Malware Analysis Report

2025-01-22 12:45

Sample ID 240622-3mzpxstfqr
Target 046997c4d35f39904d6fcf1d38952489_JaffaCakes118
SHA256 d7680f6572553bad5a5734d106e42aace4338b0a15ae584681481d3802b9eb8b
Tags
aspackv2 evasion
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d7680f6572553bad5a5734d106e42aace4338b0a15ae584681481d3802b9eb8b

Threat Level: Known bad

The file 046997c4d35f39904d6fcf1d38952489_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

aspackv2 evasion

Modifies visibility of hidden/system files in Explorer

Drops file in Drivers directory

ASPack v2.12-2.42

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Runs .reg file with regedit

Modifies Internet Explorer start page

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-22 23:38

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 23:38

Reported

2024-06-22 23:41

Platform

win7-20240221-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\WINDOWS\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
File created C:\WINDOWS\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msscp.reg C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msscp.reg C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\taobao.ico C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\System\taobao.ico C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\web\Inde.html C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
File created C:\Windows\web\Index.htm C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
File created C:\Windows\web\Index.html C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
File opened for modification C:\Windows\web\Index.htm C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
File opened for modification C:\Windows\web\Index.html C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TYPEDURLS C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.a585.com" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.a585.com" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Pz\9 = "1" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\删除(&D)\Command\ = "Rundll32.exe" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Pz\9 = "0" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\重命名(&M)\Command\ = "Rundll32.exe" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\HideFolderVerbs C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\属性(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ = "淘宝网！" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\删除(&D)\Command\ = "Rundll32.exe" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\重命名(&M)\Command\ = "Rundll32.exe" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\属性(&R) C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\WantsParseDisplayName C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43} C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\属性(&R) C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\删除(&D)\Command C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\Attributes = "0" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\属性(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\重命名(&M)\Command C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\HideOnDesktopPerUser C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)\Command C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\DefaultIcon\ = "C:\\Program Files (x86)\\Common Files\\System\\taobao.ico" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\重命名(&M) C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\删除(&D)\Command C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O) C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)\Command\ = "iexplore.exe C:\\WINDOWS\\Web\\index.htm" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\重命名(&M)\Command C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\删除(&D) C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42} C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\删除(&D) C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)\ = "打开主页(&H)" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)\Command C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O) C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\HideOnDesktopPerUser C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\属性(&R)\Command C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\HideFolderVerbs C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pz C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)\Command\ = "iexplore.exe C:\\WINDOWS\\Web\\index.html" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)\ = "打开淘宝网(&T)" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Pz\5 = "11423" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\属性(&R)\Command C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\Attributes = "0" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\WantsParseDisplayName C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Pz\1 = "20240622" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ = "Internet Explorer" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\重命名(&M) C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 2664 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 2664 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 2664 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 2664 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe
PID 2664 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe
PID 2664 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe
PID 2664 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe
PID 2924 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 2924 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 2924 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 2924 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 2924 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2924 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2924 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2924 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2460 wrote to memory of 2496 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2460 wrote to memory of 2496 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2460 wrote to memory of 2496 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2460 wrote to memory of 2496 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe"

C:\Windows\SysWOW64\regedit.exe

C:\Windows\regedit.exe /S C:\Windows\system32\msscp.reg

C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe

C:\Windows\SysWOW64\regedit.exe

C:\Windows\regedit.exe /S C:\Windows\system32\msscp.reg

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" C:\Windows\web\Inde.html

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows\web\Inde.html

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.a585.com udp

Files

memory/2664-0-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/2664-1-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\SysWOW64\msscp.reg

MD5 2d06a424ad1c7611ea9caad93892ea26
SHA1 a901e15c2ecea498f1ca8ffc5d5c32bd3f0169d8
SHA256 8c19027357bcb3170b6844aec44cd4c143c7b795d5df52ff89426615010f715c
SHA512 3199dffce9d7625d9e01d7a06c912d3629e5f3d98d3935763df6b323807d46f24a40876d78d5ae7f7ac83c90e498e7c4810d88993904dbca1036e8c06833ccdf

C:\Program Files\Common Files\System\taobao.ico

MD5 468fada123f5548ac87e57bae81f6782
SHA1 edb8f012c25906e6afd8bf335b495e16c440243d
SHA256 091c882bb307d57f2c7c42309e7ba8740130fef8c3ed772b0bc5e5505e37034d
SHA512 635ec26c88c2394dd4f2a81b9aea8f429a91adfeb37ae34e51b03f3cf8e503c123c3685938f40cea07d6146e0c7113aadbe62fa528f1f6d8b995e617fd68a4aa

memory/2924-11-0x00000000001B0000-0x00000000001B1000-memory.dmp

memory/2924-10-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/2924-25-0x0000000000400000-0x00000000004DD000-memory.dmp

C:\WINDOWS\system32\drivers\etc\hosts

MD5 8ebaaf110f51a5d473bf713e602cfe70
SHA1 91dda6b9145553391117ea584b1baa94d757d74c
SHA256 9bb7d86f074b7941b97dadd516e7e53bc6304d11393bea53b0682df651e96fc3
SHA512 af842df53c7bbccb8fda1c95d8a8bce9a68376c1754bc7105459e7d86b723baba62625ccf9c5c2bbf32b18aa915e5779cd739c71892b629ceb6400c9fbc9d856

memory/2664-27-0x0000000000400000-0x00000000004DD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 23:38

Reported

2024-06-22 23:41

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A

Drops file in Drivers directory

Description Indicator Process Target
File created C:\WINDOWS\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
File created C:\WINDOWS\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msscp.reg C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SysWOW64\msscp.reg C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\System\taobao.ico C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
File opened for modification C:\Program Files\Common Files\System\taobao.ico C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\web\Index.htm C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
File created C:\Windows\web\Index.html C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
File opened for modification C:\Windows\web\Index.htm C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
File opened for modification C:\Windows\web\Index.html C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
File created C:\Windows\web\Inde.html C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\TYPEDURLS C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.a585.com" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.a585.com" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O) C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Pz\9 = "0" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\属性(&R)\Command C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Pz C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\重命名(&M)\Command\ = "Rundll32.exe" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\WantsParseDisplayName C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\重命名(&M) C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\重命名(&M)\Command\ = "Rundll32.exe" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\属性(&R) C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\删除(&D) C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)\Command C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Pz\1 = "20240622" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\HideFolderVerbs C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\DefaultIcon\ = "C:\\Program Files (x86)\\Common Files\\System\\taobao.ico" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\重命名(&M)\Command C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\Attributes = "0" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\删除(&D)\Command\ = "Rundll32.exe" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)\Command\ = "iexplore.exe C:\\WINDOWS\\Web\\index.html" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)\ = "打开淘宝网(&T)" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ = "Internet Explorer" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\删除(&D)\Command C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\重命名(&M) C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43} C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\删除(&D) C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\HideFolderVerbs C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\WantsParseDisplayName C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\HideOnDesktopPerUser C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\属性(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)\ = "打开主页(&H)" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\Attributes = "0" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\DefaultIcon C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Pz\5 = "11423" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\属性(&R) C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\属性(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\删除(&D)\Command C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Pz\9 = "1" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42} C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\重命名(&M)\Command C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\删除(&D)\Command\ = "Rundll32.exe" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)\Command C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\HideOnDesktopPerUser C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O) C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\属性(&R)\Command C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ = "淘宝网！" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)\Command\ = "iexplore.exe C:\\WINDOWS\\Web\\index.htm" C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\regedit.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5060 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 5060 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 5060 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 5060 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe
PID 5060 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe
PID 5060 wrote to memory of 1524 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe
PID 1524 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 1524 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 1524 wrote to memory of 3784 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Windows\SysWOW64\regedit.exe
PID 1524 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1524 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1524 wrote to memory of 2188 N/A C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2188 wrote to memory of 2516 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2188 wrote to memory of 2516 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe"

C:\Windows\SysWOW64\regedit.exe

C:\Windows\regedit.exe /S C:\Windows\system32\msscp.reg

C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\046997c4d35f39904d6fcf1d38952489_JaffaCakes118.exe

C:\Windows\SysWOW64\regedit.exe

C:\Windows\regedit.exe /S C:\Windows\system32\msscp.reg

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" C:\Windows\web\Inde.html

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows\web\Inde.html

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.a585.com udp

Files

memory/5060-0-0x0000000000400000-0x00000000004DD000-memory.dmp

memory/5060-2-0x0000000000680000-0x0000000000681000-memory.dmp

C:\Windows\SysWOW64\msscp.reg

MD5 2d06a424ad1c7611ea9caad93892ea26
SHA1 a901e15c2ecea498f1ca8ffc5d5c32bd3f0169d8
SHA256 8c19027357bcb3170b6844aec44cd4c143c7b795d5df52ff89426615010f715c
SHA512 3199dffce9d7625d9e01d7a06c912d3629e5f3d98d3935763df6b323807d46f24a40876d78d5ae7f7ac83c90e498e7c4810d88993904dbca1036e8c06833ccdf

C:\Program Files\Common Files\System\taobao.ico

MD5 468fada123f5548ac87e57bae81f6782
SHA1 edb8f012c25906e6afd8bf335b495e16c440243d
SHA256 091c882bb307d57f2c7c42309e7ba8740130fef8c3ed772b0bc5e5505e37034d
SHA512 635ec26c88c2394dd4f2a81b9aea8f429a91adfeb37ae34e51b03f3cf8e503c123c3685938f40cea07d6146e0c7113aadbe62fa528f1f6d8b995e617fd68a4aa

memory/1524-8-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/1524-25-0x0000000000400000-0x00000000004DD000-memory.dmp

C:\WINDOWS\system32\drivers\etc\hosts

MD5 326c3d8f4d8f540387319cb0113ca6c1
SHA1 c8d3e3455cb685ce5148301463190ef994efb095
SHA256 88c184f604ea2e4087edf314af5c1dffc91cee2a2560ea59374f95964a1a428d
SHA512 9c512df37f4330f2a68ded9994a94d787f00d90c0ba2635c85254ff8a80c0687366c445e5b0aeeb4ce3163f8b62c4af9d947e021d18460a582d545e1abee4215

memory/5060-27-0x0000000000400000-0x00000000004DD000-memory.dmp