c779fe244913901f073f6488ce39a068cd24060b7e15de122c466e49f15cc29f

Analysis

max time kernel
141s
max time network
138s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
25/07/2024, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
Size

1.4MB
MD5

6f90f6b49e8131b7bac8062fdea5f6e3
SHA1

7f4789e224d1c8890b203e157ff310ca37569f2f
SHA256

c779fe244913901f073f6488ce39a068cd24060b7e15de122c466e49f15cc29f
SHA512

622f850f9996cc0034484c3920a58dccef964be83b4894636496e7d6570e94d0b279afcd2e00c244639c2822e550c46d893e2cdd301a69434eb2e63e368d31c0
SSDEEP

24576:lUMr/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVNjQ:7/4Qf4pxPctqG8IllnxvdsxZ4UFQ

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\soft143901\d_1401.exe	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\ImgCache\www.2144.net_favicon.ico	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\sc\2144Ð¡ÓÎÏ·--³¬¼¶ºÃÍæ£¬ÀÖºÇºÇ.url	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\sc\»Æ¹ÏµçÓ°Íø-ÔÚÏßµçÓ°.url	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft143901\wl06079.exe	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\sc\GoogleËÑË÷.url	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\sc\²ÊÆ±¿ª½±²éÑ¯-ÔÚÏßÂò²ÊÆ±.url	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\sc\ÍøÉÏ¹ºÎïÍøÖ·´óÈ«-Íø¹ºµÚÒ»Õ¾.url	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\newnew.exe	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\sc\126ÍøÖ·´óÈ«ÉÏÍø×î·½±ã.url	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft143901\0120110105010108390114010101.txt	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\sc\Ã¿ÌìÍÅ¹ºÒ»ÏÂ-¾Û±ãÒË.url	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft143901\a	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft143901\MiniJJ_12318.exe	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft143901\pipi_dae_381.exe	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\FlashIcon.ico	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\dailytips.ini	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\newnew.ini	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb7800000000020000000000106600000001000020000000bea5838b712e2573ed90f1d1b5de9f129822a8d3f6ee7a61a58657895fdca094000000000e80000000020000200000006c713ca17d905eca8561dabd3d932da5b4cac478cf2285e840893f60bd7284b7900000005a99c66f839c5f6bf410151aa68adb9780be8a1d2722e8b710ed2d322980176630ae776e9643078ce10fd38949efea998dfba62b555cdcf702596d4f1db4930b25061d05ed8b8a1c0c12f6cfe3b011a38948305cb9b141263b0542bfa502920dc2f9d1927989e4c408a890c22b225e1a031d407057ce6ccfbf02ea9ea06a0a0af43022db2ba4ff28eeff8da548450e7040000000cb7e513df7e3ca3b967eb608ac3438f01512626b870e35c399b2a042ed3bfb33caf02a4b574130abb99f56fed8933fd0d03c8aa47018ed1b3d479ee9da83ee2c	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000062974e5b5f804e45b98349be16bffb78000000000200000000001066000000010000200000002bfb992c27f31736d1cd4d9b6401a6d058bd7297185dc50c7bc9c040b55ae833000000000e800000000200002000000023816a0673d700457c99fb9a6af5a5e76822983771ba2bdc5a89670533db8d1420000000b653e2578c220a49aaab34a89a80746e258a3cb1e0d12083a3c99854a883220e40000000bf9ed36be3bc255b0d6c1e9a027ab62b1489931db649ca101e9be0978eea2e51d8e77b3b09ea2219ca8017b3784c83257a76fbd9ba01b8a9021d7827dfbf163e	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0E7EAC51-4A81-11EF-B65B-6A2ECC9B5790} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428072231"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0fd35fd8ddeda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0E8A9331-4A81-11EF-B65B-6A2ECC9B5790} = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2892	IEXPLORE.EXE
2608	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2892	IEXPLORE.EXE
2892	IEXPLORE.EXE
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
2608	IEXPLORE.EXE
2608	IEXPLORE.EXE
2860	IEXPLORE.EXE
2860	IEXPLORE.EXE
2860	IEXPLORE.EXE
2860	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2844	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2844	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2844	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2844	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2844	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2844	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	30
PID 2556 wrote to memory of 2844	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	30
PID 2844 wrote to memory of 2892	2844	IEXPLORE.EXE	31
PID 2844 wrote to memory of 2892	2844	IEXPLORE.EXE	31
PID 2844 wrote to memory of 2892	2844	IEXPLORE.EXE	31
PID 2844 wrote to memory of 2892	2844	IEXPLORE.EXE	31
PID 2556 wrote to memory of 2772	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	32
PID 2556 wrote to memory of 2772	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	32
PID 2556 wrote to memory of 2772	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	32
PID 2556 wrote to memory of 2772	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	32
PID 2556 wrote to memory of 2772	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	32
PID 2556 wrote to memory of 2772	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	32
PID 2556 wrote to memory of 2772	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	32
PID 2772 wrote to memory of 2608	2772	IEXPLORE.EXE	34
PID 2772 wrote to memory of 2608	2772	IEXPLORE.EXE	34
PID 2772 wrote to memory of 2608	2772	IEXPLORE.EXE	34
PID 2772 wrote to memory of 2608	2772	IEXPLORE.EXE	34
PID 2556 wrote to memory of 2328	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2328	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2328	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2328	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2328	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2328	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	33
PID 2556 wrote to memory of 2328	2556	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	33
PID 2892 wrote to memory of 2680	2892	IEXPLORE.EXE	35
PID 2892 wrote to memory of 2680	2892	IEXPLORE.EXE	35
PID 2892 wrote to memory of 2680	2892	IEXPLORE.EXE	35
PID 2892 wrote to memory of 2680	2892	IEXPLORE.EXE	35
PID 2892 wrote to memory of 2680	2892	IEXPLORE.EXE	35
PID 2892 wrote to memory of 2680	2892	IEXPLORE.EXE	35
PID 2892 wrote to memory of 2680	2892	IEXPLORE.EXE	35
PID 2608 wrote to memory of 2860	2608	IEXPLORE.EXE	36
PID 2608 wrote to memory of 2860	2608	IEXPLORE.EXE	36
PID 2608 wrote to memory of 2860	2608	IEXPLORE.EXE	36
PID 2608 wrote to memory of 2860	2608	IEXPLORE.EXE	36
PID 2608 wrote to memory of 2860	2608	IEXPLORE.EXE	36
PID 2608 wrote to memory of 2860	2608	IEXPLORE.EXE	36
PID 2608 wrote to memory of 2860	2608	IEXPLORE.EXE	36

C:\Users\Admin\AppData\Local\Temp\6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2892 CREDAT:340993 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2680
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2608
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2608 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2860
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft143901\b_1401.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft143901\b_1401.vbs

Filesize
226B

MD5
f5d581a03eaf0f849013caf6fc331051

SHA1
34df3d50820db304a34c11e8dc253af0f9eb3852

SHA256
a3c4995a6f382b9809bbcdddaca31f30b96c6fec9c3153cb5bfa62079ffab317

SHA512
1dfe1b5aafd2f4f931c8b4ff53f8e3934137e620b93ffc0e6979e94d3ab46c1cb9e4153bf7141b13363460eaad54d270edcde464bff74cf952c4bdbc8d32415e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f8b7f18ed426a30177bf4d492b99477

SHA1
e633bae1007aead9bbb84b87f299f7b9814e0492

SHA256
88793170a6c9124c53baf27f65bfa4af68f26a3111ab65523777b8cdc3cefc07

SHA512
5c02cc2e665f10002bf7f50757bf4ecbb78f64ef346196d1f7fa6c9cb56269541213021482868d6704c0d3b3db1d4a5d74ab9612cfa678dfc644112714ef70d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d2f2ad6bd28dc7d552dece2d21170a4

SHA1
196efa73a4356fcb0f9807604cc749729e073c93

SHA256
e6e12438f4206ca6d8acf2377cacc8aac533407c3f949d576197db2e0542a01d

SHA512
3bec9f8af1dd28baf1d505b50e10911073e189bc3fa6989c0b8a2954fa6967bc760a5b0263d8de040b7ecf9cb8b5d9a95ea74b590b71b33b9b7911376d923909

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83dd49622fcfeae26ff126118c259e8d

SHA1
ce78ade0fba415bd457bf606e6c91b897e706d79

SHA256
803c8df5f70d870707dcc3ff705d4c7f899f432a35c62e723f8b8e719f0ef8f3

SHA512
f6f2adfda566bf29b5695b19ac3896ec114e81699b457a9eb6f4770b8bce251ba98e7c05e293d0e87a965b878b235a5604eab071931607631d9b6bab349e1b07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a36828c00ec32ecf7bae3c436e2c27a

SHA1
01450b84b66f096ea5bfb7b5429674bfa377549b

SHA256
479540440ceafffaf9a5daf265ff1cd98d5b37c879905d2e1c64168b4466a454

SHA512
059a323c5a6dd1f7cc50ed83b75b79efd2111801ff1c0e96b10a11240d5f3eed46fdce351d7259ad8922026b6c2c48cdcb863a888feccbb7082cfdc22750cb71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2708310593d21dda1781f777ad1b180

SHA1
720ac35fe532c79e82f218e33dbf912ef9a89f92

SHA256
df559392bb8477bf2bc92bd874bddda641335fc521c54f6fd97b613657fa0f07

SHA512
dcb3b9ad175ee5bd21551bae470b6f3b94a84ff443d2f3336b0a784acb84fc64b88e6709e2537484125310fd7d97a9148116bf914efd53ac9a7347a3854c2178

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9061173308e9f6431a2c8c7b41af9ddb

SHA1
8044000e77106ffc39f541b150ef9a429a400f3b

SHA256
2bd11930623f9f583a8462d8dc28248519565d4913fd4e82025b0ac54ba72fd1

SHA512
f36ea702101795e157a3f461bdc47ea77a6983dbffbce8f761534a72500ef1536c47fd02d0610b3042e97882807a3ce1436fa0c8f2a68ab10f3bc5aa8462445f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
895dfd06fd469882571bb396401e5435

SHA1
2ad95bda4316b83529c323cd73566cae25e9700a

SHA256
16d35a3e728128cf23e1e88dc22aa189e1b8d33469325050213ee2c2090b60c0

SHA512
ab43084d0de6a85d170753c7e76cc304d0a9502a91c9f70d0042bd817bd006a15d6f60dcc151d8e86ba25397f6cb88a339254790cbb5d363011f38bde037ab5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01f9f722dc61afe5566c846f06da7b27

SHA1
9f99afe55445a09fd76b3daf80951ca4f0381b49

SHA256
049ac745eeeee38db3cc3bd51590c91c10c256f29c608360f324aff88537c245

SHA512
3ac4be2dcff226cc4db4c769416c1bc544ad96517fbe2a08b72815ffab58d89e2a84c03fd63006fcbea11c6da49c11a82fc5998c9ffc196567024ffd1fe096d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2287a0c6afb45ed70486293d4e91c90c

SHA1
bc4ea14abf78c889da26a82be4f2cd6bcfa8d7dc

SHA256
6637fadd6316319883ca51698633cb6fac5f3d2b66c7877924cae6e00bbde3d0

SHA512
d6ddadd9879daacc8d68d06f8e6f3457e69942aa5cc6473f1ca07581eceb44ead7381cac0f0cfb0c79e8868260ce212bd0b71ce9ed09089ad5f68827aeac20c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1eb7b9cebec0d68c4322947b3e12428e

SHA1
d48c4d15290dcdbc2affb15c295a90da43e136f2

SHA256
ea2730ca8eccf30bcb534a1c26b62c1088a69d017444a66622c18a6968115081

SHA512
0bacb191dfd76bc5c4acedc8d66dac47a6fb2773ea6569ac6e3c1fab51d3168c1a1ea87e10b9bb8a9dbeb3fb1443537eefac808f2570aa8be435804421e617e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aed547651a5a7aa4075bc9bbbc472fb0

SHA1
2e4fddaaf7e095db17844bd28e70bbd9c87d9e7f

SHA256
cfa9b1ab974fcefb1c25b2ff51b1e80f9f471f326b8c2045100a03a2006d20d5

SHA512
e2dc8034f078578d01d638da9e2419f2333601d56a9ae29968430e24552df6135d2fd3e8c29e8a613c2d1b228645e11ccf0f272172b7788e0c1660a51bb5aa63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2659d01c13d6d709dcbb7b4b39713e36

SHA1
7fe47bfafdc29efbf7cada38931f450da31d446a

SHA256
dd26090ab444fe4f9229fc71d543b07149285583b94b4fd25bf11cfbbf0c305f

SHA512
fb916fa6908db408d73a147b16cd1bdbaa38a1955b45848de9a039f8fdf6d30ac321b624d9dfd73317b261ac2ae9a90594a5ed80da500a4fd802f95ec3959e7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{0E7EAC51-4A81-11EF-B65B-6A2ECC9B5790}.dat

Filesize
5KB

MD5
ea87e1a8a83611b3244f0c71d8f0b36e

SHA1
83ef1f8a3688284aac5956bfdb1266a30eaedcc6

SHA256
53b0f606fe06ae29b10601101a7ce0d1afeec61fca9f6a583da1332c43f44bac

SHA512
a870434247dfe760ca82a199b0fd9913a9d9980a1d3f594b1176d045e3dd8a11e374685379ac7b2399b920a0aabb18b10e90c5b4dcb5fbbf3c94e6253ca6fa7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3D9F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3E1F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\jishu_143901\jishu_143901.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
\Users\Admin\AppData\Local\Temp\nsj7A40.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsj7A40.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit