7c6a50574bb4035eab64528d57533e48ba16337bbc4d2e5f028268d143c6712c

Analysis

max time kernel
142s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 14:10

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Size

212KB
MD5

ab5504d2cfdc5a4debdb85b47644e9f6
SHA1

d5b5f8b07f73455963abd0fdc82e96e70e0a29b8
SHA256

7c6a50574bb4035eab64528d57533e48ba16337bbc4d2e5f028268d143c6712c
SHA512

08028d6dfa0c558d137dd7b66e2ff7425636594efe14a4ec418fa4aa7dffed060b04eb1906158b2fd6c2e166b41d759688507183a15ff4645c53e71abc79cd17
SSDEEP

6144:dcyyU/A5rZRLEhFTnRa26s+Wdz8V7Wdfwn1nbmuSDmv:dHp/urb4A1WdBfk

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
692	WScript.Exe

Executes dropped EXE 1 IoCs

pid	Process
5000	Program FilesCDJ6E2.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Program FilesCDJ6E2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.Exe

Modifies Internet Explorer settings 1 TTPs 38 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430841590"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2515807012"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31126081"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd00000000020000000000106600000001000020000000110c55d416a7b81d48e0134a664039e3c6f87be180a34352df5ff8243591100e000000000e800000000200002000000041f9b320ac0c8e70e4d1eb0a433a0de8d1dc6f59253673531034c2ef05a50e5820000000e109c57655b2022e366c4df482be844a3d88bfd15945fde02ef0bfbdf53ccce5400000009b4430ee2ae95e66a445c7028b54d3f97c56e8cfabaae7c8e242b249f68865e688c1778fd8630a6fe54784004f8f448c8daeb5dd69cc8697f3e388553be8caec	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C19DB2F4-5E34-11EF-98CC-EEE1DD5A0987} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2519400829"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0abab9641f2da01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d07fa49641f2da01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31126081"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31126081"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd00000000020000000000106600000001000020000000a8cb9f01421728f0b0db2a14e6bb561004a15b826674bca431b171872a9c4f40000000000e8000000002000020000000f645f69b7fa5c8b8a583aa70cec4c8a739fbfa63d6189af94bbd361ddb27086d20000000d5bf860d7296655c741ca3a89f98788186633a643e3319d2f71a23c460b50f3f400000006ff2639f10521ad5186e6f68383fb76e82a6b0b2e273a11827ac92cb98b33e00c27b5b6f0d4a10c8cad7d9dee610c788c150e8268b557bd041bd49be6ea98344	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2515807012"	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1193"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1193"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.t17t.com/?1193"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1193"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1193"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1193"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3872	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4672	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
5000	Program FilesCDJ6E2.exe
3872	IEXPLORE.exe
3872	IEXPLORE.exe
4140	IEXPLORE.EXE
4140	IEXPLORE.EXE
4140	IEXPLORE.EXE
4140	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 5000	4672	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe	87
PID 4672 wrote to memory of 5000	4672	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe	87
PID 4672 wrote to memory of 5000	4672	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe	87
PID 5000 wrote to memory of 3872	5000	Program FilesCDJ6E2.exe	93
PID 5000 wrote to memory of 3872	5000	Program FilesCDJ6E2.exe	93
PID 3872 wrote to memory of 4140	3872	IEXPLORE.exe	94
PID 3872 wrote to memory of 4140	3872	IEXPLORE.exe	94
PID 3872 wrote to memory of 4140	3872	IEXPLORE.exe	94
PID 5000 wrote to memory of 64	5000	Program FilesCDJ6E2.exe	95
PID 5000 wrote to memory of 64	5000	Program FilesCDJ6E2.exe	95
PID 4672 wrote to memory of 692	4672	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe	97
PID 4672 wrote to memory of 692	4672	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe	97
PID 4672 wrote to memory of 692	4672	ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe	97

C:\Users\Admin\AppData\Local\Temp\ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab5504d2cfdc5a4debdb85b47644e9f6_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4672
- \??\c:\Program FilesCDJ6E2.exe
  "c:\Program FilesCDJ6E2.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3872
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3872 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:4140
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forjieku_977.html
    3⤵
    - Modifies Internet Explorer settings
    PID:64
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6809OHQ0\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
450B

MD5
e8ce9899f2974357d0d71d390c047924

SHA1
3206db45b787b104b942cd0e12e84add7c2c4936

SHA256
3cbecb3d93baf8f1dae47d09470948f0a9e98f13457a0267c0042163a78cf34d

SHA512
11a4a316578ace35b84bd6886ccbe4c359e4712576addc64abec126e16798dfcf25c8f7e5d1fe3f4b5c5aadc1524aaca339be8f4b88a638bd1762396630da2f9

Download Submit
\??\c:\Program FilesCDJ6E2.exe

Filesize
36KB

MD5
e79dc4d795499be83050f0844314dfe2

SHA1
4c80c2c79fb99792e22308781f1b960185050859

SHA256
0a18351dc613a9d35baf98a662003b588f5884adf2abbbdb7cca25ddd5aecde4

SHA512
d325eef6f955f534e9783b32fc128691ed5c56b986240fb7002c36fd12e96dcc514106eb1e256763dce0f7340020cb4de641fa796b867e293478bea768c8205b

Download Submit