Analysis
- max time kernel: 145s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11/08/2024, 02:03
- Static task static1
- Behavioral task behavioral1: sample 8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe, resource win7-20240704-en
- Behavioral task behavioral2: sample 8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe, resource win10v2004-20240802-en
- Behavioral task behavioral3: sample $PLUGINSDIR/Banner.dll, resource win7-20240729-en
- Behavioral task behavioral4: sample $PLUGINSDIR/Banner.dll, resource win10v2004-20240802-en
- Behavioral task behavioral5: sample FunshionInstall.exe, resource win7-20240708-en
General
- Target: 8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe
- Size: 1.3MB
- MD5: 8891f4022ff23fbf7e4c783ecb318b46
- SHA1: 86a70dfca73d529d95c39418df80376b1e29de02
- SHA256: ef35ac2b2e72a54b987a95682fc47faaa06ad0e93520e8122e933702dfdb117c
- SHA512: b081a397077ed18e1c3fc6f0ffcbdae9282310db6d6483f32a8c37006ffe166bb265c2c6dcb20acff5a597c3b8785103091a7d6e21be301c6ab2cb5b736dbe9a
- SSDEEP: 24576:/RXutlSbt0UXW7ISMBG4ywCv0GRxrwaL8vHy3MGC:/kg+b7uIxwaLOS3Mx
Malware Config
Signatures
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (FunshionInstall.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (66.exe)
Drops startup file (1 IoC)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\???-????????.lnk (FunshionInstall.exe)
Executes dropped EXE (8 IoCs)
- PID 808: FunshionInstall.exe
- PID 3948: msn054.exe
- PID 4724: 6.exe
- PID 1280: 66.exe
- PID 4596: cfkk.exe
- PID 4452: p.exe
- PID 1588: z.exe
- PID 3244: coopen_setup_100067.exe
Loads dropped DLL (7 IoCs)
- PID 1036: 8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe
- PID 3948: msn054.exe (2 loads)
- PID 4724: 6.exe (2 loads)
- PID 3244: coopen_setup_100067.exe (2 loads)
Yara rule upx matched (13 IoCs)
- behavioral2/files/0x0007000000023443-79.dat
- behavioral2/files/0x0007000000023440-88.dat
- behavioral2/files/0x000700000002343f-99.dat
- behavioral2/memory/4452-105-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/1588-109-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/4596-94-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/4452-207-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/4596-206-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/1588-208-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/4452-242-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/4452-245-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/1588-257-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/1588-261-0x0000000000400000-0x00000000004A2000-memory.dmp
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
AutoIT Executable (9 IoCs)
AutoIT scripts compiled to PE executables.
Yara rule autoit_exe matched:
- behavioral2/memory/4452-105-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/1588-109-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/4452-207-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/4596-206-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/1588-208-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/4452-242-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/4452-245-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/1588-257-0x0000000000400000-0x00000000004A2000-memory.dmp
- behavioral2/memory/1588-261-0x0000000000400000-0x00000000004A2000-memory.dmp
Drops file in System32 directory (22 IoCs)
- File created: C:\Windows\SysWOW64\fzluc\FunshionInstall.exe (8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe)
- File created: C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240614250 (FunshionInstall.exe)
- File opened for modification: C:\Windows\SysWOW64\p.exe (FunshionInstall.exe)
- File created: C:\Windows\SysWOW64\coopen_setup_100067.exe (FunshionInstall.exe)
- File created: C:\Windows\SysWOW64\66.ICO (66.exe)
- File opened for modification: C:\Windows\SysWOW64\66.ICO (66.exe)
- File created: C:\Windows\SysWOW64\66.exe (FunshionInstall.exe)
- File opened for modification: C:\Windows\SysWOW64\66.exe (FunshionInstall.exe)
- File opened for modification: C:\Windows\SysWOW64\z.exe (FunshionInstall.exe)
- File opened for modification: C:\Windows\SysWOW64\coopen_setup_100067.exe (FunshionInstall.exe)
- File created: C:\Windows\SysWOW64\msn054.exe (FunshionInstall.exe)
- File opened for modification: C:\Windows\SysWOW64\msn054.exe (FunshionInstall.exe)
- File created: C:\Windows\SysWOW64\cfkk.exe (FunshionInstall.exe)
- File created: C:\Windows\SysWOW64\看韩剧-最新韩剧在线观看.url (FunshionInstall.exe)
- File opened for modification: C:\Windows\SysWOW64\看韩剧-最新韩剧在线观看.url (FunshionInstall.exe)
- File created: C:\Windows\SysWOW64\z.exe (FunshionInstall.exe)
- File created: C:\Windows\SysWOW64\p.exe (FunshionInstall.exe)
- File created: C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240620890 (66.exe)
- File created: C:\Windows\SysWOW64\66.bat (66.exe)
- File opened for modification: C:\Windows\SysWOW64\66.bat (66.exe)
- File opened for modification: C:\Windows\SysWOW64\fzluc\FunshionInstall.exe (8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe)
- File opened for modification: C:\Windows\SysWOW64\cfkk.exe (FunshionInstall.exe)
Drops file in Windows directory (1 IoC)
- File created: \??\c:\windows\ppfilm.exe (p.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 15 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
- Processes: FunshionInstall.exe, cmd.exe, p.exe, IEXPLORE.EXE (4 instances), 8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe, 6.exe, z.exe, msn054.exe, regedit.exe, 66.exe, cfkk.exe, coopen_setup_100067.exe
NSIS installer (2 IoCs)
Yara rule nsis_installer_1 matched:
- behavioral2/files/0x0007000000023447-41.dat
- behavioral2/files/0x0007000000023441-113.dat
Runs .reg file with regedit (1 IoC)
- PID 1488: regedit.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: 33, PID 1588, z.exe
- Token: SeIncBasePriorityPrivilege, PID 1588, z.exe
- Token: 33, PID 4452, p.exe
- Token: SeIncBasePriorityPrivilege, PID 4452, p.exe
- Token: 33, PID 1588, z.exe
- Token: SeIncBasePriorityPrivilege, PID 1588, z.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
- PID 4912: IEXPLORE.EXE
- PID 4528: IEXPLORE.EXE
Suspicious use of SetWindowsHookEx (8 IoCs)
- PID 4912: IEXPLORE.EXE (2 events)
- PID 4528: IEXPLORE.EXE (2 events)
- PID 992: IEXPLORE.EXE (2 events)
- PID 2776: IEXPLORE.EXE (2 events)
Suspicious use of WriteProcessMemory (46 IoCs)
Each row is one parent-to-child write, with the report's procid_target id and the number of times the event was recorded.
- PID 1036 (8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe) wrote to memory of PID 808, procid_target 86 (3 times)
- PID 808 (FunshionInstall.exe) wrote to memory of PID 3948, procid_target 88 (3 times)
- PID 3948 (msn054.exe) wrote to memory of PID 4724, procid_target 89 (3 times)
- PID 808 (FunshionInstall.exe) wrote to memory of PID 1280, procid_target 95 (3 times)
- PID 1280 (66.exe) wrote to memory of PID 1900, procid_target 96 (3 times)
- PID 1900 (cmd.exe) wrote to memory of PID 1488, procid_target 98 (3 times)
- PID 808 (FunshionInstall.exe) wrote to memory of PID 4596, procid_target 101 (3 times)
- PID 808 (FunshionInstall.exe) wrote to memory of PID 4452, procid_target 102 (3 times)
- PID 808 (FunshionInstall.exe) wrote to memory of PID 1588, procid_target 103 (3 times)
- PID 4596 (cfkk.exe) wrote to memory of PID 4448, procid_target 104 (3 times)
- PID 4596 (cfkk.exe) wrote to memory of PID 3332, procid_target 105 (3 times)
- PID 3332 (IEXPLORE.EXE) wrote to memory of PID 4528, procid_target 106 (2 times)
- PID 4448 (IEXPLORE.EXE) wrote to memory of PID 4912, procid_target 107 (2 times)
- PID 4912 (IEXPLORE.EXE) wrote to memory of PID 2776, procid_target 108 (3 times)
- PID 4528 (IEXPLORE.EXE) wrote to memory of PID 992, procid_target 109 (3 times)
- PID 4596 (cfkk.exe) wrote to memory of PID 3244, procid_target 111 (3 times)
Processes
Process tree (indentation shows parent/child depth; each entry gives the image path, PID, command line and the signatures attributed to that process):
- C:\Users\Admin\AppData\Local\Temp\8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe (PID 1036)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8891f4022ff23fbf7e4c783ecb318b46_JaffaCakes118.exe"
  Signatures: Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\fzluc\FunshionInstall.exe (PID 808)
    Command line: C:\Windows\system32\fzluc\FunshionInstall.exe
    Signatures: Checks computer location settings; Drops startup file; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\msn054.exe (PID 3948)
      Command line: "C:\Windows\system32\msn054.exe"
      Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\6.exe (PID 4724)
        Command line: "C:\Users\Admin\AppData\Local\Temp\6.exe" 7854
        Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\66.exe (PID 1280)
      Command line: "C:\Windows\system32\66.exe"
      Signatures: Checks computer location settings; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (PID 1900)
        Command line: C:\Windows\system32\cmd.exe /c ""C:\Windows\system32\66.bat" "
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\regedit.exe (PID 1488)
          Command line: regedit /s 66.reg
          Signatures: System Location Discovery: System Language Discovery; Runs .reg file with regedit
    - C:\Windows\SysWOW64\cfkk.exe (PID 4596)
      Command line: "C:\Windows\system32\cfkk.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 4448)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.fzluc.com/explorer.htm
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 4912)
          Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.fzluc.com/explorer.htm
          Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2776)
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4912 CREDAT:17410 /prefetch:2
            Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 3332)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.2d2d.net/qq.htm
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Program Files\Internet Explorer\IEXPLORE.EXE (PID 4528)
          Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.2d2d.net/qq.htm
          Signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 992)
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4528 CREDAT:17410 /prefetch:2
            Signatures: System Location Discovery: System Language Discovery; Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\coopen_setup_100067.exe (PID 3244)
        Command line: coopen_setup_100067.exe
        Signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\p.exe (PID 4452)
      Command line: "C:\Windows\system32\p.exe"
      Signatures: Executes dropped EXE; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\z.exe (PID 1588)
      Command line: "C:\Windows\system32\z.exe"
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads