747e6eea83e778cc68e510480617e7a35aa9228d6c05ff02386311772614325b

Analysis

max time kernel
148s
max time network
156s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
18-08-2024 22:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a870e1b362ddfba23848ea83d023b339_JaffaCakes118.exe
Size

168KB
MD5

a870e1b362ddfba23848ea83d023b339
SHA1

1fb91af66eb1ea7a233922464862aae08797ed43
SHA256

747e6eea83e778cc68e510480617e7a35aa9228d6c05ff02386311772614325b
SHA512

1d275f5723c8bb09cc31d92a449df8466bcef5a95e5b383bfd4bcf2878e62aa48acd12f58c7c052943edc7b23af697cb7b2042055b1d857c83179cb0a302ea7b
SSDEEP

1536:aHob+TnkkpRNGojAbnXlkjZ2G+7ErBnOZn2KcGO3Ekm+7UmNhG6n3+T:sOukkJGoEbXldaE5eAt

Score

8^/10

defense_evasion discovery evasion persistence

Malware Config

Signatures

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2384	attrib.exe
2280	attrib.exe

Deletes itself 1 IoCs

pid	Process
1688	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2068	inl9B29.tmp

Loads dropped DLL 2 IoCs

pid	Process
2424	a870e1b362ddfba23848ea83d023b339_JaffaCakes118.exe
2424	a870e1b362ddfba23848ea83d023b339_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hsdfasd = "\"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\tmp.\\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}\" hh.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	rundll32.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe
File opened for modification	C:\PROGRA~1\INTERN~1\ieframe.dll	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a870e1b362ddfba23848ea83d023b339_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	inl9B29.tmp

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430181479"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{07DC63F1-5DB0-11EF-AF97-4E18907FF899} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.82133.com/?o"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.82133.com/?o"	reg.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\IsShortCut	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command\ = "wscript -e:vbs \"C:\\Users\\Admin\\AppData\\Roaming\\PPLive\\3.bat\""	reg.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2828	rundll32.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeRestorePrivilege	2828	rundll32.exe
Token: SeRestorePrivilege	2828	rundll32.exe
Token: SeRestorePrivilege	2828	rundll32.exe
Token: SeRestorePrivilege	2828	rundll32.exe
Token: SeRestorePrivilege	2828	rundll32.exe
Token: SeRestorePrivilege	2828	rundll32.exe
Token: SeRestorePrivilege	2828	rundll32.exe
Token: SeRestorePrivilege	2748	rundll32.exe
Token: SeRestorePrivilege	2748	rundll32.exe
Token: SeRestorePrivilege	2748	rundll32.exe
Token: SeRestorePrivilege	2748	rundll32.exe
Token: SeRestorePrivilege	2748	rundll32.exe
Token: SeRestorePrivilege	2748	rundll32.exe
Token: SeRestorePrivilege	2748	rundll32.exe
Token: SeIncBasePriorityPrivilege	2424	a870e1b362ddfba23848ea83d023b339_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2068	inl9B29.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1536	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1536	iexplore.exe
1536	iexplore.exe
2576	IEXPLORE.EXE
2576	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2688	2424	a870e1b362ddfba23848ea83d023b339_JaffaCakes118.exe	31
PID 2424 wrote to memory of 2688	2424	a870e1b362ddfba23848ea83d023b339_JaffaCakes118.exe	31
PID 2424 wrote to memory of 2688	2424	a870e1b362ddfba23848ea83d023b339_JaffaCakes118.exe	31
PID 2424 wrote to memory of 2688	2424	a870e1b362ddfba23848ea83d023b339_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2560	2688	cmd.exe	33
PID 2688 wrote to memory of 2560	2688	cmd.exe	33
PID 2688 wrote to memory of 2560	2688	cmd.exe	33
PID 2688 wrote to memory of 2560	2688	cmd.exe	33
PID 2560 wrote to memory of 1536	2560	cmd.exe	35
PID 2560 wrote to memory of 1536	2560	cmd.exe	35
PID 2560 wrote to memory of 1536	2560	cmd.exe	35
PID 2560 wrote to memory of 1536	2560	cmd.exe	35
PID 1536 wrote to memory of 2576	1536	iexplore.exe	36
PID 1536 wrote to memory of 2576	1536	iexplore.exe	36
PID 1536 wrote to memory of 2576	1536	iexplore.exe	36
PID 1536 wrote to memory of 2576	1536	iexplore.exe	36
PID 2560 wrote to memory of 2828	2560	cmd.exe	37
PID 2560 wrote to memory of 2828	2560	cmd.exe	37
PID 2560 wrote to memory of 2828	2560	cmd.exe	37
PID 2560 wrote to memory of 2828	2560	cmd.exe	37
PID 2560 wrote to memory of 2828	2560	cmd.exe	37
PID 2560 wrote to memory of 2828	2560	cmd.exe	37
PID 2560 wrote to memory of 2828	2560	cmd.exe	37
PID 2560 wrote to memory of 2832	2560	cmd.exe	38
PID 2560 wrote to memory of 2832	2560	cmd.exe	38
PID 2560 wrote to memory of 2832	2560	cmd.exe	38
PID 2560 wrote to memory of 2832	2560	cmd.exe	38
PID 2832 wrote to memory of 580	2832	cmd.exe	40
PID 2832 wrote to memory of 580	2832	cmd.exe	40
PID 2832 wrote to memory of 580	2832	cmd.exe	40
PID 2832 wrote to memory of 580	2832	cmd.exe	40
PID 2832 wrote to memory of 760	2832	cmd.exe	41
PID 2832 wrote to memory of 760	2832	cmd.exe	41
PID 2832 wrote to memory of 760	2832	cmd.exe	41
PID 2832 wrote to memory of 760	2832	cmd.exe	41
PID 2832 wrote to memory of 1156	2832	cmd.exe	42
PID 2832 wrote to memory of 1156	2832	cmd.exe	42
PID 2832 wrote to memory of 1156	2832	cmd.exe	42
PID 2832 wrote to memory of 1156	2832	cmd.exe	42
PID 2832 wrote to memory of 432	2832	cmd.exe	44
PID 2832 wrote to memory of 432	2832	cmd.exe	44
PID 2832 wrote to memory of 432	2832	cmd.exe	44
PID 2832 wrote to memory of 432	2832	cmd.exe	44
PID 2832 wrote to memory of 824	2832	cmd.exe	45
PID 2832 wrote to memory of 824	2832	cmd.exe	45
PID 2832 wrote to memory of 824	2832	cmd.exe	45
PID 2832 wrote to memory of 824	2832	cmd.exe	45
PID 2832 wrote to memory of 2384	2832	cmd.exe	46
PID 2832 wrote to memory of 2384	2832	cmd.exe	46
PID 2832 wrote to memory of 2384	2832	cmd.exe	46
PID 2832 wrote to memory of 2384	2832	cmd.exe	46
PID 2832 wrote to memory of 2280	2832	cmd.exe	48
PID 2832 wrote to memory of 2280	2832	cmd.exe	48
PID 2832 wrote to memory of 2280	2832	cmd.exe	48
PID 2832 wrote to memory of 2280	2832	cmd.exe	48
PID 2424 wrote to memory of 2068	2424	a870e1b362ddfba23848ea83d023b339_JaffaCakes118.exe	47
PID 2424 wrote to memory of 2068	2424	a870e1b362ddfba23848ea83d023b339_JaffaCakes118.exe	47
PID 2424 wrote to memory of 2068	2424	a870e1b362ddfba23848ea83d023b339_JaffaCakes118.exe	47
PID 2424 wrote to memory of 2068	2424	a870e1b362ddfba23848ea83d023b339_JaffaCakes118.exe	47
PID 2832 wrote to memory of 2748	2832	cmd.exe	49
PID 2832 wrote to memory of 2748	2832	cmd.exe	49
PID 2832 wrote to memory of 2748	2832	cmd.exe	49
PID 2832 wrote to memory of 2748	2832	cmd.exe	49
PID 2832 wrote to memory of 2748	2832	cmd.exe	49

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2384	attrib.exe
2280	attrib.exe

C:\Users\Admin\AppData\Local\Temp\a870e1b362ddfba23848ea83d023b339_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a870e1b362ddfba23848ea83d023b339_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\teacher2011_check.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\PROGRA~1\INTERN~1\iexplore.exe
      C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1536
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2576
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
      4⤵
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      PID:2828
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
      4⤵
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:580
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Modifies Internet Explorer start page
        
        PID:760
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1156
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:432
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:824
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2384
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2280
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
        5⤵
        Adds Run key to start application
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
      - C:\Windows\SysWOW64\runonce.exe
        
        "C:\Windows\system32\runonce.exe" -r
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:1596
        
        C:\Windows\SysWOW64\grpconv.exe
        
        "C:\Windows\System32\grpconv.exe" -o
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
    - - C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 D:\VolumeDH\inj.dat,MainLoad
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1356
- C:\Users\Admin\AppData\Local\Temp\inl9B29.tmp
  C:\Users\Admin\AppData\Local\Temp\inl9B29.tmp
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl9B29.tmp > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2320
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A870E1~1.EXE > nul
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5bcd6de9ac7925c9a17b6d829189b0e

SHA1
f137aa8121945ed03d3e035255921eea3774d0e3

SHA256
00bd9e3ab419a677431c30e86901be10ba5714b60fe0d6fa30ecd69a8f102e05

SHA512
a53ddfa1db9ebd8dc168784549ddfe54819e6bdce32f8f7d1fa5e92486a1e39f1de77121e834e9a4ebeb3fc2fd3e5920f9dc1a6ce805c9af87886cddbaa1916b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cafdbcb8eb51549bf614ab50a4d4383a

SHA1
d743928c0889501fd9c7a03fc7a1aa49e21461ab

SHA256
f2a7d8175525996245843a55636384e4165501ffbc2ca813c658efd70d02c41b

SHA512
de4e32bf89c7fcf558582a75a87eb3e7960907370bbea5fe3a95d3bdc4febcc69229a58258a3ae29a6ae62df3b708e72a8aedf9d7b269ee65146e8c6968bcb33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
235418787df5b54d3f17a1b8cd8f83d9

SHA1
87b473ea0ee190a6d267657f56285f38860c8673

SHA256
795cf176362d24dff8ca65afb90445ae2be902365b21be88c007ad67720e31ed

SHA512
aaca0f2b232610636fe5d63a010a0f0f7eff64b2459fc721c69f7c0986d3d413967d571c3c954f27a6fddf03f07985b0a2d8285aaf82a97dc07e5563722e29ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2af108cf27318e20b719852a3c4a08fd

SHA1
fdce624c76b7a521ed2c1751c724266ae242cf65

SHA256
090cce5bc1053075baa38a7ee6776f87f3239c3b3152bbf473ab8a9a053312da

SHA512
c00e289f2c79bd3c35b9d7dfbe72936d090f1707347fd323c670eff730d60a7b4f92970447e4e5495710d28f281eabe8baecf724961e8013b023d4f805436199

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
454bc9fb6bf9168305d9010999b41d9c

SHA1
96b01d69ba5fbf8996e5ac6fc7477f2871d8fea6

SHA256
979f22e7d5d8857c7f54cd4dd3eab2cec65c0550be4ec268c3111a3cb82b5874

SHA512
0e4f6101fdfbaacdac5a383fde35eeae17407cd75cf83d98d12f322308d63a406366eecfd629f3d88fdd019848a8a97c25c3f817ddce032b2ef50aecca0e04cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3d053e1247647df16e5953765c41427

SHA1
5ef6b98711306b8f7d718fcc0ef5fe37a268b2fc

SHA256
9398b45ec39eec2e7dc3782f46e612685e5eef3735daa135ab7a2fbdb1f7662e

SHA512
ea28711efaf46837bb6aff3bd74fc3f7ead87bfb2bf62f9af38db80131b59b61e233211e2d686b72bf4b2492e5b0fbb19e03d903a9971a4de0d4cc75c8a094c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c0c71b96eb78d3476a243ed5abfc4d5

SHA1
e9f5d031d93716f6add45ba938f6329044dd8f57

SHA256
86d2ad5e1b2201241da1dbb3643215a5e5488af172b6661b06a2e4bbd562af80

SHA512
7efac860cd96c980977961d9b30c5fd9a554cba55b828fc1142228b21191560c9251bb812fcf70f5c165233de522dbbe7ffe173c92fac7a4fe562ff306d65ba5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44689070607b986f2e4b43234f345fdc

SHA1
95700242f5421f212cdac5ca5ca49317bd067a9c

SHA256
4256b4cafe530d58ddfaa48044050f7df1014725f8471ab9af49d376b29383f6

SHA512
552cc396a4fe222d71dd5f96674fa993e3801248e8c8532111a8b4d9bfcff71f80e6df2cfb515d54a10396860627f1d8d4704397d046ce51f3efd0d681cb795b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6711ac293e746999c2632ba2a7f722c8

SHA1
a24a1880ac161536eba1dc5b5526d5f76f72cd3a

SHA256
f74e21904ba2bf08a9e4a863eb02b6a7340afd725811b283af112ca307035f52

SHA512
deda622ce98ad3d52bc5592d9208e968abc7dad40f17231d4e737f100d3753f31d65d14caca8c280e0e7ce9ce65f4d629b8a7d49420f61d4f3e4727f748a5251

