4b05ce1e4ef18ab3bc00027ae248873deae51c58191edddb2440b434e4a3bc17

Analysis

max time kernel
140s
max time network
145s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 12:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe
Size

39KB
MD5

3d5661b29467f8eb4bf83f6ba7c1e8ce
SHA1

d6eca5824ef7671cb1bcb9e33fd445da9cf1622c
SHA256

4b05ce1e4ef18ab3bc00027ae248873deae51c58191edddb2440b434e4a3bc17
SHA512

9b7e8cff2816fca59ec8b34ff68557f95b165e032443f44f6933d9d950c3df7897896771475adcfa5ffb66e310ca8537348f56bea8052a075fa12302a070167b
SSDEEP

768:eNnXyiS9KHnxaVL322sRutEftKWHyNxQzTjiD72U97/zCFF7bWx:GyGHnxap23uoE8yXKjM2s/zAF

Score

7^/10

evasion execution persistence trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2844	2.exe
1244	2.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\OptionalComponents	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\L7S7WL4UJO\0G6K9TS9D8V.exe	2.exe
File created	C:\Program Files\L7S7WL4UJO\ORFFQBN.exe	2.exe
File opened for modification	C:\Program Files\L7S7WL4UJO\ORFFQBN.exe	2.exe
File opened for modification	C:\Program Files\L7S7WL4UJO\ORFFQBN.exe	2.exe
File created	C:\Program Files\L7S7WL4UJO\0G6K9TS9D8V.exe	2.exe
File opened for modification	C:\Program Files\L7S7WL4UJO\0G6K9TS9D8V.exe	2.exe
File created	C:\Program Files\L7S7WL4UJO\0G6K9TS9D8V.exe	2.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\DisableScriptDebuggerIE = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Play_Animations = "no"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Play_Background_Sounds = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Display Inline Videos = "no"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	reg.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A1-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\Implemented Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\INPROCSERVER32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\OLESCRIPT	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ = "JScript Language Authoring"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\CLSID\ = "{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2 AuthorJavaScript1.3 Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories\{F0B7A1A2-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\ProgID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JSFile.HostEncode	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript Author\OLESCRIPT	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\OLEScript	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\HTML.HostEncode	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript Author\OLEScript	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c262-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}\PROGID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CC5BBEC3-DB4A-4BED-828D-08D78EE3E1ED}\Implemented Categories	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F414C260-6AC0-11CF-B6D1-00AA00BBBB58}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWOW64\\jscript.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ECMAScript\ = "JScript Language"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{cc5bbec3-db4a-4bed-828d-08d78ee3e1ed}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.2\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact Author\CLSID\ = "{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\ = "JScript Language Authoring"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Scripting.Encoder	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.1 Author\CLSID	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LiveScript Author\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Encode\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{F0B7A1A3-9847-11CF-8F20-00805F2CD064}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32\ = "C:\\Windows\\SysWOW64\\jscript.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{f414c261-6ac0-11cf-b6d1-00aa00bbbb58}\ProgID\ = "JScript Author"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JScript.Compact\CLSID	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2948	reg.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe
2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe
2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe
2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe
2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe
2844	2.exe
2844	2.exe
1244	2.exe
1244	2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2844	2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2844	2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2844	2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe	30
PID 2064 wrote to memory of 2844	2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe	30
PID 2064 wrote to memory of 1244	2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe	31
PID 2064 wrote to memory of 1244	2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe	31
PID 2064 wrote to memory of 1244	2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe	31
PID 2064 wrote to memory of 1244	2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe	31
PID 2064 wrote to memory of 2936	2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe	32
PID 2064 wrote to memory of 2936	2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe	32
PID 2064 wrote to memory of 2936	2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe	32
PID 2064 wrote to memory of 2936	2064	3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe	32
PID 2936 wrote to memory of 2148	2936	cmd.exe	34
PID 2936 wrote to memory of 2148	2936	cmd.exe	34
PID 2936 wrote to memory of 2148	2936	cmd.exe	34
PID 2936 wrote to memory of 2148	2936	cmd.exe	34
PID 2936 wrote to memory of 2788	2936	cmd.exe	35
PID 2936 wrote to memory of 2788	2936	cmd.exe	35
PID 2936 wrote to memory of 2788	2936	cmd.exe	35
PID 2936 wrote to memory of 2788	2936	cmd.exe	35
PID 2936 wrote to memory of 2788	2936	cmd.exe	35
PID 2936 wrote to memory of 2788	2936	cmd.exe	35
PID 2936 wrote to memory of 2788	2936	cmd.exe	35
PID 2936 wrote to memory of 2956	2936	cmd.exe	36
PID 2936 wrote to memory of 2956	2936	cmd.exe	36
PID 2936 wrote to memory of 2956	2936	cmd.exe	36
PID 2936 wrote to memory of 2956	2936	cmd.exe	36
PID 2936 wrote to memory of 2156	2936	cmd.exe	37
PID 2936 wrote to memory of 2156	2936	cmd.exe	37
PID 2936 wrote to memory of 2156	2936	cmd.exe	37
PID 2936 wrote to memory of 2156	2936	cmd.exe	37
PID 2936 wrote to memory of 2976	2936	cmd.exe	38
PID 2936 wrote to memory of 2976	2936	cmd.exe	38
PID 2936 wrote to memory of 2976	2936	cmd.exe	38
PID 2936 wrote to memory of 2976	2936	cmd.exe	38
PID 2936 wrote to memory of 2948	2936	cmd.exe	39
PID 2936 wrote to memory of 2948	2936	cmd.exe	39
PID 2936 wrote to memory of 2948	2936	cmd.exe	39
PID 2936 wrote to memory of 2948	2936	cmd.exe	39
PID 2936 wrote to memory of 2952	2936	cmd.exe	40
PID 2936 wrote to memory of 2952	2936	cmd.exe	40
PID 2936 wrote to memory of 2952	2936	cmd.exe	40
PID 2936 wrote to memory of 2952	2936	cmd.exe	40
PID 2936 wrote to memory of 3024	2936	cmd.exe	41
PID 2936 wrote to memory of 3024	2936	cmd.exe	41
PID 2936 wrote to memory of 3024	2936	cmd.exe	41
PID 2936 wrote to memory of 3024	2936	cmd.exe	41
PID 2936 wrote to memory of 3024	2936	cmd.exe	41
PID 2936 wrote to memory of 3024	2936	cmd.exe	41
PID 2936 wrote to memory of 3024	2936	cmd.exe	41
PID 2936 wrote to memory of 2176	2936	cmd.exe	42
PID 2936 wrote to memory of 2176	2936	cmd.exe	42
PID 2936 wrote to memory of 2176	2936	cmd.exe	42
PID 2936 wrote to memory of 2176	2936	cmd.exe	42
PID 2936 wrote to memory of 2176	2936	cmd.exe	42
PID 2936 wrote to memory of 2176	2936	cmd.exe	42
PID 2936 wrote to memory of 2176	2936	cmd.exe	42
PID 2936 wrote to memory of 2932	2936	cmd.exe	43
PID 2936 wrote to memory of 2932	2936	cmd.exe	43
PID 2936 wrote to memory of 2932	2936	cmd.exe	43
PID 2936 wrote to memory of 2932	2936	cmd.exe	43
PID 2936 wrote to memory of 2344	2936	cmd.exe	44
PID 2936 wrote to memory of 2344	2936	cmd.exe	44
PID 2936 wrote to memory of 2344	2936	cmd.exe	44

C:\Users\Admin\AppData\Local\Temp\3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3d5661b29467f8eb4bf83f6ba7c1e8ce_JaffaCakes118.exe"
1⤵
- Checks whether UAC is enabled
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2064
- C:\2.exe
  "C:\2.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:2844
- \??\c:\2.exe
  c:\2.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious use of SetWindowsHookEx
  PID:1244
- C:\Windows\SysWOW64\cmd.exe
  cmd /c c:\2.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v DisableScriptDebuggerIE /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2148
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s msvidctl.dll
    3⤵
    PID:2788
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Images" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2956
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Animations /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2156
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Disable Script Debugger" /t REG_SZ /d yes /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2976
- - C:\Windows\SysWOW64\reg.exe
    reg.exe delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run /F
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:2948
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v Play_Background_Sounds /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2952
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s itss.dll
    3⤵
    PID:3024
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /s jscript.dll
    3⤵
    - Modifies registry class
    PID:2176
- - C:\Windows\SysWOW64\reg.exe
    reg.exe ADD "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Display Inline Videos" /t REG_SZ /d no /F
    3⤵
    - Modifies Internet Explorer settings
    PID:2932
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s vbscript.dll
    3⤵
    PID:2344
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:2740
- - C:\Windows\SysWOW64\regsvr32.exe
    regsvr32.exe /u /s scrrun.dll
    3⤵
    - Modifies registry class
    PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\2.bat

Filesize
1KB

MD5
e320cdbb09e69f422f8b2ff9113bc394

SHA1
15e3a293095376f5051230ad12269feac82e8fa3

SHA256
05582d2e555c46a37578076a9a668205241b6612b2064c42c920980be300e926

SHA512
c5a7b4ad79ef44f24991237992e9e01d64b9d5c7fed8354035863c9ceffd1ee271dbd58b1fad7474de372f2c5c7867208720fbd0928c58b15f3e94dc2a6e35a1

Download Submit
C:\2.exe

Filesize
21KB

MD5
cbbb57932d0871df880e866c47daff4e

SHA1
0f87729b8d9727bf0e65886798305928fe8ce598

SHA256
2260745a9d6815f9c750a9761a189f9469a5a464caba555416c90ba94b8652a6

SHA512
86e354781f4b984cceb36a8ff5e2a6698d26eb35999a06eefe5fae451fe67edd954f88bc012e5905e1595a8971b502ae3f8b667322600b27580ce3265d5c222d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LQOQ02MG.exe

Filesize
9.0MB

MD5
de9d5f8459619377b8834b885e0433f3

SHA1
8c89a214f6b65af31e9a12aceb00c554920beeee

SHA256
99721df4bf9b121901e9014aceeb4c43bb629268f21238a21e1b29034ee1fb9b

SHA512
4269ca8b0d15269c150fde21f74a8b1659131022bbc8e081280c9ced4911604143d735f66da418ced7b9a82247651ab492440b2c1e2bdb91da9a62300431aaae

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads