185f6e209635d969183fe521f76efd33dc622563d99b73f46fa5f9513662d838

Analysis

max time kernel
119s
max time network
135s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19/08/2024, 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
Size

1.4MB
MD5

ac35e362a8f2d426515056b8e7d0b91b
SHA1

436d37800e2580ae19370fba58c176f039a7f8a8
SHA256

185f6e209635d969183fe521f76efd33dc622563d99b73f46fa5f9513662d838
SHA512

37c997ec1d36572851cba99497e88310d2874d12f964ac30873c9ba643d918d8ad49b2815602806f179bcca9a17c7de6f75379af6c4dc9589883ec470c57ada2
SSDEEP

24576:P/ss/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiV7:5/4Qf4pxPctqG8IllnxvdsxZ4U7

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 7 IoCs

pid	Process
2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\soft174652\down_7383.exe	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_174652\sc\126ÍøÖ·´óÈ«ÉÏÍø×î·½±ã.url	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_174652\sc\²ÊÆ±¿ª½±²éÑ¯-ÔÚÏßÂò²ÊÆ±.url	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_174652\sc\ÍøÉÏ¹ºÎïÍøÖ·´óÈ«-Íø¹ºµÚÒ»Õ¾.url	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_174652\FlashIcon.ico	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_174652\sc\Ã¿ÌìÍÅ¹ºÒ»ÏÂ-¾Û±ãÒË.url	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft174652\a	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_174652\sc\»Æ¹ÏµçÓ°Íø-ÔÚÏßµçÓ°.url	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_174652\dailytips.ini	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_174652\5220115206525219465217525252_ini.txt	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft174652\z009.exe	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\jishu_174652\jishu_174652.ini	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft174652\B_5220115206525219465217525252.txt	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft174652\5220115206525219465217525252.txt	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_174652\sc\2144Ð¡ÓÎÏ·--³¬¼¶ºÃÍæ£¬ÀÖºÇºÇ.url	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_174652\sc\GoogleËÑË÷.url	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_174652\ImgCache\www.2144.net_favicon.ico	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_174652\newnew.exe	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430256318"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{437D0411-5E5E-11EF-AAA3-7AF2B84EB3D8} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{43801151-5E5E-11EF-AAA3-7AF2B84EB3D8} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c700000000020000000000106600000001000020000000e53d9a2d03fce2e592b8158c0ab4a47e14272bba25a5fc754ab0da3492f3a408000000000e8000000002000020000000d867b0d9eaf1ef90dcc057376d2c1ca22168e2a4e2f935e4afc1eac12fec6cfc20000000d32de4092b1dbdc496f4b189c703c387a6fb3ff8ee9c098e61754efb71222a3a40000000860148233f5d6ee3cd0a5f819ee4f37a3fc4b4f1bcda9245065239404b1b0f9b16d62ca0ef8187125460455286fb7550ded67aeb11407cf23e2b40143ebfeaa3	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5053061c6bf2da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c70000000002000000000010660000000100002000000087058353cd7d73f8a63d1efd42a54aa87b1671e6906c1f65088592ba20e55802000000000e8000000002000020000000a96c7b19d96606b956f172825356732a5f6f0f23315be592f7ba44312e7084b0900000006e41ce6ecd9155c730ade74f378002c1d9f3ab296dfc4923de7c63b46a386417f4df15e607bc034ef070bc0d4845ac7ede1eea0d1babd4f4b730b045aafe1fb4dd1c493e50c57d528bc0e49645d00b489d3a94e299daaed84e3302f39524b7d5d31ef329cb14c959632d335514801fa0a3c30bea8866790e01186137da9ef4b9f803f8c8191b286a3ff9a0722c6940d4400000000daf8f34fc94b071cd69fcd2f18dd60d1cd953e1ab5b1fc67c162302ddc00546b6d8a78c02192c8add1466b1295fd4228db4cccab5809c3b3a6d3e404ecf5709	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
588	IEXPLORE.EXE
2180	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
588	IEXPLORE.EXE
588	IEXPLORE.EXE
2180	IEXPLORE.EXE
2180	IEXPLORE.EXE
2844	IEXPLORE.EXE
2844	IEXPLORE.EXE
2784	IEXPLORE.EXE
2784	IEXPLORE.EXE
2784	IEXPLORE.EXE
2784	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2184	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2184	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2184	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2184	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2184	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2184	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	30
PID 2392 wrote to memory of 2184	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	30
PID 2184 wrote to memory of 588	2184	IEXPLORE.EXE	32
PID 2184 wrote to memory of 588	2184	IEXPLORE.EXE	32
PID 2184 wrote to memory of 588	2184	IEXPLORE.EXE	32
PID 2184 wrote to memory of 588	2184	IEXPLORE.EXE	32
PID 2392 wrote to memory of 2408	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	31
PID 2392 wrote to memory of 2408	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	31
PID 2392 wrote to memory of 2408	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	31
PID 2392 wrote to memory of 2408	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	31
PID 2392 wrote to memory of 2408	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	31
PID 2392 wrote to memory of 2408	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	31
PID 2392 wrote to memory of 2408	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	31
PID 2408 wrote to memory of 2180	2408	IEXPLORE.EXE	33
PID 2408 wrote to memory of 2180	2408	IEXPLORE.EXE	33
PID 2408 wrote to memory of 2180	2408	IEXPLORE.EXE	33
PID 2408 wrote to memory of 2180	2408	IEXPLORE.EXE	33
PID 588 wrote to memory of 2844	588	IEXPLORE.EXE	34
PID 588 wrote to memory of 2844	588	IEXPLORE.EXE	34
PID 588 wrote to memory of 2844	588	IEXPLORE.EXE	34
PID 588 wrote to memory of 2844	588	IEXPLORE.EXE	34
PID 588 wrote to memory of 2844	588	IEXPLORE.EXE	34
PID 588 wrote to memory of 2844	588	IEXPLORE.EXE	34
PID 588 wrote to memory of 2844	588	IEXPLORE.EXE	34
PID 2180 wrote to memory of 2784	2180	IEXPLORE.EXE	36
PID 2180 wrote to memory of 2784	2180	IEXPLORE.EXE	36
PID 2180 wrote to memory of 2784	2180	IEXPLORE.EXE	36
PID 2180 wrote to memory of 2784	2180	IEXPLORE.EXE	36
PID 2180 wrote to memory of 2784	2180	IEXPLORE.EXE	36
PID 2180 wrote to memory of 2784	2180	IEXPLORE.EXE	36
PID 2180 wrote to memory of 2784	2180	IEXPLORE.EXE	36
PID 2392 wrote to memory of 2912	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	35
PID 2392 wrote to memory of 2912	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	35
PID 2392 wrote to memory of 2912	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	35
PID 2392 wrote to memory of 2912	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	35
PID 2392 wrote to memory of 2912	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	35
PID 2392 wrote to memory of 2912	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	35
PID 2392 wrote to memory of 2912	2392	ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe	35
PID 2912 wrote to memory of 2552	2912	Wscript.exe	37
PID 2912 wrote to memory of 2552	2912	Wscript.exe	37
PID 2912 wrote to memory of 2552	2912	Wscript.exe	37
PID 2912 wrote to memory of 2552	2912	Wscript.exe	37
PID 2912 wrote to memory of 2552	2912	Wscript.exe	37
PID 2912 wrote to memory of 2552	2912	Wscript.exe	37
PID 2912 wrote to memory of 2552	2912	Wscript.exe	37

C:\Users\Admin\AppData\Local\Temp\ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ac35e362a8f2d426515056b8e7d0b91b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.teaini.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.teaini.com
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:588
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:588 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2844
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://sadfsdafsadf.zaiqu.net:81/wangdaqing/none.htm?z009
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://sadfsdafsadf.zaiqu.net:81/wangdaqing/none.htm?z009
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2180 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2784
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft174652\b_1752.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\soft174652\300.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft174652\300.bat

Filesize
3KB

MD5
c274f4f4cb20cb8f0cf9dec34a0224aa

SHA1
03689d14e7103e32dc2e597d8361f138796f217f

SHA256
355632f1cb6ada23c1fdbe75b3bc7c861bcc51e24264383e14ac593582fe524f

SHA512
5a0864cab4d8a92b3d25e9a139861b9db9e6a671b8cf7ed74a0d84b8a6a05d71f050702133cc9c58fdd1d495bb9245ca5262d7dcc9f6d5486792e7f903f8a086

Download Submit
C:\Program Files (x86)\soft174652\b_1752.vbs

Filesize
274B

MD5
320a578207c7d023000481596ad35044

SHA1
b4c7dd0fd620bdeb580282c6c6181713bd19485a

SHA256
20e4857d0028bd3b76da38b9c7320659eca56fd244f5ef021804918a71243891

SHA512
1fd81103accd94e9dc4132057919329704e7df605ae675c644956de30e50a2b9d7723b3005f6075950e4cf8a65c8a398f353d46a7d777396948ff9bed90379a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a821ee9006e5f08ea67ef6a5f51c475

SHA1
f11b8d1fde02328b098f49ee664daa4bc4c8357d

SHA256
bfeafebaf049ad09855c1e3b15427c02dcfe768e800b3f38084507d4f3ce1070

SHA512
4f0da47eb754c88d4ae695ef61260aec0f798ab27e8e316f32ecc525d05ea94a26adedfb52c81a25c141b4a479d8855550dbb01798a2184b682f0a5bb7d3cb79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e1c4a94cc071b17bc67d798487e5748

SHA1
99acd140873c81ed0d42dae3ef4f16aad5cae93d

SHA256
99a71509ed1b82abd4e499bb553fac5bde594a9ddb3b240ac7543e63f0eb491f

SHA512
b47dc1353462d6654cdd0a6f52be284954cd416383334787987fe4e4c9a46371a4f1f549c08b7cd902c285b35f62185a1187f4e2130c12a4c02195f3ea3f9514

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5b401b9d20570120d36ff7851030d2b

SHA1
ce4bab3501cd94266c6ee6db5136a565ec1ee819

SHA256
58e62e1175544d5ab7f5187bc16d5992c423d415f0f030fdb4119a8c62cf347b

SHA512
01f9710c04e12d71ccd075e750a91ababb1ec0c0d7a1bac5ca9da63eef1238757214a9fe967c06caaab19a0b4c2666f7fd5088043da482997b763950d7f6e874

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d82f15d96feaaabf1656a482f450f4d3

SHA1
cd31f63d11ef1e349af8013a5ce24c5e1bde8403

SHA256
3a3dfb5a5b6b91ed7d33dfd29656bf1e52193b550157381d356289afe6e63ce2

SHA512
a1d7a5a523370c1e26909702177e6354055d50b97a075bf3a2807379b7acaf528d2e4340aab77768c9ec0a8ed5baabb79a4e95013df179859ae9db2036a4d345

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffbc99d916038308c1af3b8254a7bcd2

SHA1
0621340eec689afb9fba7454ee3efaefaae7eaf1

SHA256
16a812f5d63f87299ad29f0cfaec847f32fd40793293673b60f105d218618aa0

SHA512
de351422b1937fb58e4b9a927b683ad8029023c25f434089e6f73e13c1e18fcb29e89fabd35b72aa0b4a44f03f44e4504085c8c7cb6b7080b160b32aa2901780

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50f8637e7cf124755b0929159ef8491e

SHA1
1c828e5cb79cd33d8d4646fe2c3a3c69a57879fd

SHA256
bca41c6da83b35a4efe4829f840ccf74393c10912a826713e562cd3524e6d183

SHA512
e2e2b61e12903046749a648a22564d96a4377ae9dbf4cb47aaee81e281e9dc679f86c346707bf057afa0e5dd73db1a21019b1c05d7a8ba313fc867e59e62e39e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e198015da3758afc22948a112325e9af

SHA1
3889476ece9abd0520cd3d47a1c8b23bc8a9bd56

SHA256
b1c8e70cbee70a9b7e402e9e067296566c9c7850d5de75b2a4f78a6896a4830b

SHA512
6f0bd19d55309b87965d459425c925c7cd94cd3ff5d1a10ee8b61ad692770bec4b9dff3b3f20734cd27a9bd12694c013ae92b6756350a58ae10b43d1923932ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
034d15fda407bd2163a6e94639a4d356

SHA1
265e9666512e26bcd2e9b4597af2852839844644

SHA256
ad998dbc7badc1270a99b3127e296495d19bcec760e9862a1de3d102d5156395

SHA512
fb289207e67d5912f89ffaf12ecfc572f1a966d3304f6f7629aabf26907f43637adc9db898b5879d11ccfaee67ca71d818f7fc28fde30ecb473b602dbc023b6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
475fb09a9fb7cfdb2698fd28205afc4e

SHA1
da1236048c43eec758341035051976f10ac2cbb9

SHA256
f24337e074aff06b40bae04f4488daafdbbf9c37796ae81b3777885321c3a6bc

SHA512
6923be04c7fd6b507798d5afdf83943ca1cf996cb7d4910e0c30c0ca0018dcf728fb6e9b6a22d042879661ab362ddc7d0a6d0488e3c8458b34550b357aed0de6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
946cbf7f2afd32d1436905a2c42cf54b

SHA1
42b8adeb5a89c8079af17abce50b3894ad60cf9c

SHA256
56d5f95a182f134cd54c30f149db4a0d9857dc2c9f5b27875a8eb7fe9b3b32f3

SHA512
9b41b76bdf426ecc4b0dcca5e975aa8cce4e071ef58012ddab7c8180972d780a852c907f321090864eef1fbadf40790a150c9e31d71eb99b13be2acace51ec2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2879faafb39a5b6a6261e4500a5969b0

SHA1
32da37bae35c1d657d9bfa4e331ec08a320d8700

SHA256
192538c5a44de4cd40fd44e10490086a6560397b4e8b8caf16618718971930d7

SHA512
5d908ecb4082436fda7b49d7fbbc573abd7049da7b8fb85bfd7fa29de68ae61df7047814dc9541f5efad005d970759e610a27954d5b458902d4956f0265c92cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6adb680a9e4933ecf8d3ae3cf2b7368c

SHA1
6fca90635c11e4439b90e63bad8993b98caec382

SHA256
9945c2741eea3bb14bbe0f79888b420f6ed85c98e0f5cc43dd15b33c79780212

SHA512
7b2a7847f0e686910af66e8c387bfef0f6ac63f50ff89e6c04bd3350cf668d34766b6492d97c1d84649382783f875a2985111fc8157602ad054c17b63722692d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb58e41a95a89068d16ca3e34bf8c8d6

SHA1
689502916061969758f477674c4d66ce55b19338

SHA256
e0c6010c76cbc5c9e16dfb2009a863773e2fc5b7944dee2ffdf11e7607723f83

SHA512
131b367bce243d28d4043edbbc292e1ecd028e09ad8066822540455be366f2e069115fb395414e8bdc26a70f1102b95ecce4958d27c28da881ae5101a8fb76a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe244a94ed12bd43f5066c432a298590

SHA1
ad59541d804bc63692bc48e04971895b79dc2c7f

SHA256
980bc609b30ea0c60ad441ab6d498c406e5d708ce4cb3710d142902374a36a73

SHA512
6e4507cd226be204a51c73e6311e83c4c86d61f9bb28f8ed1c2f2985e73953af28257df12c2594089c7a7634a69f4bf3632685d5c467349893c15470244f1d59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0725769d053d11074f9b3f38135bd663

SHA1
c944b5459b6d677dd87d9d15525a1ea01ba0a87d

SHA256
edf18fe1e84e5f61f56c8172566bfdc1f0c5cb42ac3efea751309bda6c67a61d

SHA512
4d80aa5a5a18c3e5d9a10a18d1b998625673ac344aa7f815872eff4eed355c46c0fe05fde2f3e42d1bd647fcf706c75da88cc49590aa538d710c5367174dcadd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1ed6b71ea2f18f6854d83f76d8f3fb4

SHA1
53a994f0d766c72bbaf9b37eb36ca4c6240e8fd2

SHA256
3005da680d61f6c0ca0b31e6fe4f90c5251ac300bc1343accbef1d5b5fb90832

SHA512
05a4dc5d02d1ea6a70226b17c7f7c763474410e619c53ea4994c341374fb0b644fef6d2923b71e30a779db3542bdb13eec0c83cdf680ba0c084d103a5bbe38d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dbc7f7ee777f0ccba0641174f06f5fa

SHA1
a2b23540b225a85104d5c1973bc29e1a4127fbe1

SHA256
70aec89a8b67e1764df59e90fa07b22d842a9fdfbed8ffc1710343b5410709d2

SHA512
db399156a77c655117ae5ce19da6b10f5e7f2b317f52cb7d0d06919ac621e37d6fb0bce7efa1dd8e243b5555ab45bd200b634b421659cfe5d6e345e135bcfa0e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3fa130d2e6ce9b8fb06c126989a84c5

SHA1
1841d4d38cf480a3591f6e5db5339fab3567a4da

SHA256
c8fcbee59a3684484ecbb7845a9def949bd193838042a1802b22f6fca0805f01

SHA512
9292f8938bffdfa4cc8410dac07ff99b9e91f4ecefa47e3d97b953184a459f24b4965e71f97c3568ac96e17529dc3155d170653283e04769782e9766fcc0e3ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ca46d8c26cd9b16ac74721d43ac8430

SHA1
c5fb5da711e068537b482152d39fa38cbd01a636

SHA256
9f29a0cc76373e8e37b0d5226b28f96e60a37e55ee3cf65a07cf8d50fc4a0e27

SHA512
306823dbfc4358f6e51d0a16a9e019dbcaf1d74e0ca390cafe7843b286d4639f4f223924aebabdeab5917c0483baf310aaa4177a6bd3e3e6df93ccd004e92d3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{437D0411-5E5E-11EF-AAA3-7AF2B84EB3D8}.dat

Filesize
5KB

MD5
04c3413ba122b1cec587e8f318edfe26

SHA1
00fab063f978df162c99981b55ad3c730662e08c

SHA256
aeb535766940bcaeb49d417bdf27e17a2c5291fdc2a6b61f3d4656db28d1250d

SHA512
6234fa883859524e6464d00064a2f9c3466eab99470741092621748cd2a7bf8c7a64574d26b51d7a8f04e273723d01b5cb425dc682cf4e4fc69be6e4d6b938f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{43801151-5E5E-11EF-AAA3-7AF2B84EB3D8}.dat

Filesize
4KB

MD5
4b24fa2aff68d95c1f8747a1a61ec12c

SHA1
f4e7cb042fe489a6d3819d912f99a003879a979a

SHA256
2f7956ca736df69b51e8cb41c9ee728428eb6f3e34528ea8f62c46001b5808c3

SHA512
32035c3c519b94141e050da9e13a886eb8c52242a75faac2db47fdde10f6e6562b09ea593eebe1be8b2f6454209cff4fc536080f905c316b6da61d4778e5cfc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF1B2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF232.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Program Files (x86)\jishu_174652\jishu_174652.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC13E.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsjC13E.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit