d2c191efb48178d2a6839a88d12aa06a2ac290e2e0205cf41ada5c30c977dde4

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
27/06/2024, 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Size

614KB
MD5

16df3e18364b87c964faa0a3831a9139
SHA1

6aa62a43b4c155cfd559d8da772dfdeef81d5429
SHA256

d2c191efb48178d2a6839a88d12aa06a2ac290e2e0205cf41ada5c30c977dde4
SHA512

b6a8bb9b675b3d7230747cb242ab76bf753273f1c32293d2e69b02a0ded744c16666eee66c409693897d4fa93a1be9d581bb4d9f4b146abbdb9bcade7c4c9643
SSDEEP

12288:YaWz2Mg7v3qnCi8ErQohh0F4CCJ8lnyLQYn:PadMv6CYrjqnyLQ+

Score

7^/10

persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2828	cmd.exe

Modifies system executable filetype association 2 TTPs 12 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "´ò¿ª(&O)"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Program Files (x86)\\Winrar\\Monitor.jse\" \"%1\" %*"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\SysWOW64\\WScript.exe\" \"C:\\Program Files\\Tencent\\cgi-bin.n\" \"%1\" %*"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DROPHANDLER	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d1000000000200000000001066000000010000200000004e6800e49bf393ec85d0c89d1a9905bc0b2a8906ed4e79ad997f6370051f9c70000000000e8000000002000020000000c9fbc7a68fb3af4e46124d6ce8bdc6fd0572a44f0e5d7eee41c3195f24d2be0890000000e6ae8da517b6f1a4c4ad52c88fb6eecb73efe0bd6560241145bb1758467852050faf6967d36119e6b63feb60f9c2f8f3407ce917f9eaec472b53f4655039e1219a40513f50e91b78c471818d8e1d78504eeb4c7b812e5f2f7dc6b0b4e76e4ca1bdba8b0440c09de90d74d3ececb0ec4671399aa7d9ad5ac2dd5499591a2bfdc941d08fa90b50d1731aafa025ec49deb6400000001b3afa19207614b06c38076ef1b6fa975d7e50e6ca5fe4407fc5aa93cb61fa3c318d50b22a98cb1be83194b61dd2070c6f04d6064dfe359f4cecbb9401539482	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d7c7e73b934388418857a0db8be9c1d100000000020000000000106600000001000020000000fee390309ead15375ae2461faef4497912d4adcc602f467b5214446c0b34a453000000000e8000000002000020000000253eb834d9424d186ca8d52cf95be674c01276386980f7cfabc84c90ef76934c20000000be786d7b24dfd94ba178e9800de405f9274eb3aaa8354f5edf3a3fe2fe37d8dc400000007ce95d3c46c07733b24d9405a710994c213543a4fa9529db564719f3efbbb4883fd4acbc1607b7889e4a77d6a7cba683e3a3619b86f219993357f76d37cca0e4	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 80bd379cb7c8da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D8488251-34AA-11EF-9A0E-5A3343F4B92A} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425671252"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Modifies registry class 50 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Print\Command	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\WScript.exe,3"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open\Command	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\DropHandler\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\FriendlyTypeName = "@%SystemRoot%\\System32\\wshext.dll,-4805"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open2	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\SysWOW64\\WScript.exe\" \"C:\\Program Files\\Tencent\\cgi-bin.n\" \"%1\" %*"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Edit\Command\ = "%SystemRoot%\\SysWow64\\Notepad.exe %1"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open2\Command\ = "%SystemRoot%\\SysWow64\\CScript.exe \"%1\" %*"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open2\Command	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Print\Command\ = "%SystemRoot%\\SysWow64\\Notepad.exe /p %1"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open2\ = "在命令提示符中打开(&W)"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\DropHandler	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ScriptEngine	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.n\ = "Nfile"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Edit\Command	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\DefaultIcon	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open\Command\ = "%SystemRoot%\\SysWow64\\WScript.exe \"%1\" %*"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\PropertySheetHandlers\WSHProps\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DROPHANDLER	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ScriptEngine\ = "JScript.Encode"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Edit	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\PropertySheetHandlers	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Print\ = "打印(&P)"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\PropertySheetHandlers\WSHProps	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ = "JScript 已编码的 Script 文件"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Program Files (x86)\\Winrar\\Monitor.jse\" \"%1\" %*"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.n	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Edit\ = "编辑(&E)"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open\ = "打开(&O)"	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Print	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "´ò¿ª(&O)"	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2056	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1796	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1796	iexplore.exe
1796	iexplore.exe
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE
2692	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 1804	3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe	29
PID 3008 wrote to memory of 1804	3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe	29
PID 3008 wrote to memory of 1804	3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe	29
PID 3008 wrote to memory of 1804	3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe	29
PID 1804 wrote to memory of 1796	1804	WScript.exe	31
PID 1804 wrote to memory of 1796	1804	WScript.exe	31
PID 1804 wrote to memory of 1796	1804	WScript.exe	31
PID 1804 wrote to memory of 1796	1804	WScript.exe	31
PID 3008 wrote to memory of 2828	3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe	32
PID 3008 wrote to memory of 2828	3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe	32
PID 3008 wrote to memory of 2828	3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe	32
PID 3008 wrote to memory of 2828	3008	16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe	32
PID 2828 wrote to memory of 2056	2828	cmd.exe	34
PID 2828 wrote to memory of 2056	2828	cmd.exe	34
PID 2828 wrote to memory of 2056	2828	cmd.exe	34
PID 2828 wrote to memory of 2056	2828	cmd.exe	34
PID 1796 wrote to memory of 2692	1796	iexplore.exe	35
PID 1796 wrote to memory of 2692	1796	iexplore.exe	35
PID 1796 wrote to memory of 2692	1796	iexplore.exe	35
PID 1796 wrote to memory of 2692	1796	iexplore.exe	35

C:\Users\Admin\AppData\Local\Temp\16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe"
1⤵
- Modifies system executable filetype association
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Windows\SysWow64\WScript.exe
  "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitor.n"
  2⤵
  - Modifies system executable filetype association
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1804
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.com/?g9
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1796 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2692
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 4 127.1>nul &del /q "C:\Users\Admin\AppData\Local\Temp\16df3e18364b87c964faa0a3831a9139_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 4 127.1
    3⤵
    - Runs ping.exe
    PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
222f00048751569db74d994e432a7e33

SHA1
c196a7c5748ae8458c0bf544c4d29bff42547788

SHA256
cdadcf03444c7b76ccce537606dfa31f5020cae9ef9d202f506565e755cd6290

SHA512
a8f8667d50601aef27614a93fca798fb3ffaade129b949c3abd99fa77f75479ed7abbcc0aaf33606f1b35592379c49088230bdb68031a3b7d9c7586c8d4284ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4098993b08f6d9b0fcf4e9ab9ca7d6a

SHA1
a8ca1508a8cc125aa19081977f43e7addb3ba6d6

SHA256
49faa4e6e8e8d229f76d40771573d8ffba3222f2c26894e4c0d2267f452c5a04

SHA512
7c371f555a2ee7404db84c46ab6d5fe557eb66347e9411459da1c588c176fcacf2d22c062efbc2d4ebd8883b8863daaaf96219aac7266d9fb9ba48075c82f312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd3622a506d844d5951733535455062a

SHA1
540091cc819ab9999c73666f262af4b7fd59e9a2

SHA256
7f1acc08ca1218b2b1022220bb647d468f079c4cc53778400b976589dc578b98

SHA512
2a0189e60d40762fdcdbbcf8456fe539f6cc4986384b26675f7d2adc52664df136c66bf85761e585256d4d1193b2f16109520fce86f7f29a255086046ecd83f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b357b67b832b9251820180176a92e6c

SHA1
fa68fe7d9e0e0fba295146ef3d9abc0595596cc1

SHA256
9784cef3c9751e78da850a4f50f27e643f83d30ec4c318747a411f2112e0c143

SHA512
a0260a488fafe78f080f9704e6daac316034b87432373358fcbf9a2badf1e65a4a93ef4e3a339165ec58f699a6e183e83999bcd5787b28900599dab9ca20dc86

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a345f81f0fbfda4b7528b4e8d242bb2d

SHA1
8ff176a986879b646af0ae0887c49082f385a3e7

SHA256
c4bbce70a466cdd556e8361d21ebd003332e9d67ffe2d1044ff3853d67e885c1

SHA512
48ab57ecd9ad9842761ed25368401e1c418e1b2c4ab2c1ef3965bf84d620ef19357eee6767681ef7f8dc9f9c9a89252d0b92638ec8b17c6bec7ec64754ac5238

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc8c87fb88aa25072207bed8b9d4cb69

SHA1
fbcfc4443228004ddd65f387dae839ce9973dc9e

SHA256
4df4fc26ec87129e460a1530df440b4452fdcd5800c986f5ed68f0d81678a310

SHA512
479169879fa553ee60bdf2088fdec980889271f97d430babb8fdc1e7390a6bb700bee6050d8352ef366bfaa38069c0d70f19f8feaa33635f6b79f64b78b73875

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f47ed039c95c0b575508c3653dbbd4e8

SHA1
5d672ccaea19c2eeca6af1d9a70f3a771e8a2b6a

SHA256
9a3d4d56047ac2a0ab10e329cdb6d4426bad4bd574489933c95b4fee7db6315a

SHA512
e184d75d488073c7f6a3723a2ebdec33cb77ccb23877d1913346a7a58858a30f669e5f832287fe70e0d868589185f967e8a14380182904f0b91db5c8eb9c03b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
905ad100df7015103fd58b82240f7782

SHA1
08a40cc7c3b8f63797f6bfcf7704ae2357217e36

SHA256
fde9d56f43c576c3944bbabc46aae564fb00a7bede85e36d9c03f246558c59ae

SHA512
0b48090d5a9bc17422cb0cba8be9548820f80cdc0cd1eca4f2359c2fb9953c3a6edbfe4a107ca737b689bcf970df66ae274f0f87acf9ead9b83d0d112723943b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2627962fb6f0136ebe1b8cdec82f0d7d

SHA1
e97a23b9f98c0eeca88bfc22c040c5fc45b5d96a

SHA256
8f3f8531f7f6560748daf65128965cde716749f8a393516c8457bb347ae8f4bf

SHA512
6f3c561e49be0e20ce8b621939ca34504143d137d20fb6954524ee2aa1eebde62efaa69ae7d407ed1a14683f38ac83b032fe668127bb6a642047919ec159d322

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6113d2bf187fc34e0ca00a1606a5907f

SHA1
e3dbb2f5c9a7c19a681fbf1cc8739c3d1bfbfc55

SHA256
0df91ac88e212ff714bb4d10d42a4e23f434b946f69405d071de1ed78f650e26

SHA512
a9203f21e485bc70460e7c25eccd7262c96cd3686513c968bab857498f7d5a05124f05cfd8bfa0070682118a77f053d8df02af1af09f94166a4b854c0615f417

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b01243a53f2ef25fdaf48f62ed42806

SHA1
e3aceb19c7baba0189a36832e468a18477e24df3

SHA256
94ae6b935a9232a4d7f945df21f8c7fd76231a906828c93371875568f0add5ea

SHA512
513b1ed2f373df1a3c17c3fc82f1838182ac9e17ee24a58496165a78888d7f465b25cd11527c275229c054d5fa36357c5799c07ad9ce141d5e32ee47b87f8bc6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de1ab51c0c58b50bbc0587c1e9e28084

SHA1
dcb4849b5b00c9f69176206972a3816189a02945

SHA256
9400dade7562e8ec54f12052f5f94743edfde85d54c64427f771886034422eff

SHA512
56f3410581d2be86b5717770b76bc03acc95ec6ec28853459d76011ae4a7d35cdb136f7997bd6063e60212858311d1c5b1892dd0f71fe9fe6b69d18cd1bc0f51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbcf9e9293f9203655e2a1336352ff36

SHA1
3f6219e4585237ae460c41ffd2986848656776b5

SHA256
80e94a505dae1658d2443b8d6a76393cdf030b1b9779b90c52555f8bbd6856d5

SHA512
f8f9f49bf80c4c62a858ec91f8c5452dd51873879fcb70fef1f37d157460148bd324f958af1e1cdec0c982796da11b612e9880de65c3f67973e6b42520cb59cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea152f3acf265df7b129e5eb41f7b124

SHA1
6458121fea8ef1ac59bac1ad812064625afee7c5

SHA256
cf18923d8177a69c52af6329017c389d84b2b296011918fac15e8561fd364f1c

SHA512
ed865d08a9de5aa4c5bf046575c463b979110450848dc66f0e10eb03c9c60a7cea8184f0aa03f5b7b1ecb154621fc6935c593df2d3cfa336664d843d8973bdf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0b21b47a4c53a120e01bd9b22558883

SHA1
567aee9248ddacd87613ce0acae0cf8d539e457e

SHA256
cd76a3e35aa14ca9041f596970a6bdb53f68935a24313d14f51d987b9d080967

SHA512
22f12d851ecbe39c36d7c6917a222b2e9d81557d174acc282d9c292a04d31ef16ff58680ea7699ee764b4e71bf1542ab50fa8cab7878ca6f1c6eb1388d77ac31

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e0a78c8857032e8a383c94204df89ca

SHA1
69a7976def11401109528ab639604e8277d6d486

SHA256
9ea7d1979628f75313b66bcaf55477e26d923b09452f48689f58c5f68b5d0140

SHA512
dfd94a1742d630c5dc8abb95753860dfd18fcef4f8e4459d85434d1fe3df8ce324fa95c23faaa9d037aabf059e6d36c87dfb218d7d34377909aadb98220050c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9191ba9c3a2e0756262f7e6f4257e5f0

SHA1
ae1d877296c41f925d8f6c00e53fbff66ab8f0bf

SHA256
84e31e9555f174548b94929441d2ba53763cbb2aa5754173fbc755e24f614320

SHA512
51707cdffdaed729532fe1d6bee041326f303be60e34d3bff5b8f8d5308db592b3be55c7d5b3252839cb271a175a39aee15c19944a47a854f292b55d415bfeb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
688df3de3eafe110b2359afc8091edbd

SHA1
8dc16848098480a63e17cb1c461b4aae333bbad2

SHA256
19bd0e926b66e1e1e7c89cf46debb832bcf8fc95619d389ef95c393a6c3a84b5

SHA512
8ae512170ee17ab1442fe0cf068b83792ede85c6477447a8b599eace4698858e5d4deb24c3e2eb28838f9d1554ccea61e276847f3083d11c00eee6ce21ed1f2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe105159c78acb8e6a40f27a38fc33c3

SHA1
d5670129dc9221b120639a28baaaa3ad551788bb

SHA256
dab697389a894422fed9256ae5095d744595a84a983e35526ca1b108be05bbc5

SHA512
1e017c05163d400cbfb890293b3268bdd7acf44f518db0a2fd017460529414abe9e7261f32810d28fd7fefd88e41442dc5907ebbedfef4effcfe2b4e3e323c8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f38f34c5c6040b5604d2a202c9596c0

SHA1
b42496a9d0cd9faa130fa8e8b444132e165b0bb0

SHA256
55bdabadc35a16d9c62fe562efde564177cbe0d7a4fa6191409f277b239cf603

SHA512
1e2cde6b352c40c96c053d274d79f630a3afd8d931a600f05d1afede1c15de364147ea76c9ee1a2a43ffbd1846329c4629a3379c9d6ac2993e00f091a9c0b3e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEA8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitor.n

Filesize
7KB

MD5
a4bf7f9ba9b3e741c3054dfa0b5325ee

SHA1
2d5810b2d46596b4bbd04b565806ea7ec99d9116

SHA256
72f10825026c2f8fa14aaaae7a3919f96c56e6e4d2fe650b0268efe3a9b0469f

SHA512
b7853a9e9f451ad96f4421cb8c5dd8847813a568dc056c309a4296cbf4de05eeead66236001eea0125cb7a6fa7c1baf5555221fa5d0b76e13e4698504e592eef

Download Submit
C:\Users\Public\Desktop\Internet Explorer.lnk

Filesize
1KB

MD5
9c5fc932e4b56cbd80b1e0ac3223274e

SHA1
a35c4378f5f93a2f7878549ef5fb9ebcabee9fd3

SHA256
da10e80a51f152f35cfd568ec51715f9d06c0c5c55e7920c59cd0dfcc4d62b5e

SHA512
3c8919894dce115667f73f24077c9cb9691cc788590d80740582a720b4ca3c2613b54754f5bb36d20325e12a859e72fba35445e259304d5d06a38f2ebeed3e11

Download Submit