33fb6bd1e4fb0b70a6498c923b37b0d5e40a3e625a123beea8b5fd2ca757f2f1

Analysis

max time kernel
149s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeedd7fed36d232f5e82545efdf325fd_JaffaCakes118.dll
Size

12KB
MD5

eeedd7fed36d232f5e82545efdf325fd
SHA1

38b702d057e148021e31b11e3cc03740da7c4202
SHA256

33fb6bd1e4fb0b70a6498c923b37b0d5e40a3e625a123beea8b5fd2ca757f2f1
SHA512

e5aff5746eee026433217ed552661b7cc2e67185ac0277c8544eb1b31bf0fe8d30abc419c89f45ef3f8c9213ff8cb949700ccc543814c0a325c980c6a61cc2ea
SSDEEP

192:ELuHwPxde7dxnu6FYxjj48/T4xg6e51THKfXQtziprZ4wv5gq5Ca7FobeIHhk+yX:idPnennT8/0xC1D6XFZt5GyFwXBuN

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PreBootCheck = "{0a96f0fa-4b5c-453c-9bae-fc8a96fd9a67}"	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb00000000020000000000106600000001000020000000ef11a95cb07853baed9d35399dc356ba0fa47d8a8ad67697c2e6b194f59715ec000000000e800000000200002000000093783c614110ad42664cd4abf304e5d6a0bca888f39b01a6892dbe8666b5c1fd2000000066a59a9374afca914e80390854921e755d89cffc3f976999f4f89a233fb4fc8040000000448e5876b578fa2e03da95b2be12d78328a74c38e18260c10c6be14a2e97b1d380721231aadb6f2b33e5307d5b51c178b7362ebf66e6e6c9c0044c38e54a6618	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb00000000020000000000106600000001000020000000667e4e27bc20e7e9af375b8ef58aadff186a9c0834bdd173a82de8d4c3726162000000000e8000000002000020000000a51f28ac2bfb7fbad1f71f9941384c552df6f5c1ed6ff09418bc86caf8d150e120000000b3d51455494d88b7e8b828fb3e1abb37dbc22d98336993c7e929f82c55ec073540000000d30fbccdbebcd23bde50e9c00bb52d80ee7950b6abf459bacd2ea2581493ee5f5ca5d2291f4104176531fbc9892df537c5398751dd7c862ebb12dfbe506db846	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb000000000200000000001066000000010000200000004c6cde45f8c156c940a42db4a46e98b17ccd47ce0e2bb9821a672809980698d3000000000e8000000002000020000000141382afb2b2ad99d429755de135d9e7b023f298992e0c3a2fc7ea17103fcbfb200000008cf7b713d000e8adc64728732f9a86852d5c5ddca56379f9fddb783091a97caa40000000ad50f2e5aca3e94db31049328ef1b80680f61d32127d65a608be2dd784a936a75161c6ce7b53c7dc14c290f3ed26237fe9f2fc0e35cf746bcaa584e39b164e60	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1760677639"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0f7a258d00bdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e00b7059d00bdb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb000000000200000000001066000000010000200000007f355b3a87725bf39fabcf7e2acddd20a86fb7d93192ada3c38f48e971f50534000000000e8000000002000020000000b2ebcfad05d140659b6ca9867837428474eea0df56e1051ae53bee051634e9a2200000003d62996bd0eeba09d5d67784f59b651512721c372275f744ccb39830ca5220724000000038ed6ca436e31b345754bad40398eb156498f83481cf72055d4114becbf2364855ecf47f146bee9afdca739ad0a920ee15b0418a9259c053cb988fb39836e31d	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0799f5cd00bdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff1a0000001a000000a00400007f020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb0000000002000000000010660000000100002000000073877abde28a3c682f2a8dd72422d035b9dee02233034df55ad0f7da09004794000000000e8000000002000020000000b53236673de45a00f8f085348c8d090f3816cfd3a069c7904d13fe0fe59194d1200000008997e9c9b948e78eaae2a58d76b0f69515b2789f040c911e447671275f8995fc400000002f57724833fdafab6399980c99ed884d7af28bf0ea8f38bcecfdc6d93956de6e495413e399a68114607c4e856eeb6fae8892ee750750ff89572a3311be5a9b01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb000000000200000000001066000000010000200000002d9e3ec257163032afbdc1c5569c04c3fe2b8476f33d698f4317664b122e6609000000000e800000000200002000000007a34ebcec671aa8e283dadb6006b4381803d5a18889fd5cecf55cb60224016b20000000ac000e3e57949e775a588315d36fa260a9580b3c181758c9065a8b44875ed99f40000000b20e7049625316fb3e056bd0e4f7ca6de178b8e7d0915989b351e7e2786da8471faa32606af9f9cd1e46749a9aa7257289c953b9227347a73cdf901dcd54ea4f	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9002bc5cd00bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb000000000200000000001066000000010000200000001d0b196ca2b3621230b63631063b023458833547c702d253be50103b67f7d568000000000e8000000002000020000000010843a73e8b5be56ff26bb756f57e7989b7fe28b338910129e72ad8e7cb239920000000e08ec558aa978bc01864331b611325b339c8c72ae7bc0ace368f7445dc12d97e40000000a6f50808496917a642cf46194adf8b8919dba25dc3bbb49ab2da9cd7b7fc205db89c57196bf18bbdd856992f365846196d8185b22b014cf942dde1a4e62c30e8	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff00000000000000008604000065020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb00000000020000000000106600000001000020000000d08452bcedc8fe4d4adcc696b500a96c953aeb5270d34d7b8dba969c161fa154000000000e80000000020000200000007ac4237ef1fb54da4ff5914eb26ff68d1167f87e9b6efa3e65bb27cf8e98aae120000000d6c772f1fb343a077e9b2d7e734689814ce5257427b805b76c3aa205ce8432ff40000000d334800e24261915848a73d247d7f37f763ea2d06e395b9ba650222c07e4a5bebabbe7d5e5fd1e1a484b56df794f40568d1bedb8b31208e5432b5a1e928f2332	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 6089a459d00bdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb0000000002000000000010660000000100002000000054f3d4c97f9745c4e25cfc374116a0643b04475614ad0d6c388f7cb0012ce6a5000000000e8000000002000020000000516e2f1e828047b457e122bd0f7bd704b9b4de33bb27975d73e884237bcbe3672000000041584b92bd48326b5eeb7ed01511c9ca1296647a90c8403bbbd978dca2b53ae240000000ffe4edcea796db12b6d28ed6dee44f67caae4d13280aa1b1e0f59ca3c3cd31dcbfb33777a3b63e31529cab88bba23d68ff2747140e78d2d72aa1786e234fc3f1	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d023aa58d00bdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50ce0f5ad00bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb000000000200000000001066000000010000200000002bea5be74f779a85727808f6839aa8a4395e4be1e8c2d888dbe59210c3e64893000000000e8000000002000020000000baed40a5985b667eab0a1d86e70b6601ca27b23f02e31953a4e72bb836070cb920000000a3f964d5f49f41b46feb4c1efd4a3111e9f7026de04f8d65c8a5f359efe5bee640000000517631f3beec78a76bb8f325d61bc9418cb3fb142972058b1712c5932641246101ab117b258c5025cf05ad2f7050ada2289f4c5bcbac7ac3434a8dd0d781bad2	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff3400000034000000ba04000099020000	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff720000001a000000f80400007f020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb00000000020000000000106600000001000020000000c927e9ddbb7739c07e3a53577f9dd511abe1704c08b661376d132e6523f2b366000000000e80000000020000200000002131a9fea361642747b89fbeb9f88630de7e9f5ba98764a89d0805ac04017a74200000008c6b5c025661ffe11693071e42778c8f632a314b69f0289903fac5e7e002edb1400000000c585f091c4c9c21961e1207af8bbffcfc0eee2a4392b7fc2fcee2d4022e0ebf4bf138c93257e7eff906d1787107aed2e366447ea637ec425ea252cb2d1c71a2	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb00000000020000000000106600000001000020000000a1b06cfbb10fd7be71dfa3d308b6000d08c772ac7c64c4c79235228579c97501000000000e80000000020000200000006e97fb08fa238e84a3ffa46c6d3d1582550f0e591455828060d7b38b4b9bb32f20000000ecc9ad115ef66b8fa931946d0765a826a136d561f6318c9e27be871811f3731840000000cd09b37146f7bbc864728955afe59ff36ed96020326cb10a5546a56b900e4c8c8b93838fbd8b52f4b5992c87c9d03ed2b64dad05abd39eb51a74dbfb40a1ed9f	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31132624"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{947EB983-77C3-11EF-BFD9-C61537EC8B44} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb000000000200000000001066000000010000200000005a81389da7719669efc9b3f300c565f472c3ea997173fdd8ba6f1e00fff8a08a000000000e8000000002000020000000e15360a40143eeed5ab03df8224b10a06ec405501b9abbe8152e6c095e8ae1d8200000009d1a84c569f69d5233ef2b8b36e818b64225add07bf3ca85fe824c0ec6562282400000001b1180d88519d3684622af5df27b10937578571cb405442b6c428c7d2e6620929ba13c065bc7b3ca806c61f186adec5c51d4d747caace58d4fc7c599872241ad	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e01f3d5ad00bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 505a3a5dd00bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000682ef1adb6c1b741b9a6296375b8eefb000000000200000000001066000000010000200000004150463661c1b96e9ab2ba188814da232203adf8d347d252430792a82e2320e6000000000e8000000002000020000000c8bf2ea28b88bad5f6fd87b5d09dfe4b8ff170be0a76d2ef8213adaf9a5cce6620000000a0ac2a7584815d47dd5ec755d13033ce63f30ffc549e291d545a36f7194ebd624000000002694e72bc9cc75e3252f7091e1f23fb537613719907d5e3b63bb24c6d3bfb437da1625f2c99063246c6c374420520e0460a4ab27636b83b131216c0f9952b13	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31132624"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 306f8658d00bdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70ce9f59d00bdb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 3085175cd00bdb01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00c55b5dd00bdb01	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1760677639"	iexplore.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0a96f0fa-4b5c-453c-9bae-fc8a96fd9a67}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0a96f0fa-4b5c-453c-9bae-fc8a96fd9a67}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eeedd7fed36d232f5e82545efdf325fd_JaffaCakes118.dll"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0a96f0fa-4b5c-453c-9bae-fc8a96fd9a67}\InProcServer32	rundll32.exe

Suspicious use of FindShellTrayWindow 10 IoCs

pid	Process
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe

Suspicious use of SetWindowsHookEx 40 IoCs

pid	Process
1888	iexplore.exe
1888	iexplore.exe
4748	IEXPLORE.EXE
4748	IEXPLORE.EXE
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
2856	IEXPLORE.EXE
844	IEXPLORE.EXE
844	IEXPLORE.EXE
1012	IEXPLORE.EXE
1012	IEXPLORE.EXE
1888	iexplore.exe
1888	iexplore.exe
2548	IEXPLORE.EXE
2548	IEXPLORE.EXE
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
1012	IEXPLORE.EXE
1012	IEXPLORE.EXE
1628	IEXPLORE.EXE
1628	IEXPLORE.EXE
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
1888	iexplore.exe
844	IEXPLORE.EXE
844	IEXPLORE.EXE
1652	IEXPLORE.EXE
1652	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3116 wrote to memory of 3324	3116	rundll32.exe	82
PID 3116 wrote to memory of 3324	3116	rundll32.exe	82
PID 3116 wrote to memory of 3324	3116	rundll32.exe	82
PID 1888 wrote to memory of 4748	1888	iexplore.exe	89
PID 1888 wrote to memory of 4748	1888	iexplore.exe	89
PID 1888 wrote to memory of 4748	1888	iexplore.exe	89
PID 1888 wrote to memory of 1012	1888	iexplore.exe	90
PID 1888 wrote to memory of 1012	1888	iexplore.exe	90
PID 1888 wrote to memory of 1012	1888	iexplore.exe	90
PID 1888 wrote to memory of 844	1888	iexplore.exe	91
PID 1888 wrote to memory of 844	1888	iexplore.exe	91
PID 1888 wrote to memory of 844	1888	iexplore.exe	91
PID 1888 wrote to memory of 2856	1888	iexplore.exe	92
PID 1888 wrote to memory of 2856	1888	iexplore.exe	92
PID 1888 wrote to memory of 2856	1888	iexplore.exe	92
PID 1888 wrote to memory of 2548	1888	iexplore.exe	96
PID 1888 wrote to memory of 2548	1888	iexplore.exe	96
PID 1888 wrote to memory of 2548	1888	iexplore.exe	96
PID 1888 wrote to memory of 1628	1888	iexplore.exe	97
PID 1888 wrote to memory of 1628	1888	iexplore.exe	97
PID 1888 wrote to memory of 1628	1888	iexplore.exe	97
PID 1888 wrote to memory of 1652	1888	iexplore.exe	98
PID 1888 wrote to memory of 1652	1888	iexplore.exe	98
PID 1888 wrote to memory of 1652	1888	iexplore.exe	98

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\eeedd7fed36d232f5e82545efdf325fd_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\eeedd7fed36d232f5e82545efdf325fd_JaffaCakes118.dll,#1
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  PID:3324

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1540

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:17410 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4748
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:82946 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1012
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:148482 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:844
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:17414 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2856
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:17452 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2548
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:82966 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1628
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1888 CREDAT:82970 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D

Filesize
314B

MD5
d74dbb8f738c8c63fc8df859eb5286e9

SHA1
341ce22e9c4295715365dc50894235afbae1d120

SHA256
f8695c4f69b951ec278bdfae01ec88c757937995bbb183886232867f651791c4

SHA512
747d0a92db2c564298d4e0f1ba3bc5980f37e5c103dfaa2f000ac98852ea48d7ecc0d0e8698620919fd4185ee8d59c1e692c2c06e4291d0315354346742f7cb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D

Filesize
400B

MD5
8eb6c4b597b9e654db5b2f259e731f3e

SHA1
19cc9ddf00589a643f14ff3a9f185a5e26870e2c

SHA256
c90e066665c45b47e32ad338e1c063658bb9b94469e9eaeb9eb4418a9c4d9fad

SHA512
e1c88d54384bdaa6d187a35bce2f03c9d4d0938bae3c8d7718a322a31f73846295f6601102df7fa715b5f3e07d104b73a2325bd2f83e194693153e50bb2956bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\au4xsoz\imagestore.dat

Filesize
4KB

MD5
d414f78b7939ae57f2d5de5a74105ae7

SHA1
c83e6c25f5771bb0eab4bf359978f77c3e0a3ce9

SHA256
d37db318d7d98e21dd7e5251061bce1bb41d3ec64eefb4c142e57ee813b50574

SHA512
957a10ed05fc917032ebd5b28b17f10fbcd45cc2fd14d8a22cdb9bd4f98a0e46f2574e576a75e297a438c63a37ff480d2b48d44f7d79d92e9cac69b9025c7fa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0XI3G1SB\bullet[1]

Filesize
447B

MD5
26f971d87ca00e23bd2d064524aef838

SHA1
7440beff2f4f8fabc9315608a13bf26cabad27d9

SHA256
1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d

SHA512
c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0XI3G1SB\navcancl[1]

Filesize
2KB

MD5
4bcfe9f8db04948cddb5e31fe6a7f984

SHA1
42464c70fc16f3f361c2419751acd57d51613cdf

SHA256
bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228

SHA512
bb0ef3d32310644285f4062ad5f27f30649c04c5a442361a5dbe3672bd8cb585160187070872a31d9f30b70397d81449623510365a371e73bda580e00eef0e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N27JXEQ0\httpErrorPagesScripts[1]

Filesize
11KB

MD5
9234071287e637f85d721463c488704c

SHA1
cca09b1e0fba38ba29d3972ed8dcecefdef8c152

SHA256
65cc039890c7ceb927ce40f6f199d74e49b8058c3f8a6e22e8f916ad90ea8649

SHA512
87d691987e7a2f69ad8605f35f94241ab7e68ad4f55ad384f1f0d40dc59ffd1432c758123661ee39443d624c881b01dcd228a67afb8700fe5e66fc794a6c0384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\N27JXEQ0\info_48[1]

Filesize
4KB

MD5
5565250fcc163aa3a79f0b746416ce69

SHA1
b97cc66471fcdee07d0ee36c7fb03f342c231f8f

SHA256
51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859

SHA512
e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLXU5DI6\background_gradient[1]

Filesize
453B

MD5
20f0110ed5e4e0d5384a496e4880139b

SHA1
51f5fc61d8bf19100df0f8aadaa57fcd9c086255

SHA256
1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b

SHA512
5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZK5NPJWQ\errorPageStrings[1]

Filesize
4KB

MD5
d65ec06f21c379c87040b83cc1abac6b

SHA1
208d0a0bb775661758394be7e4afb18357e46c8b

SHA256
a1270e90cea31b46432ec44731bf4400d22b38eb2855326bf934fe8f1b169a4f

SHA512
8a166d26b49a5d95aea49bc649e5ea58786a2191f4d2adac6f5fbb7523940ce4482d6a2502aa870a931224f215cb2010a8c9b99a2c1820150e4d365cab28299e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZK5NPJWQ\search[3].htm

Filesize
354KB

MD5
fff6973c33d04076cd1a46ed50341c9f

SHA1
66c40139c3e55d4d923733ee960dde04a3ae08a5

SHA256
ed63d20e7e32bfbdbb5262aab3a71b14baf9e16af6c4447daee556754084ee19

SHA512
936964faad54af900bac25ec3351c41a3d07656b9a585a022d47fda99dde032bbbef1de9d7993a7badbc5ce0989355bc108a89b4b68b0790e9d471cd6beabe0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZK5NPJWQ\search[4].htm

Filesize
355KB

MD5
1588bbf92e30b65fa909157f300c4c24

SHA1
3ebd0152bf6d75bf11215bcad7228206373f2e10

SHA256
30a743392470a5280f7981e31f8f9335fe0854445707601f6b52c4b46a2cf2b2

SHA512
3665e43ad10ba0c57f3747e3d9e35f1a4a790d6bafa2076a8b82c455575a728d98babcc392d34815cce9fb34fdca041fb4eaa8cd855a2ddba294bb492587afe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF09BE10A75A1DE344.TMP

Filesize
16KB

MD5
98cd2e47d15bcace363753de1443f7b2

SHA1
973cbef8db21182ab79035e848224c3e761b49f0

SHA256
7ced90da54fcc3cc84d5c84ce24878adcc6942f47e610c967c22e14e2123c8a9

SHA512
4d94585c9ecf466cce1bea35c2194fa885dc04c23b69d969d74c16e0ed095021e0630ecc9b8d5c5f547b5578ea9be6b6c61d8aa7077f34ddce2dd9308f739b3c

Download Submit
memory/3324-0-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/3324-48-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/3324-1-0x0000000001410000-0x0000000001411000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads