2c0ec03da69bfc798db411be15c80a2370760675adf9d2b7a648ff0eaadba4b1

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24/06/2024, 14:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Size

212KB
MD5

091089f839a396d7712ba3fed484387e
SHA1

8a95e455951615fe3a5f5c5ee6da72340347c5f4
SHA256

2c0ec03da69bfc798db411be15c80a2370760675adf9d2b7a648ff0eaadba4b1
SHA512

c8814963c05e482aeac65b53e632299e3f4d9a863e0d549c70890d42c9adacf2ea843741ca84a173bd247d2a8025feb8ce48aa355577ad9ea1bf05a87b7371be
SSDEEP

6144:gdWGUhLim42UdKT0UbaUeUxP0Us+LneUHWqnwcIAKcEBRMjsf+cDXQDm4:goxm5qaZqwcIAN1

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2220	WScript.Exe

Executes dropped EXE 1 IoCs

pid	Process
1828	Program Files9924ZD.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C716D41-3236-11EF-BA8B-4EB079F7C2BA} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425401289"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a230000000002000000000010660000000100002000000037866f5311c5a86df7906a9535a7bb24f9719836534362b434d19ab15b0a4126000000000e8000000002000020000000b90305d25b1e3ebc20e0615db8e982eac408bf36e9c01664a41321480a90a63b20000000ff2883cf6c6ac8e27182703bddfed749671b35f224b04d8d9b4559509d06be5f4000000002b0090eb78569c053eb033b64a364cf3e2344f10ea0aac85e5cd862457a51e7c9a8e37ab5387f70b0a96b08687aafc557976c081e3cdc931de7a30e01b4b152	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{3C847841-3236-11EF-BA8B-4EB079F7C2BA} = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f03e2d2243c6da01	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000587104b0d2f7da409208cf3ae9e77a230000000002000000000010660000000100002000000030df10f68dd512c59ad4df01e7bdf71a0912d87bd042ac1cfa496a335ef74aca000000000e80000000020000200000001dc7a1113f898914a8e900e3f997a99802c95ecb9786eea132add5f972fc03d190000000c465c3c9e2e8f723d3e599068258d2815777cf3be9568c7ec08510eaf3c94591931f10a62f53d3a7bc44fd1ac107c980580c1374addd36709cc1f0467fe07d9930d9f5d9fe1f133b4af6cc708af1bb865adeab03e8eb444264908abe78fb440c141bfb7b30a1e1c1be50b2a03ef19764f771fc2c5da6ec730f5feaf9cd7ec1d83bb89ee270a80f974846f027b8168f5c400000006e829a81d030d98a66defa6a6b726156678279b9f6bd9f6436e1b4408bda837abf48ec0c479aab6d8d3c9c6949b19799fdbfec1cf986025363e785cb8460dcb8	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?2012"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?2012"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.5ijunshi.com/?2012"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?2012"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?2012"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?2012"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2732	IEXPLORE.exe
2528	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
848	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
1828	Program Files9924ZD.exe
2732	IEXPLORE.exe
2732	IEXPLORE.exe
2588	IEXPLORE.EXE
2588	IEXPLORE.EXE
2528	IEXPLORE.exe
2528	IEXPLORE.exe
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 1828	848	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe	28
PID 848 wrote to memory of 1828	848	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe	28
PID 848 wrote to memory of 1828	848	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe	28
PID 848 wrote to memory of 1828	848	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe	28
PID 1828 wrote to memory of 2732	1828	Program Files9924ZD.exe	30
PID 1828 wrote to memory of 2732	1828	Program Files9924ZD.exe	30
PID 1828 wrote to memory of 2732	1828	Program Files9924ZD.exe	30
PID 1828 wrote to memory of 2732	1828	Program Files9924ZD.exe	30
PID 2732 wrote to memory of 2588	2732	IEXPLORE.exe	32
PID 2732 wrote to memory of 2588	2732	IEXPLORE.exe	32
PID 2732 wrote to memory of 2588	2732	IEXPLORE.exe	32
PID 2732 wrote to memory of 2588	2732	IEXPLORE.exe	32
PID 1828 wrote to memory of 2528	1828	Program Files9924ZD.exe	33
PID 1828 wrote to memory of 2528	1828	Program Files9924ZD.exe	33
PID 1828 wrote to memory of 2528	1828	Program Files9924ZD.exe	33
PID 1828 wrote to memory of 2528	1828	Program Files9924ZD.exe	33
PID 848 wrote to memory of 2220	848	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe	35
PID 848 wrote to memory of 2220	848	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe	35
PID 848 wrote to memory of 2220	848	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe	35
PID 848 wrote to memory of 2220	848	091089f839a396d7712ba3fed484387e_JaffaCakes118.exe	35
PID 2528 wrote to memory of 2796	2528	IEXPLORE.exe	36
PID 2528 wrote to memory of 2796	2528	IEXPLORE.exe	36
PID 2528 wrote to memory of 2796	2528	IEXPLORE.exe	36
PID 2528 wrote to memory of 2796	2528	IEXPLORE.exe	36

C:\Users\Admin\AppData\Local\Temp\091089f839a396d7712ba3fed484387e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\091089f839a396d7712ba3fed484387e_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:848
- \??\c:\Program Files9924ZD.exe
  "c:\Program Files9924ZD.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1828
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2588
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forjieku_977.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2528 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2796
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  - Deletes itself
  PID:2220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files9924ZD.exe

Filesize
36KB

MD5
5ac7b2c11ba54d8844c8ff3cbce0a461

SHA1
dd19031a7588ab534215b8dc95b1488a61e6e12f

SHA256
3465fa9521985a29c4d1dd6b1e009db85ee367fbb8afc77f2c011985ed4fdd99

SHA512
9d6f2bdc41d9a4cbf8c9b40a07b96a21c10131fa120c1696133523a90d7736bf991f338c1aa4a7c8cbad42633c711f72d075ffcbcdef5f6b386bf5593c046e6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{3C716D41-3236-11EF-BA8B-4EB079F7C2BA}.dat

Filesize
5KB

MD5
3e46d96d5a3b4343e71dee74beb6ea05

SHA1
fc5835719b612fc13aec1a0f53ce6fc0eddfbc72

SHA256
28644fceda5bc40a02794441f7fa7e0b8188273687716816c7e718657f0f8ac6

SHA512
4f2793a9e6cc97e9590d6314fa8c2fd42d69b5eb197ac2f6e65a4c4fcdbd4f46ca97a001caeb1f7ad2d3bdb3d12db3bc534dacef297fa7887fd2c0df67d5d1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
450B

MD5
a15881240abbb19107af44ace3c96d1d

SHA1
b0a315512a843b412329e305e7a93650ab5af491

SHA256
6a78a1bbc0599c1871f5d7b96ce8c3dd40ab49d540de77432f514f6c61393902

SHA512
d7b2b62bf441350d5c97d2a7a46679f1b450cb92e3abd2b3b0ea8a9f4134b387f64e6ef93e176898588aa068f7e3f61a86b00c1a8197e05c04f8dad4322536ec

Download Submit