43d1e7fdf8697353b8e01fe23a1a1a799b92ac0af0c6ffb2377f0982be97ec88

Analysis

max time kernel
149s
max time network
133s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Size

212KB
MD5

eb691f332be697e729f0db09a3561ec3
SHA1

5a5682bc41a7a3c74ac5891473cf09c7ec83ed4d
SHA256

43d1e7fdf8697353b8e01fe23a1a1a799b92ac0af0c6ffb2377f0982be97ec88
SHA512

3aaacdf637c295da5cf15144fb65e8251e76a7229ba99ebabd0a3a05c086a565ad38fbb14e1022de3648def0427d3bcf8d526885ec5ccbcf6338f4a4beab016f
SSDEEP

6144:dcyyU/A5rZRLEhFTnRa26s+Wdz8V7Wdfwn1nbmuSDmf:dHp/urb4A1WdBfQ

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2256	WScript.Exe

Executes dropped EXE 1 IoCs

pid	Process
2812	Program FilesV80J8A.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Program FilesV80J8A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.Exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7650B2E1-7689-11EF-A914-FA59FB4FA467} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d907000000000200000000001066000000010000200000009f2520e040395edc5df974ae4fe6a17ecf8e5ecca592800c53614378d6d04f1c000000000e8000000002000020000000a6c0ee61b6b496007ec68babe4be04d5b03c2f4708b1318f928daa54b7d77a2420000000151fe62fd6b4367bb93e684b5a1ffef6ef273cc50dcd17277748404e8d37656d400000001a8ca33d8b10dea11268d9e71f4555af7a098045fd184c5543d7344166cc8d2ccac4d397c8613e989a78625921b9dfa9ca1e06b889773536fdf964e18b56f27c	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{765C99C1-7689-11EF-A914-FA59FB4FA467} = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0e4254e960adb01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000d793ad506ece624c80bd99362738d90700000000020000000000106600000001000020000000cf7add793d4a434a1d9969fb9ff71cddea4ce91ca2f3a6b8149554e84d4ee708000000000e8000000002000020000000ec06a4aaba521beef255660e6dd8bbe0da5c05817628b26d8ed95ac1381133cc9000000080477c3261890601709727e7ca0709caa4c8ab6d86da17c369fc37ec1b22898f7a2999ef653d94905dc273249cae64863cd9c468132c5a7d489ee6bf13da9d0f443a6c6e77835f2a81a1c3f69f42bd7b697dee36862e903d02026c0d9d8dfeb6bf516ea0224c1d1668943bb5b22bee7c225aac79a3322e97c4bf3505a7fd61c2aff4b16effdfbfc32afdad514f2fe3b2400000006a37e913bea22ab897fb6c88a9a53114316e70b8c36641d444a795d612ea390eead3c5061405a7fa1f48ed1d8f2b3ff05469763c3b42b35cecf894eeb9e99f73	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432913691"	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1193"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1193"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.t17t.com/?1193"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1193"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1193"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1193"	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2156	IEXPLORE.exe
2716	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2788	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
2812	Program FilesV80J8A.exe
2156	IEXPLORE.exe
2156	IEXPLORE.exe
2776	IEXPLORE.EXE
2776	IEXPLORE.EXE
2716	IEXPLORE.exe
2716	IEXPLORE.exe
316	IEXPLORE.EXE
316	IEXPLORE.EXE
316	IEXPLORE.EXE
316	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2812	2788	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2812	2788	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2812	2788	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe	30
PID 2788 wrote to memory of 2812	2788	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe	30
PID 2812 wrote to memory of 2156	2812	Program FilesV80J8A.exe	32
PID 2812 wrote to memory of 2156	2812	Program FilesV80J8A.exe	32
PID 2812 wrote to memory of 2156	2812	Program FilesV80J8A.exe	32
PID 2812 wrote to memory of 2156	2812	Program FilesV80J8A.exe	32
PID 2156 wrote to memory of 2776	2156	IEXPLORE.exe	33
PID 2156 wrote to memory of 2776	2156	IEXPLORE.exe	33
PID 2156 wrote to memory of 2776	2156	IEXPLORE.exe	33
PID 2156 wrote to memory of 2776	2156	IEXPLORE.exe	33
PID 2812 wrote to memory of 2716	2812	Program FilesV80J8A.exe	34
PID 2812 wrote to memory of 2716	2812	Program FilesV80J8A.exe	34
PID 2812 wrote to memory of 2716	2812	Program FilesV80J8A.exe	34
PID 2812 wrote to memory of 2716	2812	Program FilesV80J8A.exe	34
PID 2788 wrote to memory of 2256	2788	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe	36
PID 2788 wrote to memory of 2256	2788	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe	36
PID 2788 wrote to memory of 2256	2788	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe	36
PID 2788 wrote to memory of 2256	2788	eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe	36
PID 2716 wrote to memory of 316	2716	IEXPLORE.exe	37
PID 2716 wrote to memory of 316	2716	IEXPLORE.exe	37
PID 2716 wrote to memory of 316	2716	IEXPLORE.exe	37
PID 2716 wrote to memory of 316	2716	IEXPLORE.exe	37

C:\Users\Admin\AppData\Local\Temp\eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb691f332be697e729f0db09a3561ec3_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2788
- \??\c:\Program FilesV80J8A.exe
  "c:\Program FilesV80J8A.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2776
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/PPTV(pplive)_forjieku_977.html
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2716 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:316
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program FilesV80J8A.exe

Filesize
36KB

MD5
a1c0a7fd645714f2716f6c908da03072

SHA1
dbe049797172af4a80ac2b320d4a281116c158aa

SHA256
80064dabe2a74e98372666490b449110b2cac804c6bfdd96e074de5e7e406199

SHA512
5384da0eb5db33a970fa2a3216002b19de5d188b7099eb130f67f84d9428f30f708bd983613fb2ef0bdf224a801218fda95fb19209e4d922c083d68fec2e36f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4319de04dd22ccd020b2742055679349

SHA1
9e7ac178692390c89e01df04d3949b658dc1405d

SHA256
f4eca2186c0955c650c004d2ec4e0b635fffa07ea774e119927de5c51f670798

SHA512
10b3bb9149f5325cd0490a8036c30a661bf2b6235f44daed0027017534e157bd5eb7e02a56076111e9609b939e4537aecc66a7ceceb1dc64cc79857c949173d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
513ea9169557393a5da385a679e4f98f

SHA1
cb1d75a000b9d12fb392739aac43f27ad6da0349

SHA256
5508dbe1900993d616732c386377ee70d526a44724f36ce09ec883b34e262356

SHA512
54402d2b955898cd111caea4f236cfcec7a04b7f01ace5e637300041c80d944be8ea8674c615df0b41fca2b5d7cf746d85f02edf3cd3a6a4f15cc32282933f56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97e4a9fbe8018f5bfcb09b8f173ae6ce

SHA1
dfd6aca091ec3eccdb945b21237eda7e6a0b188f

SHA256
5404183e4a5a68e864236d0637a256f1b09068d75e43cd7ea91e4ddb71eebf2e

SHA512
cdae11eb3fdbecc4196ed9c5c448c44df1b96bb5437648072073ed1c1f323c7104e2c1699645fb29c3e58d613d5dc827dbdb69806b332c1f55b3b3b373e36399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
358fe446bd673ea65b6e453d64789cf1

SHA1
8449ab33314fdcf5ea59e8df5b6232bd81920160

SHA256
9730da2e03ff68ca83bde12f5caabbad7756ddb24bd1d64b62e153203901f4ff

SHA512
b0ab20df0d2449b63760c1c53a754cde2035d22400a0f42eb0e62d46602b1c58a99289e2bdf60964d7f166b1b5e86da14c52a02fc28b378fe9866bd8340dcc85

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
370e502da020e9382a797e0063bac152

SHA1
5ae103e754d1575ab45c4807eb111d27c20de62b

SHA256
72333eda8ef483c392066e47a4f3f69c8e115924fddea378b166d8ede4673771

SHA512
fe6479c560ee7739bd8648a3c20cb3706cf1f8e9bc48803f58d68cb0741f8352afc3fee327827722b34bd3ec3d30ff3046c5bd140eef752ea9ab0b11bb2e9bfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f091a911185488bf263ec59e2c46f21d

SHA1
1725ae8c4ebdcd4331cb61a276b5084fe43a8994

SHA256
864db99085adb013b790f05ff1ef63e537455acb43591496bb0f1eff85f907a5

SHA512
09473df9132d63c2d7d2064a4563acb85f667637802c89f05d23113e902282d0b2bd7a07a59e30579165be20375e08d9838ac06d994538b63989c096474ac52d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc7f75eed0c49cfa0f1589fa2f1b19b9

SHA1
790bdc6911b7bf572cfd64680f6708d774d62f45

SHA256
a1e20098f934a94effbd26e1b5f1278e91ee06c81dcc5ff24860e2b1b5cbd43b

SHA512
9409b8b3d621f3660c2080b23581aa5de08b5e53d4d5d7a4885bdaad763393a3404ad2096d8060d55a92215a1d1d9297b6c38f71753f05e920bd2e304117bdfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcaf86161a8a96c1e6b63ff1bad1f767

SHA1
45ba97aa09484f30e919cbde7d28ecaa48d32364

SHA256
d644ce76f5c8486f9fb4507e3831746732510d3b5077ef0cf7210b5fedded982

SHA512
9f4583c19cb7146e738ec731d0e1412b1b80aa007d3fa9d85668c916cfe67a24a7b936ccfba1d151d752daee8e34bf3c868e9a05e99699cf2cd88f6a3fd3c0b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6b2b946d59f709005d8eb67f9d66c98

SHA1
2c22538114f1ae5d12af6020dc482adcafbae166

SHA256
ff0243a49b5c4c97a5d607e1d26cf2f0bebd3e24413504266b14e590057c292f

SHA512
0f5be2a6bf87c41303371c756d636cd90af83c58df6009680980bf275a93de0521a57604ad52627c94780c87a8dc80c456314ee7b4d4ecf2a45133fc75448e93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
368426034f5b79062d6d561f97b6fcf3

SHA1
e92f713479c9a7060052c6b2369d754c0f77fa56

SHA256
0a9fb189908361c3787f27ba68e35b2f26458ae8e44c19d5939160b989b4bb7d

SHA512
41e790d5419507d47d07ed8b5fc7441121cb0be3bf7177b4f0f6ed83995268a8ef069ddde9c4af484d241899503e00c87e94a8858bf82bda83874dd85ef51e04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7877e6f9c5e9070de44dff513e778338

SHA1
0827bf6a61b8dd55f00fec1b8bca963fe8ac8f81

SHA256
52c68441ff7a5d8bb0c98b01e3a6ac8c50427924295dea5dfad1aa22a453c678

SHA512
c1acd0b30dbde0ae48f80dd4a396168515fc533ad225b7575d65971e986798a28efcf2a12b7270ca847d50aade5d84789f44a094eaa60d7825ff26b3406ec059

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
231abafc4c1d6e002a8d0c1701de6363

SHA1
6fdb2541644edc30aced5071c09629c8e030cf1b

SHA256
8a577f77a3a045126ef7338f52152c837a8897fe8749c2ab20951e8c8fa944fe

SHA512
e7d929faaabb0390acd9e8f890b7651d4f2b053f04d644f35fffd784da2081dfc428e437fe03e7cfb299cc78683c789d782a2e9b1f443ae4260bc41d91922ed7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58b421f617e841c149201f72cd0af476

SHA1
5d419ef8708c577cec4e7bfb16178e0a1380cbe2

SHA256
6d9f9c5348cfd6b3892d2c5bd02fd43d5d7dba28a7845897788134863f7eb220

SHA512
825a837ebd7aee2c5e1bd86bce526cf8be89926a38ba81b73b53d91a4a19bcb148147dcaa2b05f5a23068788b2a862e3e6f4844316ace837287b39d4fd212b56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fc97b4f916aefccaff26b1dd32f8eec

SHA1
9d46ad91946c8c9e0a1fe285d1f31313963a570e

SHA256
40f1856eebec4e0112f5d161dca9e14c42e4abb071fb1ba1129d1084adf7865c

SHA512
eb655f24d343ad754cdc6ed5110474c1471a1b9f78f172f724b57d04110197f7a2105e0fbe3934df155860c74c8a8b61aae08be4b1de019ce737405e0e7dcd5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e374ec5200276aca932bc0b248cdf96

SHA1
9228009e32bfb3c12f7bdddf8860eccb466616e2

SHA256
4229bb5978d88b0b99086f6b051033decaf9037d0b916885a28ce0e210d94385

SHA512
c6a81d96292902610537bf3698acf6824c4a56bffba13ae219d4be24d031709320cc9ca621c63b196d040735f359285d3032a14d1815a2e28cd6dabe6bfc0837

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e170cddf7d5ff8a1120b6e1e1ddc48d6

SHA1
6bb3d11e5209b5b560b3d537a0e98917c3028b70

SHA256
5e70f24b1caf07beaff394a2619493eaca13ced074a1c00f2c16459976cf63eb

SHA512
c963965e004cc2e63099eea95fa66d724267566a3334e5083be2b6b3231b972b36e15660cbc6b5d93539bf3244579328cc167103ed71762873a9a7d5b9d988fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8da50cfb379b791882cd6da1bca0381e

SHA1
2979648aa2ac914231b9744cb3d57f91c5051e46

SHA256
649e628fec20b783fcf3feac524d30cdef75863b8d7e1d0112c28d6e0eab3bcb

SHA512
f19c67641cb88245f637279e79446061f771780bc2b893d1e48b4e659afa4e3e2d86bd2e484db0c88682752ed71a4671381a8316502c4b763d2ce53fbc6ff060

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f88bc197086f1e990a0a44cd2b9e7e7e

SHA1
43ecec70c69abb3292306425d4699a294c722d71

SHA256
d10b1b67d0d8e27fd28258f5c55f648d9a5920b8cb1b4823a08cf95adc32b8c1

SHA512
fc1d6986dac019e5b216fecba8bd6ae40147ee0f1c984631760c1a697c8821315f7fac49122e6cca59687575f3cce2d0e93faf0bdb6ac28bdc498e5a645d7d39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2978da57afeb71d251e3fe5213e63994

SHA1
764204359eec4b2d67082ac75d900a5e6fc9cfcb

SHA256
c7c0e5710d6fa0ac04c101f3b2acac172d31a1f5d37542df7dce5340683bdc1b

SHA512
7d5171c21e34e71071eff70c97dda99ef258d45ff76b81f02391dd216b30fa9d2db635f5d5cdabdae4196064279d655b17dba83948da4e38283de0e575c4123b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7650B2E1-7689-11EF-A914-FA59FB4FA467}.dat

Filesize
5KB

MD5
174e50b56f689dede6b6b592dcf46905

SHA1
f9025f23a753e9512fa26d7e1f667e07d96a2b84

SHA256
db202856ac3918a52c905b663aadeaa5960c62f68087e4be2cf63847fc38118d

SHA512
7c889274f9d91aba80a55111d1ec61dc0a645fe8ce0aaf63bb1f071039ca4fce340703ea0cf6edfd53f143740a101d11630b247ffab063dbd2edd005fc731205

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCAD1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCB53.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
450B

MD5
5488e26081fcebb65782186b7f2069c3

SHA1
c214c52a1a4e3f04084929117599b2499ed2925e

SHA256
a00a96170266abb8b1d4aeff0faf5c08d727bab5ed4575386fce40b4ed349e93

SHA512
7f8468693591387f084fabe4ad80dd72e656314f80ac02d5933e8f377c07432ba3bbb37ee0ab13009bf27cee4348e5f0c42db21914689b9b8bae6e1246c3dac2

Download Submit