68c6d76fecd30ed22bfc9b55424106b6b4f2f56081fafd8e0e0068e4d1b2989b

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 06:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
Size

973KB
MD5

24fe407c8fcbb99bc19e24031847694d
SHA1

05db1cb7309a2faaa64df052ab3d6128b12a28b2
SHA256

68c6d76fecd30ed22bfc9b55424106b6b4f2f56081fafd8e0e0068e4d1b2989b
SHA512

e25516eafc1ac82df7c6589ed7a4fcb89d5be807f7ef69a6a5089359b78556f887161e9d73c1c88a84a6d9fc2cfa745d876275f815749f3b23182ffc2d7ca167
SSDEEP

24576:SEFB1hukUeAlGy7drn+fDWhvzJ15gyVwdqwF:SmXhVAzd6DW9JndVwcQ

Score

8^/10

execution upx

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
11	1100	Wscript.exe
21	1100	Wscript.exe
30	1100	Wscript.exe
36	1100	Wscript.exe
55	1100	Wscript.exe
56	1100	Wscript.exe
62	1100	Wscript.exe
67	1100	Wscript.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023443-7.dat	acprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	kw.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	Wscript.exe

Executes dropped EXE 26 IoCs

pid	Process
4984	kw.exe
1456	SVCHOST.EXE
2628	SVCHOST.EXE
5040	SVCHOST.EXE
920	SVCHOST.EXE
3000	SVCHOST.EXE
4360	SVCHOST.EXE
1092	SVCHOST.EXE
4944	SVCHOST.EXE
4500	SVCHOST.EXE
1252	SVCHOST.EXE
2808	SVCHOST.EXE
1456	SVCHOST.EXE
4960	SVCHOST.EXE
2904	SVCHOST.EXE
2480	SVCHOST.EXE
4276	SVCHOST.EXE
4356	SVCHOST.EXE
4480	SVCHOST.EXE
216	SVCHOST.EXE
4584	SVCHOST.EXE
1760	SVCHOST.EXE
4556	SVCHOST.EXE
5096	SVCHOST.EXE
2600	SVCHOST.EXE
1396	SVCHOST.EXE

Loads dropped DLL 8 IoCs

pid	Process
4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
4984	kw.exe
4984	kw.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4316-8-0x00000000026B0000-0x00000000026C2000-memory.dmp	upx
behavioral2/files/0x0008000000023443-7.dat	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\smss.exe:1123538714.jse	Wscript.exe
File opened for modification	C:\Windows\SysWOW64\smss.exe:1123538714.jse	Wscript.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\emule58\62.txt	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
File created	C:\Program Files (x86)\emule58\66.txt	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
File created	C:\Program Files (x86)\emule58\kw.exe	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
File created	C:\Program Files (x86)\emule58\top.jse	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\explorer.exe:1123538714.jse	Wscript.exe
File opened for modification	C:\Windows\system\SVCHOST.EXE	Wscript.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023448-37.dat	nsis_installer_2

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426840550"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0e092f9ddcdda01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8082a3f9ddcdda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout = 110000005c00000000000000340000001f0000006e00000001000000a0060000a00f000005000000220400002600000002000000a1060000a00f000004000000a10000000f02000003000000a10200003b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4036839942"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4036839942"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31116765"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 130000000000000000000000300000001400000016000000010000000007000080010000030000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1C2C98D9-39D1-11EF-9519-5AA21198C1D4} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef8626000000000200000000001066000000010000200000004e9d609101c1f3ad82a3912718a15a9be0917dab2a22c58e6204d1d6b86b38cd000000000e800000000200002000000000b9321116f76ee2d071e95e551ee16bff9d3355d7d3e85745354a4cec904a9b200000004c11dc1f633dd4f6c31408968be5fff9406a022810351c047ab3043b35a79c0d400000004070e8860fe1c27408a2beb0ae0938ae7395df0fe630cfe078f3c1aca4a902b1bc97ee8c89993d760b6dade3918dfc70a0845903a2b46316da68ad804f062963	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116765"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4041214974"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31116765"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078f1237f04e5404da848d5bad8ef8626000000000200000000001066000000010000200000004ad426dd38873820a34d2563de37d1763bed14cdb07fa4b98bf4de4ccf61a02f000000000e8000000002000020000000a4d32c7f474620f9c777a7428adb6bf67ead1a07875151a578b0a8356cb8831e20000000270083eb66e188b99afb608177173d88050eb21a61101aeeaa3a58785c125f5e40000000bac560fede454207cfa83fe60b0c1258841936080bda0396f26587a79f3a2d039595b9889854a812b5049313a481fed10932966156bec5e1245b4ab7019b60ba	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Wscript.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Windows\explorer.exe:1123538714.jse	Wscript.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4984	kw.exe
4984	kw.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4312	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4312	IEXPLORE.EXE
4312	IEXPLORE.EXE
744	IEXPLORE.EXE
744	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4316 wrote to memory of 4992	4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	81
PID 4316 wrote to memory of 4992	4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	81
PID 4316 wrote to memory of 4992	4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	81
PID 4316 wrote to memory of 3092	4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	82
PID 4316 wrote to memory of 3092	4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	82
PID 4316 wrote to memory of 3092	4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	82
PID 4992 wrote to memory of 4312	4992	iexplore.exe	83
PID 4992 wrote to memory of 4312	4992	iexplore.exe	83
PID 4312 wrote to memory of 744	4312	IEXPLORE.EXE	84
PID 4312 wrote to memory of 744	4312	IEXPLORE.EXE	84
PID 4312 wrote to memory of 744	4312	IEXPLORE.EXE	84
PID 3092 wrote to memory of 1132	3092	Wscript.exe	85
PID 3092 wrote to memory of 1132	3092	Wscript.exe	85
PID 3092 wrote to memory of 1132	3092	Wscript.exe	85
PID 4316 wrote to memory of 4984	4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	87
PID 4316 wrote to memory of 4984	4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	87
PID 4316 wrote to memory of 4984	4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	87
PID 4316 wrote to memory of 1100	4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	88
PID 4316 wrote to memory of 1100	4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	88
PID 4316 wrote to memory of 1100	4316	24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe	88
PID 4984 wrote to memory of 1464	4984	kw.exe	90
PID 4984 wrote to memory of 1464	4984	kw.exe	90
PID 4984 wrote to memory of 1464	4984	kw.exe	90
PID 4984 wrote to memory of 2668	4984	kw.exe	92
PID 4984 wrote to memory of 2668	4984	kw.exe	92
PID 4984 wrote to memory of 2668	4984	kw.exe	92
PID 1132 wrote to memory of 3392	1132	cmd.exe	94
PID 1132 wrote to memory of 3392	1132	cmd.exe	94
PID 1132 wrote to memory of 3392	1132	cmd.exe	94
PID 1132 wrote to memory of 760	1132	cmd.exe	95
PID 1132 wrote to memory of 760	1132	cmd.exe	95
PID 1132 wrote to memory of 760	1132	cmd.exe	95
PID 1100 wrote to memory of 1456	1100	Wscript.exe	97
PID 1100 wrote to memory of 1456	1100	Wscript.exe	97
PID 1100 wrote to memory of 2628	1100	Wscript.exe	98
PID 1100 wrote to memory of 2628	1100	Wscript.exe	98
PID 1100 wrote to memory of 5040	1100	Wscript.exe	101
PID 1100 wrote to memory of 5040	1100	Wscript.exe	101
PID 1100 wrote to memory of 920	1100	Wscript.exe	104
PID 1100 wrote to memory of 920	1100	Wscript.exe	104
PID 1100 wrote to memory of 3000	1100	Wscript.exe	107
PID 1100 wrote to memory of 3000	1100	Wscript.exe	107
PID 1100 wrote to memory of 4360	1100	Wscript.exe	108
PID 1100 wrote to memory of 4360	1100	Wscript.exe	108
PID 1100 wrote to memory of 1092	1100	Wscript.exe	111
PID 1100 wrote to memory of 1092	1100	Wscript.exe	111
PID 1100 wrote to memory of 4944	1100	Wscript.exe	112
PID 1100 wrote to memory of 4944	1100	Wscript.exe	112
PID 1100 wrote to memory of 4500	1100	Wscript.exe	113
PID 1100 wrote to memory of 4500	1100	Wscript.exe	113
PID 1100 wrote to memory of 1252	1100	Wscript.exe	114
PID 1100 wrote to memory of 1252	1100	Wscript.exe	114
PID 1100 wrote to memory of 2808	1100	Wscript.exe	115
PID 1100 wrote to memory of 2808	1100	Wscript.exe	115
PID 1100 wrote to memory of 1456	1100	Wscript.exe	116
PID 1100 wrote to memory of 1456	1100	Wscript.exe	116
PID 1100 wrote to memory of 4960	1100	Wscript.exe	117
PID 1100 wrote to memory of 4960	1100	Wscript.exe	117
PID 1100 wrote to memory of 2904	1100	Wscript.exe	118
PID 1100 wrote to memory of 2904	1100	Wscript.exe	118
PID 1100 wrote to memory of 2480	1100	Wscript.exe	119
PID 1100 wrote to memory of 2480	1100	Wscript.exe	119
PID 1100 wrote to memory of 4276	1100	Wscript.exe	120
PID 1100 wrote to memory of 4276	1100	Wscript.exe	120

C:\Users\Admin\AppData\Local\Temp\24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24fe407c8fcbb99bc19e24031847694d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4316
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" "http://www.admama.cn/g/?1017"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" "http://www.admama.cn/g/?1017"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4312 CREDAT:17410 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:744
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\emule58\66.vbs"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:3092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\emule58\62.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1132
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser" /v "ITBar7Layout" /t "REG_BINARY" /d "130000000000000000000000300000001400000016000000010000000007000080010000030000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" /f
      4⤵
      Modifies Internet Explorer settings
      PID:3392
  - - C:\Windows\SysWOW64\reg.exe
      reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser" /v "ITBarLayout" /t "REG_BINARY" /d "110000005c00000000000000340000001f0000006e00000001000000a0060000a00f000005000000220400002600000002000000a1060000a00f000004000000a10000000f02000003000000a10200003b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000" /f
      4⤵
      Modifies Internet Explorer settings
      PID:760
- C:\Program Files (x86)\emule58\kw.exe
  "C:\Program Files (x86)\emule58\kw.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\ProgramData\smes\u.bat"
    3⤵
    PID:1464
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\temg_tmp.bat"
    3⤵
    PID:2668
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\emule58\top.jse"
  2⤵
  - Blocklisted process makes network request
  - Checks computer location settings
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:1456
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:2628
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:5040
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:920
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:3000
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:4360
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:1092
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:4944
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:4500
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:1252
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:2808
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:1456
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:4960
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:2904
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:2480
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:4276
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:4356
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:4480
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:216
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:4584
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:1760
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:4556
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:5096
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:2600
- - C:\Windows\system\SVCHOST.EXE
    "C:\Windows\system\SVCHOST.EXE" C:\Windows\System32\smss.exe:1123538714.jse
    3⤵
    - Executes dropped EXE
    PID:1396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\emule58\62.bat

Filesize
6KB

MD5
e4b15a37363b2c78c25d1285dbf525fe

SHA1
1f13b61970790a7a6aac07af4d27e55d8b5cbfca

SHA256
3638bc42e5c2e6bc146a71b47ab36a04e61d55837a095ca1fc89bf08e89b2c14

SHA512
2dc17802adba070def32a7d007d481c77294197790689e584f9e6ed8266ee5431228619a2530191a331f5bba15b38a4eec4207086539ab1e338f3979b5e0d98e

Download Submit
C:\Program Files (x86)\emule58\66.vbs

Filesize
215B

MD5
c278aa8da3a6ca9fb9fb32b6532c518a

SHA1
bfc77de51b03ec6c484ac7effd873bafe2877a2c

SHA256
6cb036bbc95cb445bf0c3674cf1e769a669252cc1759820e69d0bc986b2ba598

SHA512
6ed07fafcb97a35b96f0486144e58a5655bec452d430cd3fd1c33f55772e8882875a750c0488d3bd9c050f7ae5946dd8f935556c4d7a4314f73309c2dd30301d

Download Submit
C:\Program Files (x86)\emule58\kw.exe

Filesize
912KB

MD5
0e434ae78033051350fb80040a2643eb

SHA1
1a7cdc5d12553a74991633caeddcc1318a7ad021

SHA256
2f6da9d3d5abf30789d2caa8ca82f086dfd4e14fd9b087cf1ef9942895db2b73

SHA512
06e7917a90760cde31356c752f3a087a9c2f07f8097b65d80cee8bc00e90ce45bea9ff591525c90cb3fcd3bf9d595c4edbe50c1c4abde408b826495aeecb771b

Download Submit
C:\Program Files (x86)\emule58\top.jse

Filesize
34KB

MD5
309a7bfd0ca4128da7a55da61ab85edb

SHA1
9c4a6aa60161da78cc8e9732e9e668c766b2f765

SHA256
5cd85e4b0ae12d00fca69642abc342e2cb4bf95ca3ea45d7ec3915dde0457637

SHA512
b4750e066eb62636824baf35caac7c1f59e60823246b8cf9d1bb14004fb6dddc132b9d4f72bc021584766160ae88e9d044a8efa23c7733478168cda84267a76f

Download Submit
C:\ProgramData\smes\u.bat

Filesize
44B

MD5
704efba1aee1454561da552dda430498

SHA1
d20fb96683f769eb9cef1b0a068bcba70aeab9c2

SHA256
80b08d35bd27636e0774ce35ab57306f76edc6a0f7058cb1f93733cdf88bf94c

SHA512
7e0c9ede686238703af4893af8842c05c48ab1681ae273b32d8085cf1a17aae946c0c823a0a418787522a551d684367259ff8203ebca6e4ec69b6ded95231bd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
63a2d2b4cdc269762fe4bdb8cdfde7f8

SHA1
5cce14e5285ce9844b164d37de9f4ad0acc7880f

SHA256
8e323e0354939fd301d8db011a0b007476c93e0e048100922e3e59e34b04f716

SHA512
db3b35b23c3088fdf8f5215d8f9149e717d871be0c7b69541aba232e6f829e18d9d074b53f173387985a3ba4df1c016ec5b75f4387d6123c6c1ba3113c43dec9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
67afe4fe020dbeae122bd1c1fc05f0c7

SHA1
8343d4ff042e554c9fd9feb9f1dbda10e01bdad8

SHA256
bb7d3d9d2a2f5d6729a357cef346d823ba79aa9cc878b7ce2705f19f1bd47d22

SHA512
1e6febfd8729d427e3fa507db565ee17f5d79af799960f6095e8495c4cbbfc9dcb171b91c3f142cab081495f5e8ce4c910ad212bf5bcc11a32640f6212a66c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\D5DFSS0T\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi4FA7.tmp\nsRandom.dll

Filesize
21KB

MD5
ab467b8dfaa660a0f0e5b26e28af5735

SHA1
596abd2c31eaff3479edf2069db1c155b59ce74d

SHA256
db267d9920395b4badc48de04df99dfd21d579480d103cae0f48e6578197ff73

SHA512
7d002dc203997b8a4d8ec20c92cd82848e29d746414f4a61265c76d4afb12c05bce826fc63f4d2bd3d527f38506c391855767d864c37584df11b5db9ca008301

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj51CA.tmp\AccessControl.dll

Filesize
10KB

MD5
055f4f9260e07fc83f71877cbb7f4fad

SHA1
a245131af1a182de99bd74af9ff1fab17977a72f

SHA256
4209588362785b690d08d15cd982b8d1c62c348767ca19114234b21d5df74ddc

SHA512
a8e82dc4435ed938f090f43df953ddad9b0075f16218c09890c996299420162d64b1dbfbf613af37769ae796717eec78204dc786b757e8b1d13d423d4ee82e26

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj51CA.tmp\FindProcDLL.dll

Filesize
3KB

MD5
8614c450637267afacad1645e23ba24a

SHA1
e7b7b09b5bbc13e910aa36316d9cc5fc5d4dcdc2

SHA256
0fa04f06a6de18d316832086891e9c23ae606d7784d5d5676385839b21ca2758

SHA512
af46cd679097584ff9a1d894a729b6397f4b3af17dff3e6f07bef257bc7e48ffa341d82daf298616cd5df1450fc5ab7435cacb70f27302b6db193f01a9f8391b

Download Submit
C:\Users\Admin\AppData\Local\Temp\temg_tmp.bat

Filesize
131B

MD5
d14d69465f21336de8e638e62b5d8889

SHA1
4b7652617ad7360cde575f6d394a81effd500fa6

SHA256
c5ab4e6cd61c958ef041a1a1bdc871f60615b2f66a0628f982a4b4be7adfc98c

SHA512
82f62edf2fef74286bee99618eb21985d3a013d54d38a84035fe183ce303beebd1dbb1df51ddfb71e8233980647633f274e593f3a022388dcc099df601ef7a2b

Download Submit
C:\Windows\System\SVCHOST.EXE

Filesize
166KB

MD5
a47cbe969ea935bdd3ab568bb126bc80

SHA1
15f2facfd05daf46d2c63912916bf2887cebd98a

SHA256
34008e2057df8842df210246995385a0441dc1e081d60ad15bd481e062e7f100

SHA512
f5c81e6dc4d916944304fc85136e1ff6dee29a21e50a54fe6280a475343eccbfe094171d62475db5f38e07898c061126158c34d48b9d8f4f57f76d49e564e3fc

Download Submit
memory/4316-22-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/4316-21-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/4316-8-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/4316-23-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/4316-24-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/4316-5-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/4984-43-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download