1e6be0bb2b349e6be033cafb9a0f5ffa03eb23571b7e33b3b5d2a79251ed5c44

Analysis

max time kernel
134s
max time network
134s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 01:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
Size

1.4MB
MD5

1857ab9f2ecba98ec1fba4acfd8603f4
SHA1

1f20a317643367a75d4c7456fc96ff46e80f1855
SHA256

1e6be0bb2b349e6be033cafb9a0f5ffa03eb23571b7e33b3b5d2a79251ed5c44
SHA512

1d4e6009ef5bc2a8646dca8c34f7deb73e6b1ac229db7862dc72c7a941aeabde3644168a3a42e862a27281ff49aa93547d514105065af7d2b5192d13b5533540
SSDEEP

24576:TQr/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVPIR:E/4Qf4pxPctqG8IllnxvdsxZ4U+

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\jishu_144706\dailytips.ini	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft144706\0620110606060611470614060606.txt	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft144706\pipi_dae_381.exe	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_144706\ImgCache\www.2144.net_favicon.ico	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_144706\sc\126ÍøÖ·´óÈ«ÉÏÍø×î·½±ã.url	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_144706\sc\»Æ¹ÏµçÓ°Íø-ÔÚÏßµçÓ°.url	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_144706\sc\Ã¿ÌìÍÅ¹ºÒ»ÏÂ-¾Û±ãÒË.url	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_144706\sc\ÍøÉÏ¹ºÎïÍøÖ·´óÈ«-Íø¹ºµÚÒ»Õ¾.url	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft144706\B_0620110606060611470614060606.txt	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft144706\CoralExplorer_200402.exe	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_144706\FlashIcon.ico	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_144706\newnew.exe	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\jishu_144706\jishu_144706.ini	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft144706\seemaos_setup_BC21.exe	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_144706\newnew.ini	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_144706\sc\2144Ð¡ÓÎÏ·--³¬¼¶ºÃÍæ£¬ÀÖºÇºÇ.url	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_144706\sc\GoogleËÑË÷.url	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_144706\sc\²ÊÆ±¿ª½±²éÑ¯-ÔÚÏßÂò²ÊÆ±.url	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft144706\a	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft144706\guoguo_144706.exe	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft144706\wl06079.exe	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{36A3AB51-34F0-11EF-B2C4-6A55B5C6A64E} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{36A3D261-34F0-11EF-B2C4-6A55B5C6A64E} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d69b9dd5d7112943a2558690e3c4b87a00000000020000000000106600000001000020000000da0858ca306b89d7af6b395d1767a5fbc14fa4ff5d140b640459179dc62c5d1d000000000e8000000002000020000000fb36cfe8b29313fd6fc738bf11bea1f2652687e1803ad4648b86f97c0d5ea758200000008abdc1cac473eaad75aa04deed2ebcfdaa01f08e456e2251ce1cbe4a875e05ca4000000072314bff12f19c44daa73b77e37e6458b0a859f2b35121a0ab0b65672928ba11f91aa1e824862800158fad788f5f08bccae953ad94586b6aa9bef1ee25a39e4a	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d69b9dd5d7112943a2558690e3c4b87a00000000020000000000106600000001000020000000112cbd6846a3e0b05738e90cb2e7e9d2ade9d9f2f64da73884101a3579418f49000000000e8000000002000020000000f6b8e972aaf2c1e92e746b658d6d686609ff4cec050413ec942ea2af6cbf81d6900000002c18b827106752e163768d777f17d53c731899469b18deaee7f5bf261eee32b9c1b78fae42d891094c29b56f79ab2197a123ce2bea6f4877529fb6b85c3dcba4c8d213fc3e11d902c3457f8732ba385c3b20c6ff7db76a620625a8f6f237925a2be2f5fbb5a7cf5c8298fbcdb5d0376b16f3f35698c0e26a9c8720f7686b18f68f975eb000b66619d1cbd00868fa697e40000000684bc2d986680ca1e44b6a9149bb180d1aeff914f4853bf66f91f58351bd26f5685016c62f3dc9df8c7123894fd5996d69b7bbbcd660c6de8165d10a3cfbe551	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40748924fdc8da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425701046"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2608	IEXPLORE.EXE
1728	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1728	IEXPLORE.EXE
1728	IEXPLORE.EXE
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE
2532	IEXPLORE.EXE
2532	IEXPLORE.EXE
2524	IEXPLORE.EXE
2524	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 2216	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	28
PID 1744 wrote to memory of 2216	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	28
PID 1744 wrote to memory of 2216	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	28
PID 1744 wrote to memory of 2216	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	28
PID 1744 wrote to memory of 2216	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	28
PID 1744 wrote to memory of 2216	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	28
PID 1744 wrote to memory of 2216	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	28
PID 2216 wrote to memory of 1728	2216	IEXPLORE.EXE	29
PID 2216 wrote to memory of 1728	2216	IEXPLORE.EXE	29
PID 2216 wrote to memory of 1728	2216	IEXPLORE.EXE	29
PID 2216 wrote to memory of 1728	2216	IEXPLORE.EXE	29
PID 1744 wrote to memory of 2568	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	30
PID 1744 wrote to memory of 2568	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	30
PID 1744 wrote to memory of 2568	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	30
PID 1744 wrote to memory of 2568	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	30
PID 1744 wrote to memory of 2568	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	30
PID 1744 wrote to memory of 2568	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	30
PID 1744 wrote to memory of 2568	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	30
PID 2568 wrote to memory of 2608	2568	IEXPLORE.EXE	31
PID 2568 wrote to memory of 2608	2568	IEXPLORE.EXE	31
PID 2568 wrote to memory of 2608	2568	IEXPLORE.EXE	31
PID 2568 wrote to memory of 2608	2568	IEXPLORE.EXE	31
PID 1744 wrote to memory of 2472	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	32
PID 1744 wrote to memory of 2472	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	32
PID 1744 wrote to memory of 2472	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	32
PID 1744 wrote to memory of 2472	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	32
PID 1744 wrote to memory of 2472	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	32
PID 1744 wrote to memory of 2472	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	32
PID 1744 wrote to memory of 2472	1744	1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe	32
PID 1728 wrote to memory of 2532	1728	IEXPLORE.EXE	34
PID 1728 wrote to memory of 2532	1728	IEXPLORE.EXE	34
PID 1728 wrote to memory of 2532	1728	IEXPLORE.EXE	34
PID 1728 wrote to memory of 2532	1728	IEXPLORE.EXE	34
PID 1728 wrote to memory of 2532	1728	IEXPLORE.EXE	34
PID 1728 wrote to memory of 2532	1728	IEXPLORE.EXE	34
PID 1728 wrote to memory of 2532	1728	IEXPLORE.EXE	34
PID 2608 wrote to memory of 2524	2608	IEXPLORE.EXE	33
PID 2608 wrote to memory of 2524	2608	IEXPLORE.EXE	33
PID 2608 wrote to memory of 2524	2608	IEXPLORE.EXE	33
PID 2608 wrote to memory of 2524	2608	IEXPLORE.EXE	33
PID 2608 wrote to memory of 2524	2608	IEXPLORE.EXE	33
PID 2608 wrote to memory of 2524	2608	IEXPLORE.EXE	33
PID 2608 wrote to memory of 2524	2608	IEXPLORE.EXE	33
PID 2472 wrote to memory of 2804	2472	Wscript.exe	35
PID 2472 wrote to memory of 2804	2472	Wscript.exe	35
PID 2472 wrote to memory of 2804	2472	Wscript.exe	35
PID 2472 wrote to memory of 2804	2472	Wscript.exe	35
PID 2472 wrote to memory of 2804	2472	Wscript.exe	35
PID 2472 wrote to memory of 2804	2472	Wscript.exe	35
PID 2472 wrote to memory of 2804	2472	Wscript.exe	35

C:\Users\Admin\AppData\Local\Temp\1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1857ab9f2ecba98ec1fba4acfd8603f4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2216
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1728
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1728 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2532
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2568
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2608 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2524
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft144706\b_1406.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\soft144706\300.bat" "
    3⤵
    PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft144706\300.bat

Filesize
3KB

MD5
03b9da607492c4f217cbd9698b5477da

SHA1
4c94f968617d93bb419d5806d6eca50f71ecceb2

SHA256
8a6c0444f6a95b8f40c13c1bdded685523b891c7f9a4dbd869328b90a3416710

SHA512
cb738a8753d164cabac41a5cc595ca4ea4b3e4428d3327c0b6c67ec6a2b26f29dd79e44485ece2753865b010c57777fd9a3abe7701580aa854990208bcf88d24

Download Submit
C:\Program Files (x86)\soft144706\b_1406.vbs

Filesize
348B

MD5
2deab3459692f7d5d5989b27a53fce44

SHA1
73519af1e302075e571ecce79ce2cfc6b957fe0d

SHA256
b9a6a99942ade52c9e3383a3136c5cd1973740fcd3efb2b88ace346cba548c42

SHA512
170623fcc27702140be4ea6eff70b8088de8c09f8c792a3eb8bec2fb9c4796fb35e31692552389d2a4c6689443ac4af3a21582100473d1c583d2a10cf8cc307c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efd16d4409a13f8f3b8abce9ea15b828

SHA1
ff4cbef1945a987f61849ad569c8324401b83e01

SHA256
fa5732bc5e1b55a3d3b8d9260911934a9e5d3427a8f11a6fec16685ac7787e59

SHA512
39875b771d67b1a17917a3fed5401d3ab79593c8e2629d10a3221f4c5e6a487821db6f25533f75a5a08ae2edf3017aaca013e08cec494c54a9ec33f4eab6ea12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb569616c02e4ca8745530b66d3009ca

SHA1
f3243802bf8846824e831882741cd3c7e8b6fba9

SHA256
c424cb44df7b3607504ed8f81818df4cb25449e24513a010436b4f5948a47fd0

SHA512
5b866990f37445eb025e730b45ede09139a16445daf15e2b83bf8f813ce7f6d0a03a8c9d9526b2e87bc0f15b7f94bba4691bf7772a0ff4b1b68254bb77b78b82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d03d23a0633aa16629c0d10f809bbbd2

SHA1
fb282535a6738a58a6e1250de6b4f1a36b0e1d74

SHA256
3b3eba1f5e2f6669c4a08ddd2034392a79755593abecb7e781c5067f710783f0

SHA512
e407c0c443defd2c5d047ea3bbeef701bebd0d88483fd749958332d6c4a7c66f4dbdf0ea6bef042404c81e0174021ded13a41908252e71f748e1e712e2cbfceb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1a8ae0dc50f35aa75971a57e1223a73

SHA1
29e320adae06d06054201567af072bfdc4f325b0

SHA256
d4efc7f90330287ebb6c5b502d30bcb6ed2b821d382561b58abc3c961f70129e

SHA512
5b0040862848d72642f7a3097baeaa3e4f196327e15e6fd68ce4e270cfd2bc1896d6d838661c6ea60d0153d4fd5d710c3d3b7964f653d7e6f9161c1c4bc2e824

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93e3bbb65ce166173719f87506a74860

SHA1
d6f898e51fef06ea010ea8018f78c5899257a105

SHA256
3c1c7ffad7b439ddf1b167b958dca472434c06cad87b70d9f6f701f2ce3453ee

SHA512
17ca7d7cb87ab52728eb5f090c32b2900b307a58935a13beeffdf60dc306338f565742d79dcb46461fb1b25810a6fb517b8be1de9406a978260b11ef1dcc047d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05b4e174cdb7d40862cdc55dc2edbcd2

SHA1
b3ba0aa8b2301960984807445fd03cf6e323f0f8

SHA256
dbb479f0d599a3e3a61f8e07bf70988cf76777c1d1722e239fee6492f86d59be

SHA512
49bb50458341658c616cd2ebe5860942bd7bc8c95373cfeefd7447cb4f4b8ab1f7d714689d33f864607401bab2acb7883835224070bf53ad507a725cb09e547b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42a6206ba8a65790e2afabef385e58d8

SHA1
ac166ab2802a12b01bb794c4eb7d92a6a68bfcb6

SHA256
99b3b74fdaa4af5fda65addea29f81e29fc69a595bc2e6c262f7baaae176a8d8

SHA512
c960b84f520a15711858b9778715fec2b4a4c625c0b1afeabbdd1fa2d521a3965f68f0058a44ee4c7d0d63d1b8ba94c11eea9cffe5e1ada0a61473f71e70b59f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9190ffa72c5fba00e78d8f27a1966f0

SHA1
1bc2200d0e5c8d2315ae36ae817b0ab15c185113

SHA256
ccf901600174eed156c7bbe259f134d5b49d731b2a6069aa6d74441fd91263cb

SHA512
f57d566594f37a5dbc2a28c457f86517e094f4f2143c8f4e03c585cef0781fb0df96e3a904f03e9017942cb0af29874510f05a131555a3a0d90f34a15fe4be19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46b05497896aa3b50f5179aa58517c3c

SHA1
c7800339859d2c2a0b25efa09de7d7ecdbe9ecbf

SHA256
cf8dd7bb4787d9093d59f1b1683e860c285851dd319abb6f1df6c46a29d092a0

SHA512
5a2544a4d98568fc758ee992024a9efc49d7ade26f61ec1a7d9ef72f124c4a10b321fdf2996942111deca8818e4752516932594d368b30e4b9bd57ee5c18c5ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14a325a25d7cab7aab47c68ab13e5c9e

SHA1
c430b29b900460efcc70274278d280045b63b092

SHA256
9a65ab0c76dbda16b28916819905dde7b725f1e30e0665f8d5ddd856c6bc8ee0

SHA512
0e0bbe5d56cee6e67fb89a3354325919f8ea32794c66860607e7281f07245379ddce51628ee7ef8393fe05b584898c8c39ac3cad19f12491341adcdc36f63359

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5af7e5f621799d346ac832b4a417b32d

SHA1
d5ee37172df0157468a94235b3eaa683d862ded2

SHA256
403c5ff9d09bef4e5a449421efb99696c59273675e80c2eb5cc2dae14127d45d

SHA512
e258700920889909234d2bed58df0184e50601f987e9843fc4daf102f0da07dc4f320e39b7298472845e710b5f3490a9d5d6bd5ee7bbbe3173bb6cf821535c7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d6e6facac62608fe93a7579680e2558

SHA1
d97ae7b8321d25e42cdd2c7694ab073cb555e2ca

SHA256
17ab43e3a5a1faabe2bd1c8e27573cb4dfdbb3210f3eab49979db9e16a479da7

SHA512
0a6b887834790fe0065f746a966d2e239f549e3c4b7af1899b0af6e148b976b9c1e3d35d6d4bf18c18dd4a5439fc78cfa9d1af921ea716fd288f111324948e83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0a21bdcfe1ec0b016f6f570ff4eb7b9

SHA1
087990e617652e149747a0ae3e00a1344e8bb1c1

SHA256
8fce47eef63d9c600971960267eb9532a4a1eb18e3df2f8ecd609644c073bc4c

SHA512
50e0525c25626785e831f45ae1d5a2ab4f8b09a44e433bbb8c0b1cca0cc51af9160b18eb4251ea7763c6df4b387a1061ec99d41a04cbcf4f3eb50369215ff883

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9731dd89375356e9ed504fc74108847f

SHA1
e5671c5cf1006a4b00d6b60cec7721d607804cec

SHA256
221c2d41e9a4acb8b89ead182f7c08401f3a35b65b9e411af90a14bcb889b232

SHA512
612bfc08f56db3bd277605a00694fcde5f50aca78d869472978134c5fc1114860c7fcd4e95df34b2750a80e8a05dcb2cdc6b552df1e5258b939f0bfff6ca8b2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f5789871fd85479ef8228ba5a6cef4b

SHA1
9a4746eb2351b14d5079416059971c33ec4caaae

SHA256
47e9c222643e1a5e1b0ab34ca5cc6d437d70e7329adc5592e751413ebe18b025

SHA512
ce484ab4c920335024eed8e5a2784a6fac0ba9361b830740b7d58b83f21a15f3127f3bd0fa1e0ace1fc615bb3d61b79ecf4edef41ed900c75ecda51586c1a67e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{36A3AB51-34F0-11EF-B2C4-6A55B5C6A64E}.dat

Filesize
3KB

MD5
39ebb0ff5d52e353d0f8e4f281f4a935

SHA1
91abdd156f773f938ff6119e0e73ed2680193147

SHA256
0cda847841b9035582131e2b26ab96838e32c14b9ae6e882555d7cc7d73e565e

SHA512
6e5eb4e62fa3a800e1887b660636f475cf43f6829c494e194413d147c0dc0d236fd824446ef114c25a6dfda0133fa97c96fac906f4f73bf6d3f45581dc72dab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{36A3D261-34F0-11EF-B2C4-6A55B5C6A64E}.dat

Filesize
3KB

MD5
b578b61cb110f34c3ed505f4118e2bea

SHA1
a2e1f5726eab7eb3b1287d5d68c48090363dd814

SHA256
e3f74a84f0d2fde5eb797b5a81e064a6d4b4683ed880764a3fc57c6cdcf2b518

SHA512
0abf66e42d1f29af1663f9b0427dc4e7a3c411beded3eb1cafc36b5d52d6f9ab76005e06a73fe2c809b96d3cfb2678db2deace3753726ff2b0150b5e4598a627

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabECD2.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEE20.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\ Intornot Exploror .lnk

Filesize
1KB

MD5
7e57e517ed32a90d1045e6833e4c37c3

SHA1
ba16a123704f0a3e09d05f196ee545debdc77db6

SHA256
ccedeae40ae4564a85f3e6e4853dd03374a6755da3aca807373da4b1c32571a9

SHA512
e4b1baf12f53f106709217854975a9d3233965941fa714dc178cbb16f10def1c75755e8016df8861409759789c3c9bfa79d90f826f042a94343ceba7a6ca37b3

Download Submit
\Program Files (x86)\jishu_144706\jishu_144706.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nst2F8A.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit