71d7c7dbd1e3c3053da20948ec26d9f4f523d598a75b5552a026d7a5f2dbce70

Analysis

max time kernel
133s
max time network
127s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
25/06/2024, 15:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe
Size

799KB
MD5

0e83d13c4760d6780bdf61df96615446
SHA1

08b09de9147697adaaa66df1ca5a828c48e69f0f
SHA256

71d7c7dbd1e3c3053da20948ec26d9f4f523d598a75b5552a026d7a5f2dbce70
SHA512

6d2daeae984eb2e4586c98600f69d177b24de032a18bde7b825d986c4eafc5a8985bc6989a3ec4ded3229a91bcb0d556cb94b8f3152ecbf73800a48e9462d3c8
SSDEEP

24576:UQvPrOqokz3NBA7T/jjTYwqRrzPMpVraLVwdFUZZog:bvTO6BA7TMBRPIVraLVw4Zj

Score

7^/10

evasion persistence trojan upx

Malware Config

Signatures

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2428-0-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/2208-2-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2052-1-0x0000000000400000-0x0000000000442000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Windows\\system32\\svchost.exe"	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\svchost.exe	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\svchost.exe	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 2428	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	28
PID 2916 set thread context of 2052	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	29
PID 2916 set thread context of 2208	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	30
PID 2916 set thread context of 1896	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	31

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7DFC57B1-3304-11EF-9FC8-F6C75F509EE4} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7DF9F651-3304-11EF-9FC8-F6C75F509EE4} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7DFC7EC1-3304-11EF-9FC8-F6C75F509EE4} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7DFA1D61-3304-11EF-9FC8-F6C75F509EE4} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2428	IEXPLORE.EXE
2208	IEXPLORE.EXE
1896	IEXPLORE.EXE
2052	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2428	IEXPLORE.EXE
2428	IEXPLORE.EXE
2208	IEXPLORE.EXE
2208	IEXPLORE.EXE
1896	IEXPLORE.EXE
1896	IEXPLORE.EXE
2052	IEXPLORE.EXE
2052	IEXPLORE.EXE
2660	IEXPLORE.EXE
2660	IEXPLORE.EXE
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE
2756	IEXPLORE.EXE
2756	IEXPLORE.EXE
2552	IEXPLORE.EXE
2552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2428	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	28
PID 2916 wrote to memory of 2428	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	28
PID 2916 wrote to memory of 2428	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	28
PID 2916 wrote to memory of 2428	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	28
PID 2916 wrote to memory of 2428	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	28
PID 2916 wrote to memory of 2428	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	28
PID 2916 wrote to memory of 2428	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	28
PID 2916 wrote to memory of 2428	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	28
PID 2916 wrote to memory of 2428	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	28
PID 2916 wrote to memory of 2052	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	29
PID 2916 wrote to memory of 2052	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	29
PID 2916 wrote to memory of 2052	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	29
PID 2916 wrote to memory of 2052	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	29
PID 2916 wrote to memory of 2052	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	29
PID 2916 wrote to memory of 2052	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	29
PID 2916 wrote to memory of 2052	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	29
PID 2916 wrote to memory of 2052	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	29
PID 2916 wrote to memory of 2052	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	29
PID 2916 wrote to memory of 2208	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2208	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2208	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2208	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2208	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2208	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2208	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2208	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2208	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	30
PID 2916 wrote to memory of 1896	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	31
PID 2916 wrote to memory of 1896	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	31
PID 2916 wrote to memory of 1896	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	31
PID 2916 wrote to memory of 1896	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	31
PID 2916 wrote to memory of 1896	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	31
PID 2916 wrote to memory of 1896	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	31
PID 2916 wrote to memory of 1896	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	31
PID 2916 wrote to memory of 1896	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	31
PID 2916 wrote to memory of 1896	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	31
PID 2916 wrote to memory of 1896	2916	0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe	31
PID 2428 wrote to memory of 2660	2428	IEXPLORE.EXE	32
PID 2428 wrote to memory of 2660	2428	IEXPLORE.EXE	32
PID 2428 wrote to memory of 2660	2428	IEXPLORE.EXE	32
PID 2428 wrote to memory of 2660	2428	IEXPLORE.EXE	32
PID 2428 wrote to memory of 2660	2428	IEXPLORE.EXE	32
PID 2428 wrote to memory of 2660	2428	IEXPLORE.EXE	32
PID 2428 wrote to memory of 2660	2428	IEXPLORE.EXE	32
PID 2208 wrote to memory of 2796	2208	IEXPLORE.EXE	33
PID 2208 wrote to memory of 2796	2208	IEXPLORE.EXE	33
PID 2208 wrote to memory of 2796	2208	IEXPLORE.EXE	33
PID 2208 wrote to memory of 2796	2208	IEXPLORE.EXE	33
PID 2208 wrote to memory of 2796	2208	IEXPLORE.EXE	33
PID 2208 wrote to memory of 2796	2208	IEXPLORE.EXE	33
PID 2208 wrote to memory of 2796	2208	IEXPLORE.EXE	33
PID 1896 wrote to memory of 2552	1896	IEXPLORE.EXE	34
PID 1896 wrote to memory of 2552	1896	IEXPLORE.EXE	34
PID 1896 wrote to memory of 2552	1896	IEXPLORE.EXE	34
PID 1896 wrote to memory of 2552	1896	IEXPLORE.EXE	34
PID 1896 wrote to memory of 2552	1896	IEXPLORE.EXE	34
PID 1896 wrote to memory of 2552	1896	IEXPLORE.EXE	34
PID 1896 wrote to memory of 2552	1896	IEXPLORE.EXE	34
PID 2052 wrote to memory of 2756	2052	IEXPLORE.EXE	35
PID 2052 wrote to memory of 2756	2052	IEXPLORE.EXE	35
PID 2052 wrote to memory of 2756	2052	IEXPLORE.EXE	35
PID 2052 wrote to memory of 2756	2052	IEXPLORE.EXE	35
PID 2052 wrote to memory of 2756	2052	IEXPLORE.EXE	35
PID 2052 wrote to memory of 2756	2052	IEXPLORE.EXE	35

C:\Users\Admin\AppData\Local\Temp\0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0e83d13c4760d6780bdf61df96615446_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2428 CREDAT:275457 /prefetch:2
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2660
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2052 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2756
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2208 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2796
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1896 CREDAT:275457 /prefetch:2
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dcb5e5bfdb2be9521894d9c7bb98cdb

SHA1
d8ffb6de435252db80f5c4a1ff640782ed0c7bd6

SHA256
71ae3e4c8b6a10ba21d5ca7fb81496bb94e81b49ef9753593c52740d70b0e9f5

SHA512
c460131814fc4cebbcdbdc0b962875c5e3ecc31781dd825c43e62c17af957ab1d77cbf2f6c539b4f58d9f566458de5799b85b4b196e3cdb9b7ca334df95700e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2204fbbc96a3039a76b39fbd11a8c51b

SHA1
fe7084ca0eefaca9d8c6b575cbfceeaf2ff41575

SHA256
d371acf7d6fec1d3163e2fd1d99b89770eb93ef4865d5ad8f663c4732d4f1f3a

SHA512
795535df1d3e5791633003fb0e30285138df68564ba94125d30ef65bd8ab38fa513747f65a643d233858382d79f02c4d7e24187ccf67f5623e7628f012cbc353

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39ef2d7a393a6874d1eee689388fd5ff

SHA1
a2385ec99ba11fc00e3513c72b9cd9219bcaf1af

SHA256
25343f3f0d53cb1f2eea0f3bb83696421df714415b4f254d0b44832519e41b62

SHA512
0572fd93011968cd55d29b283d9b57259830a9022f89af51a99a8f6aee2646fa206b1f37c46fecbd906ee2e1988bb66f71b1797a76364016fe90052ea99b6059

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
535ea9fbeda555eef3f25752f277bbd9

SHA1
0aad4f4f72d2f42c398a2a477acc57f0fb83139d

SHA256
b45ae4a2f17dcfe0fedb6bce51c86319e11d5d2107ebb00fa19595d1c3a47405

SHA512
19bcdef352a818bcd29f59f403d39e498b451b95050b26794c31223a9274a05fc16f35b0a72d37760ebd35d4a2a25c49fefdfb38385e11905378b500bc9719f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa0de40474e2b4ea23820ff801a86cc7

SHA1
9646711c4651a3c8074a92560f22eecd4ec40013

SHA256
0698941b2d761e7599a023bc31074d3c4d2adfac02dfa9a28862750bb4148fe2

SHA512
391594b7b46cc5c3fbe96ca975b69f8f64bbc8a2855bd4ed00ab37d3b721e20b027db7f2235e48b3942d3123349dabc32591d98937dea33963de9ab7638b0552

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c968af0b7ec63be7ede516f6b53aa33

SHA1
c773f9058691c2230b00583a4e59bb5e7ff2b251

SHA256
4679b9b51a9f39f374da012c9f3552399b469f7fa2ac6c7118aa7b8d8ed5fe5c

SHA512
8672b42c462cc9ccf1277daa23b08f81a952cc9151104dae249ee390f3a62a0ecf590409d855d559b0ee27e0c182892738e8bb6abd19210e65453f4f823f1ce5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0eaa5518bfdc92fe94caa53869629890

SHA1
8842d4d2b982561558a9591946c436f1cdc4507c

SHA256
2c36eed21c370bed21f5555e2a08830e57efcaba3e5fd753c3fb7dca8aabedd9

SHA512
ce30bacc3db5fb5d0d7f2df0ec4940c1889e14df8e6a89f48a5c579a3c1f403ecd76623965100d5d843b2d71a03cc772b83dba465dfe33f552b239a30b1d51b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8da19bba2bbff33426b68a72d543b0e

SHA1
2b9769cee0da73978971d6ffdf3e9feb9c2b6554

SHA256
e90e8058a69622aff0a7c81ccf45dabb4f5cd1232f9e01fdaa463be53fcb7428

SHA512
8fe49be17b767abb75779e642f8f0f5a407fa26f52c1bb4cd0237bb8a9724069a9c45db9058c7b831deef560ae262b634860117530c8bf4a859ab3be5b75bf70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d4e5f18e806cfcd8fb3c10df702d971

SHA1
4a8b609205d86e08fbd6c1ff8d084998040e7360

SHA256
17c255e5d3c4cbe48246ddd69cd437ee5c9535c74140e801bf6f280f46a885b1

SHA512
d5acf289671638322e110bad6aa32b30fde2e4a9273ae75cc56b9810972b12036012bf07bece0c91be4d8dabd0d7d38f97263b184f51e44bee1a7f064d5bf054

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72ef7d8976d30ab5f65e0360e5714caf

SHA1
08b14334fee4eafe39a238ac1b4f16f4f29e09a1

SHA256
64e2592203b1dc2b3390fe9eae716c179ba80f66c6203b5581647e1546c5fc52

SHA512
767e5dcb8c02cd4999c8e2ad9153e40e9dcbdb8df80618b2f588aa013fead4269c3335750b9deeb379239225cecd2d05ad430d08d2ddc46740ab3e40f05bd37b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6c5ee6779b2b67b4e1f1e09beede592

SHA1
2b6af3a76b0cbd8a5fc59c8e2aaa42c8fb6518ef

SHA256
55e1c57beea08de61fd5687f353d8361fbc3a10149fc10f16a87d71299c01ddb

SHA512
f7db9d3992a801c4a0801eac6471628d82b25e7ee5847103cfb97a13bf9c3df1926cf158c18d8553eb0cdaca5bd56c82342fdbc508c8f3527dcf336601335793

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
879512641d0a7ff878659a04c328f837

SHA1
6cb7e9e6029e12422927dbe7e5fd4079db4f9c99

SHA256
17ce94a1099952160882e8ee200c5007326a703ebced01b6da30e4661ffe32ea

SHA512
e4ab92e89e46cb90411f1f7c74152c3d9998fbb05afeb504af9bbf1beeecc1370a374928ada703ad84e49ab376f1d12afe7f948fca335a63ff5951201fb035e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79e71609a2b1b7309e1f5e8394ef639d

SHA1
344efb25386fbf6e0d6b74b5404e6a59f457e8c1

SHA256
906cad57b52b36f3772bafbc69b94dbcff3fc41d81e2a05e589330bcac5004bf

SHA512
bf8e08178461173beaee50c96996d919065b256ae80ebf75b9eeb04a89b32fdbe83c4ff268d27cecd15637d0cb906aaa14981565268049e0ed95ea9a1427736a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2bbcde811ac71b8cef14d3567b464a0

SHA1
9a84cb1404a33955b37525e0cb537c699d2b266b

SHA256
9449b70f75eb304d82e5231b2fae6fb7960124b9c8c49a4699a2ae3b3e9fa68b

SHA512
da17f1486bc3bce8430f62cc66565a24cd64784c8771bb2c5615b7c6045f442f7f6bfac3e2567815df949942b0d49f49c2611fb41fc1e928d6d2491a72350c52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60f755b461919b48c30e669710aef65c

SHA1
c772323113386f890f2bb3ee9a1c18f9a2133509

SHA256
e3a4f006a0fe4e11f4eff1192c24754857324adebdfa23f528a7f537344ef393

SHA512
737b4323c8ccd3ed84a66b622d91171df7adb3ee96e4dc112ea8c361531a3e4106d1df1a4769f570d34c0a5b2d71e7d730e4c29aa0fdf9b9eef8b3f57625ca4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
66ef8c35dd5816b9b5673e740f3632c4

SHA1
9ac3ac23d97d5da681b0e3433bae956005fa507c

SHA256
15fc795ba0aa5e9e293b16fcce7f66a896979ef0bb7666c16e9eb991e743f582

SHA512
d04418645c018a4c1f7c6f3d3773badde4e5a8bb7aed972bf97ff7cf2392a04e833c025a2e73bc2d9353a16cc81cc0ca828ad25653633f527528e24638291973

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adc6471802c07eb82c58e612ace6bc76

SHA1
47f9fc687903ed5cecfffb3b6dca9a7a0f58e1e3

SHA256
23497205f5f70a4c1a75a4672395f45a068b70c745f5c967fd6691e0242e832d

SHA512
191ab846ec0a3e42e42071daa737dc87c3c6cba23546f956f67240c3034ba3c630a6cc7ee00206cff7805a721c078cfa8b27ade07d0d692ee804d12d3aa96dbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff8310389acdd6e71811684ea18579ed

SHA1
f0270f4d8d868d4e1b6b75707cb64d5c02389cb2

SHA256
e0c33ba256fb6af784cfdb0ab6fe562b98272c9ce7219f941de43ed7dc76445a

SHA512
da68331ad3a0931b788ed2fe9fa545607212835fa04dc8004f47300d5080481ea2eba17b65974e1474aa3a45dd975cab89adb70557c33411f37522bc11779acb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e890d56c278cafa598b0e600568b6ca3

SHA1
a286aa2c78d14bbb1406cdc6050c726318cca8ee

SHA256
d82272ee1a63d9116e1109d0b68f30840e805639b41360895ff7d91bd743b97b

SHA512
dbf0732fa6b2895424340b128b37a6d00de4416be70da7b6b17ec1b17fd6422f8cc9f2cc1276f7f0bed42f94267d1853d537ab685af04904e3c5ff385c3cc676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7DF9F651-3304-11EF-9FC8-F6C75F509EE4}.dat

Filesize
5KB

MD5
9657e1e6d3f07d77c1103acfc0f91550

SHA1
94ad71265e3f636f5d611e06980405a15813fa25

SHA256
e122365a8afe552508a3c7cb8370657b01e7fd2e51206817718a2bcc02950ec6

SHA512
41a4c6d0c443ef264b16c98740dc3bef2b0554080dd343ac3cdf610f53fc9356092851c9b44678c0982acbda03a7cfc228925437f26556e10a6ca2c38936c907

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7DFC57B1-3304-11EF-9FC8-F6C75F509EE4}.dat

Filesize
4KB

MD5
3526fbec6db90f672637f07cb6042bf4

SHA1
0a43a3dc73fe26932083070a429e7424f151aeea

SHA256
c11dcf8a8e9342f3044e2b0997338bdf58f5e7fc40864f7f7711a16217b4dd76

SHA512
d7786efa635750e91d38bc6e1724e9ef14c4ad661bc749068c3d067f698123144f33a9a991d3b92c84cbe7829576bcc595935c7cf2c555b4b322f99b3dd0b08f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7DFC57B1-3304-11EF-9FC8-F6C75F509EE4}.dat

Filesize
3KB

MD5
1d34c99b5d52596ecd61fbcf5086b212

SHA1
d2a2e025bba9b5cc02e84ca7f308869c4cc645b8

SHA256
48f966bfee904c60bfa8aae4ceecc55266f9d3a8d7ec257aedc001163cbf6820

SHA512
777ca6fc7af1387d4dd6f7308d36056742ff3f275ee906408224bb38e99ea04333046af0bbd0a66e86cf9a49411f27a798d254f331ab2a977fbf8fdad4971525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7DFC7EC1-3304-11EF-9FC8-F6C75F509EE4}.dat

Filesize
5KB

MD5
0ebfb69e19236000a54f8bc905c0094e

SHA1
84e5d746fc8fa1ba6228ac5fc8bad3d1c426613a

SHA256
c0dee2952a14d2eec340f1d0480a30f5fdf8de451b9619a0d4128950ca2c8aea

SHA512
c58f326722d3df4d8c3e0cc322fcd0ac2c4ea79be9510e11aa5b234cf116e93d2d9d3dd2900fb94f2c5eee6932c6b681f4578a7e7d891fe6e7bfc9d474f9b31e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2618.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar26C8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1896-3-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/2052-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2208-2-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2428-0-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads