1dddb7a1e327f942051b8cf5171286ae461d70149432fb06d1a284f8d69013a7

Analysis

max time kernel
121s
max time network
127s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
10/08/2024, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Size

614KB
MD5

84fbe5f66980d25fc61900119c12e729
SHA1

68b46a6adeba5e7c434cf6b4e9febc5c82fb168a
SHA256

1dddb7a1e327f942051b8cf5171286ae461d70149432fb06d1a284f8d69013a7
SHA512

193adaacaf7138b182da9235738ee41830a481395dd81b01e4923a25aa823d6272fdf0996d34bec5ef6c84972cab50121ae53628fa700f7979fd961532879054
SSDEEP

12288:SaWz2Mg7v3qnCi8ErQohh0F4CCJ8lnyLQYn:dadMv6CYrjqnyLQ+

Score

7^/10

discovery persistence

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2816	cmd.exe

Modifies system executable filetype association 2 TTPs 12 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DROPHANDLER	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Program Files (x86)\\Winrar\\Monitor.jse\" \"%1\" %*"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "´ò¿ª(&O)"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\SysWOW64\\WScript.exe\" \"C:\\Program Files\\Tencent\\Obfuscated.n\" \"%1\" %*"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2816	cmd.exe
2616	PING.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "429430486"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000833d74ac8c18d600e5a4341028c9cb372f258af8c2a7b4a5e7d6e9f5897a60aa000000000e8000000002000020000000b65e86a7f128a982b311cabc0ceb3978362fe9d8aff0c9e5be6dd93453ae13bd2000000006d2817759d1c22f28745bed50bfcd40cdd4c1d226d461ce39808e623470ac8640000000117a64630967633a46842ef4142a95fb78ccaa882a32b82a69a018edb4c9a1c6c88facf3656959534cb79202512528880e65d3ba8c90e929c423c6937fe6d9c9	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a044a043e8eada01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000002f8e41e3384fa749ac47329e409d990900000000020000000000106600000001000020000000acccc9a5f4f094723a64c9a81e391083c5221a19e7cfbc7d6b386bb970754881000000000e800000000200002000000098ca23c900f23173f0716a63959c324f02f35e44f9a5ff128e3a7558e89d50d690000000bdd2d4f77cfa8923a47cd4aa41cf7b8bd4ca512d05b88b9917447cfa51756247e5de372d69828a36db64ca898dfd5c6b2d660c2944b387dced954255b4e8cf70f46808d0e39fa222043cce653d4d8c1bcb388de239ea15092e43109ebb8ff9226e30a1c7aeca42b1b6f43f79dfa1f4691dc3f6da2d3178c4353e077b1c672f3c63cd61ab25b86f19f481e2b1b1b8da3b400000002d59589f21b8b6f0546d634d258a9de8cbaa7ec99b7bcbb6a467e9c639c1984901f6706e7b6ba32cd58fd0caec458a88799450fc5eb112ada78af69759adaaff	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7E38F031-56DB-11EF-B6C3-72D3501DAA0F} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3502430532-24693940-2469786940-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe

Modifies registry class 50 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.n\ = "Nfile"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\FriendlyTypeName = "@%SystemRoot%\\System32\\wshext.dll,-4805"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ScriptEngine	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open2\Command	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.n	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Print\ = "打印(&P)"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\DropHandler	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open\ = "打开(&O)"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DROPHANDLER	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\ = "´ò¿ª(&O)"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ScriptEngine\ = "JScript.Encode"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Edit\Command\ = "%SystemRoot%\\SysWow64\\Notepad.exe %1"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open2\ = "在命令提示符中打开(&W)"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ = "JScript 已编码的 Script 文件"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Edit\ = "编辑(&E)"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open\Command	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open\Command\ = "%SystemRoot%\\SysWow64\\WScript.exe \"%1\" %*"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Print\Command\ = "%SystemRoot%\\SysWow64\\Notepad.exe /p %1"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}	WScript.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\WScript.exe,3"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\PropertySheetHandlers\WSHProps	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{BB2E617C-0920-11D1-9A0B-00C04FC2D6C1}	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Program Files (x86)\\Winrar\\Monitor.jse\" \"%1\" %*"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\DefaultIcon	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open2	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Edit\Command	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Print\Command	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\PropertySheetHandlers	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Open2\Command\ = "%SystemRoot%\\SysWow64\\CScript.exe \"%1\" %*"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\PropertySheetHandlers\WSHProps\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\SysWOW64\\WScript.exe\" \"C:\\Program Files\\Tencent\\Obfuscated.n\" \"%1\" %*"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Edit	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\Shell\Print	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Nfile\ShellEx\DropHandler\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2616	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2740	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2740	iexplore.exe
2740	iexplore.exe
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE
2924	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 2268	588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe	32
PID 588 wrote to memory of 2268	588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe	32
PID 588 wrote to memory of 2268	588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe	32
PID 588 wrote to memory of 2268	588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe	32
PID 2268 wrote to memory of 2740	2268	WScript.exe	34
PID 2268 wrote to memory of 2740	2268	WScript.exe	34
PID 2268 wrote to memory of 2740	2268	WScript.exe	34
PID 2268 wrote to memory of 2740	2268	WScript.exe	34
PID 588 wrote to memory of 2816	588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe	35
PID 588 wrote to memory of 2816	588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe	35
PID 588 wrote to memory of 2816	588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe	35
PID 588 wrote to memory of 2816	588	84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe	35
PID 2816 wrote to memory of 2616	2816	cmd.exe	37
PID 2816 wrote to memory of 2616	2816	cmd.exe	37
PID 2816 wrote to memory of 2616	2816	cmd.exe	37
PID 2816 wrote to memory of 2616	2816	cmd.exe	37
PID 2740 wrote to memory of 2924	2740	iexplore.exe	38
PID 2740 wrote to memory of 2924	2740	iexplore.exe	38
PID 2740 wrote to memory of 2924	2740	iexplore.exe	38
PID 2740 wrote to memory of 2924	2740	iexplore.exe	38

C:\Users\Admin\AppData\Local\Temp\84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe"
1⤵
- Modifies system executable filetype association
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:588
- C:\Windows\SysWow64\WScript.exe
  "C:\Windows\SysWow64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\monitor.n"
  2⤵
  - Modifies system executable filetype association
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.com/?g9
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2740 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2924
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 4 127.1>nul &del /q "C:\Users\Admin\AppData\Local\Temp\84fbe5f66980d25fc61900119c12e729_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 4 127.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df88f5e9b3c2f6e99a97c53a54fe38b7

SHA1
810d6876c787d3b39297c467acf31060c69926e4

SHA256
c0ffd209955b9b48b73cb0d41beb052113737745252d0edf63c02647b31f7af1

SHA512
94ad39a497c18aa19ed8cf320c9555a096d4d4712b05c00faae96ae5ecd2ed9d8e11bb58a6e8c15469a0320245d979c31f1e47aeb77360b40af1da13b930c430

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbd37b159b8cd464568747934498678d

SHA1
a6e76088cd189656c5a540f8c385a6af99e08629

SHA256
c08279d5144c0a270c7584a27902a23e035685cee1ddc665eb5d58d0b72b64b5

SHA512
370a838cd0e97a1c6f9b2f14f831bf9b1b14d1d243012610c11a35d17f904cf0d993efb17aa1c00a6b51cfa6116f4afbb10cb3f624e9df3fda420748c134fbae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dc8e7d18c154edddd3e77573c020b72

SHA1
b9e2689e48002fea5d2acc44878a998cb01fbda2

SHA256
52c6cf756beacaefe895eb7d8e21e141ba923f171d0456ceb6e83f3f3252c513

SHA512
36610c555aa5a53ea47087ee813dd73439504795d299b7a8782b2c70de4f22f60ac054e90f1a31e05b56869bd02363a921f8242571afdba2b8d5fb3b3fa98042

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8becd2081d4984beda4e3957acd5a2d

SHA1
0a463e3ebb343b8ef1498d0edd2562b4c7f436a9

SHA256
653cc8031824701971b391511c54fdf08877c117793a9ca0b1d8facd264340d1

SHA512
a25c41d7a98bc0d36865b8ba7cf69b675a82f8a4479f66d2853bc5fbcdf018e8e56b0f7ee28dac0bfe0fd66b30f2ce3a9846b02738a317ebac5a0027f02eca52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e6770edf8eba2b3aa18830932eb7b78

SHA1
ef57deb22fa6b10856e1e1ce9856e1e7c953b209

SHA256
d375743328d178540f16ad983df284de6c8eb0af48585ea437f6602d0c03b18e

SHA512
bafb5a9955f3d87cfae68d0abb17e6c2e0855408db8b43e4388955d0db5547024e2606a0b6ce15fef584f3b956457c2831320c74908f52e18d3e3a578e5773e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8a0d5364698bbe6cc67a5b5ee54ac62

SHA1
74a2ed41760877ab31956d827a7820a12dc37d38

SHA256
95da57813e9f6330230dc84b4e5251d177ffa0cf3c47bc322b92cdfb6f353145

SHA512
d6ebba9921530654d373767196aae64be8976ec3cecff76081a206d10fde6cd771689e7a1322973d9094adf006415dcf583422df5ec2c12c9c50b1d93e76af7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72f2f209aacbac325457b6de6dfb559b

SHA1
d2516cbd9c40b9d4a0109daa21ac57f47ed8f9ac

SHA256
4a726f1726c985ffb62d8c34ed652b5735c40911b9093d2ac1afcf49f30e0050

SHA512
0660ea27819b5656e0e7419b4024e4604c250cd3bf303136d4e264fa7e8c98e2749204a2c7ed1ef326312a3a567ec8cff958d127cc2d9741c6a7c7110cf9e263

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1d6ce0108c31f9485ae2af3db5e627b

SHA1
a86f2a5429fb0e9670467e1c5fe604a7c795c095

SHA256
12dda0f81cfe063b09f42f42cbb63b56878834aaddac8fce7de5210bd8c18d25

SHA512
8e6457376ed23ea7d1def9e838f725ac6337cc99b24bbcb9a799dce94b96f2b08e8b8d74674ff01937875d83e4e170187524ba8261ec1115c364629e72b366c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f02d4a164797b8e50f111893f9bf64a5

SHA1
538d30c9e7fe30f029e201d15987ba233784bcdc

SHA256
ec15695bdf7d3444a2d52d6006a36b3d141befebbdc8913eba7e41a156e986f5

SHA512
9bba85d068292e944529eacd3acd6383606d71161d3045147b1eff640208a8e29e034f22fac62776599594a467a52a2803664d61d82c5845a9eda7c8e990a808

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9bc02a89ff7e36d22f1df5b61b6dbf7

SHA1
992d1604c33e090f82057016ea3863d38923873e

SHA256
720d03e511f860f07096090616dc376fa93989847305f9fd4a6e59d0e769cb88

SHA512
68e329570afb6cd7bc6f726157761a290acf3e3ace408bd115badf52ae00eb0af491aced337ebfc81f80fd729e19b535b47d3f7a0604d2c16d4bd1b2deda99b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
256f84b24d4927db2ed5a16d90ac8175

SHA1
5e2f2ba203c2e2dfcae5e64ca312f9874c084d2b

SHA256
acd5b0b9e96d88d069c69176f223d1ccab7173c479eac9f1febfbd74d9fadf7e

SHA512
d46ba1d23923c0b3de5389fbac1ca3ae34137c4a6df0278216630b8dce0bee8448b355d167a5cc37bfee96a802b68df0aaa6bdc2c5ad790cb86eb7ec8cac18b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f34ffd30daaf5bd14e19d2a151f4dbd

SHA1
2d7edb14ad525991217f2f804830a01ab3eb128e

SHA256
d74a04076c5116c921020c97ecce53e59a8173169793ed786858273f0191b0be

SHA512
4a5711a9bf74c25c282038e76d2194314f34c8ecb4007db4828f36f8893b1969f65855767aea4fb829c395aab5ef34c5ea7d45f38eebe7972d4c61f4b36b4bf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9a609f66c04a5b9ec7062a0487301e2

SHA1
fafb959667dda55e22588224747995918a1943ea

SHA256
3aebbf287d621252cf989d63adfbbe4fb336352f9930133ef009b4623b092f10

SHA512
2611c58c8fdccdde52df41fd18aa8534dd90473a093ed4d6a3b49635acf86b7065cefba5132fe6d536ce3f083b39ac8eb59bc52cb7c5c0ad220153c84e88e787

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e35cb3a6d8cd3a569b20ba8b2a8b797f

SHA1
e3ce81fb964c6014cdcb288467e7264af8d02fdb

SHA256
2c2f2a29aa507e0f01a9ca8db274db3cd931707dcf6e12d9b2db0486c0a77a6f

SHA512
5aa7add665d7e382ee2ada9a688d3ce71bd15435414bf3ddc7d781796605d9993c508c03079db92e9eaac8d3d20fd4b0e316e80d0312ff672518724cfdd8c92e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e9aac935dccce83194c6139655c0fe54

SHA1
d5cc5feb9b02333ad95e26396656df2435300e03

SHA256
e72aec8fad2af36462024f0fa6ce3254474133cdfd4204d6fcf07392f1f29fe3

SHA512
a8bd78bc9f05309b0ea4f225de341d70d74fae200c6f8ca901bf81efd486910206ed9e338ef820d0903f26e3804541ddc78d8b5f96f2bde812f1a5e41d6da251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94ac53f01495c48b6bd4c2e1d6c4bc21

SHA1
9b69167e2925cfd86b7dc9268d1e1acfc36ebdb3

SHA256
3406cf657574f67717ba89888231c6926a43e03be82b344ff446d37fb9ffd565

SHA512
0b63aeeceae2e434659f79226ee3f1ed533fdc7c55fb421e297d035b61265df17a7e78053559db8397b1599bbd212f21569718814995a6abb00d2c8e63c1098b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
898ad83ad397309b6bd02b69f5cdf3c6

SHA1
4d8f3737cfaf1395e005476c9418dc091ad15366

SHA256
2d960419d2f31713ef43eceb88fbbe74c2266a784ab0cfc3436c520ccf866631

SHA512
353848f7a967c0b4e2acb98287aa12cfcc756b9afde1d43d07f76156c037d4ef343bd4227ead70721412359c3738c6ee373ec991aa98d7b56bc101946a3ab067

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3906999d021b4562f3981f4f4aeaccdf

SHA1
da972542cbd10424ecd895dfffa9a3e177851508

SHA256
b9b6c41fac6675a655012525dd86e3106ecc881dbf45dd2868b5af1cde9ddf3c

SHA512
15745aebf1c1ec7b2e3c18ffc88ced843cc6d1657d49153218a4ed7948cf9690dab8aaee6ef4c110600c30c530169cf401ce91da89802c79d0b989710b5206ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96e30189bebc15de90173bd7551d2f1d

SHA1
fbeef27f82e22dce3c3dc6a175772a9ebaf9b75c

SHA256
81262bdadcd4c5d6c0582520707c30d243e2f5d0912e6146d83293fc080a3f28

SHA512
77ff58e53a1125575005e1b23ff23e679ec0619b111a7a1f24726d92966618f81d536ce4a46721db6e5786980c4ce3918118b5e3c47ee4738e2401d0ae6e97ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7eddc4b3181ece69ba5b89aaabc3879e

SHA1
ab095d9d46b40fa5ce47cb51dac1c7311d148a79

SHA256
cee3773b6fc39d7982e81c20091f6bc05d0709d67c2be52324b15b99f9bf1ef5

SHA512
2b90b83a623e3d6840eb0dc7995ca728209b2e8f7b96466dcb417ca9d5bed4f07d39e948824acd2a2a9f5b0410849b7c217d77c94e87883dd1bc092a2b8b4d7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c66f7e5210ee3b4e9af562fbd9e22ed6

SHA1
4ad40bb3dfd068f91d16754e65d0b4ad1c174829

SHA256
e9920cbdd99bce314bff575b177b859aaf5f781b07caddee5868a5a9f879a916

SHA512
084c6024f7577e84696782d5cacc011c5bb93b5d892e42e6f801c240d598092cd2a9f83559d4deb77c8ae4b8f4ad2db618b76e778fbaa9bd3c6d07e9dabc5b84

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE2C3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE2E5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\monitor.n

Filesize
7KB

MD5
a4bf7f9ba9b3e741c3054dfa0b5325ee

SHA1
2d5810b2d46596b4bbd04b565806ea7ec99d9116

SHA256
72f10825026c2f8fa14aaaae7a3919f96c56e6e4d2fe650b0268efe3a9b0469f

SHA512
b7853a9e9f451ad96f4421cb8c5dd8847813a568dc056c309a4296cbf4de05eeead66236001eea0125cb7a6fa7c1baf5555221fa5d0b76e13e4698504e592eef

Download Submit
C:\Users\Public\Desktop\Internet Explorer.lnk

Filesize
1KB

MD5
2b55b9940547415c65ea4d38fc6f3c9d

SHA1
9eac9d47f3d6cb079fbd435a2db249574c5d30b5

SHA256
a44355dc417b3d3568b289667b8c359c30024244016624c6d04895b11d93f9ea

SHA512
22dfa7314402c395f5db144a4810b775338423eed77510d4f54b66b138c7131520c1d85044fee5bb692f9416a65fac5aa6c29e672f6a2d3bf0488f6d9b4a0c6f

Download Submit