2a89459711143eb3a814b6b5fddc27789c6fe25559475d3b1c097d09266c0d39

Analysis

max time kernel
140s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe
Size

14KB
MD5

2663fc4b3c9dd5d12e77acbdc765061e
SHA1

2e89cdcb745638f03b8a6567601082d9864ffe14
SHA256

2a89459711143eb3a814b6b5fddc27789c6fe25559475d3b1c097d09266c0d39
SHA512

ac5755746f0c050d62954da47e63a96e2c230cdb72fdf92a2ff43486099508ef2a92718725ca444821edabff95a5619a2399d477bc6f28fcb62661a45eb51efa
SSDEEP

384:/THplgohc2uWgty5+PIqMvE1HWjBfe/2ZOWw3tKWFl:/FlgoSSgtfIUdWFe/PNn

Score

8^/10

evasion persistence upx

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\disableregistrytools = "2"	reg.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1552-0-0x0000000000400000-0x0000000000411000-memory.dmp	upx
behavioral2/memory/1552-5-0x0000000000400000-0x0000000000411000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost.exe = "C:\\Program Files\\Internet Explorer\\svch0st.exe"	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\svchost.exe	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\svchost.exe	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 63 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426895689"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062632f928728194692a4b61bc57d3e8f000000000200000000001066000000010000200000007e333825b4f97a85b28675c497d079b69e2951cfffa868abb142d88e7cb6581f000000000e8000000002000020000000168ff1d67c2f11809e5b9566c73d57d64179120c39aa1bb6b5b212d058a65f66b0000000043c2277b040aefe745ab4770fdc99cbc265752316e231b971e4fc8907d3f3734324f05ddf0d445fc145e3cd91bccb9203c00306ec6e9b064d68bab71d63000acddc30195e32864c2a15a2c5178a233e8be48e4aeaad041a73ced4465f83b4cd941fdaa30c83a71b1447e734f35ac42acf33914b1397444dd6ceed4503c32ca4ce6bd85f32a1e93b7ee09b2e75448c372609ee30aeb5ff7ac13fd56a5de171e07598acc43051cb4c6b7b8864942fa04440000000df382cfdedb6b08267a1b59012cd3e4c7a7556e827c8d654be025293452db4058d1e3426ad4a38b5e11b0d53defa192068e7ebbaa10edf991fb601d2637a293b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062632f928728194692a4b61bc57d3e8f00000000020000000000106600000001000020000000a0847eb66b8a4de86c593492e7e123411ab0c7a81937c00e98dd36ac1bb0669a000000000e800000000200002000000059a6c8440ae4ec1c82346eb57aba7528ecd6cc275781e6b46a182f67d75f00bfb00000005b33d9ddbf1c4e18365885d4b9c1b982260cb591d362e0636ee0b1df60de8ccc50ea0cbd58bbfa2ff21c271652dc7a019e02ac760ad5aaf5c2837fb5bfa4d06a8f0f041e22a9eb1ce20a95b0523f743bb31e206507df6ee50d4130975e451b4cf9f8b86f940140c429ec4e8de985492edb3ed63b7f54f5b8533319c1d49241deee0678035c9953a8723579973eddd932724f05caf0497821decee8d4e9b9f657b4951856a2f4de1c3658e6b58de7ee3f40000000fe36727b0c40e38d3b871955caf9d437983588c37f18b89d2589e36fc0009a0bfa6728954a965b1cfa761e96742ae29b7d4c24b6375f44d9772a41bcad9c44d3	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062632f928728194692a4b61bc57d3e8f00000000020000000000106600000001000020000000343499b44d6e0f6bc65e2a8557008e8ac28db49956f1fe57531e990a54db2790000000000e8000000002000020000000740a79b5dbdc6e92b12f034e0ac7fabc4fba0f6f99ddbc6515568bf92b735a9d20000000bf241d05b439d80894b6f7d17dead328e6f50d13a4936b99b1d61ba0167448ca40000000e687da0f6e321f3fce12943b116d5f1593676424d5fa6dcfc6da7b556b4b179d0565dde188b1c72504bd8d2b6ac5fbc6cf5da809f167b99385778e2ef0011a90	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 708973485eceda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062632f928728194692a4b61bc57d3e8f0000000002000000000010660000000100002000000010554fe88fdcd23812f41f857410d56f675fda3f0ef7fbc0741e1658b4f16704000000000e800000000200002000000056eeee253f690e168e834df33d145bcf5fda25a7bc12ad9dce44b029843d8e12b0000000e9517b4cb17a7f03ede979d98f31a652be3731745acec6d5dd2fa502008dfc142db166a22d2c0a36ffbc269fa2de8bb5145c0d492505e0234fb9e84aaf8468dbd3f7c04c61ac62bd274babb46356541de5ab481c2d61d6fca8cfb1033981cce3a63b0c46bd2035a9e68f252e62ea9be769cfde6bf02fb4e81345aa2b281cd3d9f3f6586f3687f5a1120559f375ff816009754c1ac588ebd891c852e517b90c9adb4aa1e3f4d94f6e20f4ed92461bafd8400000007ec1b998ec5fcc7fe3da5dd277eaa4fd88b5d5ac45fe69c8ef804bdc1cedc7312197548a9e1cc4562b7257ba8543f714157c43d6359998d5d9015f3ffcaa9296	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062632f928728194692a4b61bc57d3e8f000000000200000000001066000000010000200000007dcb31d2d67c4e09cb6c7c1cdf42b37a0ad90fb41bec30807da0fe69b5b45258000000000e80000000020000200000006d298896028a6eb3e84b6fddee6fc16e0b03e2bbcaa45a616e5fbabcc364d34d200000000e53431ecd7a1a961ffcc54585545c8ba7804257baf0c9c9e29b2b11aada8c6440000000976522721d45d7748ca2a84c35baf48578ea2670e2e47237542809759614bc488959dd90ea0e092635badaa5630067ed8369cacc30cbdc9276535c28f87588f9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062632f928728194692a4b61bc57d3e8f00000000020000000000106600000001000020000000e01bac922a659464c824303ada94e8504514fddbcef473b5bba47c11063c39d5000000000e8000000002000020000000aea266a695e3d21932719a82da8ee9bf435335e1b75de50b99c7f5d2460484cbb0000000ffd2919ddafa47ac96b02fa76a700e0ea17d633a5eaf80cd250a8906f6af814fffe18f4f0a76c667c9903d6008e7f4dc5f1549bc6c699d8ecc21338952d0ea0b4be7d36bacac1c1c9aa44116073bf31aa53c25d1e3580ce7bd98c122f96292924efa0d006100aa92a9c9ff3db018ee1878d4fb0691bee374e3c9be4b4b66840da59591d05ecee930eb4b8aee8aba6d716742abbdd6013656bd03840e669f66755a3f2bd64f546f761664a9efca3ae34440000000305a98c6451237e8980b2dcde0f0db835c2fcd8057d3ea84fd8addf7abc5bbdd2719ce643eb6ed12dcd89f1cec296c8100aaf38d7bdf4d32ecf9a2e795735a9d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7D95EA79-3A51-11EF-8BF0-766F49B4A79A} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90a267485eceda01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062632f928728194692a4b61bc57d3e8f000000000200000000001066000000010000200000004b04af21d1476cb4dbc683b5a90093ba08ca3bf33cbd72a8290e994e17227a5c000000000e800000000200002000000003500fc0bf7f7bf08111960247f1ff68c1de4ac50e03269507ed18747a80e8f9b0000000796e69be64c28305a07422369d726891817b0df4c216c5ab4c6468ab628b13c67260aac6fb948ee1afed1efa4ce94a93f3b03930292fad852fdf1c72af32c21ff733793c2f3a0ef964452120e9434534bb8e0fdf000e97c28cde263f8fe47653876a278b4ea81b31ea2b1c4176265ab364ccd4062290d98bde914a48bee1c271ff8399bb94a37060b317d5acf92fa08e71365b6945524f81da583bc774ede6e820a731f0739e82216daf3a2e5d009fb440000000fa5fea8318fdb601f47e0661d4d33731c341e08e6d9ea577c66d30c1582b66149765c812ff6769ad8a90b585cde3bf124c414307df0924f9bc603bc24262df84	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2480455240-981575606-1030659066-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2540	reg.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
4340	iexplore.exe
4340	iexplore.exe
4340	iexplore.exe
4340	iexplore.exe
4340	iexplore.exe
4340	iexplore.exe
4340	iexplore.exe
4340	iexplore.exe

Suspicious use of SetWindowsHookEx 37 IoCs

pid	Process
1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe
4340	iexplore.exe
4340	iexplore.exe
3684	IEXPLORE.EXE
3684	IEXPLORE.EXE
3684	IEXPLORE.EXE
3684	IEXPLORE.EXE
4340	iexplore.exe
4340	iexplore.exe
4340	iexplore.exe
4340	iexplore.exe
4340	iexplore.exe
4340	iexplore.exe
4340	iexplore.exe
4340	iexplore.exe
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
4340	iexplore.exe
4340	iexplore.exe
4340	iexplore.exe
4340	iexplore.exe
4340	iexplore.exe
4340	iexplore.exe
628	IEXPLORE.EXE
628	IEXPLORE.EXE
4908	IEXPLORE.EXE
4908	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
628	IEXPLORE.EXE
628	IEXPLORE.EXE
4908	IEXPLORE.EXE
4908	IEXPLORE.EXE
4432	IEXPLORE.EXE
4432	IEXPLORE.EXE
4432	IEXPLORE.EXE
4432	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1552 wrote to memory of 2540	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	82
PID 1552 wrote to memory of 2540	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	82
PID 1552 wrote to memory of 2540	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	82
PID 1552 wrote to memory of 4340	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	85
PID 1552 wrote to memory of 4340	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	85
PID 4340 wrote to memory of 3684	4340	iexplore.exe	86
PID 4340 wrote to memory of 3684	4340	iexplore.exe	86
PID 4340 wrote to memory of 3684	4340	iexplore.exe	86
PID 1552 wrote to memory of 232	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	87
PID 1552 wrote to memory of 232	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	87
PID 1552 wrote to memory of 1632	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	88
PID 1552 wrote to memory of 1632	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	88
PID 4340 wrote to memory of 1584	4340	iexplore.exe	89
PID 4340 wrote to memory of 1584	4340	iexplore.exe	89
PID 4340 wrote to memory of 1584	4340	iexplore.exe	89
PID 1552 wrote to memory of 3208	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	90
PID 1552 wrote to memory of 3208	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	90
PID 1552 wrote to memory of 2072	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	91
PID 1552 wrote to memory of 2072	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	91
PID 1552 wrote to memory of 2408	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	92
PID 1552 wrote to memory of 2408	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	92
PID 1552 wrote to memory of 4376	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	93
PID 1552 wrote to memory of 4376	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	93
PID 4340 wrote to memory of 628	4340	iexplore.exe	94
PID 4340 wrote to memory of 628	4340	iexplore.exe	94
PID 4340 wrote to memory of 628	4340	iexplore.exe	94
PID 1552 wrote to memory of 3104	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	95
PID 1552 wrote to memory of 3104	1552	2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe	95
PID 4340 wrote to memory of 4908	4340	iexplore.exe	96
PID 4340 wrote to memory of 4908	4340	iexplore.exe	96
PID 4340 wrote to memory of 4908	4340	iexplore.exe	96
PID 4340 wrote to memory of 4432	4340	iexplore.exe	97
PID 4340 wrote to memory of 4432	4340	iexplore.exe	97
PID 4340 wrote to memory of 4432	4340	iexplore.exe	97

C:\Users\Admin\AppData\Local\Temp\2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2663fc4b3c9dd5d12e77acbdc765061e_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1552
- C:\Windows\SysWOW64\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\system /v disableregistrytools /t REG_DWORD /d 2 /f
  2⤵
  - Disables RegEdit via registry modification
  - Modifies registry key
  PID:2540
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4340 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3684
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4340 CREDAT:17416 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1584
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4340 CREDAT:17420 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:628
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4340 CREDAT:17424 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4908
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4340 CREDAT:82954 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4432
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.xiuzhe.com/VIP.html
  2⤵
  - Modifies Internet Explorer settings
  PID:232
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.okxiaoshuo.com/index.html
  2⤵
  - Modifies Internet Explorer settings
  PID:1632
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.okxiaoshuo.com/index.html
  2⤵
  - Modifies Internet Explorer settings
  PID:3208
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.okxiaoshuo.com/index.html
  2⤵
  - Modifies Internet Explorer settings
  PID:2072
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.okxiaoshuo.com/index.html
  2⤵
  - Modifies Internet Explorer settings
  PID:2408
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.okxiaoshuo.com/index.html
  2⤵
  - Modifies Internet Explorer settings
  PID:4376
- C:\Program Files\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.506013860.com/mama/vip.htm
  2⤵
  - Modifies Internet Explorer settings
  PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
98f9ac4c9fce1d97505db04985429753

SHA1
374b2b3964b14d4533998bcb4073f7e78bdf825d

SHA256
df3c22e29b5fb2b98bacdd98c84c4ee067717cef369d029a61139776fa1bedaa

SHA512
5c1cd5aa01db5a7532eb3124dd3b3a029ea83d15aef226a986061a8549e8c92ffc5895347810123dbd8d1b29074f1e66461e361f67b03a588549e9f83b6089c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3994DEF8228AE1D7767ABF85A3741D99

Filesize
472B

MD5
454c630d2b72f5019d75f6bcc82be756

SHA1
e3612c9e8f02c75c9fc767a50e6be5c1202fa97c

SHA256
06d9b3cfd6def758909e1467720aaa12a8c526131d42475e9d166bdc0bed1828

SHA512
2a41af0534da6703bc28f1f2c80d24b28077aab10592862fefb054f05c5e3a2b9b40180a54353a05b0f59b3822dffd35e8ad26f2d31942f538311723b7da72ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
09018b283356d2a4207b9533f19e2a31

SHA1
34a611ea4043e78352e50fbebfc707bf3a1321ad

SHA256
7b737396178f650052961b694d56765a9b6695d51ca2c1bca96a875cf7bddf98

SHA512
3871540f7609a410c54ec5c41e1576997b666db86681a666d3e5c4fb02661306459410fc55c3a5b3d3ded427d565841f23fbc9473a0b05cc65ca7979af029c3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
6566aef97226dde1bd3716a0e86fef88

SHA1
0efaf8f47087c989ed252fa1a23c5a5ee2ae0ddb

SHA256
97521de5a92ca784f7daf9f75768f6c06ce8c56bc5154f4356e2848b29aaacb4

SHA512
9c144971a73a864568c513ac148447870946583536703f0b836fad005c95f4bc5a300ac40761da51d4fbe70b4becb9ec6711e82fabdafa769b0158abf2da3805

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
18055f062a53f1441886c9e96e50044f

SHA1
5487af536d25ded1a7dda6e5f3f9e5a98d08c7f6

SHA256
8a0645fa1538441b56dddcfeb1d3c3c57695384f78ef0267da8c1903c57be6f8

SHA512
0c71ccead77173c513d977a0ab749ef237d992d0d3fdf7c0c5a355982faae3fd9310732444731b7b0b9c9e8550fbc13d49e9c9fc91c6251dd3c1fe5a5adcf256

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3994DEF8228AE1D7767ABF85A3741D99

Filesize
484B

MD5
cea5bfe66bfb6defd5a847cc9283c0cb

SHA1
a3931b4506245d09ac043b3d8db507ed1b4ec5e7

SHA256
244c0e0475c5245c14d25a81406e33b6afde300da4284bf66c35a35d946b79d1

SHA512
c0b47e016c1ff69ef2e57be6ac8e5a7bcc54f8d8100e5866637ccdc86682f5640c5cdecba5e00ac64307361a6a4753813eee255a63a3e618ffcd9126c304cbcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3994DEF8228AE1D7767ABF85A3741D99

Filesize
484B

MD5
b29b1b598c6df6231e7636876b7ec63f

SHA1
79a6c1cfeb29992e61fe888590e32aed7cc23ab9

SHA256
93dbb05d7b3eaa1f157ef81f70ffb4a748abbce412e8619c919729ec9c35ff15

SHA512
ee4b0b763e59b6adc33aecbe17dbb1b35522f2a9aecdec12624aa6bcdfe25a4a57765ace65ac0c2e8a6398971f1a7e678ab83014f48f4fd88e770f10e5380610

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
6093f0050b86ce9703570a19117954a4

SHA1
46836270ab2be72f30dac7e12bf3a0d3723c9913

SHA256
5369bef704ecadd60bf7e8d5b71fbde9fdbc0d850d32c4efa3ef41414f655d3a

SHA512
b6a5608657c54a86e7070e2ef82bbd7ccaa07839e7ca3d608a6066852c92618c97b71b31a1591b7363d2bae34eed4404690fbcfa9ccae4211999061bec253c37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
957f2405946e3e944918e538492d62ba

SHA1
b0cf27db1b4e7c37e217b087f9efd452a13ff6d1

SHA256
9d095ec1a08641ba1b37b5d83c10a35850be08abc4cc89e3bf35369247c3bd13

SHA512
2cac4ba862344e935d4c5d37325bfc86d7c346b8b07c760e972cbdac4c5f40dab5c331232916908f12604ae7048dd286dbcf3c2396e2bb67ca4a637be6e175bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
a14dab2e47c9951fcde4e2300b3b423a

SHA1
e35ed7effabe37e5bf3df4eed38b30ebb0fd0a47

SHA256
78429545f801f1352d41d94330647acb33252f469ae0193737e2a6b3ddcb644d

SHA512
fbfc99324943664af0942fa0b60bd70226554efb58748954e74065316a8fee51b49502fd0547f645955f0ddad6db330f24991b0a3c2ac0a81195db76a2ce07ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8P5ERGGJ\index[1].htm

Filesize
985B

MD5
a6d4a72f6894f3963ce90032da518aec

SHA1
464eae231cadfed89ef6db9b010d5e82ab8d6038

SHA256
874a410af24e2cd4761c054565c768b03898c09940aba283df223a51378aed28

SHA512
bef6a7676fb650d633d4ea3ca862d27c26d1e2795ae2b4b6b89861c14d116f856db21a79e46d6be839318f4fbb8ac784425bee4a2d3bbfc61fef4bb8f0210ff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FXFUSUTP\bootstrap.min[1].css

Filesize
114KB

MD5
eedf9ee80c2faa4e1b9ab9017cdfcb88

SHA1
ed29315e0ffb3f14382431f2724235bf67f44eb3

SHA256
f04b517ba5d6a0510485689a3e42dac000f51640fd71b986804cba178eae42a5

SHA512
ff9296270da6bcc3b664ce5f9dd5715109a954fa9ac59c9845332b5edae9aecc90db3334a3434c8d4d3623c6495de04fb6b9ab3cee0803208246cc9d1b4049a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FXFUSUTP\bootstrap.min[1].js

Filesize
35KB

MD5
b6d6c550cb657155feb06fdcd34b73cb

SHA1
27947c0c0fa837da9bdfdfc36f649c25f54bd1c0

SHA256
267a83092a5fd6ec5fb746bce12d440abd37f1d649c072f653e17d0c800eb647

SHA512
f57baade307d54d9e4b7c820d1b5ef32e948df73789c8fcd51bf0b1ac7d282f05b540d14ddb0b5644c44bdc6f991ae67c9f4a78595f4b33bd91601a24aef1402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WCI4PPHE\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
memory/1552-5-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download
memory/1552-0-0x0000000000400000-0x0000000000411000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads