fbfc5032d3c93018f23e3b30732398cccbf5d9bb3fc488f63cf6bb8ed92110ed

Analysis

max time kernel
124s
max time network
127s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
20/06/2024, 17:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
Size

1.4MB
MD5

0831da30ca95215a9a2886af9a5f5bfb
SHA1

8dd3ca21fe053cd8c1a17354596cf94f77e313a1
SHA256

fbfc5032d3c93018f23e3b30732398cccbf5d9bb3fc488f63cf6bb8ed92110ed
SHA512

e4e8f62678090a1d21f2e4eaadf3cdbcb5160622ecb8a567c41097cf8ccbdfbb7c4b557ae96753ab993b8f57e44123fd408ada6332c0abe5f4e20ee17ef04bf0
SSDEEP

24576:9L8r/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVNbw:e/4Qf4pxPctqG8IllnxvdsxZ4Upw

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\soft141808\0820110805080816180814080808.txt	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft141808\pipi_dae_381.exe	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft141808\d_1408.exe	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_141808\dailytips.ini	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_141808\sc\126ÍøÖ·´óÈ«ÉÏÍø×î·½±ã.url	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft141808\a	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft141808\B_0820110805080816180814080808.txt	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft141808\wl06079.exe	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_141808\ImgCache\www.2144.net_favicon.ico	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_141808\sc\»Æ¹ÏµçÓ°Íø-ÔÚÏßµçÓ°.url	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\jishu_141808\jishu_141808.ini	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_141808\sc\Ã¿ÌìÍÅ¹ºÒ»ÏÂ-¾Û±ãÒË.url	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_141808\sc\ÍøÉÏ¹ºÎïÍøÖ·´óÈ«-Íø¹ºµÚÒ»Õ¾.url	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft141808\MiniJJ_12318.exe	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_141808\newnew.exe	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_141808\sc\2144Ð¡ÓÎÏ·--³¬¼¶ºÃÍæ£¬ÀÖºÇºÇ.url	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_141808\sc\²ÊÆ±¿ª½±²éÑ¯-ÔÚÏßÂò²ÊÆ±.url	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_141808\FlashIcon.ico	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_141808\newnew.ini	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_141808\sc\GoogleËÑË÷.url	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000b0522d89471e4d5d323ec96657a0f08b068ebb0bf215d6a541948202005e66db000000000e800000000200002000000043630dcf211850fdc1bcc429f03cea90cd0cba0032a113e8b23d3ccf048e5d249000000030ee3dc04d989d97b465254bb96ba803411bbe13f7317e910ca44992f7b8dee0529abc59b4d9eba40bf81f015e9a6c6d216cdd0252fccc6cd527da5b25498ac33c34452b9e99a79cc0328c2f6a5ef22825108e6f4253af224ac733881d8d18fca2943de2e35878b00981e83e1f380994909f8d8c4542512870005fa1d044338ea3886f5868331405ca10621b0411b5c340000000faa362fd0c2648e642f170396677992d3832ab04dd52b90ec45431873868dc2f061492cbb03b57482c64bb3b39e6410380eb8c4cd9ff9fbfb75b98132a8a5615	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bd2a7708e9798e4fa0b20f3efd8e936100000000020000000000106600000001000020000000163a1285b4c92afcc6d852b126b2441a60697df35d2f89b6f50ea8bd00f17f03000000000e8000000002000020000000a2f66cbb2f2f9d5735781007f597e8ec87faa067b7667a2c16cd54fa3e8de7d320000000e8e03f7485a6ad9bddc2c9f7da5144f29eb28640ffd0e938acaaad791905c98a400000001e86018b146a0eef8af4f0cd9f3c0da2cd5a68bc2ba51643c4dc6b26f3e1a9ba90b32566356833dd3d81f6ace6a0004b15557973ddcbb699b54cc0a9d66eb0eb	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E48A9251-2F29-11EF-A649-4E87F544447C} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10a826d236c3da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E479E8B1-2F29-11EF-A649-4E87F544447C} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425066112"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2308	IEXPLORE.EXE
2544	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE
2340	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2416 wrote to memory of 3004	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	28
PID 2416 wrote to memory of 3004	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	28
PID 2416 wrote to memory of 3004	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	28
PID 2416 wrote to memory of 3004	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	28
PID 2416 wrote to memory of 3004	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	28
PID 2416 wrote to memory of 3004	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	28
PID 2416 wrote to memory of 3004	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	28
PID 3004 wrote to memory of 2308	3004	IEXPLORE.EXE	29
PID 3004 wrote to memory of 2308	3004	IEXPLORE.EXE	29
PID 3004 wrote to memory of 2308	3004	IEXPLORE.EXE	29
PID 3004 wrote to memory of 2308	3004	IEXPLORE.EXE	29
PID 2416 wrote to memory of 2808	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2808	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2808	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2808	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2808	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2808	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2808	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	30
PID 2416 wrote to memory of 2276	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2276	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2276	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2276	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2276	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2276	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	31
PID 2416 wrote to memory of 2276	2416	0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe	31
PID 2808 wrote to memory of 2544	2808	IEXPLORE.EXE	32
PID 2808 wrote to memory of 2544	2808	IEXPLORE.EXE	32
PID 2808 wrote to memory of 2544	2808	IEXPLORE.EXE	32
PID 2808 wrote to memory of 2544	2808	IEXPLORE.EXE	32
PID 2308 wrote to memory of 2796	2308	IEXPLORE.EXE	33
PID 2308 wrote to memory of 2796	2308	IEXPLORE.EXE	33
PID 2308 wrote to memory of 2796	2308	IEXPLORE.EXE	33
PID 2308 wrote to memory of 2796	2308	IEXPLORE.EXE	33
PID 2308 wrote to memory of 2796	2308	IEXPLORE.EXE	33
PID 2308 wrote to memory of 2796	2308	IEXPLORE.EXE	33
PID 2308 wrote to memory of 2796	2308	IEXPLORE.EXE	33
PID 2276 wrote to memory of 2984	2276	Wscript.exe	34
PID 2276 wrote to memory of 2984	2276	Wscript.exe	34
PID 2276 wrote to memory of 2984	2276	Wscript.exe	34
PID 2276 wrote to memory of 2984	2276	Wscript.exe	34
PID 2276 wrote to memory of 2984	2276	Wscript.exe	34
PID 2276 wrote to memory of 2984	2276	Wscript.exe	34
PID 2276 wrote to memory of 2984	2276	Wscript.exe	34
PID 2544 wrote to memory of 2340	2544	IEXPLORE.EXE	36
PID 2544 wrote to memory of 2340	2544	IEXPLORE.EXE	36
PID 2544 wrote to memory of 2340	2544	IEXPLORE.EXE	36
PID 2544 wrote to memory of 2340	2544	IEXPLORE.EXE	36
PID 2544 wrote to memory of 2340	2544	IEXPLORE.EXE	36
PID 2544 wrote to memory of 2340	2544	IEXPLORE.EXE	36
PID 2544 wrote to memory of 2340	2544	IEXPLORE.EXE	36

C:\Users\Admin\AppData\Local\Temp\0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0831da30ca95215a9a2886af9a5f5bfb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2416
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:340993 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2796
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2544 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2340
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft141808\b_1408.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\soft141808\300.bat" "
    3⤵
    PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft141808\300.bat

Filesize
3KB

MD5
c158bd4db295c7dfb7b5422119cd349d

SHA1
08f28f932a61969a1ce43e21b8cd88b51f5634d1

SHA256
57ff2f529ed05c4705f33e1150099536fc6823858bfbc6eb5b684325b5bfed3f

SHA512
c74a3a76a4580f85f3894905b9d401b97399905e6a0bd6a5f47d3336f5e1edd15ee17e9f1073fd69f8eb4843c4b624d1a3fb6af68177d47fa5d5aecf6730c1bc

Download Submit
C:\Program Files (x86)\soft141808\b_1408.vbs

Filesize
247B

MD5
c0e83acbc9cbf8c5db5b4fba3e85ddb8

SHA1
d6ae84528a5d4b2377d1ad05ed3bba961792a198

SHA256
a4f8f32b3a452e7315e2218644e32040dd49f2b665f9612f00bc34479a96385c

SHA512
d42f55d192225bcf6c5f590114152745fe061449c6f8b3a0b1872c396db15962a82ea01d00288f83caef5bab8f63b0b43d5b4d11b923997e40c638c6fc25f60f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17a5b54c6a16d7878d65a21757899076

SHA1
ef3b6cabd4878e22d9288bf1e015bdfa7a7c90f0

SHA256
8a4d813ad55d93903e961b9c0cf77927994be7424a5083caf3b1b74c6616146f

SHA512
bbf0db5a547acebb9f270203c9f2e213c8cdd08fe89e613b65989bc9b9fe4fa14e986d759a443b691d9a45c97e6cf736e4c2d5bdfb5208268f726cb0be2a302a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
962ff9c2cf32aa26648ec5d59a1e206f

SHA1
6e7d7f23a691f2b8d4d35a8564bdeb4beee4d691

SHA256
c4e2f337ef069baff47db3fb20e9ee60e4c1d1c5edf952c739d40f670353c751

SHA512
19c84609d8750f6aac30dc4f30b167d66e75005702145ac32048d872650611e4e41f8491f0bca6d83a3fd9c1be22e6eaf601f0c15e55c77d15e6199da2c071b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ae95c757f36ef2160b82c991549f587

SHA1
b439013aa20e2427ec84bf3b1dc128d83ea5a0f7

SHA256
7344e71e72bad36da9c1303603b294e3efebc9fe27eac01fe09aa2df3757e39d

SHA512
9d941c293486c46a54a942551e5d6d42eaa34596eda8679f821b59c8b20994bf537383d8d7196e141ae46e940458c4f5734028e3e53d0f59e4e5553e3c4461ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
572b6b21167509fab2cf2ecee794eae5

SHA1
23fa6859e3ad7f93a4b830f05d47ac441fea8aa3

SHA256
47ea35a14cbe6b2d4e3a0224c8e6f6a836e5c994bb96609fcb8ceb3a9fc94c50

SHA512
1e8dad38854a4dfe07033a380bd620bb3ec6dfdaf2c07044a072d9b2f8e1459135f5df38dabf73db7d2a881e636e5cfd450119263283fd76b2e021835a74ec44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9a7d56ee0be18cb6b51b90656227c11

SHA1
14fe0bbfbe4e7ad0d4bae348ef8c28a54383ff61

SHA256
fea76eeafead7dad1630aa25da908b3f778e559e3336b06919dc445581bcc79f

SHA512
79569ea318220049d78c8773cf3f0f3e5ec93edd76c9dbfa06bba267494a46c2e745867ce6c4a3a3128d900374c8c346dafc31e6d297cf4ac1a9906bce840210

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fdf4bf79099513cd193b89be78b2cec

SHA1
d45b6bec58c9798811247ab6a66051ff12b81519

SHA256
4bbe5f2e955adf0c050a68ff799af6963598c6d7b60afa3fcc26eb44b9226e6e

SHA512
cf28cc202d75837dfeb150deb118cd7b1b91e1193384eaf4d2629722f3bb179547dcf844f12c5341c08f1e1b21b4afa983c0eaac2725a003e10dec7fde965476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dff6df08a086bbd8e2070eab32f04d36

SHA1
bcf0a06a5e6556dd67f7fd45b91d30d361204656

SHA256
e46e48c5602b8aa5cacd57b15d1ce4f16cedf8d23ffdb2f435598f74ffca0b71

SHA512
dfdc2ca61851bfbde5a6b05f382afb989194488271d04771b6b4d0fa0f05611d8482a8457abd47cf0b9826ad8df48b7e33b1d020621fa67fbea9ee643cf71ecf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c422b1da6cf4ef9a0ce2b24dedb03ae

SHA1
3fd330b615e6026f9b393a6b568416baf114da74

SHA256
8ced64ea9c15f767847d04feff6194747f5f2125ff4478a605656c24a6ec4d60

SHA512
b84250846dee92e1132ac473fac0e420676314be3e2633fb0c1f52dee04970463f9250f529bb1f9f6654c0ff59c54cc1d7d8914b2f179b12eede1e2026affccd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
297b81b318938a99cf621ec2af040827

SHA1
059dfde3914d96ec390f91fa1094aefd40c3e204

SHA256
f62162785160e60e3e46328ba0e49000f6ae59dac63217b12f4c7f803108b5ea

SHA512
0deb98499658ff18c82ac367acffc9da22c5a7827a86e4d86a61dbad05d0f01c5340b36a6238a59ce957771e1237a5bfbbeef12bed753a539aded960ca89a60a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
856561f7473595b36b271952ef2335bd

SHA1
26c61e25b1227a224672b2fbbcb1d0f4fdfa3469

SHA256
831623804e4bfb3873fb1961190816fd88f0fe0744978b3ca506a0c702e708fa

SHA512
b21d1175fb6dc855bfb183c3b34f1d5cf9417154aa18d78cc61c2e3d50ba1d8cb0326a2a408841f4e302e27cc44800524232c458855755c63b423cc2d3a0819b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d7a92beb7a5ab706c713daaadcd49a95

SHA1
f7ec80d830ac640341baf0177cca171c5ec238d2

SHA256
c28308039ef434c02b8ae1f7369b8b5c809b163ad02445a2f69dfe39fb0c3de8

SHA512
3d3d5df78f12c15230599f132c121437a10198f58cc000061758c7a6825a385cc797da7a6bb398e6740674881ed9d83c2823287b52e575700bbba15d77cbf0ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
689c9de3b62ae87b1c50a07536a56fb0

SHA1
afbed2d219614ce1aed0aa9774c7b5f2b83f892f

SHA256
6116eb24c72d400035c27f2e2bdf4db72f6c917cd8c44cc6ff0437a030fbb5b7

SHA512
ff0b183d17f71e6cd55c33a2e02ae2b8d2884721a0a701ceb0d84d3cdd4583fe17fac661928747810db5d26d3faacfbd1d7ba004277abf854e9c3bbdd31c5e1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d5266375e8d7ef69f5ba0db67eab544

SHA1
1385c7455a09d94a3a98ddf6790d23db6b4c9dc1

SHA256
ff44a44fe4a34498363ddabf8cce7d9c8704bb5a227966de49589312870b9a95

SHA512
21f5f95918de583d17770b9d6b07175b922336b3739d097ec62287fb6859300932338af5903a7f97ea771697ebfabd1a35f4d51033e0837ece75b5a4fedb4ae5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
413d294ea54dc33ed5486848793d0896

SHA1
d0fdf8923bd1929f68f702fe6eda582bbbdf4cf9

SHA256
e454a6d906a8287f5afb142cb5f6f71f09c771277cb5c4fedfa31be898087868

SHA512
96f9c138cea63204fa60f65bb3bda5c66de3605057aba6f4ff7bb54927a64c4b813b409a0a22552b59e233795b0813df31eac7ed42d1ae4b43a8a6d913e9d892

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e96927261ef6cd55e06f7b99ba10c78

SHA1
0f09e2593041ba96aa8f34880a4f575764b9714f

SHA256
cfd0f76b55d94ea3ee6393bc86819b6f94633d57d38e7f619f7ee606688fa9ea

SHA512
912516db0a76b69c588a2efeba68e4dffbfa473df7ea5ba6f5be743a5942311aeb0f3aa84b27485e640e8d51b5b687f67b7a2ee88275417ea97e96e44183e570

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3744e1989127b366255b56a197f23704

SHA1
6e15fd538b1c3b30380c68ee064a3cda6f6ad588

SHA256
b9aef80678b98ae74612a68b80e45fdb85761e5d8cc8872b9a38f4142409e63a

SHA512
233396d376e7de288d9b6007f5dc6be22ad1693c0068f98c5b9cd9075f7338327cb6a76d1209bde6a094d3192d1d4bdb3a17e8b5b968228038a83ffeb170d2a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8feab3bf3bb28d73649cd0a935f5956

SHA1
9cc3d13642feae77e9753ab5f53caf7938bce677

SHA256
5f5d50d3641563285641260959d9b4ce67a7b797779cdc510ec13489af9358c0

SHA512
889d1bc218c446def6dd68b0563f3d55de89bcb35066da772f2d670b0bb0b9bf11065ee34b4a2050a2e70cdac02d0f1fea1d06d95588c94ca435c024e93872c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f86c6f0ea6dbc4887191d5e5cc141cf

SHA1
f430acb939d2f998f459853495a43c0f7b89c2e6

SHA256
3d01eec5495365206f0dbf27d07613172e978b26c1d681c480bb7d04ebf98c0c

SHA512
cbf2556d681ae2ef5d39c45c1cb355ceb562e30afb4508db23b78d42602a1120cf7e08591db94d5979e696817b8163b5e556b5e31396f571091a3be0dce79b5a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6642ff8ed08b070cbf390200f79ea3e7

SHA1
afcf6872c40fd4b862407fc13ecc62241ec22c9d

SHA256
77fcdce20a392f2442db1f54694fa9a028875fe79f2df34b624509193e3ab119

SHA512
b2788f10937965901a9c857c39186eae37684f4fec2bad04a8e8532f4ce85b1381bb2fd34b9897373190dcd310fe7ce304d1d338d90f983819e9e448e1535829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E479E8B1-2F29-11EF-A649-4E87F544447C}.dat

Filesize
5KB

MD5
574ef70e4929b6dc946b7e8a76e3acb7

SHA1
5722d1cc6000b7be9eadc61675a85097357d3f67

SHA256
6e187d279ec42b646ae674047ecffee4ac1bcfc6aa43f3a787c992549c61bb02

SHA512
d640fdcb643becaf5e160f3870e4271303e231f2edca8fb1521cadc64d1d185bcd0f949848aa571777bb566bddca1a02684297dc469b905049bfe729ce9015e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDAD8.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDB66.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDB7B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\ Intornot Exploror .lnk

Filesize
1KB

MD5
7d85bc835c3f75e491a19af5cc0ea8de

SHA1
e301add65b358c75cf60ef2335be7d8ef19b5785

SHA256
8a7a888af26a1b78ba214e1df07c79444a384fb01b7ed31edea8862b77c6e00c

SHA512
d9d56bcb5363d44306587097004deacf64d33c2ceef450db4131a7a6efdf5620909e7e344eb809ee9c5e0dcddee02c2769a595d655d49b609e68eb409039ccd3

Download Submit
\Program Files (x86)\jishu_141808\jishu_141808.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1F73.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1F73.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit