c779fe244913901f073f6488ce39a068cd24060b7e15de122c466e49f15cc29f

Analysis

max time kernel
138s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25/07/2024, 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
Size

1.4MB
MD5

6f90f6b49e8131b7bac8062fdea5f6e3
SHA1

7f4789e224d1c8890b203e157ff310ca37569f2f
SHA256

c779fe244913901f073f6488ce39a068cd24060b7e15de122c466e49f15cc29f
SHA512

622f850f9996cc0034484c3920a58dccef964be83b4894636496e7d6570e94d0b279afcd2e00c244639c2822e550c46d893e2cdd301a69434eb2e63e368d31c0
SSDEEP

24576:lUMr/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVNjQ:7/4Qf4pxPctqG8IllnxvdsxZ4UFQ

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe

Loads dropped DLL 8 IoCs

pid	Process
2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\jishu_143901\FlashIcon.ico	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\newnew.exe	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\ImgCache\www.2144.net_favicon.ico	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\sc\»Æ¹ÏµçÓ°Íø-ÔÚÏßµçÓ°.url	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\newnew.ini	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\sc\126ÍøÖ·´óÈ«ÉÏÍø×î·½±ã.url	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\sc\²ÊÆ±¿ª½±²éÑ¯-ÔÚÏßÂò²ÊÆ±.url	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft143901\0120110105010108390114010101.txt	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\sc\ÍøÉÏ¹ºÎïÍøÖ·´óÈ«-Íø¹ºµÚÒ»Õ¾.url	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft143901\wl06079.exe	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft143901\pipi_dae_381.exe	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft143901\MiniJJ_12318.exe	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft143901\d_1401.exe	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\dailytips.ini	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\sc\2144Ð¡ÓÎÏ·--³¬¼¶ºÃÍæ£¬ÀÖºÇºÇ.url	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\sc\GoogleËÑË÷.url	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_143901\sc\Ã¿ÌìÍÅ¹ºÒ»ÏÂ-¾Û±ãÒË.url	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft143901\a	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 40c49ced8ddeda01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 307fa1ed8ddeda01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{10106987-4A81-11EF-BE68-423954E40A58} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31121037"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{10178FF5-4A81-11EF-BE68-423954E40A58} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31121037"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3833041157"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31121037"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3841791354"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3833041157"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007836378798d3c34984a02971cee2fa8c000000000200000000001066000000010000200000001a731c588cf2e0119c827bb79a61473882611bddc6c308b6e5f56b64c25f8a10000000000e80000000020000200000000452515c9adc6cb3b4e42aab90eaf3cc04ed3132ab6744535bdc7a4f5da2347520000000f762ec2d59f8c965ac820a7b4258d6d72792f44fdc86aa45703773271849b1b1400000002e81b15ac8be38cd370693caac4b5530349de26d1ef46810081d92a69aab26160782d44a1e7e43207d99baa13c2081ed24a3cffa31e5faed19f3cdca5b3e2c87	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3841323036"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3833041157"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31121037"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007836378798d3c34984a02971cee2fa8c00000000020000000000106600000001000020000000908f2e03440b6b61a34974c81fe1c9712c2ec2360a129f319f6a93cf588b9f2e000000000e80000000020000200000004eef91a1ae25b6d62ae62d8a37c95d0e768faec8b1d4e14ef1f48cb51c78318420000000656916cc2e43f97adac53214aeee6826c088d24864967b2576192ff3f6c61a02400000005eb2f9cc8fc95da38f480d3b588f5720cef9a00f6df9cab30ecf93ebd95c008a6abc3dcca01728b07346691708a15b1cbe9413fdbf73c419bf1cdf3cd5f1ccf1	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428675342"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3833041157"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31121037"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31121037"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1432	IEXPLORE.EXE
4424	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
1432	IEXPLORE.EXE
1432	IEXPLORE.EXE
4424	IEXPLORE.EXE
4424	IEXPLORE.EXE
4896	IEXPLORE.EXE
4896	IEXPLORE.EXE
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE
1632	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1040	2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	86
PID 2160 wrote to memory of 1040	2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	86
PID 2160 wrote to memory of 1040	2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	86
PID 1040 wrote to memory of 1432	1040	IEXPLORE.EXE	87
PID 1040 wrote to memory of 1432	1040	IEXPLORE.EXE	87
PID 2160 wrote to memory of 3856	2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	89
PID 2160 wrote to memory of 3856	2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	89
PID 2160 wrote to memory of 3856	2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	89
PID 2160 wrote to memory of 3932	2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	90
PID 2160 wrote to memory of 3932	2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	90
PID 2160 wrote to memory of 3932	2160	6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe	90
PID 3856 wrote to memory of 4424	3856	IEXPLORE.EXE	91
PID 3856 wrote to memory of 4424	3856	IEXPLORE.EXE	91
PID 1432 wrote to memory of 4896	1432	IEXPLORE.EXE	92
PID 1432 wrote to memory of 4896	1432	IEXPLORE.EXE	92
PID 1432 wrote to memory of 4896	1432	IEXPLORE.EXE	92
PID 4424 wrote to memory of 1632	4424	IEXPLORE.EXE	93
PID 4424 wrote to memory of 1632	4424	IEXPLORE.EXE	93
PID 4424 wrote to memory of 1632	4424	IEXPLORE.EXE	93

C:\Users\Admin\AppData\Local\Temp\6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f90f6b49e8131b7bac8062fdea5f6e3_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1040
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1432
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1432 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4896
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4424
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4424 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1632
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft143901\b_1401.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\jishu_143901\jishu_143901.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
C:\Program Files (x86)\soft143901\b_1401.vbs

Filesize
226B

MD5
f5d581a03eaf0f849013caf6fc331051

SHA1
34df3d50820db304a34c11e8dc253af0f9eb3852

SHA256
a3c4995a6f382b9809bbcdddaca31f30b96c6fec9c3153cb5bfa62079ffab317

SHA512
1dfe1b5aafd2f4f931c8b4ff53f8e3934137e620b93ffc0e6979e94d3ab46c1cb9e4153bf7141b13363460eaad54d270edcde464bff74cf952c4bdbc8d32415e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{10106987-4A81-11EF-BE68-423954E40A58}.dat

Filesize
5KB

MD5
8dc80c8c73aebc7e24523f3300d100de

SHA1
60f8214d70f49ce8fcbe55fc9c9ecb09175b40a3

SHA256
75be84cfd2863382532c72534555eef1d48d864871ae86518a20dfa50cdb911d

SHA512
7a6ebe7172ab093eac0b9d60487c332eafd588a4a8294ff1dd94cc6f9489959aba20a8867740dea0ca09242c85bd2b35b9495b33e503e7c94b8b1f2b1676c559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{10178FF5-4A81-11EF-BE68-423954E40A58}.dat

Filesize
3KB

MD5
0079d9aa3c5b858801b9aea1ae700960

SHA1
ceef16f9da17c37a03c1d1cc8d98a52a8329488b

SHA256
4438d618c6a957caa2a96c739c9567911ff12975ff757374fa3f8e6eeec71637

SHA512
8b8d8c20f478e8855f846f96faee257364b68f31ad00ca5e80c954cf8c2c90dce8bb03b7424491ef4a008247dbc02c0992317b331c0a4a938ff8252c04822aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verDF83.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UEL5ICRL\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd6802.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd6802.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit