b2c9b70e86a6dafc1e8d73c1706ddfcdc929ee43e7132cda51518e331026b2cc

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/08/2024, 18:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
Size

1.4MB
MD5

b8ab97601149e1e9c9cf65d89501def3
SHA1

6e262b4e61fdea184177b0afdd21280ec98958d7
SHA256

b2c9b70e86a6dafc1e8d73c1706ddfcdc929ee43e7132cda51518e331026b2cc
SHA512

31a5131f08820743e4d23c14aa51fa65a2865c96f5697f5928901fbfc606bc2843950e562a60a0724af198a9ebaa383c38379cffe3232f2dd6da49badc1225ac
SSDEEP

24576:lkr/4p6qO4pDlPJsZtZQk5p8hulbEwfDpBzjRvdsxlTShiVPdI:O/4Qf4pxPctqG8IllnxvdsxZ4U2

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 10 IoCs

pid	Process
588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\jishu_024101\newnew.ini	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_024101\sc\126ÍøÖ·´óÈ«ÉÏÍø×î·½±ã.url	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_024101\sc\Ã¿ÌìÍÅ¹ºÒ»ÏÂ-¾Û±ãÒË.url	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft024101\B_0120110106010123410102010101.txt	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft024101\seemaos_setup_BC21.exe	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_024101\newnew.exe	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_024101\sc\2144Ð¡ÓÎÏ·--³¬¼¶ºÃÍæ£¬ÀÖºÇºÇ.url	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_024101\sc\GoogleËÑË÷.url	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_024101\sc\»Æ¹ÏµçÓ°Íø-ÔÚÏßµçÓ°.url	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_024101\sc\ÍøÉÏ¹ºÎïÍøÖ·´óÈ«-Íø¹ºµÚÒ»Õ¾.url	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\jishu_024101\jishu_024101.ini	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft024101\0120110106010123410102010101.txt	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft024101\guoguo_024101.exe	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_024101\ImgCache\www.2144.net_favicon.ico	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_024101\sc\²ÊÆ±¿ª½±²éÑ¯-ÔÚÏßÂò²ÊÆ±.url	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft024101\a	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft024101\wl06079.exe	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_024101\FlashIcon.ico	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft024101\CoralExplorer_200401.exe	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\soft024101\pipi_dae_381.exe	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
File created	C:\Program Files (x86)\jishu_024101\dailytips.ini	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 807f795dc1f4da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6F915531-60B4-11EF-85EE-5AE8573B0ABD} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c7000000000200000000001066000000010000200000007f3919e547ffc98dba919328aaae05c7e3bf688fe1413a2a27c54d4d4743d764000000000e800000000200002000000015eb3ec79367ed588e7b04e09fbd9b0765e21a8f51705b2cbfb2730202a8f05b20000000c57c4ee072d6c25e44444dfc66eb004d4f631e0266c336e69c2d7f48332d4e7640000000f626f1dcefe595828e9660230b6827bf43f74e7f58dce608f7c51b25b5669c2936ceadf39444438478a63779b2cc4dcd7f285f17e0bb61762d09ddef185db443	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6F93B691-60B4-11EF-85EE-5AE8573B0ABD} = "0"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000043174f1aa2314a47aa677ebd5ad1f6c7000000000200000000001066000000010000200000000aff66bb90bf2aaea7274ba4739655fb4f39fe87f8be07fe3a1f319e7a2818ed000000000e8000000002000020000000c64e873b2d87a9f7f14189823d35cc3f40c6ece2a414f7c5920208b2aed29da39000000000a27cb2a3df21e5bd93de74f1600dea9e541d5510e7a0660e6d6a8144835a874b73bc7d24763140ded87d01324d2b2c4bb1c7e99a8e152a835e8f2c9aadcc4c1f0d3747bc48afa5ef0e51c595523e4740009af88967b2c6f9f65f0390ba83bf9909e3bb2d79587e539d9517ccef87a0b1923e7752461880b7f466eb911bf865704d4fd2b23fe4e14f159e12adb66cab4000000029f89d67c82f5630ea63f0f1d90b99c4e0282deb2f2e93370bd5f3b4c8edd0ae7038e69c14e6223cb65c9417c85633f20762559f36a09a7c3187a9b45b5b2dbd	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "430513223"	IEXPLORE.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2944	IEXPLORE.EXE
2936	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2944	IEXPLORE.EXE
2944	IEXPLORE.EXE
2936	IEXPLORE.EXE
2936	IEXPLORE.EXE
1320	IEXPLORE.EXE
1320	IEXPLORE.EXE
372	IEXPLORE.EXE
372	IEXPLORE.EXE
1320	IEXPLORE.EXE
1320	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 588 wrote to memory of 2100	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	30
PID 588 wrote to memory of 2100	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	30
PID 588 wrote to memory of 2100	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	30
PID 588 wrote to memory of 2100	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	30
PID 588 wrote to memory of 2100	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	30
PID 588 wrote to memory of 2100	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	30
PID 588 wrote to memory of 2100	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	30
PID 2100 wrote to memory of 2944	2100	IEXPLORE.EXE	31
PID 2100 wrote to memory of 2944	2100	IEXPLORE.EXE	31
PID 2100 wrote to memory of 2944	2100	IEXPLORE.EXE	31
PID 2100 wrote to memory of 2944	2100	IEXPLORE.EXE	31
PID 588 wrote to memory of 2740	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	32
PID 588 wrote to memory of 2740	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	32
PID 588 wrote to memory of 2740	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	32
PID 588 wrote to memory of 2740	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	32
PID 588 wrote to memory of 2740	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	32
PID 588 wrote to memory of 2740	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	32
PID 588 wrote to memory of 2740	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	32
PID 2740 wrote to memory of 2936	2740	IEXPLORE.EXE	33
PID 2740 wrote to memory of 2936	2740	IEXPLORE.EXE	33
PID 2740 wrote to memory of 2936	2740	IEXPLORE.EXE	33
PID 2740 wrote to memory of 2936	2740	IEXPLORE.EXE	33
PID 2944 wrote to memory of 1320	2944	IEXPLORE.EXE	34
PID 2944 wrote to memory of 1320	2944	IEXPLORE.EXE	34
PID 2944 wrote to memory of 1320	2944	IEXPLORE.EXE	34
PID 2944 wrote to memory of 1320	2944	IEXPLORE.EXE	34
PID 2944 wrote to memory of 1320	2944	IEXPLORE.EXE	34
PID 2944 wrote to memory of 1320	2944	IEXPLORE.EXE	34
PID 2944 wrote to memory of 1320	2944	IEXPLORE.EXE	34
PID 588 wrote to memory of 1916	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	35
PID 588 wrote to memory of 1916	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	35
PID 588 wrote to memory of 1916	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	35
PID 588 wrote to memory of 1916	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	35
PID 588 wrote to memory of 1916	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	35
PID 588 wrote to memory of 1916	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	35
PID 588 wrote to memory of 1916	588	b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe	35
PID 2936 wrote to memory of 372	2936	IEXPLORE.EXE	36
PID 2936 wrote to memory of 372	2936	IEXPLORE.EXE	36
PID 2936 wrote to memory of 372	2936	IEXPLORE.EXE	36
PID 2936 wrote to memory of 372	2936	IEXPLORE.EXE	36
PID 2936 wrote to memory of 372	2936	IEXPLORE.EXE	36
PID 2936 wrote to memory of 372	2936	IEXPLORE.EXE	36
PID 2936 wrote to memory of 372	2936	IEXPLORE.EXE	36
PID 1916 wrote to memory of 1964	1916	Wscript.exe	37
PID 1916 wrote to memory of 1964	1916	Wscript.exe	37
PID 1916 wrote to memory of 1964	1916	Wscript.exe	37
PID 1916 wrote to memory of 1964	1916	Wscript.exe	37
PID 1916 wrote to memory of 1964	1916	Wscript.exe	37
PID 1916 wrote to memory of 1964	1916	Wscript.exe	37
PID 1916 wrote to memory of 1964	1916	Wscript.exe	37

C:\Users\Admin\AppData\Local\Temp\b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8ab97601149e1e9c9cf65d89501def3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:588
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.178gg.com/lianjie/10608.htm
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2944 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1320
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://taourl.com/6jb4v
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2936 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:372
- C:\Windows\SysWOW64\Wscript.exe
  "C:\Windows\system32\Wscript" "C:\Program Files (x86)\soft024101\b_0201.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Program Files (x86)\soft024101\300.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\soft024101\300.bat

Filesize
3KB

MD5
53c4fb14dc46449d23ab697654d2496d

SHA1
d04a948a13650f8a68e8fb252705ec435744d831

SHA256
c53c012023fb31d7fd9d038a8977a2dfa81b1209cb9be76d4f7f01b464b32e7a

SHA512
ffeb7be3f048570632652ea3a43008fd9f4eabf08ca68344b483a1889d8b1acd0a57100faaf41ef37f2cb865982f831fc08acb245b6f72ccab9d88786527efc3

Download Submit
C:\Program Files (x86)\soft024101\b_0201.vbs

Filesize
348B

MD5
aa306961fd33fd1c9b0030ad76c906fc

SHA1
5b22d0309967d82f72de133fc6acaa39fbfd595b

SHA256
ab4b10644d16313e6ed80ed3564eb70695607f9151ed7b2d0d56a66fa84b5dd6

SHA512
93302f4a768f30de9f3f56bab3d1eee9c508c5859856dd477c43101bb5c7f0e6a228f1ea8a92cc3aa48191136511377d764ce6c9add0d43d7d712d75faab9726

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd72960da5014f0bbe6d868a47f578ab

SHA1
666630648ed29da7241a6fb6341e437ee713d4f3

SHA256
7fdd12c48b87f8a3cbab1894d5107aef0240fc39658e1d1b1e8a419fa9d79f65

SHA512
02239565cabbf6a09516fd8d0b5f1be181d37b1a7fd61890e6edba0e1f70ae4a2f376ccca3f0a3b7c716878dd07e08835156dd6d508a52b80a3f152c24a1e65e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
674101b08894c565aafe4a29c5dc6619

SHA1
97d25593d554494a169cd193a66406255c05ad96

SHA256
6567631c9d61a604758a648fa3f84ff7c1bb7643f213051d679efe81e4690621

SHA512
ccabb9263bd8bbecd898287d5b5bece9dd28d1cdb936fcf0b31bfa25b7b77dd2479bf725669c04e36121ba71a2e29f745b28bf7d022c075f1e9aec9ed2a58d9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1e5cfc2988195c1dd696155c0948a0bf

SHA1
3696fe280a09af72c058b5ac95df74d6159ef6a9

SHA256
c1950dff325c51d3179dd47b3264a5e63f3ddb5086894f7c932706a7c89ad064

SHA512
40313c455fa6ae9c992d76ed7166362dedf5525d2e90d9f1999c027062e0460ab826b32bc2803463e91ea25921e4ab7f16fa81ee65b3953c5f5c6f54db18d9f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ac4ef95669ad7f8bc000eca6024306a

SHA1
dfcd4ce4d035f92ce0acbae21321b9bc59d8df2b

SHA256
3a64c72486f702be680271834afb7f267f5d7c793a2a2fa97cbd003fae4136a9

SHA512
d1f28d292a445d687c45eb515a4a880308dad061d126bfb09e6c626ddd05463411f4082dfe3ade2498446dc3b8e9856b0d656ad729fadb821f91a6ed70ac8dcb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
258439a79a566e4922c4d0e86cdc6595

SHA1
0cc667a0c85c837dc28803ee1a57ce37002559f8

SHA256
667438015bb0019b7c4704d6536b3394e60402d26aa10c5d308ec296f6571714

SHA512
af10afffdd9cd41e66f44960068700a7cd196d659bb99f62364deaa3facd36720ee986aef7d7fb3e1907f7c5a7bf5ae959753e5b7366dd2ad165cb945002336a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
975424d2cddec8be24dfd6118f98a75b

SHA1
3d2c24dbd9f6613371f3d237f0ae22f1d56e24e3

SHA256
59a8bdb2eb1ff2d0fdcc8176a5e24d0228af58e6bd6cb8cec5d59a3acc40346a

SHA512
a929248c8670ee1703eefb985a12fbe47b7135af2a87b40140f7494ab8d042f00e119e6c63a3ff7dacbe53f375b56ce3747e32883edcb3118cd364f5e1c571e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e96a4b08cb6b40ceaf383b0e2e408ebd

SHA1
2925de8388d9d02de3ba48f445fe87803ce2c8a7

SHA256
aacec3323522289dd7db96b9313413d8ff7470e12a9b88d09fd345b74defd3e0

SHA512
65ae8c989b73313f963005ac45b37485307eaca23f8de77d060b9766be9175dd12651b4a6df9946c164d4f18fcaf6e98c77c7cf3824ec7cd0c3dfd5adc2a9fe3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b2b9c00bd1f8b4bb5b232cf68e0aaf2

SHA1
272222452e199bef486e83f4631876f7dba08ae7

SHA256
b5a5cbc738183f9944d033eb70d98a4889443efbc173ed7b79a4191c0b69b706

SHA512
e5e644a534dfae98467f11ce2fb90b9cdbcf06c2f11cf267ad06f1080d4848defd489cd10131fd6c4a4b421697fee48ddd65fbd101404b72a74b03b9fb002118

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59a3318fd96ea8ed60ef6f89bd9f940f

SHA1
d22a2ef313aa2b45077d29e855385e2ca4d474ae

SHA256
94154d39462e2c8d5e49f92bfa3858b09fe6e156e5553ee2265c979100a15572

SHA512
c4ec13065183392369e20c48efe044dd730116c25ef75a67a22890d9b7a8487ffe7efff15a8720f9e961223eb6306bb3d0c867f131ab6fc6f3d44698abba36f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1017832fd0cea3269f8b4219a94cd000

SHA1
549ae641add16ca12107d0d5f4eb228969248cea

SHA256
b3b729ff57b96f03bf19541f36e97cb91915527fbca27a1887f23323a77c3b03

SHA512
6aad7b35bba26b04eea52a21b2c179ff4051ee3b36c26a5e6ca6b3432b25fdb5db65f4a23457a23c5a125b085d2349a1b6f2fb5c79178c2646bbd177e8ae9add

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7e72456df9c585e244e5d08f9358422

SHA1
9e9c7f5d2d4637f41143427134b3c5a419871fcc

SHA256
081339db1615efff613d4aaba1da5a54ccc67b5bada1e06ed5c16d7d36752d33

SHA512
97155e9cd6a71d7270c99f69e61e421461d2c9183061758839b6cd4edd56ea9392dcf05eb27827d3256355cf7bc32e7a18ed66194491d4f724128196b8ded7e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dce472c8d7795547dcd1c7ea05760df5

SHA1
863c1b3ed1eb2a61635dc7bbca810c6a44b778da

SHA256
bcb0cf8afb4d8d79db0f2a8d608e0f471d96c1170e37aa2409b4578eb1dbb3f3

SHA512
5fc981ed1a3ba8534b8990164b650cb33cb521cef50ae9bdbad6a618e4e81fffb0397577440f33023d9a910a0940eeac3ee7352c9d379ba3392fbbad6385a5df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a387daeec838da432fb4def2c7a63ea8

SHA1
3b69b961e73234cc5cb521abfffeecd426aea735

SHA256
df9ba04c4cae7bb8e5e6486759e2177b6869f240bcc724c773ebc3475a5f7934

SHA512
906b9875e632397ac0115595b50d578bae56907bbde5cbf94154821fae96518913cc1347003ff068ec63c8094951fca12964d93c4a9b7deac0e61511ba746183

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
480b3afa755e72c01dd81a6b1c1807cd

SHA1
d61b5a9b15cb6f3c6cceede6b4279df235be41ef

SHA256
036b57a8eb716724c8f678685fb006056dd0e7e75741b57d7e863acd07af6a45

SHA512
25b34b838ab9b03105032e59c37e28820d3c7b1932eb4fe19cf1a995d6db3ccbca1206796bdf573c49adab67f1c53dc76d678271d7bb518a04b1a5be0f731549

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6720fb30b0f8cd21866d99fac9f99ff

SHA1
8816486347f558697a0894abc762546202d7606c

SHA256
10dcb0388655d96261c928e78dcf15754798f1925c46346674e1e16e4c5d87a4

SHA512
730dc721d3786e713700cdd09260ea360ab8afd1ef702812654ad4116e7765ad987b3a54a4ac4bdf46b59686b6165efef19b7a037bc98543eb938f38ff4ea8be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96f218036679e8e1a6d0722ce9e187df

SHA1
9e4200ebe41dd5ac2ed8d67e63ff5d9f93c28e1c

SHA256
99761a298b10e6926234915d0f66cd8a1539e97d6c3802ebca6fa8f8082000ff

SHA512
5ad0bca25e700d35bd8795694622ead6c8f344c2c4028c4358f2c60161ace51818b04f6d0e99458bd33ef2141d3e17a79b3d61f9c3134df7ca892a28196e3848

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea40e02f6171d7456244cb10d514fa33

SHA1
51cd373acdd245157902d8e89d9f1cac7155ab45

SHA256
daf78b5563a975650064980daa33a523d41d323f700095f914dee177ffb6926b

SHA512
b3509d998d5e1563c7e6a2f55a3c371f1798af161188ab52579d2d8c6b352ca9128b76095bad39c060b3fd1dcd386d9fa3d935fb57a2a8ef6030e30c43cbe866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6F915531-60B4-11EF-85EE-5AE8573B0ABD}.dat

Filesize
5KB

MD5
a96bc971de5878474c85b2055a4a2a4d

SHA1
2c219ac466e9385bb8a352e095650be43737b340

SHA256
e16d2f1b74ecf93823171669a0458c8f90951acc12199d87ee3e5b649690b02c

SHA512
7cecccf0a0170297cd5bf327813e4dbabdfea8342972f85377b63cb10593aa27114abe938789d82a51f2e566218679dc8f4adc1e5c07b8ace57596f6ee83157d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{6F93B691-60B4-11EF-85EE-5AE8573B0ABD}.dat

Filesize
4KB

MD5
bba204804a134a5e810cb4e59a30e182

SHA1
ca76c7126bc616bf2061c32719aa2bdfa5a7d961

SHA256
2654cb9dad82416902563cc478492c7a30a7e5ae281db42c50a4e6a951c2d420

SHA512
a62de4cf1c1fae36a66beae2a8a65c6c7ea21ea2e2314f6d78a1642f94cff02f068610d3ba0475c0848eeaebb0b9aee5e859d2603a7aea7cfb87197e7a4b35af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5563.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar55F3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\ Intornot Exploror .lnk

Filesize
1KB

MD5
77cc393d7e31cbfc3eb67dfbb1a8ff6c

SHA1
58b2823eaad1833dd83ca937f782b89e8753331d

SHA256
8c794b0db8f31491efc8512993334c70e8d65c1096eaf7ceb42d41bd24b63eda

SHA512
05d697197968f3483a17ea49411394c56debee733c41eb8dd56740a14fc46affbd93afaa7542198c394e5ddf8be2226f8a481daa6a8bd2ad3c3d44a67d35ebf2

Download Submit
\Program Files (x86)\jishu_024101\jishu_024101.exe

Filesize
1.0MB

MD5
e2590fb7bac27dbfa512820e9139f28b

SHA1
209d8d0b77c7a8863a3c68464ce47f6a3f00d454

SHA256
4369c213390dd318aaf57b841e338f0b781b16e61713c39e3d961d6065de1821

SHA512
a6b8cdac512c2d05eb2270f8b4f64248cc177785acbd8d4f0ad725acdd2c894f639e7e7259066a8014a79d69f213812dc09793a2bad7a3d6bd9a511f3ee57223

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7BA6.tmp\FindProcDLL.dll

Filesize
31KB

MD5
83cd62eab980e3d64c131799608c8371

SHA1
5b57a6842a154997e31fab573c5754b358f5dd1c

SHA256
a6122e80f1c51dc72770b4f56c7c482f7a9571143fbf83b19c4d141d0cb19294

SHA512
91cfbcc125600ec341f5571dcf1e4a814cf7673f82cf42f32155bd54791bbf32619f2bb14ae871d7996e9ddecdfcc5db40caa0979d6dfba3e73cfe8e69c163c9

Download Submit
\Users\Admin\AppData\Local\Temp\nsd7BA6.tmp\NSISdl.dll

Filesize
14KB

MD5
254f13dfd61c5b7d2119eb2550491e1d

SHA1
5083f6804ee3475f3698ab9e68611b0128e22fd6

SHA256
fd0e8be2135f3d326b65520383a3468c3983fa32c9c93594d986b16709d80f28

SHA512
fcef8ac5bd0ee6e316dbbc128a223ba18c8bf85a8d253e0c0877af6a4f686a20b08d34e5a426e2be5045962b391b8073769253a4d9b18616febc8133ccf654f7

Download Submit