Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64 arch:x86 image:win7-20240704-en locale:en-us os:windows7-x64 system -
submitted
26/07/2024, 13:23
Static task
static1
Behavioral task
behavioral1
Sample
743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe
-
Size
59KB
-
MD5
743c70dc9d04d9b39f681a13658a3953
-
SHA1
22379799d963acd5a88707518bb798965e3cab3e
-
SHA256
0765299e68651128f2edf3a3f849ce4d38ee4982a81379890cd3e129a9fe92e5
-
SHA512
8b877f07e1878e0d491f3a65585c8ce410fa31561f47b92d0203ff6de19fa0d6d877294d34bd31ea43fcfe67da3db429cfa587f082c59d953df27938f4a8046f
-
SSDEEP
1536:gS9sf3ewWNlLC+U1xf4Trnm4GDvJO7kEy:gS9sfuwqBU1B4TrmBOAh
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 2172 attrib.exe 1456 attrib.exe -
Deletes itself 1 IoCs
pid Process 572 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 1140 inl81FE.tmp -
Loads dropped DLL 2 IoCs
pid Process 3012 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe 3012 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\PROGRA~1\\FREERA~1\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe" rundll32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" rundll32.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Program Files directory 15 IoCs
description ioc Process
File opened for modification C:\PROGRA~1\FREERA~1\1.inf cmd.exe
File opened for modification C:\PROGRA~1\INTERN~1\ieframe.dll cmd.exe
File opened for modification C:\PROGRA~1\FREERA~1\2.inf cmd.exe
File created C:\Program Files\FreeRapid\4.bat 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe
File opened for modification C:\PROGRA~1\FREERA~1\╠╘▒ª╣║╬∩.url cmd.exe
File created C:\PROGRA~1\INTERN~1\ieframe.dll cmd.exe
File opened for modification C:\PROGRA~1\FREERA~1\╟º═┼═┼╣║.url cmd.exe
File opened for modification C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E} attrib.exe
File opened for modification C:\PROGRA~1\FREERA~1\tmp attrib.exe
File created C:\Program Files\FreeRapid\1.bat 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe
File created C:\Program Files\FreeRapid\2.bat 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe
File opened for modification C:\PROGRA~1\FREERA~1\┐┤┐┤╡τ╙░.url cmd.exe
File opened for modification C:\PROGRA~1\FREERA~1\░╦╪╘╔½═╝.url cmd.exe
File opened for modification C:\PROGRA~1\FREERA~1\├└┼«└╓╘░.url cmd.exe
File opened for modification C:\PROGRA~1\FREERA~1\3.bat cmd.exe
The five .url names above are GBK-encoded Chinese filenames that the report rendered through the CP437 code page; decoded in the order listed they read 淘宝购物.url, 千团团购.url, 看看电影.url, 八卦色图.url and 美女乐园.url. -
Drops file in Windows directory 2 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.app.log rundll32.exe File opened for modification C:\Windows\INF\setupapi.app.log rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grpconv.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language inl81FE.tmp
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language runonce.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz runonce.exe
Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 runonce.exe -
Modifies Internet Explorer settings
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5B7F42E1-4B5C-11EF-960D-6A8D92A4B8D0} = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main reg.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main reg.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428166420" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe
Set value (int) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe
Set value (data) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE
Key created \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.82133.com/?o" reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o" reg.exe -
Modifies registry class 9 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H) reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\PROGRA~1\\FREERA~1\\3.bat\"" reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut reg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} reg.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2900 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 16 IoCs
description pid Process
Token: SeRestorePrivilege 2900 rundll32.exe (x7)
Token: SeRestorePrivilege 1808 rundll32.exe (x7)
Token: SeIncBasePriorityPrivilege 3012 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege 1140 inl81FE.tmp
Identical rows are collapsed; (xN) gives the number of repeats, 16 rows in total. -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2924 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process
2924 iexplore.exe
2924 iexplore.exe
1280 IEXPLORE.EXE
1280 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 3012 wrote to memory of 788 3012 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe 30 (x4)
PID 788 wrote to memory of 2536 788 cmd.exe 32 (x4)
PID 2536 wrote to memory of 2924 2536 cmd.exe 34 (x4)
PID 2536 wrote to memory of 2900 2536 cmd.exe 35 (x7)
PID 2536 wrote to memory of 2600 2536 cmd.exe 36 (x4)
PID 2600 wrote to memory of 1976 2600 cmd.exe 38 (x4)
PID 2924 wrote to memory of 1280 2924 iexplore.exe 39 (x4)
PID 2600 wrote to memory of 3044 2600 cmd.exe 40 (x4)
PID 2600 wrote to memory of 2036 2600 cmd.exe 42 (x4)
PID 2600 wrote to memory of 1904 2600 cmd.exe 43 (x4)
PID 2600 wrote to memory of 2296 2600 cmd.exe 44 (x4)
PID 2600 wrote to memory of 2172 2600 cmd.exe 45 (x4)
PID 2600 wrote to memory of 1456 2600 cmd.exe 46 (x4)
PID 2600 wrote to memory of 1808 2600 cmd.exe 47 (x7)
PID 2600 wrote to memory of 672 2600 cmd.exe 48 (x2)
Identical rows are collapsed; (xN) gives the number of repeats, 64 rows in total. -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 2172 attrib.exe 1456 attrib.exe
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012 -
[depth 2] C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\xcodewget2.bat" "
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:788 -
[depth 3] C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536 -
[depth 4] C:\PROGRA~1\INTERN~1\iexplore.exe
C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2924 -
[depth 5] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2924 CREDAT:275457 /prefetch:2
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1280
-
-
-
[depth 4] C:\Windows\SysWOW64\rundll32.exe
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2900
-
-
[depth 4] C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2600 -
[depth 5] C:\Windows\SysWOW64\reg.exe
reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:1976
-
-
[depth 5] C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:3044
-
-
[depth 5] C:\Windows\SysWOW64\reg.exe
reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f
- System Location Discovery: System Language Discovery
PID:2036
-
-
[depth 5] C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1904
-
-
[depth 5] C:\Windows\SysWOW64\reg.exe
reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2296
-
-
[depth 5] C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
- Sets file to hidden
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2172
-
-
[depth 5] C:\Windows\SysWOW64\attrib.exe
attrib +s +h C:\PROGRA~1\FREERA~1\tmp
- Sets file to hidden
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1456
-
-
[depth 5] C:\Windows\SysWOW64\rundll32.exe
rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1808 -
[depth 6] C:\Windows\SysWOW64\runonce.exe
"C:\Windows\system32\runonce.exe" -r
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:1964 -
[depth 7] C:\Windows\SysWOW64\grpconv.exe
"C:\Windows\System32\grpconv.exe" -o
- System Location Discovery: System Language Discovery
PID:2436
-
-
-
-
[depth 5] C:\Windows\SysWOW64\rundll32.exe
rundll32 D:\VolumeDH\jni.mp3,MainLoad
- System Location Discovery: System Language Discovery
PID:672
-
-
-
-
-
[depth 2] C:\Users\Admin\AppData\Local\Temp\inl81FE.tmp
C:\Users\Admin\AppData\Local\Temp\inl81FE.tmp
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1140 -
[depth 3] C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl81FE.tmp > nul
- System Location Discovery: System Language Discovery
PID:2348
-
-
-
[depth 2] C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\743C70~1.EXE > nul
- Deletes itself
- System Location Discovery: System Language Discovery
PID:572
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Defense Evasion
Hide Artifacts 2
Hidden Files and Directories 2
Indicator Removal 1
File Deletion 1
Modify Registry 3
Downloads
-
Filesize
3KB
MD5 b7c5e3b416b1d1b5541ef44662e1a764
SHA1 8bff7ea2be2f3cf29f2381d8007198b5991ca3ae
SHA256 f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1
SHA512 65dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc
-
Filesize
492B
MD5 34c14b8530e1094e792527f7a474fe77
SHA1 f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256 fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA512 25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2
-
Filesize
3KB
MD5 6cbd1848e570354769fb56efd38f3594
SHA1 d17d48036cdbd6a928729a16a34babc2bd49708a
SHA256 cd0076ca521c3a3a8845fb6dac00fc93da9803bca9e03c904516b3493f7ba13d
SHA512 ff8502603849d56807be7a4990d4f17459a7a60c446283e8656dc69b5dae6b4ef833e521f4b6a24a69e7867a03d8688bac14498a21c7aa950d9d889b61d8e2e5
-
Filesize
230B
MD5 f6dcb2862f6e7f9e69fb7d18668c59f1
SHA1 bb23dbba95d8af94ecc36a7d2dd4888af2856737
SHA256 c68fe97c64b68f00b3cc853ae6a6d324b470a558df57eac2593487978592eb2c
SHA512 eefe630b776d2144df39e9c385824374b3d546e30293d7efe10cc2d6bf6f2c932162bf80add1c8ca58afcc868ad02b3ffc104c0f111f3827f4385ee9f26f5e75
-
Filesize
12.3MB
MD5 1cebbf1ea053e6ca5fa204755e865959
SHA1 ec1f5acf0c7cb172404043290a667e8fb0741c92
SHA256 653815953b008c2c59fcf056ce870fea5a9aca34734bf2f9e0fe33c65d31d8d1
SHA512 632eddf26a4a5730c1d6f6bc4d0ad92152f8b45cc29882db75a0991bdf234f17faabdff2a61f28463462c3f34e7707f4f9a4b6893af422f22d59bfe3723ae95c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 c85e8b8d7749bba986853538b232b8b9
SHA1 f6bb12ba0c7884bf79151012d9ab5a39a30ce144
SHA256 20fba2372eb6f0b7b8cecd261fb6e8294f468c4471822a1764b400c1fbbde7d3
SHA512 a0f6cd33ec2649fde2165abdd04c914e3b341b3eec76a7586c2270fa34de842b72956ec37d7c82c94138ca19e01bdf6eca10217bb7b70b6416f5779f73941648
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 d0222c305193d902004e845e0841cbf8
SHA1 c0614debe5eba8dc77d03e1b3e14576e989d84d5
SHA256 412cd08c1e83b4162e706619953764e95e51fb5e7fb7c5203d16133e3bfef5f5
SHA512 b1d94edd79f83268cdc577451afb808b514f773498c0cc3da2db48e3617891a42bcf48ec30a21fde459b06221b9aa460bf8231a97a94aefa4e2535606de039ee
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1a5fdb550579be2fe45f796a0b161c13
SHA1 af6675c83c3346d290e0801cbd691215d3b6af20
SHA256 b47abbeaa75c53aaecdfa0e87628fe82d1bc06ab5ccfce72e9004483ce8b5ff2
SHA512 e2eead7f61a398e0e7c03ca67ccbcdd4625f28f66dd127a160e038112a20bda2a31d98652f6a5c9f7f409e78bc77bc8e28f00b9ce75fcc2b431255405bb95e7e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 780c81cbd83469996ea6bb4258c6d113
SHA1 766546abcf1da445f785bf53383860d739e63bd8
SHA256 41b7d43bc04b79024e53a6f51662d838d714c48ef6378c37a05f11bab05d5492
SHA512 39742e34dd8db78b9c0678f89b19e392a3cd73d46aa1705adc2ff6299dcf2cd2c89c3c518c9599d0fdb5bf27e2078e51e5570f11f21765dae09d1db92567f4a1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 e562f4a723419dfc7a192450179f9c75
SHA1 f49f41cef7d9efc1a1d099d3651233f3b06d3ffb
SHA256 20626177859cded309a91d7152aef1f04464573e479699d078416cfee29e87e4
SHA512 cfd4c960d3500debad20307d1ddc1d0657c0156fa87637c4e8364e45c0e767953df4057f1d8f94bb4d0b6537a5ad7c4bf997ec3f9dffc57920a611002a3fe544
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 33370f144ae982c45d8d47376a780128
SHA1 363f6883e9acc371905102222dae528ce1665679
SHA256 489dc07ce68a23d5b862f13d432ad7f6adfcc201b7af433b6557755441d5576a
SHA512 e2137e11bbc4fabe19e7782170d48303887c21437d7fba32fe7338c61dc3ced7b3cbb6f385ba3e5107edfa655f046816d1dc4ba95c5fee0d114ab6e069b3c0d8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 ffea77f83e256988d31e8199674648d0
SHA1 66e5648bd7eb3013df74990c7e0591d6a93f6379
SHA256 841ea93519f7421cea60fb079680b655d7f1cfac725ffcf64ad4df54ba13f8d5
SHA512 fe2b56ea90529c531727a4cf21727c04ba628732336c558013096100cc10739313cf48eacbf838fca6cc58144d8850537761f9487968556e3a85ccdf5c4fa6d8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f762ac1d1428c6465dc792536839ff14
SHA1 5c193038aa6fae42cc94ef5378c1b09ff39f5117
SHA256 8d05832c522a563c47f04f591c7660b8efe36477c6cf88ee1c34f358ab6a1977
SHA512 3c5527b4df294229b905b0e5dc196ac02a27297de085b63cb3bd23335e95ef7b2f389edfcb8f1495e3d1b690a38bb79791daee2db42e6067477573ed72c44a35
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 1f1e558040e70a0274a2bb37eeaec712
SHA1 4e2b903eb978de76007c17e3af6ca686ff9ff40a
SHA256 c7b564d0cc4356dc64c8f1c8259baedc8b41b5478c007ada90f64378d1544834
SHA512 a4270a4ef49d5c7d9bdc3e48885bcfe7d879523943edb3233546b0c9975189a40baa9360538376b74d2a8b3e2a091cfb4c421ab3ed45ed3e12fc86924c9df21f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b34fb7a77ae9b3bf22825d42a289872f
SHA1 7f72142774fb88a3186c4c383456bd1d946a6164
SHA256 b6524a006e4921b2a200475b12ae063ea2a470f189420cfdaaa8c4e156363d93
SHA512 2837af42df0e8c860e6f210556ea2ac87e53beb4f4e3046c5784eb1d9d83db21341b805d1f28097b87c2298e9703521c9bf5069ea1e388754d7e3c27c83d1a16
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 61f2e4288a765bf927b62cb6a4f19030
SHA1 6754717123252b2c3082c9471ee6eb486d6a2698
SHA256 d2fd1092fedfac4f71b3e95f2bd9b4157b09b422fab2cae783cad80de520dd87
SHA512 3812d6c1baec6e10d3ab8d4a7b76bdce25c8ba17832de9b7529a7afb1d46160a67f06644bc69bab52ed79066c3038878534592b52ed41e6291193d4fc68bef31
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 6038349cee3c3fff15cb21c04920a834
SHA1 db1d47ffd0d8eff72aae0860d5786cc11a0dca2c
SHA256 57515fe21c27125b368d321f734f3a78de666a8684f4c8b4049090410ae54ab5
SHA512 c1f121a25e36638e6d66a73940830b89d3cc6f8f7121665acdbe1d1934ce1135896cd3e149adba376e63a2f9f93449b0d706072ef434697dbb288081cac24cdf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 cb52d7aa3daaf3c11767c3734a07f649
SHA1 f3e51958dc13ce7cb6ed63b8e7b5a3f4b31e98aa
SHA256 89e90c0b70507e0cd3895af9144edc3aa652da729985f2ebc03ea0befdbb7fda
SHA512 c4178d05331a2f80b957e2b9be08366802618484911e4a3113bb0be8f87c572756fe416a297584598e1a9261ef5b3b4ca170b979c9c49fe58af9a99eb49ee507
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 67d7d699338c7b652a7142dde896ffdb
SHA1 db88c40fd4dcf07a19454dda195db65f0cfb5f74
SHA256 06e98adace2f3fc0dc52bcbc72d7a962160a497693257460e63388ead5278700
SHA512 326f25a27c0b8953851d2bbe16849077ca3518c796c645ab9cf79d79e6618f5a462fb8091f9f6211b9656278212df45dde7fa2ebe605dd463ad18e1aa435d5f3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 2ec5aa9c8990188c5e0e7a929baa145e
SHA1 c657f0ff9610e2542d50f5418f3b0d8e5c85fc06
SHA256 8ce7618af7703d1c74f32d442131e76d2b6019932e9173dc4be793734a7801e7
SHA512 9db7f05467e5ebf14d0a8d0a33f0f5e95d6f7befb47ee50463a16d5e0fcae1bf0a6012fd33bb7c3dbdc2eeee6b21ba86c3f1cf10cfd95b0baf3e1bab64833274
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 bd1e903dd769a81fc62433a868b82ca9
SHA1 efbd54e4b179f01ec2bb8bdd0098c5ef67dfa9f0
SHA256 c5a2f68a7bc8779473753b80c591b8c8ff8d7db4fa30f947abbf126f62de9228
SHA512 c4492d2ef144bc564552e849a49e2907832a2f7269bde4dc3e399590bf183c7403fb63468a18c751f37eac9d07a52f0942cfce799f63b4c3c3c8c16d083b5209
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 971a8786d670228a824af71c92c5e956
SHA1 4e8d9ef918afa1cb43cb17c6140a3aa11c2b98fb
SHA256 36aef124b0688fd6e70d38b25d9f0b0c697040045109848cd28141c47ffa8623
SHA512 31013d536c7d0e887fc55547cc188eea367ccb4059a22dc65ebfc9c1765f89cc071f434395486996d3dcae1c346325e6f1c1823efa0f20abfcd8900202de3f2a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4fce1a2f1cbe046613b7889a325b5bf7
SHA1 93c5596eb89abf1ab5028277fee2838ab06ffcdc
SHA256 b39d229b2c00384047db3984cbaab0a8a9238805861cc4ac3ceb4567dc9f2d6c
SHA512 69466bd6e8eed10f7db02e8e1930a321aa14e703b93ba509e3c2ec3eb67c8a802f666cad7b57cb998bfb8a24dff7ef7d0024eefd61ef382daf01d15fa778669a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 2ffeb5d5892bfa69cc84ae38812ad06e
SHA1 47f2f0ba8831fc6161f5b59f4b04dfa6522f531d
SHA256 18cfc7369d48fcb380ed3a6e6858526a4be4c4fd20c2b1712cc625a9fc3cf232
SHA512 000aa1b3c9b99ca79fe85443ed47bad50e0f98ce36ea1202bea0d0c8872f8ee37b7fe5c6477224277f50842d0fd1bbb6f8a72c4173e1b95aae63be4ba0d3d4fc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\NFAY0EOS\favicon[1].htm
Filesize 802B
MD5 b4f7d6a0d3f6605440a1f5574f90a30c
SHA1 9d91801562174d73d77f1f10a049c594f969172a
SHA256 e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd
SHA512 c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f
-
Filesize
70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
629B
MD5 7c51a3cd196c154af76f7d57a475487d
SHA1 f2067dc3665cf3c7269eaec7022642bdc4a6a375
SHA256 ea89a5077fca265853fb87b8dbfc7c1c9bbf6a8d360cb0a01e6a6ce133086937
SHA512 efc22e2a44b93210aa1a5e44e98e01b57fff75b24023e093d75886c6103102e4e12f9e7a16b40f29d3fe63393e02b196df0c05aca9ae2eb29b8279950ba08f1c
-
Filesize
36B
MD5 0b53221b1332efb76ebd2ab7120ff78f
SHA1 e3dda4d21e35819eaf50e50c2aab2950ff1505b5
SHA256 05bbda79058985c35a48637dcbc66c73176e1f7e4c95e8aef8b762066b780388
SHA512 877637688f255d94b94feb3b2444678836db41644f6e1a7d1f902c8c12bab45785393a8f210215eebcdcb3526002632863bf54f026047aa1edee8481b26dddcd