Analysis
max time kernel: 149s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-08-2024 21:38
Static task: static1
Behavioral task: behavioral1
  Sample: b524bcaa36d0e6bd719d96a27f9277e9_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: b524bcaa36d0e6bd719d96a27f9277e9_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: b524bcaa36d0e6bd719d96a27f9277e9_JaffaCakes118.exe
Size: 403KB
MD5: b524bcaa36d0e6bd719d96a27f9277e9
SHA1: 3215d49449e2e044d1c6ced7c755b95f6115d864
SHA256: cff4ec8251196642821acb071b7d68bc93c05af9261d206a58c379ab922fd4ab
SHA512: b07e102ab181a2b2c2f7f44645886097f17512b7e593e371552976b52e39dc998c4e66c1ad80076e558207e19b56811a4cc17777ea4ef005017987d4d2351799
SSDEEP: 6144:7jtNSS4VNERBnS5NF2idZecnl20lHRxp3gxncduD7yB9VCO6Sco4q8+dE6CqS:0mRB43F3Z4mxx6DqVTVOCS
Malware Config
Signatures

Executes dropped EXE (1 IoC)
pid | Process
2388 | winxp.exe
Drops file in System32 directory (41 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\winxp.exe | b524bcaa36d0e6bd719d96a27f9277e9_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\winxp.dll | winxp.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D | IEXPLORE.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | IEXPLORE.EXE
File created | C:\Windows\SysWOW64\winxp.exe | b524bcaa36d0e6bd719d96a27f9277e9_JaffaCakes118.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Low | IEXPLORE.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Virtualized | IEXPLORE.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\IECompatCache\Low | IEXPLORE.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\IECompatUaCache\Low | IEXPLORE.EXE
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies | IEXPLORE.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\suggestions[1].en-US | IEXPLORE.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1 | IEXPLORE.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{013CEF31-6006-11EF-A2A4-76E8F1516C8A}.dat | IEXPLORE.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{161E4904-6006-11EF-A2A4-76E8F1516C8A}.dat | IEXPLORE.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\Favorites | IEXPLORE.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\Favorites\desktop.ini | IEXPLORE.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low | IEXPLORE.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low | IEXPLORE.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BFA05912-6005-11EF-A2A4-76E8F1516C8A}.dat | IEXPLORE.EXE
File created | C:\Windows\SysWOW64\winxp.exe | winxp.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BFA05914-6005-11EF-A2A4-76E8F1516C8A}.dat | IEXPLORE.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | IEXPLORE.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EC56D3AF-6005-11EF-A2A4-76E8F1516C8A}.dat | IEXPLORE.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BFA05916-6005-11EF-A2A4-76E8F1516C8A}.dat | IEXPLORE.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D | IEXPLORE.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | IEXPLORE.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\History\Low | IEXPLORE.EXE
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE | IEXPLORE.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\favicon[1].ico | IEXPLORE.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{D77CA279-6005-11EF-A2A4-76E8F1516C8A}.dat | IEXPLORE.EXE
File created | C:\Windows\SysWOW64\winxp.dll | winxp.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies\Low | IEXPLORE.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\TabRoaming | IEXPLORE.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low | IEXPLORE.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\known_providers_download_v1[1].xml | IEXPLORE.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BFA05912-6005-11EF-A2A4-76E8F1516C8A}.dat | IEXPLORE.EXE
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5 | IEXPLORE.EXE
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5 | IEXPLORE.EXE
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | IEXPLORE.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\favicon[2].ico | IEXPLORE.EXE
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\DomainSuggestions\en-US.1 | IEXPLORE.EXE
System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | b524bcaa36d0e6bd719d96a27f9277e9_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winxp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Modifies data under HKEY_USERS (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\LoadTimeArray = 10000000150000000300000003000000ffffffffffffffffffffffffffffffffffffffffffffffff | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@%SystemRoot%\system32\shell32.dll,-50176 = "File Operation" | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Suggested Sites | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE11SS&market={language}" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT | msedge.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | ie_to_edge_stub.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Time = e807080003001500150026003500bb03 | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Time = e8070800030015001500280027001100 | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Time = e8070800030015001500260032005000 | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Passport\LowDAMap | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories\{00021493-0000-0000-C000-000000000046}\Enum\Implementing = 1c00000001000000e807080003001500150026003400bb0301000000644ea2ef78b0d01189e400c04fc9e26e | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconURL = "http://www.bing.com/favicon.ico" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\LoadTimeArray = 0400000001000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431041302" | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\TabbedBrowsing | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Setup\UrlHistoryMigrationTime = 65872a0712e5da01 | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Count = "2" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = [value omitted] | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\LoadTimeArray = 0e0000000400000001000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffff | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\LoadTimeArray = 0300000003000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\InternetRegistry | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Edge | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\UpgradeTime = 65872a0712e5da01 | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Count = "1" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\LoadTimeArray = 03000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\RepService | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\NTTopResultURL = "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IENTTR" | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\Component Categories64\{00021494-0000-0000-C000-000000000046} | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation\UnattendLoaded = "1" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{31D09BA0-12F5-4CCE-BE8A-2923E76605DA}\iexplore\Count = "6" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\AppDataLow\Software\Microsoft\Edge\IEToEdge | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\Time = e807080003001500150026003500bb03 | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffffa6000000a6000000c6030000fe020000 | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\iexplore\Time = e807080003001500150029000e00ec00 | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\P3P\History | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\SearchScopes | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | IEXPLORE.EXE
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats | IEXPLORE.EXE
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2388 | winxp.exe
Token: SeDebugPrivilege | 2388 | winxp.exe
Token: SeDebugPrivilege | 2388 | winxp.exe
Token: SeDebugPrivilege | 2388 | winxp.exe
Token: SeDebugPrivilege | 2388 | winxp.exe
Suspicious use of FindShellTrayWindow (48 IoCs)
pid | Process | entries
4456 | IEXPLORE.EXE | 48 (all 48 entries are identical)
Suspicious use of SetWindowsHookEx (24 IoCs, listed in report order; consecutive identical entries collapsed)
pid | Process | entries
4456 | IEXPLORE.EXE | 2
4704 | IEXPLORE.EXE | 2
4456 | IEXPLORE.EXE | 2
2868 | IEXPLORE.EXE | 2
4456 | IEXPLORE.EXE | 2
2120 | IEXPLORE.EXE | 2
4456 | IEXPLORE.EXE | 2
4232 | IEXPLORE.EXE | 2
4456 | IEXPLORE.EXE | 2
2868 | IEXPLORE.EXE | 2
4456 | IEXPLORE.EXE | 2
4092 | IEXPLORE.EXE | 2
Suspicious use of WriteProcessMemory (52 IoCs, listed in report order; consecutive identical entries collapsed)
description | pid | Process | procid_target | entries
PID 3772 wrote to memory of 3868 | 3772 | b524bcaa36d0e6bd719d96a27f9277e9_JaffaCakes118.exe | 92 | 3
PID 2388 wrote to memory of 4552 | 2388 | winxp.exe | 93 | 3
PID 4552 wrote to memory of 4456 | 4552 | IEXPLORE.EXE | 95 | 2
PID 4456 wrote to memory of 4704 | 4456 | IEXPLORE.EXE | 96 | 3
PID 4704 wrote to memory of 2096 | 4704 | IEXPLORE.EXE | 97 | 2
PID 2096 wrote to memory of 1100 | 2096 | ie_to_edge_stub.exe | 98 | 2
PID 2388 wrote to memory of 1212 | 2388 | winxp.exe | 106 | 3
PID 1212 wrote to memory of 1060 | 1212 | IEXPLORE.EXE | 107 | 2
PID 4456 wrote to memory of 2868 | 4456 | IEXPLORE.EXE | 109 | 3
PID 2388 wrote to memory of 3392 | 2388 | winxp.exe | 117 | 3
PID 3392 wrote to memory of 1260 | 3392 | IEXPLORE.EXE | 118 | 2
PID 4456 wrote to memory of 2120 | 4456 | IEXPLORE.EXE | 119 | 3
PID 2388 wrote to memory of 3060 | 2388 | winxp.exe | 121 | 3
PID 3060 wrote to memory of 4848 | 3060 | IEXPLORE.EXE | 122 | 2
PID 4456 wrote to memory of 4232 | 4456 | IEXPLORE.EXE | 123 | 3
PID 2388 wrote to memory of 1464 | 2388 | winxp.exe | 132 | 3
PID 1464 wrote to memory of 368 | 1464 | IEXPLORE.EXE | 133 | 2
PID 2388 wrote to memory of 2700 | 2388 | winxp.exe | 137 | 3
PID 2700 wrote to memory of 3876 | 2700 | IEXPLORE.EXE | 138 | 2
PID 4456 wrote to memory of 4092 | 4456 | IEXPLORE.EXE | 139 | 3
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(process tree; indentation shows the parent/child relationship, signatures matched by each process are listed under it)

C:\Users\Admin\AppData\Local\Temp\b524bcaa36d0e6bd719d96a27f9277e9_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b524bcaa36d0e6bd719d96a27f9277e9_JaffaCakes118.exe"
  PID: 3772
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\\delmeexe.bat
      PID: 3868
      - System Location Discovery: System Language Discovery

C:\Windows\SysWOW64\winxp.exe
  Command line: C:\Windows\SysWOW64\winxp.exe
  PID: 2388
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
      PID: 4552
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
          PID: 4456
          - Drops file in System32 directory
          - Modifies data under HKEY_USERS
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4456 CREDAT:17410 /prefetch:2
              PID: 4704
              - Drops file in System32 directory
              - System Location Discovery: System Language Discovery
              - Modifies data under HKEY_USERS
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
                C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\BHO\ie_to_edge_stub.exe
                  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\127.0.2651.86\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=20030
                  PID: 2096
                  - Modifies data under HKEY_USERS
                  - Suspicious use of WriteProcessMemory
                    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=20030
                      PID: 1100
                      - Modifies data under HKEY_USERS
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4456 CREDAT:82948 /prefetch:2
              PID: 2868
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4456 CREDAT:82952 /prefetch:2
              PID: 2120
              - System Location Discovery: System Language Discovery
              - Modifies data under HKEY_USERS
              - Suspicious use of SetWindowsHookEx
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4456 CREDAT:82956 /prefetch:2
              PID: 4232
              - System Location Discovery: System Language Discovery
              - Modifies data under HKEY_USERS
              - Suspicious use of SetWindowsHookEx
            C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4456 CREDAT:82962 /prefetch:2
              PID: 4092
              - System Location Discovery: System Language Discovery
              - Modifies data under HKEY_USERS
              - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
      PID: 1212
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
          PID: 1060
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
      PID: 3392
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
          PID: 1260
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
      PID: 3060
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
          PID: 4848
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
      PID: 1464
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
          PID: 368
          - Modifies data under HKEY_USERS
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" about:blank
      PID: 2700
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
        C:\Program Files\Internet Explorer\IEXPLORE.EXE
          Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" about:blank
          PID: 3876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=3792 /prefetch:8
  PID: 3936
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 231B
MD5: 70e3edabf568f0cc8ea5a02ef793ae2c
SHA1: 1903911ca37afa98d40af60992ddcf4f42ea8fe2
SHA256: 98507224a1fa837239c9b5f5cec13d25ed8f456530ad08a6318ca83c96a3128b
SHA512: 8782e6d85b90dfb2a83396b525ffd49e2c00df8027b2ea3b6fd4633dc811136f219a7d201367b77916909a3f7dbb5676943dba0587b9d1c69fa532898a428e71

Filesize: 403KB
MD5: b524bcaa36d0e6bd719d96a27f9277e9
SHA1: 3215d49449e2e044d1c6ced7c755b95f6115d864
SHA256: cff4ec8251196642821acb071b7d68bc93c05af9261d206a58c379ab922fd4ab
SHA512: b07e102ab181a2b2c2f7f44645886097f17512b7e593e371552976b52e39dc998c4e66c1ad80076e558207e19b56811a4cc17777ea4ef005017987d4d2351799

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Filesize: 4KB
MD5: da597791be3b6e732f0bc8b20e38ee62
SHA1: 1125c45d285c360542027d7554a5c442288974de
SHA256: 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512: d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\suggestions[1].en-US
Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Filesize: 402B
MD5: 881dfac93652edb0a8228029ba92d0f5
SHA1: 5b317253a63fecb167bf07befa05c5ed09c4ccea
SHA256: a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464
SHA512: 592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Filesize: 88KB
MD5: 002d5646771d31d1e7c57990cc020150
SHA1: a28ec731f9106c252f313cca349a68ef94ee3de9
SHA256: 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f
SHA512: 689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6