Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
26/07/2024, 13:23
Static task
static1
Behavioral task
behavioral1
Sample
743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe
Resource
win10v2004-20240709-en
General
-
Target
743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe
-
Size
59KB
-
MD5
743c70dc9d04d9b39f681a13658a3953
-
SHA1
22379799d963acd5a88707518bb798965e3cab3e
-
SHA256
0765299e68651128f2edf3a3f849ce4d38ee4982a81379890cd3e129a9fe92e5
-
SHA512
8b877f07e1878e0d491f3a65585c8ce410fa31561f47b92d0203ff6de19fa0d6d877294d34bd31ea43fcfe67da3db429cfa587f082c59d953df27938f4a8046f
-
SSDEEP
1536:gS9sf3ewWNlLC+U1xf4Trnm4GDvJO7kEy:gS9sfuwqBU1B4TrmBOAh
Malware Config
Signatures
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 540 attrib.exe 4920 attrib.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation inlE83F.tmp -
Executes dropped EXE 1 IoCs
pid Process 3836 inlE83F.tmp -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\PROGRA~1\\FREERA~1\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe" rundll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o" rundll32.exe -
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in Program Files directory 15 IoCs
description ioc Process File created C:\Program Files\FreeRapid\2.bat 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe File opened for modification C:\PROGRA~1\FREERA~1\├└┼«└╓╘░.url cmd.exe File created C:\PROGRA~1\INTERN~1\ieframe.dll cmd.exe File opened for modification C:\PROGRA~1\INTERN~1\ieframe.dll cmd.exe File opened for modification C:\PROGRA~1\FREERA~1\╟º═┼═┼╣║.url cmd.exe File opened for modification C:\PROGRA~1\FREERA~1\1.inf cmd.exe File opened for modification C:\PROGRA~1\FREERA~1\2.inf cmd.exe File created C:\Program Files\FreeRapid\1.bat 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe File created C:\Program Files\FreeRapid\4.bat 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe File opened for modification C:\PROGRA~1\FREERA~1\┐┤┐┤╡τ╙░.url cmd.exe File opened for modification C:\PROGRA~1\FREERA~1\░╦╪╘╔½═╝.url cmd.exe File opened for modification C:\PROGRA~1\FREERA~1\╠╘▒ª╣║╬∩.url cmd.exe File opened for modification C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E} attrib.exe File opened for modification C:\PROGRA~1\FREERA~1\tmp attrib.exe File opened for modification C:\PROGRA~1\FREERA~1\3.bat cmd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language inlE83F.tmp Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language runonce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language reg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language grpconv.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 runonce.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz runonce.exe -
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1966077691" IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1951389897" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Main reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1951389897" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\IESettingSync IEXPLORE.EXE Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "428770072" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000474a65013f51fa4ea7512bf38b7b79300000000002000000000010660000000100002000000001c2fb63430bc7410d6e4e8858938a712ab38d4a6aa16f2d6f4f72a09a660471000000000e8000000002000020000000a44b4f721fcae82b84cbdcfcae347612528256d4f8b418aaf1b7d0face1b9fb120000000124cda75dc3f167204f54621a12aa21d89d7b6666d6657ff8b4e695e980b7f2940000000f07bd7acbe91b379a9306dacaa17a4a9ed196501989812e87243513ae95510e562aeec28db1ae8fbd955d325f0581b0dff67ef14115c19157632c6f27cf5f7ea iexplore.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31121258" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\VersionManager IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\GPU IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Software\Microsoft\Internet Explorer\VersionManager iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31121258" IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main reg.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31121258" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000474a65013f51fa4ea7512bf38b7b79300000000002000000000010660000000100002000000065ecac12c17b8fe35684371e33e7eabfe7efbedbd05ef390448bca0fb6ff7cd6000000000e8000000002000020000000f8b892808e64ce24a52e8af091ca56c7df2b0661a8f1989b8421c91adb13897b200000002eb1b6bb9af93d65464134597d6f92aa896c639362aa3608b2edbbae3e42312740000000cb69b2b93f4068cda4867c258d1de8ac17331b387edff810340615dc33fec2c36f5e8e6899f85247c40e2282417442e3785735d277532f6e36a517ba2a80362c iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50040e8b6adfda01 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20351c8b6adfda01 iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{9FE8BA14-4B5D-11EF-96F8-DE54A6AF116A} = "0" iexplore.exe -
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o" reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o" reg.exe -
Modifies registry class 9 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\PROGRA~1\\FREERA~1\\3.bat\"" reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} reg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E} reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node reg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H) reg.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2388 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 3836 inlE83F.tmp -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3288 iexplore.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 3288 iexplore.exe 3288 iexplore.exe 1528 IEXPLORE.EXE 1528 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 59 IoCs
description pid Process procid_target PID 2388 wrote to memory of 3516 2388 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe 95 PID 2388 wrote to memory of 3516 2388 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe 95 PID 2388 wrote to memory of 3516 2388 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe 95 PID 3516 wrote to memory of 3368 3516 cmd.exe 97 PID 3516 wrote to memory of 3368 3516 cmd.exe 97 PID 3516 wrote to memory of 3368 3516 cmd.exe 97 PID 3368 wrote to memory of 3288 3368 cmd.exe 99 PID 3368 wrote to memory of 3288 3368 cmd.exe 99 PID 3368 wrote to memory of 1596 3368 cmd.exe 100 PID 3368 wrote to memory of 1596 3368 cmd.exe 100 PID 3368 wrote to memory of 1596 3368 cmd.exe 100 PID 3368 wrote to memory of 4332 3368 cmd.exe 101 PID 3368 wrote to memory of 4332 3368 cmd.exe 101 PID 3368 wrote to memory of 4332 3368 cmd.exe 101 PID 3288 wrote to memory of 1528 3288 iexplore.exe 103 PID 3288 wrote to memory of 1528 3288 iexplore.exe 103 PID 3288 wrote to memory of 1528 3288 iexplore.exe 103 PID 4332 wrote to memory of 4936 4332 cmd.exe 105 PID 4332 wrote to memory of 4936 4332 cmd.exe 105 PID 4332 wrote to memory of 4936 4332 cmd.exe 105 PID 2388 wrote to memory of 3836 2388 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe 104 PID 2388 wrote to memory of 3836 2388 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe 104 PID 2388 wrote to memory of 3836 2388 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe 104 PID 4332 wrote to memory of 4320 4332 cmd.exe 106 PID 4332 wrote to memory of 4320 4332 cmd.exe 106 PID 4332 wrote to memory of 4320 4332 cmd.exe 106 PID 4332 wrote to memory of 5052 4332 cmd.exe 107 PID 4332 wrote to memory of 5052 4332 cmd.exe 107 PID 4332 wrote to memory of 5052 4332 cmd.exe 107 PID 4332 wrote to memory of 4560 4332 cmd.exe 108 PID 4332 wrote to memory of 4560 4332 cmd.exe 108 PID 4332 wrote to memory of 4560 4332 cmd.exe 108 PID 2388 wrote to memory of 2544 2388 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe 109 PID 2388 wrote to memory of 2544 2388 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe 109 PID 2388 wrote to memory of 2544 2388 743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe 109 PID 4332 wrote to memory of 732 4332 cmd.exe 110 PID 4332 wrote to memory of 732 4332 cmd.exe 110 PID 4332 wrote to memory of 732 4332 cmd.exe 110 PID 4332 wrote to memory of 540 4332 cmd.exe 112 PID 4332 wrote to memory of 540 4332 cmd.exe 112 PID 4332 wrote to memory of 540 4332 cmd.exe 112 PID 4332 wrote to memory of 4920 4332 cmd.exe 113 PID 4332 wrote to memory of 4920 4332 cmd.exe 113 PID 4332 wrote to memory of 4920 4332 cmd.exe 113 PID 4332 wrote to memory of 4504 4332 cmd.exe 114 PID 4332 wrote to memory of 4504 4332 cmd.exe 114 PID 4332 wrote to memory of 4504 4332 cmd.exe 114 PID 4332 wrote to memory of 2864 4332 cmd.exe 115 PID 4332 wrote to memory of 2864 4332 cmd.exe 115 PID 4332 wrote to memory of 2864 4332 cmd.exe 115 PID 4504 wrote to memory of 2196 4504 rundll32.exe 116 PID 4504 wrote to memory of 2196 4504 rundll32.exe 116 PID 4504 wrote to memory of 2196 4504 rundll32.exe 116 PID 2196 wrote to memory of 4884 2196 runonce.exe 117 PID 2196 wrote to memory of 4884 2196 runonce.exe 117 PID 2196 wrote to memory of 4884 2196 runonce.exe 117 PID 3836 wrote to memory of 3412 3836 inlE83F.tmp 122 PID 3836 wrote to memory of 3412 3836 inlE83F.tmp 122 PID 3836 wrote to memory of 3412 3836 inlE83F.tmp 122 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 540 attrib.exe 4920 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\743c70dc9d04d9b39f681a13658a3953_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xcodewget2.bat" "2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat3⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3368 -
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?821334⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3288 CREDAT:17410 /prefetch:25⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1528
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf4⤵
- System Location Discovery: System Language Discovery
PID:1596
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat4⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4332 -
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:4936
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
PID:4320
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f5⤵
- System Location Discovery: System Language Discovery
PID:5052
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4560
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f5⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:732
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:540
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\PROGRA~1\FREERA~1\tmp5⤵
- Sets file to hidden
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4920
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf5⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4504 -
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
- System Location Discovery: System Language Discovery
PID:4884
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\jni.mp3,MainLoad5⤵
- System Location Discovery: System Language Discovery
PID:2864
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inlE83F.tmpC:\Users\Admin\AppData\Local\Temp\inlE83F.tmp2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inlE83F.tmp > nul3⤵
- System Location Discovery: System Language Discovery
PID:3412
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\743C70~1.EXE > nul2⤵
- System Location Discovery: System Language Discovery
PID:2544
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Indicator Removal
1File Deletion
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5b7c5e3b416b1d1b5541ef44662e1a764
SHA18bff7ea2be2f3cf29f2381d8007198b5991ca3ae
SHA256f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1
SHA51265dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc
-
Filesize
492B
MD534c14b8530e1094e792527f7a474fe77
SHA1f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA51225bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2
-
Filesize
3KB
MD56cbd1848e570354769fb56efd38f3594
SHA1d17d48036cdbd6a928729a16a34babc2bd49708a
SHA256cd0076ca521c3a3a8845fb6dac00fc93da9803bca9e03c904516b3493f7ba13d
SHA512ff8502603849d56807be7a4990d4f17459a7a60c446283e8656dc69b5dae6b4ef833e521f4b6a24a69e7867a03d8688bac14498a21c7aa950d9d889b61d8e2e5
-
Filesize
230B
MD5f6dcb2862f6e7f9e69fb7d18668c59f1
SHA1bb23dbba95d8af94ecc36a7d2dd4888af2856737
SHA256c68fe97c64b68f00b3cc853ae6a6d324b470a558df57eac2593487978592eb2c
SHA512eefe630b776d2144df39e9c385824374b3d546e30293d7efe10cc2d6bf6f2c932162bf80add1c8ca58afcc868ad02b3ffc104c0f111f3827f4385ee9f26f5e75
-
Filesize
5.8MB
MD566e9fcf7b704c5d5a927ec325abeb35f
SHA138eb04e8badf8639bf94e2bacab1ae07f444ed08
SHA256b975c6436a235afef309488701cb53d521af49181d09c085d1f73c1110582900
SHA512a5a619db7df71d81ba25753855e280b59a26d414862cc4f61733f2a40013e683a3c7fe97403b1698680a991eca015ce0134ab994a18718a79fcb82bd24bb94ed
-
Filesize
802B
MD5b4f7d6a0d3f6605440a1f5574f90a30c
SHA19d91801562174d73d77f1f10a049c594f969172a
SHA256e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd
SHA512c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f
-
Filesize
17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize
629B
MD57c51a3cd196c154af76f7d57a475487d
SHA1f2067dc3665cf3c7269eaec7022642bdc4a6a375
SHA256ea89a5077fca265853fb87b8dbfc7c1c9bbf6a8d360cb0a01e6a6ce133086937
SHA512efc22e2a44b93210aa1a5e44e98e01b57fff75b24023e093d75886c6103102e4e12f9e7a16b40f29d3fe63393e02b196df0c05aca9ae2eb29b8279950ba08f1c
-
Filesize
36B
MD50b53221b1332efb76ebd2ab7120ff78f
SHA1e3dda4d21e35819eaf50e50c2aab2950ff1505b5
SHA25605bbda79058985c35a48637dcbc66c73176e1f7e4c95e8aef8b762066b780388
SHA512877637688f255d94b94feb3b2444678836db41644f6e1a7d1f902c8c12bab45785393a8f210215eebcdcb3526002632863bf54f026047aa1edee8481b26dddcd