14398857532863d41502ddffc50c23f980113a3334dd4464336d126708dcea83

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Size

72KB
MD5

188c8a9027d87b571b5130b195333177
SHA1

f5003408e3d93c7eed6ea52f03fdd311f32e9ec0
SHA256

14398857532863d41502ddffc50c23f980113a3334dd4464336d126708dcea83
SHA512

a70256cca41fd39c368e4bf56d92ae2bf3e0f0592dafde4af03cf065ec7b6ac7e8f04e19ab2cf13b9ba7ed10ad70c96d2b75f2a71b174211601859d1071102ce
SSDEEP

1536:olfYR5Y/RG3JT5L2dwvmdrBGofxmpMTui+9MXELP8bRrytGj7tVhkseRaCOMd5nc:n5wGZF8COM8

Score

7^/10

persistence

Malware Config

Signatures

Modifies system executable filetype association 2 TTPs 5 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "????(&0)"	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://hao.meiyingie.com/?0003"	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Internat Explorer.url	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 44 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\ = "??(&D)"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" http://hao.meiyingie.com/?0003"	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\\\IEXPLORE.EXE\" %1 http://hao.meiyingie.com/?0003"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ = "Internet Explorer"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "????(&0)"	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder\Attributes = "10"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command\ = "Rundll32.exe"	regedit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ShellFolder\Attributes = "10"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command\ = "Rundll32.exe"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command\ = "\"C:\\Program Files\\Internet Explorer\\\\IEXPLORE.EXE\" %1 http://hao.meiyingie.com/?0003"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\Command	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\ = "Internet Explorer"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Z\ = "??(&D)"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\ = "????(&H)"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\Open(&O)\ = "????(&H)"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Wow6432Node\CLSID\{C42EB5A1-0EED-E549-91B0-153485860110}\Shell\??(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2568	regedit.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Token: SeBackupPrivilege	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Token: SeRestorePrivilege	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Token: SeBackupPrivilege	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Token: SeDebugPrivilege	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Token: SeRestorePrivilege	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
Token: SeBackupPrivilege	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 1296	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe	28
PID 2276 wrote to memory of 1296	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe	28
PID 2276 wrote to memory of 1296	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe	28
PID 2276 wrote to memory of 1296	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe	28
PID 2276 wrote to memory of 1296	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe	28
PID 2276 wrote to memory of 1296	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe	28
PID 2276 wrote to memory of 1296	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe	28
PID 2276 wrote to memory of 3068	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe	29
PID 2276 wrote to memory of 3068	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe	29
PID 2276 wrote to memory of 3068	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe	29
PID 2276 wrote to memory of 3068	2276	188c8a9027d87b571b5130b195333177_JaffaCakes118.exe	29
PID 3068 wrote to memory of 2568	3068	cmd.exe	31
PID 3068 wrote to memory of 2568	3068	cmd.exe	31
PID 3068 wrote to memory of 2568	3068	cmd.exe	31
PID 3068 wrote to memory of 2568	3068	cmd.exe	31

C:\Users\Admin\AppData\Local\Temp\188c8a9027d87b571b5130b195333177_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\188c8a9027d87b571b5130b195333177_JaffaCakes118.exe"
1⤵
- Modifies system executable filetype association
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe advpack.dll,DelNodeRunDLL32 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
  2⤵
  PID:1296
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "C:\Users\Admin\AppData\Local\Temp\TempIE.reg"
    3⤵
    - Modifies registry class
    - Runs .reg file with regedit
    PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TempIE.reg

Filesize
2KB

MD5
a4866b9363434ee7c0ebe95ffca7f081

SHA1
b2a7c0ab99bed10f05db6549414644531e9c74d6

SHA256
07d7ddfc0526fda0116c96222a522c1f64f2c0516d3cba8d9ae3c5bb4eb0788d

SHA512
9969fae7ad2ef5260410ce95bcd015a6bbbe792e7157f11e940dc205c777a88bc05f66fb63fb2138d06f62afc8610943f965e1dd47597d0b63810d2a622f48dd

Download Submit
C:\Users\Admin\Desktop\Internat Explorer.dll

Filesize
91B

MD5
b11c0621838245efacf36414b2cc0cde

SHA1
77ac5a02290dbf2693c4c736e155d32f370148dc

SHA256
c1fbb7ce9a3ab335cba372eada1b2559e2beb002aff10bcd46d869e085900969

SHA512
39d4b2d3224961478f0594b506218bea3a8ddafade2a94e6d1ebb864b75bf9babf3d0ac402c2fc1d81e468bc785ca241b530510612a6123764c7f480ba2450a0

Download Submit
memory/2276-0-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2276-13-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads