Malware Analysis Report

2025-01-22 12:58

Sample ID 240626-jy3q6sthmg
Target 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118
SHA256 f92beb2a4d338f69c1d6e5248ba6384e7c1dfc31a7f5f485c1ef5d2a71538720
Tags vmprotect
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 f92beb2a4d338f69c1d6e5248ba6384e7c1dfc31a7f5f485c1ef5d2a71538720

Threat Level: Shows suspicious behavior

The file 114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

vmprotect

Checks computer location settings

VMProtect packed file

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Kills process with taskkill

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-26 08:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-26 08:05

Reported 2024-06-26 08:08

Platform win7-20240220-en

Max time kernel 140s

Max time network 141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
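
The signature above names the packer but not the indicator that matched. VMProtect is usually recognised statically by its default section names (.vmp0, .vmp1), by an entry point that points into one of those sections, and by section contents with near-random byte distribution. The Python below is an added example written for this page, not the sandbox's own detection logic: it reads the section table with struct alone, so it runs without pefile, and reports those three heuristics. The PE it builds for the demonstration is constructed in the code and is not the report's sample; to check the real file, pass its path on the command line. The section names are an assumption about VMProtect's defaults, since the tool lets an author rename them, and a high-entropy section by itself is also what compressed resources or an encrypted overlay look like, so neither indicator is proof on its own.

```python
"""Static check for VMProtect-style packing on a PE file (added example)."""
import hashlib
import math
import struct
import sys
from collections import Counter

SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def entropy(buf):
    """Shannon entropy in bits per byte; packed or encrypted data sits near 8.0."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data):
    """Walk the DOS header, PE signature, COFF header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsect = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    opt = e_lfanew + 24                                           # optional header start
    entry = struct.unpack_from("<I", data, opt + 16)[0]           # AddressOfEntryPoint (RVA)
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_off = SECTION_HDR.unpack_from(data, opt + opt_size + 40 * i)[:5]
        raw = data[raw_off:raw_off + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": raw_size,
                         "entropy": round(entropy(raw), 2)})
    return {"entry_point": entry, "sections": sections}


def vmprotect_indicators(data):
    """Heuristics only: default VMProtect section names (assumed defaults), entry point
    relocated into one of them, and near-random section contents."""
    pe = parse_pe(data)
    ep = pe["entry_point"]
    ep_section = next((s for s in pe["sections"]
                       if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"])), None)
    return {
        "vmp_sections": [s["name"] for s in pe["sections"] if s["name"].startswith(".vmp")],
        "entry_in_vmp": bool(ep_section) and ep_section["name"].startswith(".vmp"),
        "high_entropy": [s["name"] for s in pe["sections"] if s["entropy"] > 7.0],
    }


def build_sample_pe():
    """Constructed PE32 image (not the report's sample): a zero-entropy .text section and a
    high-entropy .vmp0 section that holds the entry point."""
    def fill(seed, size):                    # deterministic pseudo-random bytes
        out, h = b"", seed
        while len(out) < size:
            h = hashlib.sha256(h).digest()
            out += h
        return out[:size]
    sections = [(b".text", 0x1000, b"\x90" * 0x200), (b".vmp0", 0x2000, fill(b"vmp", 0x1000))]
    opt_size = 0xE0                          # PE32 optional header size
    raw_base = 0x200                         # first section after file-aligned headers
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                      # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                                    # PE32 magic
    struct.pack_into("<I", opt, 16, 0x2000)                                  # entry point RVA in .vmp0
    table, body, off = b"", b"", raw_base
    for name, va, content in sections:
        table += SECTION_HDR.pack(name.ljust(8, b"\0"), len(content), va, len(content), off,
                                  0, 0, 0, 0, 0x60000020)
        body += content
        off += len(content)
    header = dos + coff + bytes(opt) + table
    assert len(header) <= raw_base
    return header.ljust(raw_base, b"\0") + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for s in parse_pe(blob)["sections"]:
        print(f"{s['name']:<8} va={s['va']:#010x} raw={s['raw_size']:#x} entropy={s['entropy']}")
    print(vmprotect_indicators(blob))
```

Run it against the sample's path to see which of the three indicators the report's signature most likely reflects; a file with no .vmp section and a normal-looking entry point but one 7.9-bit section is still worth unpacking before trusting any static strings.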

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\JoachimPeiper.dat C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe N/A
File created C:\Windows\rxing.bat C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe N/A
File created C:\Windows\mssoft.bat C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425551007" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E0EDA841-3392-11EF-AAE3-46DB0C2B2B48} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c099dfe09bf0344ba71704b046502f8900000000020000000000106600000001000020000000eccf0c08b6a539dfa0a3870d183aa3c7b173c18d9a4c7e9d14b7628e6bafa4e7000000000e8000000002000020000000d97cc52f17acef32c0330369920f0941f0fcb77d076958807eb71b43cf271b152000000010835e88faedc6c1f573875cdd6038e322efd93646236842e05e93663cc3405140000000deb7884882837a3cc3c3b53ce9d3b9156e578f7dde10871eafd0d65fe353c800b17ac75478b766188c8c84c06934e21564b32fe2c3cc65a6d1ad7c48b6b7faec C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 60b586b69fc7da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2064 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2064 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2064 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2792 wrote to memory of 3024 N/A C:\Windows\explorer.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 3024 N/A C:\Windows\explorer.exe C:\Windows\system32\cmd.exe
PID 2792 wrote to memory of 3024 N/A C:\Windows\explorer.exe C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2064 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2064 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2064 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2064 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2064 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2548 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2548 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2548 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2556 wrote to memory of 3052 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2556 wrote to memory of 3052 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2556 wrote to memory of 3052 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2556 wrote to memory of 3052 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe" C:\nod816.bat

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\system32\cmd.exe

cmd /c ""C:\nod816.bat" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\mssoft.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im qq.exe /t

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2

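The process list and the WriteProcessMemory rows describe one chain. The sample starts the 32-bit shell with C:\nod816.bat as its argument; the 64-bit explorer.exe instance started as a COM server (/factory ... -Embedding) runs that batch file through cmd.exe; the sample separately runs C:\Windows\mssoft.bat, and that batch file calls taskkill /f /im qq.exe /t (qq.exe is the process name of the Tencent QQ client), which is where the SeDebugPrivilege token adjustment comes from. The launch of iexplore.exe with http://www.google.com/ accounts for all the Internet Explorer registry writes above and for the network traffic below. Every target PID in the WriteProcessMemory rows has exactly one writer, and each writer/target pair is a parent and a child it started (the IEXPLORE.EXE child even carries SCODEF:2556, its parent's PID), so those rows document process creation rather than a write into a process the sample did not create. The Python below is an added triage example, not part of the sandbox report or its vendor's tooling: it rebuilds the writer/target tree from one copy of each WriteProcessMemory row and applies a few rules of this editor's choosing to the command lines. Both inputs are copied from this page.

```python
"""Reconstruct the process tree and apply triage rules to the behavioral1 data (added example)."""
import re
from collections import defaultdict

# Constructed input: the Processes section of behavioral1, copied as (image path, command line).
PROCESSES = [
    (r"C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe"'),
    (r"C:\Windows\SysWOW64\explorer.exe", r'"C:\Windows\System32\explorer.exe" C:\nod816.bat'),
    (r"C:\Windows\explorer.exe",
     r"C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding"),
    (r"C:\Windows\system32\cmd.exe", r'cmd /c ""C:\nod816.bat" "'),
    (r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/'),
    (r"C:\Windows\SysWOW64\cmd.exe", r'cmd /c ""C:\Windows\mssoft.bat" "'),
    (r"C:\Windows\SysWOW64\taskkill.exe", r"taskkill /f /im qq.exe /t"),
    (r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
     r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2556 CREDAT:275457 /prefetch:2'),
]

# Constructed input: the distinct "Suspicious use of WriteProcessMemory" rows of behavioral1.
# The report repeats each row once per write call; one copy per writer/target pair is enough.
WRITE_ROWS = r"""
PID 2064 wrote to memory of 1976 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2792 wrote to memory of 3024 N/A C:\Windows\explorer.exe C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2064 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2548 wrote to memory of 2568 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2556 wrote to memory of 3052 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"""

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.IGNORECASE)
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".js", ".ps1")


def process_tree(rows):
    """Map every written-to PID to its writer. A PID with two different writers would point at
    a write into a process the writer did not create; none occurs in this report."""
    parent, image, children, multi_writer = {}, {}, defaultdict(list), set()
    for line in rows.strip().splitlines():
        m = WRITE_RE.match(line.strip())
        if not m:
            continue
        writer, target = int(m.group(1)), int(m.group(2))
        image[writer], image[target] = m.group(3), m.group(4)
        if parent.get(target, writer) != writer:
            multi_writer.add(target)
        parent[target] = writer
        if target not in children[writer]:
            children[writer].append(target)
    roots = sorted(pid for pid in image if pid not in parent)
    return roots, dict(children), image, multi_writer


def triage(processes):
    """Rules of this editor's choosing; each finding is (rule, image, detail)."""
    findings = []
    for image, cmdline in processes:
        exe = image.rsplit("\\", 1)[-1].lower()
        args = cmdline.split()
        if exe == "explorer.exe" and any(a.lower().endswith(SCRIPT_EXT) for a in args):
            findings.append(("explorer-launches-script", image, cmdline))  # shell as script launcher
        if exe == "cmd.exe":
            m = re.search(r'"?([A-Za-z]:\\[^"]+?\.(?:bat|cmd))"?', cmdline)
            if m and (m.group(1).lower().startswith("c:\\windows\\") or m.group(1).count("\\") == 1):
                findings.append(("script-outside-user-profile", image, m.group(1)))
        if exe == "taskkill.exe" and "/f" in cmdline.lower():
            m = re.search(r"/im\s+(\S+)", cmdline, re.IGNORECASE)
            if m:
                findings.append(("kills-process", image, m.group(1)))
        if exe == "iexplore.exe":
            m = re.search(r"https?://\S+", cmdline)
            if m:
                findings.append(("launches-browser-url", image, m.group(0)))
    return findings


if __name__ == "__main__":
    roots, children, image, multi = process_tree(WRITE_ROWS)

    def show(pid, depth=0):
        print("  " * depth + f"{pid} {image[pid]}")
        for child in children.get(pid, []):
            show(child, depth + 1)

    for root in roots:
        show(root)
    print("PIDs with more than one writer:", sorted(multi) or "none")
    for rule, image_path, detail in triage(PROCESSES):
        print(f"[{rule}] {image_path} -> {detail}")
```

The tree has two roots: 2064 (the sample) and 2792, the 64-bit explorer.exe that ran C:\nod816.bat; the rows do not record who started 2792, which is consistent with COM activation rather than a direct child of the sample, so hunting for the batch file's execution should key on cmd.exe with a root-of-drive .bat argument, not on the sample's own PID.
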
Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.200.3:80 o.pki.goog tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 172.217.16.227:443 ssl.gstatic.com tcp
GB 172.217.16.227:443 ssl.gstatic.com tcp
US 8.8.8.8:53 clients1.google.com udp
GB 142.250.200.3:80 o.pki.goog tcp
GB 216.58.213.14:443 clients1.google.com tcp
GB 216.58.213.14:443 clients1.google.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.180.14:443 apis.google.com tcp
GB 142.250.180.14:443 apis.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2064-1-0x0000000000020000-0x0000000000022000-memory.dmp

memory/2064-0-0x0000000000400000-0x00000000004B1000-memory.dmp

C:\nod816.bat

MD5 c9c561c8d6c771461a8ffa1adfab82a1
SHA1 ab0d4ecd4e6750cd9c88d007dd39fa8e9abfff0d
SHA256 fc5f49def9045d1f16ed8b63ee17dc9ecb8813348070a5c34d4ae073184dd077
SHA512 1591a86ecb930b594b2b0be8ef8675dfad7b3b73fef28ebe95e9dfacb8fa4e743f1d3052b01d6bc009a86d12505be6098c698bee2ae52c911c6421c8e4137712

C:\Windows\rxing.bat

MD5 de9b364971e516df97025c91f56a52b7
SHA1 f2d0b2dc72cebc45855ba1ef830bdeda81bccf31
SHA256 55cd4824054e26f311118fc1630be26f33c1d8fda552fbe5146c9ca7dbad503f
SHA512 9777a6ce9bf44fd5d426acc1ddc73910908b9fef1ed942c72e7a4c77fa689f3f91c053cd61690e75b8ae59948ff36e937e5b4cbcd197dff574d32e4d11bc6e1d

C:\Windows\mssoft.bat

MD5 3d7c7b33e3c17d8a0ff01e4647ba538b
SHA1 1c6f75ddb631093d3f6563d00eb0e0b959779e38
SHA256 f2b5fcb625c6d60c62be2d371d45910506c4a650e6e1a994d0f284740d764c8e
SHA512 9ac3b3359c342f8d1d5c7b31abbe5a3797b1d642e907d3c1e8706dc632ac1d9215c4eeaeed454e552217a44cac6e71a3c6bbdb670f0df5450922777bf3b84a15

memory/2064-19-0x0000000000400000-0x00000000004B1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

MD5 46233ad2cf22df510f658dd54011d4af
SHA1 fd53a959cb42f466f31784a030def40d8a1af707
SHA256 af600d2fc5fd70ea395ba970a09b61d780046bf26cc93833bfaeca2b212c2f21
SHA512 e2a419b43dd594174b5cb4f03d0be39cdf20f02f4ee628652ffc5c55dae7452291b6ca74239c30484bd7e3d6cb57a571a5c77f7158c783e9745a823c12ca01fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3979d1316073141fe5fa0a8bfb048d61
SHA1 8816e091517017d51f6b4ff78e61e17dff66a806
SHA256 af96689cedb9b1dee3855119c27a2e2eb72d0a0ba9fa3c9e82db85ba6e3dc1b6
SHA512 02ccf8459937d55e345ad2dc41a8fbc0c520698e3c5142a9984a550f2ff381f0567fd48585990d5ff4ad31057caf3316f354864792f3e2636985d8d0422d84e5

C:\Users\Admin\AppData\Local\Temp\Tar6BD1.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\Cab6BC0.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar6CF0.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cfe0410c57e8ff93e25f5d05262d6d5d
SHA1 04625989cabc5c8db9d149d67ae7892be16872d6
SHA256 99b753b036f317f53373f290f83225ec019bf5808b65e9303e4fcd244ced447b
SHA512 71b14f4de28e57ba45be4c2429c29c20ece32e9b9ab21330d37960e917ed20ee8ec9b74962cfbec5c99881b0c12b5ee619b652c9861d8d23ae50a6c201d937dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fe2a98be24f383bb5ca9e4af73c4d7ff
SHA1 b5cae1937acc5f90c8058d4c2287ea320396dc56
SHA256 aece1842a2139a8adffbe00855dbfec87ab0f434dce28902a82966d3fafdee06
SHA512 6fd41f9b3b6a56811c58c1d86f34c9a7a368da0570bf7dbfde88d9cafefe430309d422327546ac9251f7ad3de32e920dec20172b15cc7f88211c1278a65cb80d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7f29e0959d0f1f83f6e9a6f4b4705a4
SHA1 59cb1dae1126b919f282cda6a0c76188f70e3ed3
SHA256 00686d2460bddfda37b862db1bd799aeafd4c804ec2c6df63be15610e78648fd
SHA512 c3cb8a4fd6c8e744338360e6761d34b646fcf03d06def9dce6686318c89f76a074a22961ed81f945d81ec25a7a0bae4dec0c8aee04be29efffe7ef49ef26db9e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 724212399a190618eb1a63e907aa0547
SHA1 c9fbae28172195fe39a4082cfbf0594a5376ce11
SHA256 bd5089dc3151e76834a775e870944844e6a9079c2a9777df054a909e6bbd6508
SHA512 5845b10de333c485dd815d019104aaf98b7c7163e1fddd95a8b03924db64e959f8dd9722c03673e28c5a425e87bdb3f5090a12a06854a3c0a209e4c68ad6f89e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4bdbcc0dbe0044f7a639ecc8deee7c8e
SHA1 be8e15e70fd84db60ad8d2deb5a4d48af6f03646
SHA256 4c79de03c8d0972efaa2b90e4d36ade63abb17d72dce567c7144b264472f69ca
SHA512 d0dcb32f056e71a95eb07c9208eb9b699684e55b9219e91c220a7e1013405052cf4c33f32243d0aa9d33c7ffca30276cfbf7e97a6e00df526abaa19533745d4c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1be8e10a936b98305870dd82a14aa4f1
SHA1 d7cdc72d32323001acbbfe0df2ac8a71268b1635
SHA256 819c964030bfba50c605791788692d2693ebf3ad0ca442746086a05d9f18301c
SHA512 d0f3e492b8c487ccd8c491b83889bf4ea70c91cdad2fbf903a9e28aeed7d9fc8d7835085e521cf67371aa3046ca195445d98a32c32478dc5517e39554376700e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 04d5002ce390461aaebaecf49f47be9d
SHA1 4857b53e1c59e2f7e2ce3adc7e5e4681a8ae4003
SHA256 9b36b5aae830968108e4e11af8f87ff98042df43910178b76b4a504ce9882b9e
SHA512 2d80f5b55a89e64daba9f60b92ccfcf86f001ab227ab878f1f35b2a098608a4427fce88981c9c6f182f5514251a5185db756ff9b55c75484629420ee21a5c029

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b4a1cdef8061576a92d9d62e7d150cdf
SHA1 b503783e62baed77db7a30ea3229402c287a81c4
SHA256 29db3e4053f09ca1106f93d7353f974bb67ecef2a3dafe510531dca0b43dd66d
SHA512 be344664ade3c907dd0515b7cbf0f963fe2b79f4beb4127ed114a08e6732d0b48c3b6086640de369e6d6bb551418b5f67e4fc2eef970e315a00f21bf4d637ee8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 975fdfe2ded48b212fb2873629d92bb1
SHA1 e6853a15ee47dc5d9a40626f34059891b6619416
SHA256 48eea2dbf74a772ae9705d8b1228f43601af1fdd8c461a7d0c75f8f416c9a4bc
SHA512 55dd21396af358f1960cdd0020e4a5a7ce752ddd8a098b3d45f33caf97f8462179e2a301982bc7086368c053c07181a83d05646033e1c000cc8c2afe218727f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5e7265cf5b62b568c7d879bb9afdc7b
SHA1 5e17fc5e78d8a2702f382dca75a82aa7117187d8
SHA256 7704999d1bdd261c7f382eb34693d9f5e84cb14e44c4d3f6629566e991de03aa
SHA512 9381f3fb51381855e0b9328ad48b1cc59f24f3bb215dc18e3991c88b48c75878394baa0cc93f51e62b44d9f74140754c83ff55ef263c442cc42e7ca9c0200706

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a0a98967930d8fa4605d0f66aeb14636
SHA1 0a579cf51a8952a546af1aae34d070d7ca4ea895
SHA256 c06e9997c65433758a97f10c7060a19bd414e657454b2b23e2b2a43f07d7e022
SHA512 5d7fd390c7dac56d7b81d44e191e68d8cc800fe78fe0435700abccc5cfe5f3cecfc546b1507ba167931880494a2d24cc0d5ad2b1c538cf11812e1f3b363665dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 761a57d227ca83c35dcc7e60e55f390d
SHA1 3d98bb1c71df3f7c1bdb80f4a45b3411c1e82056
SHA256 73c4740fdf5ad6d84029538f3c07ee50af9ae579850f0f251e1a40c42fda19ee
SHA512 be3aaa75245d0ac425d6175041f356a56529b229dcc6a14c2923de761ed43eb5c07e5504d672b25d8085b084db7f14f812b7395fd38d5d3b0f932504e7345c09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 c864c4b65941f08f3488a315f989f4d3
SHA1 cf012c19b0d115c720ae72e82c9c64c73087d3d8
SHA256 934ed20fc587501f44a5a8a999aea80f1aa0a8267f6c97fecd639d130fbf3d03
SHA512 5a1d5c458d19956363c85578a5cf895f45dc7655e4f332d5e40e75a1d7124f395c1b5985b2edc2b5ceca13ce7287a150e1bb511e776163db37328a592e22fd41

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
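
Most of the Files list is not the sample's doing. The Content.IE5 and imagestore entries are written by Internet Explorer while it loads www.google.com; the CryptnetUrlCache entries and the Cab*/Tar*.tmp files in Temp are CryptoAPI's certificate cache and root-certificate download scratch files, which line up with the c.pki.goog and o.pki.goog connections in the Network section; the memory/ entries are the sandbox's own dumps of PID 2064. The three batch files are the artefacts worth hashing. C:\Windows\JoachimPeiper.dat appears under "Drops file in Windows directory" but has no entry here, so the report gives no hash for it. The Python below is an added example, not part of the report: it parses the listing in the form it takes on this page, drops the cache noise by path pattern, and de-duplicates by path and SHA256 (the same CryptnetUrlCache path appears many times with different hashes because the file is rewritten repeatedly). The input is a subset copied from the page with the SHA512 lines left out; the noise patterns are this editor's choice.

```python
"""Separate sample-attributable dropped files from browser and CryptoAPI cache noise (added example)."""
import re

# Constructed input: a subset of the behavioral1 Files section copied verbatim, SHA512 lines omitted.
FILES_SECTION = r"""
memory/2064-0-0x0000000000400000-0x00000000004B1000-memory.dmp

C:\nod816.bat

MD5 c9c561c8d6c771461a8ffa1adfab82a1
SHA1 ab0d4ecd4e6750cd9c88d007dd39fa8e9abfff0d
SHA256 fc5f49def9045d1f16ed8b63ee17dc9ecb8813348070a5c34d4ae073184dd077

C:\Windows\rxing.bat

MD5 de9b364971e516df97025c91f56a52b7
SHA1 f2d0b2dc72cebc45855ba1ef830bdeda81bccf31
SHA256 55cd4824054e26f311118fc1630be26f33c1d8fda552fbe5146c9ca7dbad503f

C:\Windows\mssoft.bat

MD5 3d7c7b33e3c17d8a0ff01e4647ba538b
SHA1 1c6f75ddb631093d3f6563d00eb0e0b959779e38
SHA256 f2b5fcb625c6d60c62be2d371d45910506c4a650e6e1a994d0f284740d764c8e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

C:\Users\Admin\AppData\Local\Temp\Tar6BD1.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3979d1316073141fe5fa0a8bfb048d61
SHA1 8816e091517017d51f6b4ff78e61e17dff66a806
SHA256 af96689cedb9b1dee3855119c27a2e2eb72d0a0ba9fa3c9e82db85ba6e3dc1b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cfe0410c57e8ff93e25f5d05262d6d5d
SHA1 04625989cabc5c8db9d149d67ae7892be16872d6
SHA256 99b753b036f317f53373f290f83225ec019bf5808b65e9303e4fcd244ced447b
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.IGNORECASE)

# Paths written by the browser, CryptoAPI or the sandbox itself rather than by the sample.
NOISE = [re.compile(p, re.IGNORECASE) for p in (
    r"^memory/",                                             # sandbox memory dumps
    r"\\Temporary Internet Files\\",                         # IE cache
    r"\\Internet Explorer\\imagestore\\",                    # IE favicon store
    r"\\CryptnetUrlCache\\",                                 # CryptoAPI cert/CRL/OCSP cache
    r"\\AppData\\Local\\Temp\\(Cab|Tar)[0-9A-F]{4}\.tmp$",   # CryptoAPI root-cert download scratch
)]


def parse_files(text):
    """Return one record per path; a non-blank line that is not a hash line opens a record
    and the MD5/SHA1/SHA256/SHA512 lines that follow attach to it."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2).lower()
        else:
            current = {"path": line}
            records.append(current)
    return records


def dropped_file_iocs(text):
    """Records that pass the noise filter, carry a SHA256 and are unique by (path, sha256)."""
    seen, iocs = set(), []
    for rec in parse_files(text):
        if "sha256" not in rec or any(p.search(rec["path"]) for p in NOISE):
            continue
        key = (rec["path"].lower(), rec["sha256"])
        if key not in seen:
            seen.add(key)
            iocs.append(rec)
    return iocs


if __name__ == "__main__":
    for rec in dropped_file_iocs(FILES_SECTION):
        print(f"{rec['sha256']}  {rec['path']}")
```

Hashes of the batch files are only useful as long as the dropper writes them byte-for-byte identical; the file names under C:\Windows and the drive root are the more durable hunting artefacts, and the batch contents themselves are not reproduced in the report.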

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-26 08:05

Reported 2024-06-26 08:08

Platform win10v2004-20240508-en

Max time kernel 141s

Max time network 137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\JoachimPeiper.dat C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe N/A
File created C:\Windows\rxing.bat C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe N/A
File created C:\Windows\mssoft.bat C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115167" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3082769162" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31115167" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3080737750" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b2e58ab8bf361247b7301f68e304ddb2000000000200000000001066000000010000200000009068fb081f86ad7eff629c50e450ce6b221ccfed372cca03a599d9d406e6be10000000000e8000000002000020000000401f313e7c8bd28c8d1df82dee4000b6086d21aad1f3e8eaf5780de3af461f3820000000429a29119516307a954360e67029ad4df89ea5a6630d3065355d099266ac663440000000be1069ca3bbbb40ccdd55e1f04eb9dfaa1768d4f1be6baa9a5126b5eecc3815738cd0c7a0a213fd785cd0968f2b10928fb505ddaa4004f65aa85e4f711d10530 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f029b7b89fc7da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426154118" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b2e58ab8bf361247b7301f68e304ddb2000000000200000000001066000000010000200000005e309f62241fefc66debdd8e3ad6696760d397e2ee26b91ecac622d5bc23931a000000000e8000000002000020000000bfa224357e5ee513980ae2e7982640eb325b02f922c655beacbd7f62e3e48c2d20000000c81ced283989907b011dbb44277dd5a81f558e0e60bfe75a7a3abaea695c4ca0400000002c2ee1acc4705f8e7faade1bdd81186acffc5f5a9a0bcd5e66528d3f9dca59c3a17569f567ccbc580f3909c930cf37f2064fafe437822ef9012965b29ec6a387 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0e4bbb89fc7da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E335641E-3392-11EF-B8C0-E659512317F8} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3080737750" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31115167" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2520 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2520 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2520 wrote to memory of 4604 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Windows\SysWOW64\explorer.exe
PID 2224 wrote to memory of 1816 N/A C:\Windows\explorer.exe C:\Windows\system32\cmd.exe
PID 2224 wrote to memory of 1816 N/A C:\Windows\explorer.exe C:\Windows\system32\cmd.exe
PID 2520 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2520 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2520 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2520 wrote to memory of 668 N/A C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 668 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 668 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 668 wrote to memory of 2536 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\taskkill.exe
PID 2636 wrote to memory of 1164 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2636 wrote to memory of 1164 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2636 wrote to memory of 1164 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\114a2cbd4baa8f99839403dfdfa970a3_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3644,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\System32\explorer.exe" C:\nod816.bat

C:\Windows\explorer.exe

C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\nod816.bat" "

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\mssoft.bat" "

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im qq.exe /t

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:80 www.google.com tcp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.200.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.200.3:80 o.pki.goog tcp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 3.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 ssl.gstatic.com udp
GB 172.217.16.227:443 ssl.gstatic.com tcp
GB 172.217.16.227:443 ssl.gstatic.com tcp
US 8.8.8.8:53 clients1.google.com udp
GB 216.58.213.14:443 clients1.google.com tcp
GB 216.58.213.14:443 clients1.google.com tcp
US 8.8.8.8:53 227.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 14.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.180.14:443 apis.google.com tcp
GB 142.250.180.14:443 apis.google.com tcp
US 8.8.8.8:53 14.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/2520-1-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2520-0-0x0000000000400000-0x00000000004B1000-memory.dmp

C:\nod816.bat

MD5 c9c561c8d6c771461a8ffa1adfab82a1
SHA1 ab0d4ecd4e6750cd9c88d007dd39fa8e9abfff0d
SHA256 fc5f49def9045d1f16ed8b63ee17dc9ecb8813348070a5c34d4ae073184dd077
SHA512 1591a86ecb930b594b2b0be8ef8675dfad7b3b73fef28ebe95e9dfacb8fa4e743f1d3052b01d6bc009a86d12505be6098c698bee2ae52c911c6421c8e4137712

C:\Windows\rxing.bat

MD5 de9b364971e516df97025c91f56a52b7
SHA1 f2d0b2dc72cebc45855ba1ef830bdeda81bccf31
SHA256 55cd4824054e26f311118fc1630be26f33c1d8fda552fbe5146c9ca7dbad503f
SHA512 9777a6ce9bf44fd5d426acc1ddc73910908b9fef1ed942c72e7a4c77fa689f3f91c053cd61690e75b8ae59948ff36e937e5b4cbcd197dff574d32e4d11bc6e1d

memory/2520-12-0x0000000000400000-0x00000000004B1000-memory.dmp

C:\Windows\mssoft.bat

MD5 3d7c7b33e3c17d8a0ff01e4647ba538b
SHA1 1c6f75ddb631093d3f6563d00eb0e0b959779e38
SHA256 f2b5fcb625c6d60c62be2d371d45910506c4a650e6e1a994d0f284740d764c8e
SHA512 9ac3b3359c342f8d1d5c7b31abbe5a3797b1d642e907d3c1e8706dc632ac1d9215c4eeaeed454e552217a44cac6e71a3c6bbdb670f0df5450922777bf3b84a15

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\7UY3WOJS\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\hbgcal3\imagestore.dat

MD5 9f1f214c16ae092065c5a1596033d25d
SHA1 654ae7c44a31f27b0ab6653764533f15e57733a5
SHA256 5296612f7fe8745dda58d4bb565cd8a6e004ddd6035392c5481625788bc48b62
SHA512 f9bfd9c544a5d91681db7b8f0d513de3d2c0e5dae7fa033dc53c591b0a5fd18f87e4439036328a85a639c2c61e8599c544d1bc61edb221dcdcb5e5f8ab939c68

memory/2520-61-0x00000000001C0000-0x00000000001C2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 c146dedfc5f3150f85d6a3c3d8578f12
SHA1 f4bbe6738ceec0d0ea01f7d259c8d812e7d44230
SHA256 0397b7a212674b4b75f1c94ee0e6eae8a38da894d2b91dd7425544f4d0952f0b
SHA512 90d36d369a14ad5f98e5ba08875a8c6cc71aca03b0857a26a9caccc719d3b0f4bde7ed0a366dd30a9a2f54a4ddee8934770ca5607ac053c4b717bacf2b2aca5f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 b9b9f42ce6d2b20bf169d05480d239d4
SHA1 32b094cc2ff79f07fcd68d585846b919bc350e4d
SHA256 4d16bb8c9a34d4de9d39bb5f0e87095617b5ad551112db17b38b6cb752fbdae4
SHA512 36b45c544439c6b1fab4c2fa58712475a65ad467e3da61086c4a953d6587d35f5c6ae7de740863295ae0d3534cbf67d0bed6843d95b6786b50431bfeebcf1010

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YOJF4VYG\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee