87b922c2c6911584b5f52b4ff7ceb30f5b1f4a125e02f67207760ae3db698318

Analysis

max time kernel
125s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2024, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Size

142KB
MD5

eb85693a4b1b1eb580867256811626fe
SHA1

b8bf11749b0bc0695aaa09d5e9f5cd3001490389
SHA256

87b922c2c6911584b5f52b4ff7ceb30f5b1f4a125e02f67207760ae3db698318
SHA512

2eae7151965c1578765e70d1360dbf2e049d84d73168ee40f4c311e86c8b8b78bd5c2a4fe4e23dd81d10926a310da91f0bcb14bdedc25b824745b019933f28f3
SSDEEP

3072:dqBFJLzgOJJ9ZT2a0kyS8OwsxLZ4LaXUiYPAsobPpKY00X/6u0Nvh:EPdZhZ6kz8OJLZb9sobMuSvh

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 8 IoCs

pid	Process
1804	max2_133daohang4.exe
4368	D31BD71A.exe
4628	D31BD71A.exe
3664	D31BD71A.exe
2724	D31BD71A.exe
4424	D31BD71A.exe
764	D31BD71A.exe
3372	D31BD71A.exe

Loads dropped DLL 21 IoCs

pid	Process
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
1804	max2_133daohang4.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
1804	max2_133daohang4.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WinRAR\WinRAR.knl	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinRAR\WinRAR.knl	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Explorer\IEXPLOR.EXE	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\IEXPLOR.EXE	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D31BD71A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D31BD71A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D31BD71A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D31BD71A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	max2_133daohang4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D31BD71A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D31BD71A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	D31BD71A.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000500000001e3aa-22.dat	nsis_installer_1
behavioral2/files/0x000500000001e3aa-22.dat	nsis_installer_2

Modifies File Icons 2 IoCs

ransomware

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\explorer\Shell Icons	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3060166480"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 601425b79f0adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50b12eb79f0adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c000000000200000000001066000000010000200000007f58aba64b417999d185ad2bf53ab4ee7649f63cffcca74c386439a65dfd6d45000000000e8000000002000020000000dde3e3c4f4f3d9e3c9a96b74a19e768ae0c98654d001c71ac432a22b0d70cc0520000000cac4155bffc113e01dbf124c26583336b882c4a924b0a6a58f0dcf36c83e301c4000000022a909319d5c4a39599d0c816a58702c129368ec8eb8837bb1209a5b2ed51bd6825eeaa37c13ee13bbf51e38b01d837f9645244843b27fadf33e0d5ff8fb96bc	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31132319"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E1E9D279-7692-11EF-A2A4-D6586EC96307} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433520845"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132319"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3063291816"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132319"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009a7bf3bae5f3a549b81f23758225dc5c0000000002000000000010660000000100002000000009ac0f896a03ead0cc7f9151eba50dab002d25c0240cf6aaa3dd88da603eaa50000000000e800000000200002000000042fe87a218c49f85174d70985134db3655cca654c972f3224900fba3a11b3fee20000000c2c4555728a1a3ea8297b62df0b4104703607b0a26af76bc8d6bd01521f878244000000078b260f169ebe5a2d0de793c0f37376cc3aed51366521af6b724c81918bd3da7e648c35c908ca85d0c72fd4e9d3c0bb8e0e0ebfc30eb986cb38fdbd9682d1309	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3060166480"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe

Modifies Shortcut Icons 2 IoCs

Modifies/removes arrow indicator from shortcut icons.

ransomware

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\29 = "C:\\Windows\\system32\\shell32.dll,50"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Icons\29 = "C:\\Windows\\system32\\shell32.dll,50"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ScriptEngine	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Edit	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\PropertySheetHandlers\WSHProps	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\CLSID	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\ContextMenuHandlers\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\PropertySheetHandlers	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\DefaultIcon	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open\command\ = "WScript.exe \"C:\\Program Files (x86)\\WinRAR\\winrar.knl\" \"%1\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open2\ = "ÔÚÃüÁîÌáÊ¾·ûÖÐ´ò¿ª(&W)"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.qc\ = "qcfile"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5940D96E-6EB5-4E5D-8E03-1D9000A1B1F6}\Shell\Internet Explorer	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5940D96E-6EB5-4E5D-8E03-1D9000A1B1F6}\ = "Intrnet Explorrer"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5940D96E-6EB5-4E5D-8E03-1D9000A1B1F6}\ShellFolder\Attributes = "0"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5940D96E-6EB5-4E5D-8E03-1D9000A1B1F6}\DefaultIcon	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5940D96E-6EB5-4E5D-8E03-1D9000A1B1F6}\TypeLib\ = "{5940D96E-6EB5-4E5D-8E03-1D9000A1B1F6}"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ = "JScript ÒÑ±àÂëµÄ Script ÎÄ¼þ"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Print\ = "´òÓ¡(&P)"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5940D96E-6EB5-4E5D-8E03-1D9000A1B1F6}	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Print\Command\ = "%SystemRoot%\\SysWow64\\Notepad.exe /p %1"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\DropHandler	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.qc	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\WScript.exe,3"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ScriptEngine\ = "JScript.Encode"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Edit\Command\ = "%SystemRoot%\\SysWow64\\Notepad.exe %1"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5940D96E-6EB5-4E5D-8E03-1D9000A1B1F6}\InfoTip = "Intrnet Explorrer"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open\Command\ = "%SystemRoot%\\SysWow64\\WScript.exe \"%1\" %*"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open2\Command	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5940D96E-6EB5-4E5D-8E03-1D9000A1B1F6}\Shell	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5940D96E-6EB5-4E5D-8E03-1D9000A1B1F6}\TypeLib	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.knl	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open2\Command\ = "%SystemRoot%\\SysWow64\\CScript.exe \"%1\" %*"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\IconHandler	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5940D96E-6EB5-4E5D-8E03-1D9000A1B1F6}\Shell\Internet Explorer\Command	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Open\ = "´ò¿ª(&O)"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Print	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\DropHandler\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\NeverShowExt	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\ = "open"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5940D96E-6EB5-4E5D-8E03-1D9000A1B1F6}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.pp2345.com"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.knl\ = "wfile"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Edit\Command	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Print\Command	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shell\open\command	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\qcfile\shellex\ContextMenuHandlers	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5940D96E-6EB5-4E5D-8E03-1D9000A1B1F6}\DefaultIcon\ = "C:\\Windows\\SysWow64\\SHELL32.DLL,220"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\FriendlyTypeName = "@%SystemRoot%\\System32\\wshext.dll,-4805"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\ShellEx\PropertySheetHandlers\WSHProps\ = "{60254CA5-953B-11CF-8C96-00AA00B8708C}"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\wFile\Shell\Edit\ = "±à¼\u00ad(&E)"	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2828	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2828	iexplore.exe
2828	iexplore.exe
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE
2244	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 2760	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	89
PID 2568 wrote to memory of 2760	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	89
PID 2568 wrote to memory of 2760	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	89
PID 2760 wrote to memory of 2828	2760	WScript.exe	92
PID 2760 wrote to memory of 2828	2760	WScript.exe	92
PID 2568 wrote to memory of 1804	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	93
PID 2568 wrote to memory of 1804	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	93
PID 2568 wrote to memory of 1804	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	93
PID 2828 wrote to memory of 2244	2828	iexplore.exe	94
PID 2828 wrote to memory of 2244	2828	iexplore.exe	94
PID 2828 wrote to memory of 2244	2828	iexplore.exe	94
PID 2568 wrote to memory of 4368	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	96
PID 2568 wrote to memory of 4368	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	96
PID 2568 wrote to memory of 4368	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	96
PID 2568 wrote to memory of 4628	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	98
PID 2568 wrote to memory of 4628	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	98
PID 2568 wrote to memory of 4628	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	98
PID 2568 wrote to memory of 3664	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	100
PID 2568 wrote to memory of 3664	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	100
PID 2568 wrote to memory of 3664	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	100
PID 2568 wrote to memory of 2724	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	104
PID 2568 wrote to memory of 2724	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	104
PID 2568 wrote to memory of 2724	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	104
PID 2568 wrote to memory of 4424	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	106
PID 2568 wrote to memory of 4424	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	106
PID 2568 wrote to memory of 4424	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	106
PID 2568 wrote to memory of 764	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	108
PID 2568 wrote to memory of 764	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	108
PID 2568 wrote to memory of 764	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	108
PID 2568 wrote to memory of 3372	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	111
PID 2568 wrote to memory of 3372	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	111
PID 2568 wrote to memory of 3372	2568	eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe	111

C:\Users\Admin\AppData\Local\Temp\eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eb85693a4b1b1eb580867256811626fe_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies File Icons
- Modifies Shortcut Icons
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\WScript.exe
  "WScript.exe" "C:\Program Files (x86)\WinRAR\WinRAR.knl"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.7322.com
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2828 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2244
- C:\Users\Admin\AppData\Local\Temp\max2_133daohang4.exe
  "C:\Users\Admin\AppData\Local\Temp\max2_133daohang4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1804
- C:\Users\Admin\AppData\Local\Temp\D31BD71A.exe
  C:\Users\Admin\AppData\Local\Temp\D31BD71A.exe "C:\Users\Public\Desktop\Internet Explerer" /P "Admin":F /y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4368
- C:\Users\Admin\AppData\Local\Temp\D31BD71A.exe
  C:\Users\Admin\AppData\Local\Temp\D31BD71A.exe "C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Æô¶¯ Internet Explerer ä¯ÀÀÆ÷.lnk" /P "Admin":F /y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4628
- C:\Users\Admin\AppData\Local\Temp\D31BD71A.exe
  C:\Users\Admin\AppData\Local\Temp\D31BD71A.exe "C:\Users\Public\Desktop" /P "Admin":R /y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3664
- C:\Users\Admin\AppData\Local\Temp\D31BD71A.exe
  C:\Users\Admin\AppData\Local\Temp\D31BD71A.exe "C:\Users\Public\Desktop" /E /G "Admin":W /y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\D31BD71A.exe
  C:\Users\Admin\AppData\Local\Temp\D31BD71A.exe "C:\Users\Public\Desktop" /E /G "Admin":C /y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4424
- C:\Users\Admin\AppData\Local\Temp\D31BD71A.exe
  C:\Users\Admin\AppData\Local\Temp\D31BD71A.exe "C:\Users\Public\Desktop\Internet Explerer.lnk" /d "Admin" /y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:764
- C:\Users\Admin\AppData\Local\Temp\D31BD71A.exe
  C:\Users\Admin\AppData\Local\Temp\D31BD71A.exe "C:\Users\Public\Desktop\Internet Explerer.lnk" /E /G "Admin":R /y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4160,i,10369132178352108590,11047993562598554317,262144 --variations-seed-version --mojo-platform-channel-handle=3812 /prefetch:8
1⤵
PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinRAR\WinRAR.knl

Filesize
10KB

MD5
8d37b6390218a7ab80b77de294a62139

SHA1
5cba8411e8e3335f19f7941971c12e321b2dcd81

SHA256
9cee3c10565f11bf41c8e66ee302f15c8aa60d3cba56003f72ddb038df31269c

SHA512
b26b45331704800bf141f73e228fa0eb9a5d53637e6dcac7824bb582895799a0e5b4705dcfb4b225b0035edfca092f7170ade10f8bd8812b9949db09dfc194d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
d05db975cf07282910d2eeaf4d1d6e0a

SHA1
ee43161120259ffd9a634c71ad97a786a228c559

SHA256
3198a8f5168605583124b415310f2b135b6233cd3ff9d3bec9b064d609f86e5e

SHA512
c0aeba576a2b4baa4c38b4b4176137c3c72a426e222cf16424e333cbeb16e559499fa9c70d200adcd71bb012c35e65478772879071c80f7f9a2b945c9f6c0f3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
d823f843e3047f402838c6b008111f57

SHA1
67f3275289fc161a89af2921c4bbaa8166995199

SHA256
a683d933ec8dda313e56017ff81071c5aba953da6dd14785048e92796cffbeaf

SHA512
600a9f31f8f8ad36fba5b1cea3b58316be4d513804d3515461d6c199e5f8e200425f567d954953df3bad20f17a12d591c859b100d3b64571ec191e65aaa790e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0KP8BKDN\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\D31BD71A.exe

Filesize
44KB

MD5
78fd41a1e1d2cf1c7657cf80bdde1164

SHA1
acb97223f909ab20dd0b0e655a8869e78b056d2b

SHA256
01259b3cd50d39ca21b03af4e22a7bca2b91cf11ab4ce78661c646f08f6bce00

SHA512
317e4013bdd70cd50d28961581fe7b774116ea83083718c9db921a86adab5c8d2d3a5cdedd9d172ba65b7a3c7b0699aa8546061b995d3f62e10062f568b78077

Download Submit
C:\Users\Admin\AppData\Local\Temp\max2_133daohang4.exe

Filesize
65KB

MD5
b904cf041cacaae74655cf009acfed2e

SHA1
028ef889562a55bc98119fe2c186efb35f556bd1

SHA256
72f4498744d1c856eb35028fc0fa59bf0a78b0fa833c49ead54115f08c2f3846

SHA512
4ebf41f49fdcb1b70c6b88351c85dff98eb2f75787e36b8741e922363ec8134399450351c431cefed42d1757163eb6196275d2c6509a9c4826bcc4961d726d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn5929.tmp\InetLoad2.dll

Filesize
21KB

MD5
33322da8b36ea8b67448ec34c827a319

SHA1
45cae4b64ecc9bb5d3f1e01faaa14e067e74828d

SHA256
fcc886a8ef7575e292ef6210902581273e33047da2f3f6e0092b7887a212c2f0

SHA512
e97a4b427e89832c6555ac64044b5b3745164482afd3ff7c4b17005c99f245cc7c7e97653abad345810caca3f472c43f51036157f32926ea81306c939e9e1c3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4F74.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4F74.tmp\inetc.dll

Filesize
20KB

MD5
8d8fdad7e153d6b82913f6fdc407d12c

SHA1
aabbeed33cd5221e4cb22aab6e48310df94facfd

SHA256
e727c8bba6686c4814602f2bc089af4b4cf3498d1dbe1a08d8c4732da5ba046b

SHA512
42bc0ce1aca63904c34025307fd4b1d9f480ae47e42e7dfa48bbbf8286d947de2989435ad7a748951291307949217afeebcd31d10a1356c9366d3187085773a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4F74.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsz4F74.tmp\nsExec.dll

Filesize
6KB

MD5
e54eb27fb5048964e8d1ec7a1f72334b

SHA1
2b76d7aedafd724de96532b00fbc6c7c370e4609

SHA256
ff00f5f7b8d6ca6a79aebd08f9625a5579affcd09f3a25fdf728a7942527a824

SHA512
c9ddd19484a6218f926295a88f8776aff6c0a98565714290485f9b3b53e7b673724946defed0207064d6ab0b1baa7cb3477952f61dbe22947238d3f5802fa4f4

Download Submit
C:\Users\Public\Desktop\Internet Explerer.lnk

Filesize
1KB

MD5
1451fe15538363eaefbc7b10c5b83f11

SHA1
e6e6243601acab74b9e418a4fff45e3cacd51d13

SHA256
2520d7091bc352d90db4ff50261234d54d3d83c1619f8012b588acb37763d00e

SHA512
44c056d8e8c3729d7d98638cfb73c403c10c831db813cdcc0735f103c311a0719f3568e294c3f0e8301c7bfe5d80248fe330862e7f4f1cdbf60eb9d9938d0fea

Download Submit