12430acdfbb50c4ba1d4fb4e456977890e3025866e9171cd5f5ec4c2551717da

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06/09/2024, 14:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

cfb41b0c68228fa0570bfd3dd412adf4_JaffaCakes118.exe
Size

395KB
MD5

cfb41b0c68228fa0570bfd3dd412adf4
SHA1

3f28858afae9878b1a1d8d1a685afab60a5f91e3
SHA256

12430acdfbb50c4ba1d4fb4e456977890e3025866e9171cd5f5ec4c2551717da
SHA512

7a31cc48662ddbcf39d2a21c89dc9a87c24c4d6ba3ab6957ff3e6ce5c3167c3f6a33c02b75184c86c6ef6c9034c3ca38d7a05fb022db9098464db5a9ce9270f4
SSDEEP

6144:hkW9ycvhT/fTZeaphIK6KgL9sYqshPuGAjg9C9qYiCaTMf4kRHJU4QHxTKv+:hkkR/fcqhIK9u5qXGAjgsinMf4TR

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2308	TrintT.exe

Loads dropped DLL 2 IoCs

pid	Process
2368	wscript.exe
2368	wscript.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2132-0-0x0000000000400000-0x0000000000579000-memory.dmp	upx
behavioral1/memory/2132-4-0x0000000000400000-0x0000000000579000-memory.dmp	upx
behavioral1/memory/2132-18-0x0000000000400000-0x0000000000579000-memory.dmp	upx

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Ganst.dll	wscript.exe
File opened for modification	C:\Windows\Ganst.dll	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cfb41b0c68228fa0570bfd3dd412adf4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrintT.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "431793342"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30a702ca6500db01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000c86659b0f8fa88d23914c6cc686c452e04d91831196e144cf5f7fe0e35ccbc6c000000000e80000000020000200000001b08b64436a9b98bc88bbeceb845ed26ffbc50fc7a11b03068cf3b5309209db22000000054f35cd998d9c6c0396f567b03c65163c7d5e985841b1242cc57b212ccbdd49a4000000041b487bb3d7b8bb2c5359c5bff975fc2ccd931622970eddad164fc216fd9c92d65351ddbcb012e11b663e7b1a36ccbcb82fd68c30c0f01307781f6637ed1c2af	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F2A92D31-6C58-11EF-8202-7A9F8CACAEA3} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd30000000002000000000010660000000100002000000047d8a824e8eaf2e90dc1cdcb0b95fbf1287c6ad0668fc19f59fc72562f15c552000000000e800000000200002000000086debe6b631f98bdaacc81bca6781da23ccc1c172c848bde81ceb14ad4ed7e189000000081ad7c9d642b081b73064687b8457ea3442b64ab404ab9944ad702bcfc8bdef0698f5647841da9d397505760b452582101d216a5a38de7ae2ef7109eae0086f7f5a33ae47ffb1047a3b2a658df51f415afc65ccf54900b5586cb8a0ad1004438db0c4a534bb7f11e3b88e812677a9bab5d837a8af3dad406734d25a296b5d82d694fc15b43a140f6b37cdb08da0377e5400000003fd6fb44f841a9071f0f2adae22d46e68842e26f6a0762f86a90536edf1353f5532154506f624e0a120c62ed4211c3f5304e2f9ad1b7f18fc04652320b804283	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED4F4FB9-A3E1-471B-839E-DA50D59D14A1}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED4F4FB9-A3E1-471B-839E-DA50D59D14A1}\1.0\0\win32\ = "C:\\Windows\\Ganst.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED4F4FB9-A3E1-471B-839E-DA50D59D14A1}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}\ = "_Gansts"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71EF9DAF-B4CB-4D06-BEDA-DDEBECFBDD2F}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71EF9DAF-B4CB-4D06-BEDA-DDEBECFBDD2F}\InprocServer32\ = "C:\\Windows\\Ganst.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71EF9DAF-B4CB-4D06-BEDA-DDEBECFBDD2F}\VERSION	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED4F4FB9-A3E1-471B-839E-DA50D59D14A1}\1.0\ = "Ganst"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED4F4FB9-A3E1-471B-839E-DA50D59D14A1}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71EF9DAF-B4CB-4D06-BEDA-DDEBECFBDD2F}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}\ProxyStubClsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71EF9DAF-B4CB-4D06-BEDA-DDEBECFBDD2F}\Implemented Categories	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED4F4FB9-A3E1-471B-839E-DA50D59D14A1}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED4F4FB9-A3E1-471B-839E-DA50D59D14A1}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71EF9DAF-B4CB-4D06-BEDA-DDEBECFBDD2F}\ = "Ganst.Gansts"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71EF9DAF-B4CB-4D06-BEDA-DDEBECFBDD2F}\ProgID\ = "Ganst.Gansts"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71EF9DAF-B4CB-4D06-BEDA-DDEBECFBDD2F}\TypeLib\ = "{ED4F4FB9-A3E1-471B-839E-DA50D59D14A1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ganst.Gansts	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71EF9DAF-B4CB-4D06-BEDA-DDEBECFBDD2F}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED4F4FB9-A3E1-471B-839E-DA50D59D14A1}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}\ = "Gansts"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71EF9DAF-B4CB-4D06-BEDA-DDEBECFBDD2F}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}\TypeLib\ = "{ED4F4FB9-A3E1-471B-839E-DA50D59D14A1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Ganst.Gansts\Clsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED4F4FB9-A3E1-471B-839E-DA50D59D14A1}\1.0\HELPDIR\ = "C:\\Windows"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ganst.Gansts\ = "Ganst.Gansts"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{ED4F4FB9-A3E1-471B-839E-DA50D59D14A1}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Ganst.Gansts\Clsid\ = "{71EF9DAF-B4CB-4D06-BEDA-DDEBECFBDD2F}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}\ = "_Gansts"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{97F84FDC-3776-4A54-9874-A5C0C321CC8B}\TypeLib\ = "{ED4F4FB9-A3E1-471B-839E-DA50D59D14A1}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71EF9DAF-B4CB-4D06-BEDA-DDEBECFBDD2F}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71EF9DAF-B4CB-4D06-BEDA-DDEBECFBDD2F}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71EF9DAF-B4CB-4D06-BEDA-DDEBECFBDD2F}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{71EF9DAF-B4CB-4D06-BEDA-DDEBECFBDD2F}\VERSION\ = "1.0"	regsvr32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2308	TrintT.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3024	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2308	TrintT.exe
3024	iexplore.exe
3024	iexplore.exe
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE
2872	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2368	2132	cfb41b0c68228fa0570bfd3dd412adf4_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2368	2132	cfb41b0c68228fa0570bfd3dd412adf4_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2368	2132	cfb41b0c68228fa0570bfd3dd412adf4_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2368	2132	cfb41b0c68228fa0570bfd3dd412adf4_JaffaCakes118.exe	31
PID 2368 wrote to memory of 2752	2368	wscript.exe	32
PID 2368 wrote to memory of 2752	2368	wscript.exe	32
PID 2368 wrote to memory of 2752	2368	wscript.exe	32
PID 2368 wrote to memory of 2752	2368	wscript.exe	32
PID 2368 wrote to memory of 2752	2368	wscript.exe	32
PID 2368 wrote to memory of 2752	2368	wscript.exe	32
PID 2368 wrote to memory of 2752	2368	wscript.exe	32
PID 2368 wrote to memory of 3024	2368	wscript.exe	34
PID 2368 wrote to memory of 3024	2368	wscript.exe	34
PID 2368 wrote to memory of 3024	2368	wscript.exe	34
PID 2368 wrote to memory of 3024	2368	wscript.exe	34
PID 2368 wrote to memory of 2308	2368	wscript.exe	35
PID 2368 wrote to memory of 2308	2368	wscript.exe	35
PID 2368 wrote to memory of 2308	2368	wscript.exe	35
PID 2368 wrote to memory of 2308	2368	wscript.exe	35
PID 3024 wrote to memory of 2872	3024	iexplore.exe	36
PID 3024 wrote to memory of 2872	3024	iexplore.exe	36
PID 3024 wrote to memory of 2872	3024	iexplore.exe	36
PID 3024 wrote to memory of 2872	3024	iexplore.exe	36

C:\Users\Admin\AppData\Local\Temp\cfb41b0c68228fa0570bfd3dd412adf4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cfb41b0c68228fa0570bfd3dd412adf4_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\wscript.exe
  wscript.exe /B "C:\Users\Admin\Lxs.vbs"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /s "C:\Windows\Ganst.dll"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2752
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.zettel.com.br/site/images/stories/notify.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3024
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3024 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2872
- - C:\Users\Admin\TrintT.exe
    "C:\Users\Admin\TrintT.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad1f99da1bf0da9c3740b47f809e9275

SHA1
a87e3ea490b2941be0fe22f69088be97e628f1fc

SHA256
d2cdfaedc5a7117783892635a9ab33301a543ed9342caec798a17aa051f4ba57

SHA512
30dedb14586015c2cb952af23e9c1c0fe8096520a13d3d2ed4fbbab14b87caf2b0b16fcfba60745e6c8a25271fc7623c98c6a7208662ffacff747352bbcc0723

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab3edc932c4e2db1b4e43b5de7a3f039

SHA1
3f1081bc0cc7c1d4f9474823853fe273dbbfde76

SHA256
08f8716bb71f6c935f625e9a8392dd0589b33f10d50308962d0e3be94251e7f0

SHA512
a8500687003ec627d1641aed2ae4514d992418a63d638b2853bf8ced5a75c87cb775efec6bb8f828fec752bc51e558c2a8c1c27a3eb8d91732e8e0127f2c1b58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
983a0d9a931534cd652e5b25b1ae9d74

SHA1
92512fca3d0aa7cfcf26b700eb5b43bf9c46591d

SHA256
6193923d4e9699167314c501938f1d995a6e7d871634fa9b182562a32e12ff90

SHA512
b27afab2d745cfb8edf9364b82483183f53fc62b6f379c3679e1c7a55cbebe4729dfe21b4100f748df30d5c3f8c451e6ceda756a64b02f119b4b063bb193f3b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa27a75ff86a870cc2545c2e75b072a9

SHA1
7b89c08773cb926b8230f345fa41f88db4fbeb69

SHA256
326f80a9493a194151725bf60ac9cf2d77b021a74907d887048bd1959bb21c3b

SHA512
b1acde971224f5d4909ed83874b351945a7c30dfa94911d184da33e99e034df1748da48b792e4be48504504e037ec1d6c54b4bc44d4eb3c7fff3c01ddc1df104

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae81630929d4276a7b09eb9f18d15195

SHA1
59c7cacb94b53b6472a647498dc98145f6d34cb2

SHA256
d3e81d4790120441628c8d11ba9340079526d8f25a987f55107edec3fa5a8527

SHA512
0656e67a76e46b756ca955d3c6168ff060f192cd75fe4009545a2203df4a8ba7bb1c2fe50084962e20719e7e4128dc877d6e6116efb0f0d0767030e9dc4b6abb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0107f661d4dfcd14b25a527187f8beaf

SHA1
82a690495cfa482d23bb17b425ef2bc5d472ad1f

SHA256
2200cb645aa906f3e6aaacca353834c4fc12981d63cdfc911d57c3ce7574a5e9

SHA512
cd4e7a8ebef42acda0f5df3f64356a7d464679ba5e4b2fcb42db5788081a7a6ce372288127bc2f14ddba06fdf4e94aa61b18241b9bc71d108b7f852cc54b36d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
996ddb7f65510b6e7a60f059be1d0aec

SHA1
82a551480634ba36d259ead70619cc54b0e35648

SHA256
5922e49441b6fa5445f234d5ee68686666d6d69d29720a8e3e39a2b8c9875cfa

SHA512
2a685808dd2e88d6d0a8de41f7bac11da3a57f130277c4e8fdc9d95f06c0e4d334df33cb8dca5e06098298affecc422e9672fdf8233486c1a6362a48d5fcb690

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
54e41413fe79328aebf50c92ae9eff99

SHA1
46b23fda04f3d69dc27803e9860614df82778a69

SHA256
22e7d774b69bfe43a97677b26f76bf3a2c4a4a0314b09fac505ae2d7857abfcf

SHA512
453bb50f074aed5e263d21e59f0bb2374c6e462eea284233d23ea9d0838c01660caf04b89f49bcdab775576f5d077d2cd86a4952b9150250bc9c305886944c70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da3eb53472f29ffd51c283b2f7311875

SHA1
39c03b002f40e6da53afb9dc22b03968c59fad71

SHA256
c73d004606a756fd91f12409dae3a89037493ff6148d56c37e63dc7e565d4cfb

SHA512
ab662270ce708aa67f905734666d061d81b76af0b5fe029c1dffed987b2761a8bb2feb095d51cba300593795919103650c7747d98e1f87e61f82673fb888516f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be0d1db7e8f0826ba6219413246bab09

SHA1
0865cfec21769e39472516721f85414e295729e1

SHA256
345f2314b4b1b3845007fa9549a7920261b147dd9ac4e2f001250044ed5dba7c

SHA512
dbb87aa6bfe2c1f363f9a5cc04f8ba64fe2fb80ab48d0eae2cbb7397142f2c14717bc39e9e6faa510257f8ac91cdc4992c35599f2bd400e6584c812759e492c8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
691b0feab992d090ec544c43c7662bdb

SHA1
cbaa400b5fb054cd3bfc625750b6612c37760c17

SHA256
54868386e49157a3001b1d12f65a78e73ed55a1616712bc2669293750a3dff19

SHA512
df91230b22497a82eb24bd9e4ee0cfe3cfb16f8c2fe20914be2fb3ee655835586eb4446f2e57878313c560546a7a21a4ce1b5e938e62920cf1535f46dd9f5dd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d505c763fbf87c7c85dcdcccc6da36a

SHA1
adc2a3a6c4f63121b99ed253c946688c794d2c09

SHA256
3d285ebf50187499664c1eaaa1555917f740213449e7c87158f06acd14915ebd

SHA512
f049349426b477ea7e47a3306b67ea5156ddf2b36d5391b469cdffd2ab7dea20c82255a9954fbe38f522870435d57ee1f90ee4fa14f579c617b49dde90a604d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3edb781f2d8a3cddcf375f51c337bcb

SHA1
b32afc19adc26644c7d8f27dcc25b0d7080d1b95

SHA256
4877bf84bbed58c4825e33cc1a22fbfce03217d8e7da82b8ef0fa6cb4f4444fa

SHA512
6134371e2c839e6cfc451d5a781fd3dabb8f66efc1f3e14f12cb56256d268946ce144ea5180063d4c53888b7d1647b191c401fa1cd01b5900d38c12ff10afea1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d431a26ffa0095971a4c430d3fea5556

SHA1
8dc83ea93635db9bfed6c0fdfbee2adf38ad5bf4

SHA256
ae22197a379eeea57870ca9dffb69bebb18382e28dd4e294080f1b26310c0281

SHA512
0bc55a1b4effe3eccb2330bd48803253311028348f806b3dc30e4d749b296802ce740cf92ca55dd4af220eef8ad4eaf7bf2a00ca9c788fbdd44d593d9601a9db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9cdd165c7d021ff1503ec8882e717cb

SHA1
72df7255fcd40218c81317e79be41d438754dd42

SHA256
564167ec1fb82a1a4f95635ea145f75bdd7ed8460fd5eacbc10902760a1d83ae

SHA512
dddadcb42ee305ef33e1fd4079d3795b32a9ef1072936651b4d91607c7e598221a109ad630d49eec13050791764bf4c136707d36440e244b01b72c91ec3a1acf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4848dda40266d261a8d08bff482f1e42

SHA1
14456e2b86deb4aca9d0ca7d3c169b64495e963f

SHA256
ecc7bf6ff59eb8cf2bc168bb548c455eb1ad8b465b07033cd8ef5eb7c1c6c8db

SHA512
06c3e7e9a861bc154f40b890aec6df01fd59e0975ab39adcfc1442e751ae1e75c1e6ff54c8726c3ad0aef1d2057692594c4bb3826db322bc3d3e33826cb512f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47fb80c284d37453d47f6fee7b48b4b1

SHA1
a885404f1a44affd042c21719d1e81923d74c00b

SHA256
2de7fb37324d5514a966df7f6c40147d19cb7132e4cb81864158b4cc652e0b9b

SHA512
6222cf19eaff0d972dc1ee9963297f2e2132ef7dd71ac3252f28d97223d24f573d4e45ebf16f274220b3d4f6f80677d87aa48a1888881dc1b7e2593199c2ef2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
909800ef2f1895a93dd6c19ef1e0f80f

SHA1
b2d798c09328bd0705ba65244d33ce3a409652ea

SHA256
cf4d336b4f329b6258152701614441365541c1a55192e509644c7e3d6d92fbbc

SHA512
0f39c53264b08a595bf50faaccc191ad0e70c5ed2e1582369f30d818d708892e57ae940814701f1282a7854d2cd72f55187c49a208f47ffb19409e9f1ea6cd8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7342569c646bb8ad48ed9d15eb746946

SHA1
3cc6739899187a2bdfc359ffeb52c0149fd4bb18

SHA256
3857c3a6bccccf06557f5562596fc5adfa1182befc58e1f5f9921a7402ee62d9

SHA512
2917eac630fb53dad58c04e0ca6fa5b08d5cb11bbd7bedda34039229cfba5f129a402ab67583ce8084d3100bfe9841cf73289c1b8e5655a3755c2a86db1e13e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab31BB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar31BE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\Lxs.vbs

Filesize
1KB

MD5
74e18bf23f700b50c7743b7792529c7e

SHA1
729fad1b840f662583eb0d734fa958ae42002d84

SHA256
aad04fb776d2a23349f03c216063d44ac483dbf88743e5cff682420fad241f87

SHA512
7eee01e4041653fccc5baccd55e10def1af2c5e95fb297864435f20663fd878faaeee9f348380b94614ba42cc1369176b6ee36a56f0028db6ed7050b13234b7d

Download Submit
C:\Users\Admin\msrt.dll

Filesize
992KB

MD5
8a7ea5ea1dbe208196b72f1c020c69f4

SHA1
236a5237157669e6adf3fa465b08674de14faafb

SHA256
f58e1fd5b7594e43501c03a72a9430d878ac25bb1aa4c6ae6b7a87e9face635f

SHA512
73851c395225f054fba0b6570ae40bb5a597d3eb3e9d132a5e17d3c524abf6288025ddb739109b12ce26a6e09c5c6fae7d7cdf68d63f63ad915bec0299da9349

Download Submit
C:\Users\Admin\olje.exe

Filesize
80KB

MD5
d410a16a133d0eb50f78ae3d18d2bbe6

SHA1
2f42c772cca20b9dd0f324afec40bb23bab8326b

SHA256
ceb1f834c3d2939380550e828c068935ca3db45be37e4670c36aacad251fccb1

SHA512
180518d4092b9cd9b4dc7a5e696bcf236f3cfb2125fbf66f0d6d76d6bf6dc53027d810a5237bded0313f29173c3b7174eb6be824e33f0f4df44e04bb2a8c258f

Download Submit
memory/2132-0-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2132-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2132-4-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/2132-6-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2132-18-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download