16401240e6bd9806889dea960dc98ac957ec1e76841766024d84f2f6f1fde8df

Analysis

max time kernel
133s
max time network
138s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
21-08-2024 22:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe
Size

250KB
MD5

b5499f608222505fbb59d09a32d48125
SHA1

c15faaa02ccc9cc494c108106e36ff356f82411a
SHA256

16401240e6bd9806889dea960dc98ac957ec1e76841766024d84f2f6f1fde8df
SHA512

209f139d8927e10387ecd06a4dbf662719dae21f9fe8864e05c473b51a86dc6e8654f42ec940d5cc455d5f50b2628558f075d3181e706cdfed9b9d39791ce484
SSDEEP

6144:0hieuJDr5T8b2ufqBLjSB/MS7irtIa6cwoD8ZroSfjGFA:VeKrJJuf86AYcwoaoSbr

Score

8^/10

discovery execution persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
1248	cmd.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3004-0-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/3004-35-0x0000000000400000-0x00000000004B1000-memory.dmp	upx

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/3004-35-0x0000000000400000-0x00000000004B1000-memory.dmp	autoit_exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WinRAR\winrar.jse	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe
File created	C:\Program Files\WinRAR\winrar.jse	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1248	cmd.exe
2648	PING.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{62680911-600C-11EF-BAC8-7A3ECDA2562B} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430441048"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10d4d52919f4da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b7000000000020000000000106600000001000020000000841727210ba7412b5a87dcf9d88b6cbabb0c360d9ebd0226d4233c624e2e61ae000000000e80000000020000200000005c3725c020b590424302e9455e2c1e4c0b983ed4b634787b1f50a9ad1600c0d590000000226b5b828972c5570ce1a508b1af343bf1c5a8cd0a09c05824d3408bbb699be0512fa4cba5fde7af5b21c00a6570d3428f121e0413006fae77ccc670bacd18cbf2ded41021ea9e6f7eaf27d64e1a01c9ec6fce975d2aeff3efa8cec6396086aeaa9072e4ebc1a3cba4f0453d1093a8dfeffee337ae96eac4208ce92df9ce2820ce762bd16c3a46e1121633cdad05483b40000000bcbcc589687da778ef256a0cf15dc65df41468a313bb86a021e36db44cf4ed70e9529f72449847d05ca819f56e86485f0ce5b2caaf0d19573fa383f5cf7a6676	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000bb7c5835718279428690b074aa627b70000000000200000000001066000000010000200000004be2524b675bc3fc2459638106516463ee9ea5c0bdfe4c9e1717d51dfd4f319b000000000e800000000200002000000091662b53069eff5b3e42e2a7a59a6309e83a71b87b36b65f160731639b68bcbf20000000c55c9a70e73e611927ca07ca7188d6b84d7fc6bc738540d015f2d351f94f91444000000046b43ae8d28b6903279ae0693fde897c136cf185e6ba9c58cf821fc574af5d60b4288c1382094750b2f33dd51bd822f2b0a4d2554daaa00d6aaca8e1c31d50d7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\ = "open"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\ContextMenuHandlers	WScript.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\IsShortcut	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\command\ = "WScript.exe \"C:\\Program Files (x86)\\Winrar\\winrar.jse\" \"%1\""	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mmc\ = "mmcfile"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\ = "¿ì½Ý·½Ê½"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\NeverShowExt	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\CLSID	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\command	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\IconHandler	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\ContextMenuHandlers\	WScript.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mmc	WScript.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2648	PING.EXE

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: 33	2244	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2244	AUDIODG.EXE
Token: 33	2244	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2244	AUDIODG.EXE
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe
Token: SeShutdownPrivilege	436	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe
3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe
3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe
3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe
3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe
3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe
2888	iexplore.exe
2888	iexplore.exe
2888	iexplore.exe
2888	iexplore.exe
2888	iexplore.exe
2888	iexplore.exe
2888	iexplore.exe
2888	iexplore.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe
3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe
3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe
436	explorer.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2888	iexplore.exe
2888	iexplore.exe
2616	IEXPLORE.EXE
2616	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2160	3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe	29
PID 3004 wrote to memory of 2160	3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe	29
PID 3004 wrote to memory of 2160	3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe	29
PID 3004 wrote to memory of 2160	3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe	29
PID 2160 wrote to memory of 2888	2160	WScript.exe	32
PID 2160 wrote to memory of 2888	2160	WScript.exe	32
PID 2160 wrote to memory of 2888	2160	WScript.exe	32
PID 2160 wrote to memory of 2888	2160	WScript.exe	32
PID 3004 wrote to memory of 1248	3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe	33
PID 3004 wrote to memory of 1248	3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe	33
PID 3004 wrote to memory of 1248	3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe	33
PID 3004 wrote to memory of 1248	3004	b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe	33
PID 2888 wrote to memory of 2616	2888	iexplore.exe	35
PID 2888 wrote to memory of 2616	2888	iexplore.exe	35
PID 2888 wrote to memory of 2616	2888	iexplore.exe	35
PID 2888 wrote to memory of 2616	2888	iexplore.exe	35
PID 1248 wrote to memory of 2648	1248	cmd.exe	36
PID 1248 wrote to memory of 2648	1248	cmd.exe	36
PID 1248 wrote to memory of 2648	1248	cmd.exe	36
PID 1248 wrote to memory of 2648	1248	cmd.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\WinRAR\winrar.jse"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.com/?g8
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2888 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2616
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 4 127.1>nul &del /q "C:\Users\Admin\AppData\Local\Temp\b5499f608222505fbb59d09a32d48125_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 4 127.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2648

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:436

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x5a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\winrar.jse

Filesize
11KB

MD5
9208c38b58c7c7114f3149591580b980

SHA1
8154bdee622a386894636b7db046744724c3fc2b

SHA256
cb1b908e509020904b05dc6e4ec17d877d394eb60f6ec0d993ceba5839913a0c

SHA512
a421c6afa6d25185ec52a8218bddf84537407fd2f6cabe38c1be814d97920cfff693a48b4f48eb30c98437cbbb8ad30ccd28c3b4b7c24379ef36ac361ddfdbf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
891622e0bd5d41cbee77a97fef3cbaaa

SHA1
da6c9e5d400284ae5e4bdd46fdce70c63e145f6d

SHA256
ea6062ab7c60fa21ef70a4c0ba1fc25943f1a53cc998d714182e38a43f76e189

SHA512
279e37736495fed25d1e470dfc9e494a56b4e5c281d1f3d5910a964799f91a2cf1e5d24bb59b00e6f34d35734c39e8ab64ee0432cabf1ca2ee2443e8b13f916d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c83106553ad628b9131384ef94dbdff

SHA1
8cb4463a47692c1e85296150498333f23f1d53d1

SHA256
c32b4a711f083621c5723c19c6a698bff0e408b7a2f9a9ec266e98b9b111547a

SHA512
b7a4b4e9d948f95f0c0626f366544c211fabd99f11c2908b347fb6b67f261476c83952519c5f89b436602c3b2ae3edfe184071e4dd30d0f99968cd06b6e0ad68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc1c53179fe439acbd50356133fdba48

SHA1
5d2f91c116f796db6d8d84d40d10ce66eb1018d9

SHA256
da1b3f16ed34870f9bb05373ef2aeff884fcc00b08afb68d7c14f8124f74001c

SHA512
1a03ca22af4616e6f39bd934bf3f6c3e5a4f4ccef11ea162aafacc648f8d8e922b7f34106c649e50b17981461257712b76499e87cfb8418a9df722c8a7f1bb11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df2b1a160609f0c8632a2b27ca1ba5ac

SHA1
b26723897749b9102177de95767d7fe4a6258813

SHA256
54dee51d396866738a489238a960415fa09da8f3acd6085fb8066fc513504489

SHA512
1b6be41a4d988341f7eed08bc1ed7171cbd460646b120ce9542eed5703c896945e00510803138af02935ceb623d7dbc4b8c80fd67952b6b22c78319632692c02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
691e538b61c925b97cbc2a7f95238598

SHA1
3b3c9d27d193ec14617692d80ac9b92ed0e1233b

SHA256
49ec323f541471d6a50900a56667b82567bec416450396f253a6326bf5d5ad4f

SHA512
9f246f718b05bda2c5cd5b9bf8afed26e756086272622fbb097c472bc044b8a3594a36307534cc4b1e334b694485f4e42b51c83990cfd9e2eee21a00406ed78c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8071653211d9322153ed113bea8dfe95

SHA1
f3043da5393492e675738d8100cb47086af1df69

SHA256
3e948e8bc12cb14537501f2d85d154de2cce8c9f645a6232b19994cc66b1bd37

SHA512
e082153ca7ebe8e70ebe0c0801ebf26b56ca435cb369b23e92601d1b4d60ffdd6327b34040078eb6dfefd0fe902d55b6d979d57d10ca12a43f35f07cd4b4f3f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76f9a0a74de4f609e0de37a6e783ff3c

SHA1
0bfd988ba5898b16508f967b5859398345914782

SHA256
503cd607842cf993ba99057e0c37bd5c0c98f23b1e012e895400796fc37dde6d

SHA512
1745362b5286f361cfe19e9da869cdf0d8e24fc21e2967399e31728c7e89fcba730903fa3247627db623b39467fc77d597cb443360307633dd665274acd47680

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f97617d8ed2c63f2b3b2cc89e7642c16

SHA1
45d85d3f69dfe76b4d4ea75da314f2f5e4193d8e

SHA256
7c8606242894a452b116678f4295df7bb75bc7f08abe1c2bbf28e35ba9c35ffe

SHA512
e6a2df34523d854b8e91d6672a631040bf50c5e21859d9a1d289baf37f12b1c5d27173e1bcf16c2043ca9d71ece00c49674adbb43850a602ab42d8a69b5db16d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79a99f83937ba0ab67fe730733be72ad

SHA1
5f6a0e65559573b5bd39f7ab2b26b88edade66bc

SHA256
3e2b2ce5931b161c57160f7bd88f0efe90316a13782e36943002d4a113a3aee7

SHA512
04832687a723110ff0760b25e0555cc0313120a674a4392d4ce4698adb769370445711955f94474fe591830c18d9f1ec49cfd9e3beb6c621e732ad997c4f5c81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac541657ed92decd700f0802fcd198ca

SHA1
a93130a23c7a9976fc78d1fe342bdb360089a8f7

SHA256
ba83552789ee385e9b8eda24377d7cd5b8d262bb4189f542f5725e0bae481929

SHA512
c03e8cebb49862428161b257827292787056fa02282e72173d3ea51b8577cce7408734503e9a3b41eb1bbf4267d3cd13c54395014d208898a04c9e0db41d723d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5bed114df96d849921b4c6685ec17911

SHA1
63dd05e7d82032192f71c44d82676b5e6342dad7

SHA256
816bea45ccd95a2718b794264d27541e04b24b2a97fe52eac43fe364feb52176

SHA512
790d61c22ad9c1e40692fc66e4c3cd0526788da637b631d145b308da3984e7292cb20403bbacdc034740e52eaa727380fcdb63773dc1726fba515e0ad8791ea9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f42832a250264bdf41ba2e03bd680f8c

SHA1
a3b34630a62a929f67914846130cc09fa5f9b4e4

SHA256
d39204272a25c2d827ec6ee5e650e193116c3f5ba816693fd164ed43279ec3ef

SHA512
49878d86cb7f45e1d39171021112ea881c047039bd8e385d2ec5e5a924be417630e852d164dc36ac3f609367e44acaff30dd76637fc98e4be311a8f06d0f26fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c99f1096aa2f503eba545d08ce598c2

SHA1
cc3b78554d07fe6ab5567c2e1e0e535e4f187d5b

SHA256
3c83efedfbf17dfd0484889643955749eb47fd0c3826e559abb8841c901763cc

SHA512
7410e59e01f79b565106823d8887b39e276ed42e5c0df70cd3776b1f52c1167bbad5bedcb32a8a4e775dfe584db65ff62e77c2dac9840001c2ce42f7f265f3b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0007e7396d6c854b088ef05d0d3c211e

SHA1
f6fce7f61f7a54fcf9cafaa4e2636fc11ec7f9f9

SHA256
da02696ea87787b96cd37d5fb545276f2a1109b2445c7bbbd40d0a89296f2ff3

SHA512
555092b14c3a1cce20946e01ed5026f0589b2fcc15ec96b046c179eed7da9df1f33b47f73a3028ae59068b97e90a58633414b5b423ffdb1eadc06e1a68f00a6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
090d12afa178fda51ccada966981cc09

SHA1
06ab9f84e667cff89f73a14551a877253dece14a

SHA256
d0f8a121177d54f6e0bc0f1fae3c8bfa966206249c8ccc35228859269b3e267a

SHA512
4c0196fdcaf2834442cb81d82a8de4712b21ce299978bd384920306ddfe92f465a89b30905c4dd2692ccb0923401d93c4f326ddd4bdc630b7dd1aa022ac1bac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f96801dd84f8573cffdedbd39024bdd5

SHA1
efa902e8fbf7ee8e974091de0fa7f7b8f305e843

SHA256
09edd5b8348e5b1515b7619a20ee521bb6f24891dbd30fba167044d9493e355f

SHA512
695536cdbe653c533b9fc32459ba0bf6c5d91559d84bcad6f89be6fe0a57293520cbdc009782ff7ee5c68bba7c1d01e33e5c523457dd049efe6369282a3877d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e6b2eebc7a38dd735a7f4fbf4cc9576

SHA1
db0fbd4c7de711cf6aa2850f1e3c045d74ae8401

SHA256
88f2b1f6521e93cc49b2e1fd9bd88796d2f5baea65570e4435db7de29b578e5d

SHA512
90f0f537951f8adb00ef869d37a99aadfd6284cb7bbaf53d71d0c8ce2349240f85f1594d2891edbfba42618bd877b719bdf9ae18eb923cc9bc65dd5d62735701

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fb8709d2c79f84f8a04220dfed802b6

SHA1
d06f19e2f12fe4a2da6fabd9ef5e474505b97c3c

SHA256
a1c0d5a7278e2cbb8fb0cfc6d79773e73711b4727c90c81a5d6f16f96ddc4663

SHA512
aea2a53b0ad7dcce19f528b4bf76aba2a8d3405f6337798c4f6dd09a4ff96d1e8d3087264d344b5d6084cbec34385c5061442161e69714fc7f79ba961820184c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
227fb7f6a880aa715dc8400950d9746d

SHA1
42c1c00b5811a6ce950db2710f4124da97dc5570

SHA256
86b592241af72ebfa9862e35b60ab480f845c61e27b14064022690a14caca163

SHA512
3856e96cf04b77330cfc9e7fba065d6fd6f1f4f8bacf99fd0641ac25a1a8e2226b9f0d4e6f9d8108ea75fac2918b7cdc6e5daa2fc4ba2946a1ea9d907151758f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB29F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB2C1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.mmc

Filesize
149B

MD5
b0ad7e59754e8d953129437b08846b5f

SHA1
9ed0ae9bc497b3aa65aed2130d068c4c1c70d87a

SHA256
cf80455e97e3fede569ea275fa701c0f185eeba64f695286647afe56d29e2c37

SHA512
53e6ce64ad4e9f5696de92a32f65d06dbd459fd12256481706d7e6d677a14c15238e5351f97d2eb7bfb129a0d39f2603c4d14305a86821ed56e9face0bc252b6

Download Submit
memory/436-1064-0x00000000025B0000-0x00000000025C0000-memory.dmp

Filesize
64KB

Download
memory/3004-0-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/3004-35-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads