74a6bf982d64547e7a290503c8bf80708df7f749a35bbb5168b8119b9f950a2e

Analysis

max time kernel
149s
max time network
133s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
23/07/2024, 08:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Size

188KB
MD5

66c910db68b98751290cdb4d6835da7f
SHA1

9a6e817e398795da5fc0de48f30a6f446da5ecc7
SHA256

74a6bf982d64547e7a290503c8bf80708df7f749a35bbb5168b8119b9f950a2e
SHA512

e7ac6f4ca3910ac1538b981f6087bd2507ef7fadbf0db2e86dec557dfb425c60697e780762289b0dd954f7711ec58f3768676a579d99722fc910031b8cdc4cd6
SSDEEP

3072:Z/FDc0Cbdss/q+RxKd9u1Wb/4/8uL6suQ14Zvop4lhdPupdoK0QCcLq2XrDmQt:fc4+RId9ui/4UuOjQuomhupdoK0QCcLX

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2592	WScript.Exe

Executes dropped EXE 1 IoCs

pid	Process
3052	Program Files224U2K.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d9909000000000200000000001066000000010000200000004e0c5397582509a0eb2a9ac5766d3042b9384302f2b3fcae8c71ebb724eb5424000000000e8000000002000020000000957f4786cf3d2538f045e4b613858a41c8ecd6996c4b225b95cdd280d741346b9000000073d86c649ced5fab1be513b90de86217f19cfa6245046551fd3dae5c5580947f32abb5512e072ecb780b1612f843eee37576b1fb5018da83299386b69885898de2862dea544dce1e4bb06ad367aecf80e67a896e0bf9ce9aa57cfe0bde3defcc18c26dc2095cfbe8532d63f306960997853c21bb247ef7e4f34411e7ffc458071119fb250b1d0eb9b69abd1ef40885074000000097534e22f6fa5106043f7e2aedafdac8ca207c0ad046c2b40edf9849e20b7ef23a14b55f8786ffd30498ebbd7c4d70534b73e8a1e75cabaa7fb5c67a82ad73b3	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2BF5FED1-48D0-11EF-B6C3-72D3501DAA0F} = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d99090000000002000000000010660000000100002000000001fadb655cab4710ad79f3269b1da746448dbb3383e332dbf3c123ae09b26af0000000000e8000000002000020000000f5ee6fe133f53319533392230cbad3bb24b3db57ae936497850934376e0870db20000000ed9209421a8ae18f49d134235b2046d36e90ff3bff317271df5ec1b88f3846764000000044cf0057024bde652557dc0e8687d03e4b7a3afd8e76ea066dffb99a08e8593446df9943d4041afeb522b3722e3969df10d891ea1c16e514c14928d6842e3936	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 102cd804dddcda01	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427886307"	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1193"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.t17t.com/?1193"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1193"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1193"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1193"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1193"	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2716	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3056	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
3052	Program Files224U2K.exe
2716	IEXPLORE.exe
2716	IEXPLORE.exe
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE
2740	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3056 wrote to memory of 3052	3056	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe	31
PID 3056 wrote to memory of 3052	3056	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe	31
PID 3056 wrote to memory of 3052	3056	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe	31
PID 3056 wrote to memory of 3052	3056	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe	31
PID 3052 wrote to memory of 2716	3052	Program Files224U2K.exe	33
PID 3052 wrote to memory of 2716	3052	Program Files224U2K.exe	33
PID 3052 wrote to memory of 2716	3052	Program Files224U2K.exe	33
PID 3052 wrote to memory of 2716	3052	Program Files224U2K.exe	33
PID 2716 wrote to memory of 2740	2716	IEXPLORE.exe	34
PID 2716 wrote to memory of 2740	2716	IEXPLORE.exe	34
PID 2716 wrote to memory of 2740	2716	IEXPLORE.exe	34
PID 2716 wrote to memory of 2740	2716	IEXPLORE.exe	34
PID 3056 wrote to memory of 2592	3056	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe	36
PID 3056 wrote to memory of 2592	3056	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe	36
PID 3056 wrote to memory of 2592	3056	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe	36
PID 3056 wrote to memory of 2592	3056	66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe	36

C:\Users\Admin\AppData\Local\Temp\66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\66c910db68b98751290cdb4d6835da7f_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3056
- \??\c:\Program Files224U2K.exe
  "c:\Program Files224U2K.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2740
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  - Deletes itself
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files224U2K.exe

Filesize
36KB

MD5
d34e0b5daf9837e400f0674b7eccf72d

SHA1
1262d0100083dc5406a6dde040dedc9d3cde8252

SHA256
f6aadd81f1c79ddd9800a45f7e1852443a4badfe3502004d1746bde9aa35e48e

SHA512
bbb7cd8dbd2ea662ff8703cf8a0c88a1a34fbd66e9bcb93bde99148477dfbf9ea570739e2a81b50e4c9694eec8b60d7c00066d40429730b4f13ef192db853f2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
389daad7711c0cdb7165acb4fe2a8d7c

SHA1
9e52eab1d3655a98468b1c5c71c61ac104131cf1

SHA256
d2ef15dfd67293b46a14c2d5f106218a341c5be13e245850eb8ef119bd3f3c88

SHA512
caa72f9177e161520d440817e8dc5978603906586989390614d7c2900c1e502f6ab3c17c0695e01bc1e1c47019fa7bd3077aa88dd4552b4d0e86c30de4e1afb5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f032de52d32ff7f0358289dfb8c1ea4

SHA1
de1916e6583e43757e5c456259d73b69dc947f4f

SHA256
58c2ad9a981981078c14608f89152263fee7c7a3100d472f1748480b96f8d603

SHA512
a183313fb88eed45f9a80206e99ac486713c26a671a7f9d5ad1f9d2aded5317ab12d20317df0835221a164364f3c80b08f976cce39ea91bb457bbe82d4a6609e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36c79dc1fffc8f314c1780bfe306000b

SHA1
5b455a0b86e8aaff0df09579a5d9b3833c416347

SHA256
913683b7476f514b0c087f0c07c47eb2959ea35bde8cdcde7520aa7e57ebf267

SHA512
d6d770b600b4a147a1af85f0e5f4b5266dfb18cde1c564c851a87f46714579e064becc471bc2ef811a4973016227be091d6d05de8b409312b1c09b21f4567cfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
81b399bb1da3c1acbfc1a58d070a8f24

SHA1
32b791b04d7bb63313463abd790b227577224b66

SHA256
df927ef948cd89f5498ef8d08c7403385856fdf208b9ec60e7638f69ab3560e3

SHA512
5f2e46e3ce19e736e2c3827e3ab985e96172fb0b0ea3e022f80dfb935d99e523b9121eab73aec66dfc29cbf9906046ed807ed98e76c319a728804af0b31b38d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9f52f3b4db0882538eb18bbabbaa523

SHA1
44e53de31ac05b23f8a15ca93a763ccd162d6528

SHA256
f83f8783cd83ab2bbc7e95df95753f4827d15e20d5c5e19ebbe6adf1e83aab34

SHA512
fd3322fa9f5421984a115f21de5bdcb234035f9fc94e41927671c0393f596015e40f04d369b672e9dc7b31e22d2ff6ea50f41c67f8840c3a24f06805bd775008

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b070c5388d8a809b1ba2425fd4c9995e

SHA1
96cc0b0e5415f98fcecf0bea1b1a072d074d5ff8

SHA256
5008f9faa5fb25af59d9ccc18b47ec0879dba48a1ab5f568f9752f61263dc49f

SHA512
5b2d67853be5a090c5d7bb7a63adc33c79e349dc7b24fa2a7c3cf5ebf9f8d1f8d0305fb22fd298eaf1f65f1b3b5bcd78e2fed50054ba93e5ea0c9319f77c21bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d23716c3935cd046b61e83a97dcbafa

SHA1
291c6de6735a23c64c81fb47818532c0f85d40ba

SHA256
152502ba77532de44dcc7b82d5b69b71e4cded8876a1fbb73ee94714c128095a

SHA512
cb70259be09b1c0830bd99d0fea6f1ee064c6155ee8f55e6a0ae782c2c0edad7dcad45bb077cad2b9cf04d9481d9b8290d2297f0d0828e451d67bf007d6f385f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfeff810cf1c5acfec25ef324cb5e8dd

SHA1
d4ca3405b2be75365d9bde28b5cbcc5edf895f48

SHA256
91435b839ddb2829644d7c26a16f10dd9e966733b24b7049bc144ce2efc9f1b7

SHA512
d78e13130c9397c5432f6a6c36ae9cb2898690365bf3eb2a9ffe21fb385ea4e57965d493422536a927f79b7f629680acaf94dc5bca7f9bc64f019961b80cbfe3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b6694881f6214854291015ad97d4530

SHA1
4d2d570df8ee35584b08983123373d2db083d6fc

SHA256
256a3d4627913e2aaf46e295ee320cf82069e50219a09b056e72c2c7053a758b

SHA512
32ee43fa47d897d3f5686efbcf206b4bd89500c61254d859042114b5d4b0df9f741e723dafe058a6c7e37238aa79ae8c27f358209f2f317524f9d7e0c5bc17e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fef2beeb0afecaf1b548708014d0870

SHA1
9b111057b4bc032c7b02f4d1a84b8f22bddae517

SHA256
4187aacbc40658c28614fcb0933856ad115ba1aa2c459e2df97c87e8b237084c

SHA512
ab36d4458857a99fbe143b14e09d575fbe75ac11585f8fd5fe126f1a1fb67c69649f9da952505cf754004d595c718dbbdf381e22f0e1a2c2deebfec23c904ad5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c6be21033607e487a2a1fa0c4bc8ad5

SHA1
8ed51dc3c2030cc4ab431179cd14a533b854068e

SHA256
fe834d3bb434d83e9bdd2a652b76d11a1bea048db6045fe3398eaae102071396

SHA512
5adb0783ec21405f11f5600b22bc74b77a0c5107fb5bfe81901fcd1b6bb535cbf037b8def8c73aaf3f68cc39c5b1b7bb63f228dec082ce94102c062459cb1339

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9590bbe5392f64ba4ab38c56eac569bd

SHA1
cf498c9bd6fdec2a76f893558d6907a9afb423b1

SHA256
df0ef88396d1106bba4ae9cd9aa616e53a4a3455d5f9fac075b1916ea6267131

SHA512
24cc0268828f5b9355871e64ceb6a949f5e19f28209f035b2750317fa907d1e7080e1ea6d193e52610d5b8a58185a600e8c37d22bc4bfb41d85de520530aef3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87b9790be4124173ead24d3ee965c76e

SHA1
1cd9545ad2027d95b46ddb190eb98405f1f4c6aa

SHA256
3ad771ef00abf09b7975b49a5d66d1d60fcf5860aef27a9da49de33acc8873cb

SHA512
87d581c8f6eaa145a2ffbfa80c08f4fbd5f11854afd22eabf5bc1d5b07db388e6ad14fd1a8952608cb92176181d2cad0c8e3dbbdfb2924f6cfffd6285ede7aec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0ac2fdf8ecbc12ce41fa86079f0a954

SHA1
e5541f56dd5e91be316ea21cc1a6fca1f3e8da99

SHA256
e5cd2275cc3bae4e77b0b0d35fd3e9c1751566879a0b0de43d10d0fba4bcddd3

SHA512
69c9de7ea17e067c1c0540bbf0b1a3e32691f3b43fe7761785aca2423b3e4be7cb644b5066c84fdc0042c9c8438e60b705f2f53caa6f55f4ae364fae182281de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ecc962c202169b73684a8a778052dbee

SHA1
e762681e97bf63bc22e76eb8db8bbcf315972dc8

SHA256
dcb234bd8b6dea11ecd997f36131989d5f243f16ce6e90ca13676b30ca38b4e1

SHA512
6d9135284d3dd709cbda6d0256f9d45328aeb998cc97641cabe1863e4d4625b05dd75365eeae7d5e0a2b58fdcab0710707c466c5a90379bf33e34a076d7b3425

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e6348a1cd2dab55dd2727e9e5053358

SHA1
534e6061dd8bcabc0b835388bd66edad9f99763c

SHA256
77cf582147a4e70cd29a6b9697ce650f62d98d89a4f34b6a7eea80779476c821

SHA512
299530dc65158be0ea75be5c937c07be3cf77b9e779805776a09014a74981de279c0d573acfe884e7f55e77a561390750f8692bf5bbb6deeffbcca17d27ca843

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5b1481e7df2b29e17335deb075262b2

SHA1
727b7bb8c13c7730d3b40e632559f2acb33384fd

SHA256
63695f90fff62dc0d91bf1d738e8480351bead028e4dd73b8eeaf7ee2d46bf06

SHA512
deaba246723664c323c8b42f9c448eb5603915bd09a4832f75dfe6a52718052b24ef447c775f7462cb52c57d68c658218902bdee33845f619793e45672ecc66d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b70c6ed9d92ee151d9a4b69dbc60e21

SHA1
69de3f4c76308439390a2ac97199c8fe914578bc

SHA256
ce6b76b1c0e770e234ecf17ed85c02875fb236c9eaefabc053db640b84a60af1

SHA512
064468d573c9c40084be71afe479672c28f17af8e2d42be23d87d8578c1bd696bdff373511982f653a6b5a8f5949e06c5baed1d65a3c6221a0aaba695a3ac613

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1AC4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1B34.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
450B

MD5
183925c527aefe488a03e1d645ef8a1d

SHA1
52d67fe7586c37c3f9c21d140f3b55281675be04

SHA256
4474a711e1dcdf6c36ab7c3d02b685a83187b872dcb58eb425750d497a5ddb97

SHA512
5a08b94ccb0634a814e2dca6797108d20b2171c4b3eda09a0abee4e9c54f5500309393756aaff5fc18041e791801535d0c8a5bf10b03cc8432eb00fa71bc3121

Download Submit