bba5c650b8169484cec018636b0466ad51d28b84937f674d7704764f0463e5f3

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 12:39

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Size

806KB
MD5

af4168f6bf0ba1577cf2295b1a4ff090
SHA1

1a3317fbbfc31d2dae284cc67ad5192bb6a6eaf9
SHA256

bba5c650b8169484cec018636b0466ad51d28b84937f674d7704764f0463e5f3
SHA512

d2c1d43852cd054976ab2246c2f3ce24f513cf8640d8a0095da06e761bc76ccd4c4316e7f8257d2a64566c212c4e2582280c26262f525285fa2aac3bf68ef56c
SSDEEP

12288:xEncCP0UpnIIxU8H3Ek9aL4cLdWvuMg5gYgVE/zbnFn8WuN2u/unEIZUlxOnY7aB:scaAIxL3EkyrLdeop/Xq7BdIKxQXB

Score

10^/10

discovery evasion

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "1"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\system32\drivers\etc\hosts	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
File created	C:\WINDOWS\system32\drivers\etc\hosts	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msscp.reg	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\msscp.reg	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\taobao.ico	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
File opened for modification	C:\Program Files\Common Files\System\taobao.ico	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\web\Index.htm	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
File created	C:\Windows\web\Index.html	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
File opened for modification	C:\Windows\web\Index.htm	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
File opened for modification	C:\Windows\web\Index.html	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
File created	C:\Windows\web\Inde.html	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\TYPEDURLS	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.a585.com"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.a585.com"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe

Modifies registry class 53 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\WantsParseDisplayName	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\HideOnDesktopPerUser	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\1 = "20240820"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\5 = "191815"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÖØÃüÃû(&M)\Command\ = "Rundll32.exe"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ = "ÌÔ±¦Íø£¡"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\É¾³ý(&D)\Command	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)\ = "´ò¿ªÌÔ±¦Íø(&T)"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ = "Internet Explorer"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\É¾³ý(&D)	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\DefaultIcon\ = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.EXE"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÖØÃüÃû(&M)\Command	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)\ = "´ò¿ªÖ÷Ò³(&H)"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\HideFolderVerbs	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÊôÐÔ(&R)\Command	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\É¾³ý(&D)\Command\ = "Rundll32.exe"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÖØÃüÃû(&M)\Command	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\9 = "0"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Pz\9 = "1"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\IEXPLORE.E"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\ShellFolder\Attributes = "0"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÊôÐÔ(&R)\Command	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÊôÐÔ(&R)	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\É¾³ý(&D)\Command	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÖØÃüÃû(&M)\Command\ = "Rundll32.exe"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)\Command	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\DefaultIcon\ = "C:\\Program Files (x86)\\Common Files\\System\\taobao.ico"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÊôÐÔ(&R)	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)\Command	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)\Command\ = "iexplore.exe C:\\WINDOWS\\Web\\index.htm"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\DefaultIcon	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\É¾³ý(&D)	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\HideFolderVerbs	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\WantsParseDisplayName	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\Attributes = "0"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\DefaultIcon	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\ÖØÃüÃû(&M)	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\Shell\Open(&O)	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\É¾³ý(&D)\Command\ = "Rundll32.exe"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\Open(&O)	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder\HideOnDesktopPerUser	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD43}\ShellFolder	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÊôÐÔ(&R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F3CA57DF-C5DA-11CF-8F28-00AA0060FD42}\Shell\ÖØÃüÃû(&M)	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe

Runs .reg file with regedit 2 IoCs

pid	Process
1304	regedit.exe
3044	regedit.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2964 wrote to memory of 1304	2964	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe	30
PID 2964 wrote to memory of 1304	2964	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe	30
PID 2964 wrote to memory of 1304	2964	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe	30
PID 2964 wrote to memory of 1304	2964	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe	30
PID 2964 wrote to memory of 1084	2964	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe	31
PID 2964 wrote to memory of 1084	2964	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe	31
PID 2964 wrote to memory of 1084	2964	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe	31
PID 2964 wrote to memory of 1084	2964	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe	31
PID 1084 wrote to memory of 3044	1084	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe	32
PID 1084 wrote to memory of 3044	1084	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe	32
PID 1084 wrote to memory of 3044	1084	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe	32
PID 1084 wrote to memory of 3044	1084	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe	32
PID 1084 wrote to memory of 2744	1084	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe	33
PID 1084 wrote to memory of 2744	1084	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe	33
PID 1084 wrote to memory of 2744	1084	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe	33
PID 1084 wrote to memory of 2744	1084	af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe	33
PID 2744 wrote to memory of 2724	2744	IEXPLORE.EXE	34
PID 2744 wrote to memory of 2724	2744	IEXPLORE.EXE	34
PID 2744 wrote to memory of 2724	2744	IEXPLORE.EXE	34
PID 2744 wrote to memory of 2724	2744	IEXPLORE.EXE	34

C:\Users\Admin\AppData\Local\Temp\af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe"
1⤵
- Modifies visiblity of hidden/system files in Explorer
- Drops file in Drivers directory
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Windows\SysWOW64\regedit.exe
  C:\Windows\regedit.exe /S C:\Windows\system32\msscp.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Runs .reg file with regedit
  PID:1304
- C:\Users\Admin\AppData\Local\Temp\af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\af4168f6bf0ba1577cf2295b1a4ff090_JaffaCakes118.exe
  2⤵
  - Drops file in Drivers directory
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer start page
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\regedit.exe
    C:\Windows\regedit.exe /S C:\Windows\system32\msscp.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:3044
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" C:\Windows\web\Inde.html
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows\web\Inde.html
      4⤵
      Modifies Internet Explorer settings
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Common Files\System\taobao.ico

Filesize
14KB

MD5
468fada123f5548ac87e57bae81f6782

SHA1
edb8f012c25906e6afd8bf335b495e16c440243d

SHA256
091c882bb307d57f2c7c42309e7ba8740130fef8c3ed772b0bc5e5505e37034d

SHA512
635ec26c88c2394dd4f2a81b9aea8f429a91adfeb37ae34e51b03f3cf8e503c123c3685938f40cea07d6146e0c7113aadbe62fa528f1f6d8b995e617fd68a4aa

Download Submit
C:\WINDOWS\system32\drivers\etc\hosts

Filesize
3KB

MD5
d52814065e58c9802ed59e9529bd5f7e

SHA1
d7ad95cca5846eaf14cb6943a9b8f8df02c3a229

SHA256
87b0e9f7af38674b84a055f3ca8bc9057d645290412e4cdd63eaa3e91352bbc0

SHA512
ea407bc87eb052542ef30a588051c5d3a5d578c493656502c8a0d6965e37d19ad1162a362bf1bee21c41afaf03dad10d87c5539f08b60cdb5146735d5e57cfdd

Download Submit
C:\Windows\SysWOW64\msscp.reg

Filesize
228B

MD5
2d06a424ad1c7611ea9caad93892ea26

SHA1
a901e15c2ecea498f1ca8ffc5d5c32bd3f0169d8

SHA256
8c19027357bcb3170b6844aec44cd4c143c7b795d5df52ff89426615010f715c

SHA512
3199dffce9d7625d9e01d7a06c912d3629e5f3d98d3935763df6b323807d46f24a40876d78d5ae7f7ac83c90e498e7c4810d88993904dbca1036e8c06833ccdf

Download Submit
memory/1084-11-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1084-10-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/1084-25-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2964-0-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download
memory/2964-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2964-27-0x0000000000400000-0x00000000004DD000-memory.dmp

Filesize
884KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads