrote to memory of 2652	2704	cmd.exe	33
PID 2704 wrote to memory of 2652	2704	cmd.exe	33
PID 2704 wrote to memory of 2652	2704	cmd.exe	33
PID 2704 wrote to memory of 2652	2704	cmd.exe	33
PID 2704 wrote to memory of 2600	2704	cmd.exe	34
PID 2704 wrote to memory of 2600	2704	cmd.exe	34
PID 2704 wrote to memory of 2600	2704	cmd.exe	34
PID 2704 wrote to memory of 2600	2704	cmd.exe	34
PID 2704 wrote to memory of 2600	2704	cmd.exe	34
PID 2704 wrote to memory of 2600	2704	cmd.exe	34
PID 2704 wrote to memory of 2600	2704	cmd.exe	34
PID 2704 wrote to memory of 2604	2704	cmd.exe	35
PID 2704 wrote to memory of 2604	2704	cmd.exe	35
PID 2704 wrote to memory of 2604	2704	cmd.exe	35
PID 2704 wrote to memory of 2604	2704	cmd.exe	35
PID 2704 wrote to memory of 2604	2704	cmd.exe	35
PID 2704 wrote to memory of 2604	2704	cmd.exe	35
PID 2704 wrote to memory of 2604	2704	cmd.exe	35
PID 2704 wrote to memory of 2756	2704	cmd.exe	36
PID 2704 wrote to memory of 2756	2704	cmd.exe	36
PID 2704 wrote to memory of 2756	2704	cmd.exe	36
PID 2704 wrote to memory of 2756	2704	cmd.exe	36
PID 2704 wrote to memory of 2756	2704	cmd.exe	36
PID 2704 wrote to memory of 2756	2704	cmd.exe	36
PID 2704 wrote to memory of 2756	2704	cmd.exe	36
PID 2704 wrote to memory of 2748	2704	cmd.exe	37
PID 2704 wrote to memory of 2748	2704	cmd.exe	37
PID 2704 wrote to memory of 2748	2704	cmd.exe	37
PID 2704 wrote to memory of 2748	2704	cmd.exe	37
PID 2704 wrote to memory of 2772	2704	cmd.exe	38
PID 2704 wrote to memory of 2772	2704	cmd.exe	38
PID 2704 wrote to memory of 2772	2704	cmd.exe	38
PID 2704 wrote to memory of 2772	2704	cmd.exe	38
PID 2704 wrote to memory of 2628	2704	cmd.exe	39
PID 2704 wrote to memory of 2628	2704	cmd.exe	39
PID 2704 wrote to memory of 2628	2704	cmd.exe	39
PID 2704 wrote to memory of 2628	2704	cmd.exe	39
PID 2704 wrote to memory of 2084	2704	cmd.exe	40
PID 2704 wrote to memory of 2084	2704	cmd.exe	40
PID 2704 wrote to memory of 2084	2704	cmd.exe	40
PID 2704 wrote to memory of 2084	2704	cmd.exe	40
PID 2704 wrote to memory of 2760	2704	cmd.exe	41

C:\Users\Admin\AppData\Local\Temp\07e625e7822aea2617c43791442dec86_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\07e625e7822aea2617c43791442dec86_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232
- C:\5GC4RN6QU.EXE
  C:\5GC4RN6QU.EXE FDONSZUYCQS
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2200
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "c:\windows\fdonszuycqs.dll"
  2⤵
  - Installs/modifies Browser Helper Object
  - Modifies registry class
  PID:2588
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\LNU949NEI94B.BAT
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    PID:2920
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2652
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    PID:2600
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - Modifies registry class
    PID:2604
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s msvidctl.dll
    3⤵
    PID:2756
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2748
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2772
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2628
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2084
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    PID:2760
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2612
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:1208
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\5GC4RN6QU.EXE

Filesize
10KB

MD5
19595de7fbed86bc29d5d9547073ca63

SHA1
8fa2edaa9e3edefeb672bb3139436fddc5bb3d27

SHA256
e3c841c3b05305890c2496dadf759a8077860f4b1e6a73a12e90bd97cfd95b44

SHA512
740d859c835fd168b6f9951475fd5054515fd83150e655ab6f3d24b320ef235a6af711a08adc615b1186c06c0c2ef5480152c6b53cfcafbd8fa79a5133916747

Download Submit
C:\LNU949NEI94B.BAT

Filesize
1KB

MD5
91d17ba69c29686ec8929044ff7fcf56

SHA1
db0f273606c7eb9825f57caf9338abf0981d477f

SHA256
2f62c3275b2af56b9801147a9c876bbb9b4cd9ed284f4355d9b66dd557c41eb7

SHA512
171213b4095a7fb299a2ba35da4ed7ac201844b05d5329b08a0f5fc297a1971751f04579a9e7925d5d2c3438696eb8fecf4f27869cda16fca030c1a50cb301dc

Download Submit
C:\Program Files\WHXKH2G\UGHZ8HISW8S.EXE

Filesize
148KB

MD5
07e625e7822aea2617c43791442dec86

SHA1
e8bef818f8d7ecf0bd384c12a9004caae17fb19c

SHA256
10fb746298864930cb185c15343a2bf68ad050a7e159c169ca07e482bb66ab0b

SHA512
af2798ae0e409c1a89a76b348536374187c904209a9c0905bcbd99cdf2f82ad19eda4b98b7b674aa309ef268cf734213babd4f94563d40c69f07978ee20d842e

Download Submit
C:\Windows\FDONSZUYCQS.txt

Filesize
148KB

MD5
c0cf92e9183b14bc1828b44e82cb9f81

SHA1
9a4b43dd795fd04cbc8c44c3eae5bd29959c6348

SHA256
574aa82a40def0ffd1e2b2786f670249e5f94e3faaf0c369f9790d16c88caf9a

SHA512
d59d534e1215efeac94b94cd7fc8fe85784dc1d39a10666817323cfc6398d1ca3c5f1e59d6a4d0eb1c9e6428d1279e8c11d06f98a2e0c467fa2a1b6c7ad46a3a

Download Submit
\??\c:\windows\fdonszuycqs.dll

Filesize
28KB

MD5
ecfee270c2d71fbfe96568bd1e214665

SHA1
c6ebebe2e6313fee775454451fe8cf460733939b

SHA256
fcfba5ab83249f8335eed513d3541833fa612d6e483bc77417c55ac6732b78b8

SHA512
2ef6e08a7fd7915e857877ce5bcc0812fbb18bd69c840fce57d01363b70ea503ecfffde3b03af576655011220dd4f4e730d56be5f9985c240d08303b23564078

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads