5b08d7552c17dc0f138d35bedb0ef6a458012267caa61fcd1e0cb8155f86c651

Analysis

max time kernel
141s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-10-2024 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe
Size

299KB
MD5

057661e0ef34c148782c1ab5d228ea0d
SHA1

8028a823215b312cfd001c24ef0e787bf9f1d3bb
SHA256

5b08d7552c17dc0f138d35bedb0ef6a458012267caa61fcd1e0cb8155f86c651
SHA512

47cc004419c38316677f99e69d2f64c61f586d1a81a26d5c281836f66cbbdef195c33d7bb4e136cc8c2b4f11e9f285324b3dce3b962fe0ae864c195f9bacc0c0
SSDEEP

6144:N1db49+rEg024fpLZazEjvE/rbay19tSt4bO2BaDmeBJe/ZVa+Tn0eAxcY/:NjkArEN249AyE/rbaMct4bO2/t70PGs

Score

7^/10

discovery upx

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1808	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\迅雷免会员 VIP加速.xns	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
2468	test.exe

Loads dropped DLL 2 IoCs

pid	Process
2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe
2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe

AutoIT Executable 7 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2532-18-0x0000000000400000-0x00000000004B3000-memory.dmp	autoit_exe
behavioral1/memory/2532-19-0x0000000000400000-0x00000000004B3000-memory.dmp	autoit_exe
behavioral1/memory/2532-20-0x0000000000400000-0x00000000004B3000-memory.dmp	autoit_exe
behavioral1/memory/2532-21-0x0000000000400000-0x00000000004B3000-memory.dmp	autoit_exe
behavioral1/memory/2532-22-0x0000000000400000-0x00000000004B3000-memory.dmp	autoit_exe
behavioral1/memory/2532-23-0x0000000000400000-0x00000000004B3000-memory.dmp	autoit_exe
behavioral1/memory/2532-29-0x0000000000400000-0x00000000004B3000-memory.dmp	autoit_exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2532-0-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral1/memory/2532-18-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral1/memory/2532-19-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral1/memory/2532-20-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral1/memory/2532-21-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral1/memory/2532-22-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral1/memory/2532-23-0x0000000000400000-0x00000000004B3000-memory.dmp	upx
behavioral1/memory/2532-29-0x0000000000400000-0x00000000004B3000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1808	cmd.exe
616	PING.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433940340"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CEE63291-7FDF-11EF-AD4F-5A85C185DB3E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff6f00000019000000f50400007e020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e06d5994ec13db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CEE893F1-7FDF-11EF-AD4F-5A85C185DB3E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea220000000002000000000010660000000100002000000049eb8d20d1cb0b09072aebf29e9f7512fdea271c295a1825fdf1ee069e87eacb000000000e8000000002000020000000a815e4a185df1085dcb0d410fd7414f8cce6292264bcd8a124b1d83ea08d818190000000d46af17eb307f36cf97bd640ac8706958dde32078ab5dce1954908a541a5ca75ecef97e8b3a76a92fa339ea5af6951a59125a8ffb0ff19970594820f4257d3c9dc187dd8b2d06ff4b817beba4106fd2470a0b07fb592df04aae44c812f194c3d05c13450d9fdfc5c013ed3b91e95988d91998a39c1de5eb16b58023dcd8f8f3ebf2167bb5ac2f20875c25da82a2c186e400000006d06333225b79f18c554f5a5076cc94d4fbc8e57e2d673d715a2b589f5eb1d940001bd87200b8037598d10b7b196c9f4bc2229869edf197adfcd69070c06a78b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000000ba0825396c6c21573af6606a5ed2cbf7c17cc5126d13ae2b1e054046dba6840000000000e80000000020000200000007a48e9e5fecddb870c15bc184ba8fde17ef0b9ae1ba868246beb0262820915ec20000000af2f3c64f7f27c652bc24201a8471fa7e966b42470532868eefcf90ff6afe1ee40000000dcc29f63e76b133c6a6c94b9129973389a04bdfa08a1538c9e0b2a760439298b8f72a7b86b751efbc84fa5ce4d4690d82830b4ecac497d603c954c50cb085a44	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\New Windows\Allow	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xns\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xns	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xns\ = "VBSFile"	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xns\PersistentHandler	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
616	PING.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
552	iexplore.exe
1444	iexplore.exe
2492	iexplore.exe
2492	iexplore.exe
2492	iexplore.exe
2492	iexplore.exe

Suspicious use of SetWindowsHookEx 24 IoCs

pid	Process
2492	iexplore.exe
2492	iexplore.exe
552	iexplore.exe
552	iexplore.exe
1444	iexplore.exe
1444	iexplore.exe
2492	iexplore.exe
2492	iexplore.exe
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE
996	IEXPLORE.EXE
996	IEXPLORE.EXE
2836	IEXPLORE.EXE
2836	IEXPLORE.EXE
1704	IEXPLORE.EXE
1704	IEXPLORE.EXE
2492	iexplore.exe
2492	iexplore.exe
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE
2492	iexplore.exe
2492	iexplore.exe
2680	IEXPLORE.EXE
2680	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2468	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2468	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2468	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	30
PID 2532 wrote to memory of 2468	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	30
PID 2532 wrote to memory of 1192	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	21
PID 2532 wrote to memory of 1192	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	21
PID 2532 wrote to memory of 2492	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	34
PID 2532 wrote to memory of 2492	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	34
PID 2532 wrote to memory of 2492	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	34
PID 2532 wrote to memory of 2492	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	34
PID 2532 wrote to memory of 552	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	35
PID 2532 wrote to memory of 552	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	35
PID 2532 wrote to memory of 552	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	35
PID 2532 wrote to memory of 552	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	35
PID 2492 wrote to memory of 2680	2492	iexplore.exe	37
PID 2492 wrote to memory of 2680	2492	iexplore.exe	37
PID 2492 wrote to memory of 2680	2492	iexplore.exe	37
PID 2492 wrote to memory of 2680	2492	iexplore.exe	37
PID 552 wrote to memory of 2836	552	iexplore.exe	38
PID 552 wrote to memory of 2836	552	iexplore.exe	38
PID 552 wrote to memory of 2836	552	iexplore.exe	38
PID 552 wrote to memory of 2836	552	iexplore.exe	38
PID 1444 wrote to memory of 996	1444	iexplore.exe	39
PID 1444 wrote to memory of 996	1444	iexplore.exe	39
PID 1444 wrote to memory of 996	1444	iexplore.exe	39
PID 1444 wrote to memory of 996	1444	iexplore.exe	39
PID 2492 wrote to memory of 1704	2492	iexplore.exe	40
PID 2492 wrote to memory of 1704	2492	iexplore.exe	40
PID 2492 wrote to memory of 1704	2492	iexplore.exe	40
PID 2492 wrote to memory of 1704	2492	iexplore.exe	40
PID 2492 wrote to memory of 1640	2492	iexplore.exe	41
PID 2492 wrote to memory of 1640	2492	iexplore.exe	41
PID 2492 wrote to memory of 1640	2492	iexplore.exe	41
PID 2492 wrote to memory of 1640	2492	iexplore.exe	41
PID 2532 wrote to memory of 1808	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	43
PID 2532 wrote to memory of 1808	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	43
PID 2532 wrote to memory of 1808	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	43
PID 2532 wrote to memory of 1808	2532	057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe	43
PID 1808 wrote to memory of 616	1808	cmd.exe	45
PID 1808 wrote to memory of 616	1808	cmd.exe	45
PID 1808 wrote to memory of 616	1808	cmd.exe	45
PID 1808 wrote to memory of 616	1808	cmd.exe	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\test.exe
    C:\Users\Admin\AppData\Local\Temp\test.exe
    3⤵
    - Executes dropped EXE
    PID:2468
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ww2221.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2680
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:406530 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1704
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2492 CREDAT:3224580 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1640
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ww2221.com/
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:552
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:552 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c ping -n 3 127.1 & del /q "C:\Users\Admin\AppData\Local\Temp\057661e0ef34c148782c1ab5d228ea0d_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 3 127.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:616

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1444
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1444 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02632c8bf1d87bb0c1666e96c17b2f60

SHA1
81b262f5cd53fb9c34c0e0c4b685186987d2df54

SHA256
e46d3547ef3ea31e350fc3aa36a98b1cfe355aa2d7590134831535b557402512

SHA512
47ff17ccbb9b43c9201e7fda92fbebe7f613fc820fe52f36dadce542d129e0eaa924852b1f78da2151bdcc385e4569a2f3f20a8eaeb43e6ede2df93c51e9ff2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1c611bd64fa0eff3fddef73c309ae23

SHA1
a0e4f4a0f1da53bf46bca1ebda1b47f2964756b6

SHA256
32e5ab8c84d28e27cb37bb92aabe5a72c45fb9ee63e4ea88efeacd479b105b3c

SHA512
26c84b18d8b6f3162609f47ecff059da119e73fe9608714a89c5f1ba63a6f10fc8006fe7faf8d30fff842a0c90c3b1291d2cad27f785b2270c5780da2f0e4ff0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de289df88b912a7fc58dd573cd311756

SHA1
fb8dcf57ad0e9f7d76ff8cc875d93be85aed87f4

SHA256
725a4dca876b1d40d99ed4a279790cad0eb8fee7a0d318959f4e9e1465173a1d

SHA512
2b05d3519b54f8c37757de140efeebc466424cc8ad84ae42d8847c0d3e929ecbcbc3ad4aec4d314c2a96b694f9eb24e5a4f37f35800623315f13a64d25a61a6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6ed7ff078159e7518690bb30d6bf201

SHA1
0a78c3bb4cba6c7c9f15af7b9e62aa06e2f6f9b1

SHA256
481b18ad30513637485702dd4faadaee6423824cd58d2ee11538d0a139c1e186

SHA512
8074bf982de4919219edd24a70e589fd3f2d26a980723bd9ad5314c205935ee553aba61014d0b09a7e88c1c3f832cdef706dd18f44a6b7e74839a31ce0e4eeaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c671abdeedd6a78b4ded6dc31abf6ffa

SHA1
f58219b472abf57a06b47edc1e4cb265daa20070

SHA256
31d86436b6446c63ea0f919e950b32c92b7d7e38ed8fb8084ca98b36216b8564

SHA512
f9eae43cac42000b8f75f5125ddc02f1c84a323f3ff69ab3f7f5b4b3452779716b6bed04b8938779b73f775bfe3abfa71f26bb8c7c629d2504385d5e4b1d7342

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3b36baac70b3b104367871d8e1b15e7

SHA1
a20a55fa07d44808d2aa2f473d072edcbbc6fab1

SHA256
c7cf34916c96d8975a8a663a0d089b132fdc043ca6901e47482bf9dc427abc8f

SHA512
1702149a1567ee40ccba0ad3d41d04a385de84334a21555930273138c855db69aea45136f6936034a7d60067f89a9b619c3948ebb885c208a8ab68d241176c23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd09220f86160d426518c9ac8165f8b3

SHA1
57496fe9b05a20e25c92e5696e531801ee4038d4

SHA256
15043553d2a344aa1d8c42677f65aff6eeec45ddb8a279dfce50060c96738d2f

SHA512
5986e925ad5f6894777f7590603d4b7f18f28e0e39ae418f32bddc10f72dcb6baa75b4edf64c2f8e1eab743314f301c78cf107cf2f8ec557143fe93eb7de2bd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
260644931fef9617f6415ac7c056cf41

SHA1
ea227610119babea4cd9b6bbba8d1fd233757619

SHA256
b97f80bfce8cac98b76e3ce5d7a2c5d2807ef24356458a33862b91b9020cd590

SHA512
1a4af3c2f304d66d6e567734e966b7a198fe5fa88218e310330f7301408544c84a17618bee47d272a5f4cb3a513b1803fe223c437ade7019c448a358f8e89d2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3208082e14d3e92ed70126b33db416b

SHA1
8520b61b93c36ccd7a29206d2a2c684d4b80b8f9

SHA256
8cc78f09948f392e97b8a6806e8078ef7671167564ea7f9f23da43f6e5c33259

SHA512
337a983656fb8216d4f5086de71eb1d99d4ddbc7daa61f0986f893aa6a9b5f87dab30dfb7bab9366c76e2b5131da73f4fa4282536a058348de30e13931ff57ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3f1c1172145515df863cf2632e2ca14

SHA1
bedacfc74c834e786e9d973294b1410f0c5ce12b

SHA256
1bd9308c418dfaedec6c9bc59c0a3371abd3e442ade555ad1ae713a5112a6bb5

SHA512
68177b4d07cf773beaf6add6ce8594505ea6aaa5e852c19203fdfab7e53ebae0b67cc6e9a794f84419184586e275d54eaafc973fcf41a86f6cfaf716d37b0779

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6499af17ae992524653cc1e3df12808f

SHA1
06e7a027fdde2a50e2ef8083215bb377805f572d

SHA256
027409d364e568e80e82823e965800e346626b775554fa7552f113266ec2ed22

SHA512
dfad79c1d3aa5978952eb081be7df4e1d7b5f59dcc298debbd30a61520b8c1fd80a6764ac31c8866b6cc653cdb0d9f860a9b002cdb311d4542df5ad0099eee08

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
748f3be0c8e62e9854b26524ac55c1b3

SHA1
475839098ad598a25d99b9025a89907cd85472fb

SHA256
7b95ec5a0f82871fa5c4538651310ff850ab626fe8a1cbaea226e7efbfb6f9d5

SHA512
8b2fff302ccd624307e42c74260f8bad6b9200333e97672aa0c7798cefca14fcdbe8a6c8d3fb180ebd934d96c541b6bed78c862845f3d56f4b87e2458deb108d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CEE63291-7FDF-11EF-AD4F-5A85C185DB3E}.dat

Filesize
5KB

MD5
d1e136042d5056173f9c3d19af21eb23

SHA1
8127dfb968123deeede4a8a27c6bd1533fde2892

SHA256
b5a806ad5adbae77b8ad0e429f0bd02a123f679774105e39f3fc5a7464a23c71

SHA512
20f1e9418d8788eb1f83583645a06bd6b0eb0def5dc8f30f603b6e53c3fa9510c686faa1cc754b256d5175c37b973d1afb6fce23325e498d822d42984fc130c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CEE893F1-7FDF-11EF-AD4F-5A85C185DB3E}.dat

Filesize
3KB

MD5
041d401fbe22c61e569876954512bacd

SHA1
07800d885ca4ec9c59e5d23686a97106261cc7cf

SHA256
44f799063e9f3af0563c81534bb312cd7903061a25ccb53708e299a51fe212f0

SHA512
42700d617e61de8f82c2f12e72a2d042b9cad824c85a316b63a95772843ecc12e8fb1d616e6bb29627ae5e307e7ded69077d78f6fd8e48dcd3e94194586aac11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{CEED56B1-7FDF-11EF-AD4F-5A85C185DB3E}.dat

Filesize
4KB

MD5
514164ac6f4f8e036acf70a12a24ded4

SHA1
a909d84a2e8f8f36e32bace1ca8b5071c1715522

SHA256
cc171b531ce69382a5ade649a3530a75bc34fa91acaaa5872bf93973df89cdb8

SHA512
f19eb2dac3fad5463768fe51e37338af5039dc8cdf939c5804744e9eeaec4c5dc5ca442ba660ad167b94236813eba59c07ebc36b43dba5e7507497f0ff39964d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\NewErrorPageTemplate[2]

Filesize
1KB

MD5
cdf81e591d9cbfb47a7f97a2bcdb70b9

SHA1
8f12010dfaacdecad77b70a3e781c707cf328496

SHA256
204d95c6fb161368c795bb63e538fe0b11f9e406494bb5758b3b0d60c5f651bd

SHA512
977dcc2c6488acaf0e5970cef1a7a72c9f9dc6bb82da54f057e0853c8e939e4ab01b163eb7a5058e093a8bc44ecad9d06880fdc883e67e28ac67fee4d070a4cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DJB1KT77\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KIYAG1MM\dnserror[1]

Filesize
1KB

MD5
73c70b34b5f8f158d38a94b9d7766515

SHA1
e9eaa065bd6585a1b176e13615fd7e6ef96230a9

SHA256
3ebd34328a4386b4eba1f3d5f1252e7bd13744a6918720735020b4689c13fcf4

SHA512
927dcd4a8cfdeb0f970cb4ee3f059168b37e1e4e04733ed3356f77ca0448d2145e1abdd4f7ce1c6ca23c1e3676056894625b17987cc56c84c78e73f60e08fc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPUI9R2R\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA843.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA8D3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.exe

Filesize
16KB

MD5
79643af79d6a21f43be3e734b8a78d59

SHA1
bea50713dfbec00799abff5e5ea2a5bcc24eb0de

SHA256
b8e5a39f5f79f7ebba0848eff0de732c35cc277218d999877979e5c2ae15a16c

SHA512
0f87a423ff865d4329cf5dee21cea1b25bc08998129eb73b7a1c553d5b05f85e69115463f0c3d86b8f8b8c1ca8273ee6a460b6714c2d67bb8d1bfa47a0ba3337

Download Submit
memory/1192-14-0x00000000029E0000-0x00000000029E1000-memory.dmp

Filesize
4KB

Download
memory/2532-29-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2532-22-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2532-21-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2532-20-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2532-19-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2532-18-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2532-23-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download
memory/2532-0-0x0000000000400000-0x00000000004B3000-memory.dmp

Filesize
716KB

Download