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a8b93b1a2feaf60f4f7feb91b250dd8

SHA1
3c8ad1fe55e47940d810c9b1fa77a03664348f4b

SHA256
3b5bf1db04fad064237c75d7ced24119166afb72b21b1932eeb17c1f75ec82bd

SHA512
0a54d345a2030a72494b88462ee9cf2f35980857656e1d0d4ebde1fb1c08d61100fb72ac8d17cc155c6c72b09b47f7ecf5b75692ba6abdf2634b03a1d7f306eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
233702a232a669f7bfe11bd70c5e2976

SHA1
c89a80936dc599955ee9bacff9ab3bb1e1064075

SHA256
fc3ff3895a56d9da09a6fc17f9f0f60769f7abb3637f4285fafd4290858b37e8

SHA512
6e63c9f77a97c962a461118a9a6ce0bc52f27b0083d47d56d782b7f30a0a6614f4e92240048dc7940259f8dc1ca15433f00f199c205babc1d34ace4f4779215f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
310737e889bf267f8fb0a9fcd921fd80

SHA1
33168a6e268d796be3f8b4b3ebffa540a32bda59

SHA256
0a67cfef068f3cdfc0510dc67aee0bb2f35878618000655fa4dc953ae25b89cf

SHA512
e4258392c4514b598e1721b98552f3d5c08b8636ff18217f2ee96e1ff994f1426b83bc2cb5b9d0023b20d815b084e6391ea246d53b2c07b31f3d4f2fa95637fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2f38320feb668115d7dea5c040b461c

SHA1
35fe66baea346577e6784ebcca60b3aaa5783de9

SHA256
1439da583a943af915c05194c53f2cece51265742d540bd0782c3864bebc85f4

SHA512
5ea33f3b8098e1876b46c84752f9acd2b14a585563c7f590b438867d3765830fdda6f0b727d3800e6f41da6491ef78e0ff9bd4137cee60e18e4c8754ed9b3340

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e14eebc65e2c2592a87fae7a26f4d008

SHA1
c9a74ebfbd617c4e6531018e8e6e1138909fc80b

SHA256
5f6a7f305aca377601d9f544b4dc7ac94b7c5631e52ac2e7135d11132bd533c7

SHA512
6d00414ce66d0c56e0ecf5e3640f6c2b64a44b572c2fd7c85012a590a998e29594921a0c7ba0d961ba68f304ff5b83308d654fa8f865d875b9ce9db7f51697b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
873617ca969a7f1d2fac93ab198bd4e8

SHA1
d541ba3b1415ebfe464136812a828974c62e1bb5

SHA256
c11f19d528d3899de0b1744b3ec61f6a40358cb12c59c5c262e40847e9f0cdaf

SHA512
1df643a02eb53c000da00e9e4ce36f1ae184cea528ca75d5bfe45a239dce8c0e8aa2f0891978f5098d8649bd29b9a1b08da99ef4cac9cad562473fa161e19980

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd68c66c63bd8ba4f4c1bd7a6d7b265b

SHA1
9999407596578bb4b1ee5768810e658410e6d805

SHA256
4ea5e09bdb8791ff71dba3366880c9cf3da1b6473e26de96b14572ba00b48119

SHA512
4d5d753acb12c26136667db3037a1bcaedf77ff1e43d682a8b3998e15b11ed3b10010ed93a751aaa428c717c20bf19dec135d808bc01ca8bc7b15c235730ef5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ef077e5451ef39b18b1d01ac91148f6

SHA1
e2f11554df5ecdcb7be32d54ef8116032d7a695d

SHA256
fa193be71afd7ce694ba38fb4eeaaed3c00e493a17fbfa6a0a794e419f2a98c7

SHA512
e6ae7e40eba35c1de2226184003a8c5774d1fff88fe5b7e2c04295fa26e0d44a008bc4a147f5b8efcd53ead048509c71e12a4b0dd034ebd39458a369887ce592

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d398fa11aa4edeb3376147e0a867547

SHA1
923aee813f95680565fedb228abb44f00b0758f1

SHA256
bb17f7689fa1f1a09b7cf34c0affc78b0ab36796afb4ecfafdf16689be0c2fc4

SHA512
b8b2b2e1614019b4f66aaaffd55d8363c59545f36204f25d0071533395378f6df6bc26bfa99f3911a16240dcd67946aba470bfeb8e9875050dd2fe2d51676184

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88d80f296fc3d3e78d5b8d5a354db01f

SHA1
2b8cf3d6366938efbeda6aece59d24ae6d7c4825

SHA256
6bbf498d1c2a2a1560bb02d39bdb018b4512657f4ba6b776bee03f0a3b9dc6ab

SHA512
e94499cc35b57a995441f4e253185c116a98786ce627e88117f707c590ca56c69656f61ce2af459f921e49c612b884a4b03213459442e78e22063e1f32f8ebab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XWMUP5AI\favicon[1].htm

Filesize
802B

MD5
b4f7d6a0d3f6605440a1f5574f90a30c

SHA1
9d91801562174d73d77f1f10a049c594f969172a

SHA256
e3b1510526757baa753c916ababce951be64146e04f74c631c6503531d83c6cd

SHA512
c852ff3b51db00184bcfb0d6609a2791cb81efdb0d8d5aaed1c5b9e576b17b19804affe6ea7b5db575179c166543db5dcd828b3fcbd90e8baabb47c166da7c3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9CFB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9DAB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\teacher2011_check.bat

Filesize
53B

MD5
23962a245f75fe25510051582203aff1

SHA1
20832a3a1179bb2730194d2f7738d41d5d669a43

SHA256
1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647

SHA512
dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

Download Submit
C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

Filesize
660B

MD5
c40ea8f677b3f48bfb7f4cfc6d3f03ab

SHA1
10b94afd8e6ea98a3c8a955304f9ce660b0c380a

SHA256
b1a31a74cc88d0f8e39aaebf58a724b89391dc3fbac733953790edf8ded8172c

SHA512
409b8a45576bf08e185446b13a512c115df7483ff8ec30ea51ee93ee1ac8153ae3b615650ff69a5d1e41fa0cd57fcdc4c5d03b4b4453431114ac018f48e194d9

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.bat

Filesize
3KB

MD5
b7c5e3b416b1d1b5541ef44662e1a764

SHA1
8bff7ea2be2f3cf29f2381d8007198b5991ca3ae

SHA256
f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1

SHA512
65dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.inf

Filesize
454B

MD5
45a663aaaa22c42bb167b18436c73938

SHA1
81236229eaed313ba57b0377629b8e50f824a352

SHA256
a8958f6b4cfc7a3db84f806ab7751ee1b72227c59f682e433e764228b3d94fc9

SHA512
adbd1253176aa7c40ac25dec3bd81202db3d1f762a0f9176d5719bb7120b6fffd0e420fd8ebd9c8fa62127c4c46001244865da077f383a8d35a4207ac7887d81

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\1.inf

Filesize
492B

MD5
34c14b8530e1094e792527f7a474fe77

SHA1
f71c4e9091140256b34c18220d1dd1efab1f301d

SHA256
fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

SHA512
25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.bat

Filesize
3KB

MD5
6b78cb8ced798ca5df5612dd62ce0965

SHA1
5a9c299393b96b0bf8f6770e3c7b0318a9e2e0cf

SHA256
81f64f42edfac2863a55db8fabd528c4eefc67f7e658cad6a57eeec862e444e3

SHA512
b387ba10021f3284d1406d520a2c8b3ba0c87922d67c79394c1aa50c631194519ac6bb5b898956533f040d48e1c7b202734e0075f8fc8c8bfab82c8ef359b28e

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\2.inf

Filesize
247B

MD5
ca436f6f187bc049f9271ecdcbf348fa

SHA1
bf8a548071cfc150f7affb802538edf03d281106

SHA256
6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534

SHA512
d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

Download Submit
C:\Users\Admin\AppData\Roaming\PPLive\4.bat

Filesize
12.3MB

MD5
a32bbdad09661444a45fdd65a7d670bd

SHA1
410db20811ba0aab44f7b9ac7478ec081c694da0

SHA256
cb5d2924229bdb21d3535cd8fdc1f119b31c152210be5e99e861c13f5aaa8791

SHA512
388d8787a4e627f42dd3fd9360340b15428f35c7861609a04df6d3f2517f7ad9231c571e6cefe18b8e1c185e753b2f89c4cda20fb6e3dd4ffe6521fdba16d3c9

Download Submit
memory/1536-47-0x0000000002140000-0x0000000002150000-memory.dmp

Filesize
64KB

Download
memory/2424-0-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2424-92-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads