d77764463477b39e55d0fe482c14774e3bd08fce9c06f45c433a92f7741b8a80

Analysis

max time kernel
127s
max time network
129s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
Size

1.4MB
MD5

5a53eaee706bcc014a160571243b5743
SHA1

3aa579209c5e542b756a964a5267a0ba6083fe0e
SHA256

d77764463477b39e55d0fe482c14774e3bd08fce9c06f45c433a92f7741b8a80
SHA512

dbc5286b161cae6d9ebd64a05e631fdafe4da7e57d9ea302f3d51b857cc6bf306a81d849139d44fd079ce5f23a1a3c9ea50cc32e653317d71363106b038f26c4
SSDEEP

24576:5UBr/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVN9i:O/4Qf4pxPctqG8IllnxvdsxZ4U/i

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 11 IoCs

pid	Process
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\jishu_180002\sc\Ã¿ÌìÍÅ¹ºÒ»ÏÂ-¾Û±ãÒË.url	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft180002\B_0220110205020221000218020202.txt	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft180002\seemaos_setup_O7A4.exe	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_180002\dailytips.ini	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_180002\newnew.exe	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_180002\sc\GoogleËÑË÷.url	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_180002\sc\²ÊÆ±¿ª½±²éÑ¯-ÔÚÏßÂò²ÊÆ±.url	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_180002\sc\»Æ¹ÏµçÓ°Íø-ÔÚÏßµçÓ°.url	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_180002\FlashIcon.ico	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_180002\ImgCache\www.2144.net_favicon.ico	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_180002\sc\2144Ð¡ÓÎÏ·--³¬¼¶ºÃÍæ£¬ÀÖºÇºÇ.url	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\jishu_180002\jishu_180002.ini	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft180002\wl06079.exe	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft180002\MiniJJ_12318.exe	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft180002\d_1802.exe	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_180002\newnew.ini	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_180002\sc\126ÍøÖ·´óÈ«ÉÏÍø×î·½±ã.url	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_180002\sc\ÍøÉÏ¹ºÎïÍøÖ·´óÈ«-Íø¹ºµÚÒ»Õ¾.url	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft180002\a	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft180002\0220110205020221000218020202.txt	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft180002\pipi_dae_381.exe	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000a424d1750fa1b644ccc3ff7a75da4c877020ec9583705c70db05b61670cdf8f7000000000e8000000002000020000000e227d63851049973f2e0ac57ac920831df93bbff172693019a3604b4f8434a7290000000df52edf3478aaf7984336761284980db5aa7fb39c85b40046cdfb3ed8ef708eb8c1cd75c8829b4d391ea012780bb7156a7e8e3f6d452706bc718120d846a882e96d14ab41e10e7a63edf171cb8a09fa4a049c92b2d8a33b4d85188c87978d923048545bd87cd1f9fde26a851637ab061f56a861b241da4e54bc492cc905ae3f4d82d8c4a2655da944fe938b6a8f74daa400000002d9c476593238c5d3c8dcae86e55d77d874c820a8a77da1f79f6f479943d66ad27fb158c8083e2a7c94968910c7719a0a5c173355b3fd79626ab266c9d731c1a	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427522351"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C46A9B11-4580-11EF-B2F9-66F7CEAD1BEF} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C465D851-4580-11EF-B2F9-66F7CEAD1BEF} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d99090000000002000000000010660000000100002000000017ea76533ec98e57d002cb604d60f61db5c33d803d310734300697d437d4dca8000000000e8000000002000020000000ae1a43bdd8f5f09b0487f62b58d7a404cc4350026bdd13e33abfe3c555ebb51f2000000075aba50fad68a8a083ae7d98568393c7e72dc41ee6382e70d83944139425de9e400000001b4210eb15ef35fff4f97642b5c98df6a1e1a52317eb4e50d59cb7fa6b1beef7aa8a52b8dc9b75f7ecb2cd5b09a6c41a069cd1cb0a0e67fe2ed368c685cfc02b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5046aeb38dd9da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2992	IEXPLORE.EXE
2308	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2992	IEXPLORE.EXE
2992	IEXPLORE.EXE
2976	IEXPLORE.EXE
2976	IEXPLORE.EXE
2308	IEXPLORE.EXE
2308	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE
2044	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2408	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2408	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2408	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2408	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2408	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2408	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2408	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	30
PID 2408 wrote to memory of 2308	2408	IEXPLORE.EXE	31
PID 2408 wrote to memory of 2308	2408	IEXPLORE.EXE	31
PID 2408 wrote to memory of 2308	2408	IEXPLORE.EXE	31
PID 2408 wrote to memory of 2308	2408	IEXPLORE.EXE	31
PID 2392 wrote to memory of 2888	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	32
PID 2392 wrote to memory of 2888	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	32
PID 2392 wrote to memory of 2888	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	32
PID 2392 wrote to memory of 2888	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	32
PID 2392 wrote to memory of 2888	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	32
PID 2392 wrote to memory of 2888	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	32
PID 2392 wrote to memory of 2888	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	32
PID 2888 wrote to memory of 2992	2888	IEXPLORE.EXE	33
PID 2888 wrote to memory of 2992	2888	IEXPLORE.EXE	33
PID 2888 wrote to memory of 2992	2888	IEXPLORE.EXE	33
PID 2888 wrote to memory of 2992	2888	IEXPLORE.EXE	33
PID 2392 wrote to memory of 2816	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	34
PID 2392 wrote to memory of 2816	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	34
PID 2392 wrote to memory of 2816	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	34
PID 2392 wrote to memory of 2816	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	34
PID 2392 wrote to memory of 2816	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	34
PID 2392 wrote to memory of 2816	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	34
PID 2392 wrote to memory of 2816	2392	5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe	34
PID 2992 wrote to memory of 2976	2992	IEXPLORE.EXE	35
PID 2992 wrote to memory of 2976	2992	IEXPLORE.EXE	35
PID 2992 wrote to memory of 2976	2992	IEXPLORE.EXE	35
PID 2992 wrote to memory of 2976	2992	IEXPLORE.EXE	35
PID 2992 wrote to memory of 2976	2992	IEXPLORE.EXE	35
PID 2992 wrote to memory of 2976	2992	IEXPLORE.EXE	35
PID 2992 wrote to memory of 2976	2992	IEXPLORE.EXE	35
PID 2816 wrote to memory of 2792	2816	Wscript.exe	36
PID 2816 wrote to memory of 2792	2816	Wscript.exe	36
PID 2816 wrote to memory of 2792	2816	Wscript.exe	36
PID 2816 wrote to memory of 2792	2816	Wscript.exe	36
PID 2816 wrote to memory of 2792	2816	Wscript.exe	36
PID 2816 wrote to memory of 2792	2816	Wscript.exe	36
PID 2816 wrote to memory of 2792	2816	Wscript.exe	36
PID 2308 wrote to memory of 2044	2308	IEXPLORE.EXE	38
PID 2308 wrote to memory of 2044	2308	IEXPLORE.EXE	38
PID 2308 wrote to memory of 2044	2308	IEXPLORE.EXE	38
PID 2308 wrote to memory of 2044	2308	IEXPLORE.EXE	38
PID 2308 wrote to memory of 2044	2308	IEXPLORE.EXE	38
PID 2308 wrote to memory of 2044	2308	IEXPLORE.EXE	38
PID 2308 wrote to memory of 2044	2308	IEXPLORE.EXE	38

C:\Users\Admin\AppData\Local\Temp\5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5a53eaee706bcc014a160571243b5743_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2308 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2044
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2992 CREDAT:340993 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2976
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft180002\b_1802.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\soft180002\300.bat" "
    3⤵
    PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft180002\300.bat

Filesize
3KB

MD5
7f4ee82601d1562b3b4095f6bd2153d1

SHA1
60c8701e312d4a77fe263416f52d33f647865697

SHA256
85111bce943211273f35f1ecd22a9e79e94baa666735e92272f3dfb4e1e8d358

SHA512
c842c599c236f7c7476cb144b6b63038d41b4a210c493de660aa92330297c6b255bd7e99bb98acc5b965297cd11045a16282787fab5c5d8cd62395e1c2dd7bb0

Download Submit
C:\Program Files (x86)\soft180002\b_1802.vbs

Filesize
247B

MD5
85c8141ad4d9cc77f45cfeb25579f0b8

SHA1
59db762db654325c7708f8c9591f331d351cb2f4

SHA256
03e65cc52079471aa71a7f41930380acb5325dd770684d91f4131f2a4f727348

SHA512
76b504ba09e622181534c18f8ade2a983eec968c9d47bf31da9e2121cd6dd4ab701ffffa551efebf8d8fc3b830522c9d51ddaefd961037d6f401524ad777e1a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fbd843ad4f3120c21a51f204c701398

SHA1
6230038a451c39d436a7cca321bb4bff64dd9e0b

SHA256
5683cba4759b59ea4046e424daeece65efa7f1d0d93ba444ee6f577f4fc9a7a0

SHA512
f8520771873b0fa2baf10a7849e91b5103c534cb776b30b4a6ea1bcd55cef752edc1214f31f8410937afd7de277829669595d12a4a4f2761f42bccb253364374

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de4cf99c5ca06c60742cffb8c1f1ea1a

SHA1
170a97a81a5af368812dbd6561ef3f445e675e08

SHA256
7b741a7f5124b8add263b1aa24f7ff6823302380f3c848426adb352a5e78ff54

SHA512
40f77b7461432fa715b43d2527ba5804fff28e50fba6a6aed79bebfd1b97f93c8674e39968f60c1177523b2278bb2fe361e975f1fefed122c763b9dfd1ccabbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e886c2c448a523b942a12fba463f651

SHA1
3775a296e47d533d6d0df0b60302edfb54b14949

SHA256
6432d3fb8e4f4c9a9d2598ae2bb2938b2a2c83d6d014f26a697396812ffb63a9

SHA512
9a926350bbdac4fdea16d36cb280e24c11179541423f96f1f8717939ed22d6dfe662f2ad68eeb7e60e831dad94c69201eb6b1c056bba89031e2c790263425462

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5512465ead1fa29c47c11fbb5ea8a45

SHA1
33333e562e987b4da9edf253d2835b134ba4411d

SHA256
426536c69c9f627598146ffe5290832746e31edd0226090c3303ed8b56cbcb11

SHA512
ad36a93a4c39c3d55c5cd874c5194a5bb17aed39eba61e95f03c8afda074803d59517d93ed59cdbe70fc2e3b3723b7fcd75eacc2185cdc52e9e4d11048ae4569

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e178a7a86450b0e91c07c4cd73462a3

SHA1
9352e64ee9136a38d032aaf8bc995ffd8dd01d20

SHA256
1411a2d387b9c6a96a2e6bca017e4e2a0bb1d653672d75f86f3aa442b224f117

SHA512
dbba19f5ffca28d1ad65cae07f5f0a381464c2f2b2f88d8600eb29483dec0f7c50a79f80e9f343d4f6b8786985ba17cc8cbb22f0ca506f1054a37826305a47c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e0a6ec6d1325be1b7a2aec9a077b1f3

SHA1
fea806ea953b6d86f7642b83155f08822ee03ce1

SHA256
0c21394f69be6e967083c6ba962b6809636352067f84f48034c43f4384289733

SHA512
5d08815eec83977c991473fd15022503c26ba788bf5988b773079583c13b609ddc86d7ec03fa3ca2dbedd1e6339573991fb31f01e63022dacb6b73107d6a2176

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a634272167909a27b1684fbc4521400c

SHA1
e052d3697114fb045a3604163e62033c7389412c

SHA256
5afd0d6ceb88fa54ecdabbff55556d46531e3d28da61d0ada2688ccd70e5fae3

SHA512
fa75b7e1e35c5d931cf0b8c844869bcf5f1f08539f588bc0d6c7429e2469ec710b0ab7874b0992f1e875f679c21976e62555bce33199cece630cf60d370301c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f13ea6d86b295b0bf5a9fd56f987fbc

SHA1
9f1ddae3ed3fb4f1f24929c74034e393b3e8dff1

SHA256
f93d3d625a091a5fcb9e7b2fc51c6689b21be3dbf3106dfca6b27be0d10e2c60

SHA512
7fc908ee5dad00a5aefd6443950668782a683ae56529118f63148ac479dadcc28f208621b4e2374331fc190491590b6755ed27e1b393b369095b17421cdd0fa2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7354016da9d422f22f02233a40527e58

SHA1
bf0d8701825d69e3ccf48c28f53461ae2a9e92f7

SHA256
96989a1567047e3a1094e509434028965e6dc8982c7bf29f09b0cf831cac4ea3

SHA512
450d8a4d8750a55a00c9283b089273a7146d753246ccfb00b7c3b144fa30a4fc119e798371655ebfe1fbb699797bd877ae97fe0adca642875fa6b0784cf4da26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b39235d4d18961bdb3e566d41c309ad

SHA1
eebc8fe1d12d1fd32a62d6105586dc38c282a1e3

SHA256
fe589934e368e88ce6d8d200c02dc5bbed14275f50bd56a8dd3635c8fc389e91

SHA512
a5be65eeb063ef339b9ae99f91ab66da0e755a573785aa85edea043c153ebba99f291b741c47d3c19329f854e5dc1b9cc18424c8f70622b513e1c54356797081

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b903906e7b05d6dcb451520c65651efe

SHA1
00f8bf706a016bf9d9b748227d2a71c84891d2ae

SHA256
221cd67e80117baba847c2bec1be2185a6507a7d56f7da838b7a4f3367fc028c

SHA512
49bd423517105507197958e509ec2560be946182654dddb8b673d6b328d053c333b3a96d08edd55a83cacd43d5b7b5bde9429b973d29d126907f395d21341156

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14fb970c16915c01620b7fe17e1f31fa

SHA1
e65515abea222b9bd9ae663806985a2d999ed39d

SHA256
3f89aa0dfdfb85c41be72657b806e56fc08f8488f56d4419de5c2190a292fc25

SHA512
aaf56a6d4788f8d65b657ecef794bfaa2a59c1c0192ac00ea4e083d75d1cf48c944f84b96993949d34a6b54d949921c27ca0bc3c616c7b228cee2904d27fb091

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b67e098925bc1769603debdcb5ac5b10

SHA1
f1793ee6a963988e9381ba8086f9878f21ccc482

SHA256
e60ebb7294dd5e4fc5b8c108775de6689eae679f882cfb41dfafe95cb4c0f748

SHA512
5e5053b7e3ace0d7fdde35bf10f2b3b2cfd961bd5e154bcc65dae032d79fa05cd8ef8ff0e81cf8868033920f4e906756c639487e1b2caa0de3ff0da90c5d29a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
949b928d769bd4ee72484aaed445a006

SHA1
f89d98341b028c33571308cccb5019429b566669

SHA256
ac0d56992baff8817eba99c88ea70ff6ab9cc4d64a5d7e11498f84344be18462

SHA512
1297be2577166cf5df7fcfe24e309b6894eb70c5885a836706fec6444ffc7ecfac0bb0d32e0f46aecbe55d38c74262cf8276716dbf77ffa2cb87312f2f06f3b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
139a6e4b6340d45cc0a97dbce46bf286

SHA1
c899eee5b814a0395b849c2701bd66c21957f9f9

SHA256
a71e8af1b7bbd1b32deb49fa949246a33a1b204e912c2e9cf6ae5539cd2d503a

SHA512
43de0400870900ca4370033121b411e75ed87d7d5938582a15440ad3131bf31c7300451bcdfa07e9c47c8c1bf6d99061c8f32bd3d0748ce8c4bf849870279c22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79373e2ce26581a057dce2a179e733f4

SHA1
5533518410f47dcc4a77bda811779b022bb76198

SHA256
8c7e80b73aa8f578e87f63bc575456e5b9d2b092b6b96c0f7baf04689cdb4e7f

SHA512
b049437ad3a2b03f81cd942333f5a41387ed4b55a24b3db21e95a914cce118499ed4216f3edbda2bc45c28152a325ca5a6539e6f83e9b227a95acd3ed05ba526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{C465D851-4580-11EF-B2F9-66F7CEAD1BEF}.dat

Filesize
5KB

MD5
f4bb973bee4d5ea1c0eb3dee26e0b034

SHA1
ea3ae96f676864eb6db619d7871ecc250603a6ae

SHA256
cf31a33b7ccc9851ba6b4e5f86e8eabfefa340eafe713bbaca7e4a4a4a4e383f

SHA512
04c0e95c5ea67a1d2b8258709165e090fd6b234d598b30c502234d55dc29e6a9c2d4f91a28d94148d0d86e1ffe56348c94d8e3286fb5d05711fd5ccd774d1ac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5322.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5392.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\ Intornot Exploror .lnk

Filesize
1KB

MD5
4c3fe4dc311f4826ab138f044ff4d05a

SHA1
ff3dc1a0a9ce4cab62e6d574c9585dc4fe8dbfc7

SHA256
3ac5b3204b49b78ee5af1437f60f8be3fc348b11a470d36c2d7510e1a7c479b7

SHA512
faafaf751a406ae7faf3ab0ecf37e4eed7c917a56a61c652a8f5798eeab7bbdb7d8e699f4d2094e08251bbe59ab702ac66a90d782b053d73bb87e9dd04ad32e3

Download Submit
\Program Files (x86)\jishu_180002\jishu_180002.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
\Users\Admin\AppData\Local\Temp\nst8D62.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nst8D62.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit