a82c4c7c6c7ccfe7056fe9bd687a5141b386aa39d9d998b72cf14d5bf4b29e9c

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 15:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0650bda83aa23e7d38c7ca0779b3523b_JaffaCakes118.exe
Size

137KB
MD5

0650bda83aa23e7d38c7ca0779b3523b
SHA1

edfde71d2780c81ed5656d4d9620c5ce0e1daf37
SHA256

a82c4c7c6c7ccfe7056fe9bd687a5141b386aa39d9d998b72cf14d5bf4b29e9c
SHA512

3e88ea63c55595c93645d54be4613aa16b4be52f1ea08cc95956c731491a09aaf8d5a32dd1ea236fc00ee64faf3e0e5729fec2249e1d1d55f439d6ba23a96d98
SSDEEP

3072:LH21a/H7iHL49412xob5btEz0XmCD6j7HcdszWAanIc8G:LH3ziHe+237Hc65G

Score

5^/10

discovery

Malware Config

Signatures

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\oeminfo.ini	cmd.exe
File opened for modification	C:\Windows\SysWOW64\oeminfo.ini	cmd.exe
File created	C:\Windows\SysWOW64\oemlogo.bmp	cmd.exe
File opened for modification	C:\Windows\SysWOW64\oemlogo.bmp	cmd.exe
File created	C:\Windows\SysWOW64\greatwall.ico	cmd.exe
File opened for modification	C:\Windows\SysWOW64\greatwall.ico	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 32 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0650bda83aa23e7d38c7ca0779b3523b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Local Page = "http://greatwall.com.cn"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Window Title = "│ñ│╟╡τ─╘╖■╬±╚╚╧▀:800-8100285"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}\ButtonText = "│ñ│╟"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Local Page = "http://greatwall.com.cn"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "│ñ│╟╡τ─╘╖■╬±╚╚╧▀:800-8100285"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}\Default Visible = "Yes"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}\Icon = "C:\\Windows\\system32\\greatwall.ico"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Default_Page_URL = "http://www.pc966.com"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}\Exec = "http://greatwall.com.cn"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}\HotIcon = "C:\\Windows\\system32\\greatwall.ico"	reg.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.pc966.com"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.pc966.com"	reg.exe

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag\Command = "│ñ│╟╡τ─╘╓º│╓╨┼╧ó"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\oemset	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\oemset\ = "╗╢╙¡╩╣╙├│ñ│╟╡τ─╘"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}\DefaultIcon\ = "greatwall.ico"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}\DefaultIcon	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}\InfoTip = "│ñ│╟╡τ─╘╓º│╓╨┼╧ó"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag\Param1 = "http://greatwall.com.cn"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\oemset\command	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\oemset\command\ = "greatwall.com.cn"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}\ = "╗╢╙¡╩╣╙├│ñ│╟╡τ─╘"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}\Instance	reg.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2812	reg.exe
2768	reg.exe
2128	reg.exe
2800	reg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2716	2240	0650bda83aa23e7d38c7ca0779b3523b_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2716	2240	0650bda83aa23e7d38c7ca0779b3523b_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2716	2240	0650bda83aa23e7d38c7ca0779b3523b_JaffaCakes118.exe	31
PID 2240 wrote to memory of 2716	2240	0650bda83aa23e7d38c7ca0779b3523b_JaffaCakes118.exe	31
PID 2716 wrote to memory of 2800	2716	cmd.exe	33
PID 2716 wrote to memory of 2800	2716	cmd.exe	33
PID 2716 wrote to memory of 2800	2716	cmd.exe	33
PID 2716 wrote to memory of 2800	2716	cmd.exe	33
PID 2716 wrote to memory of 2812	2716	cmd.exe	34
PID 2716 wrote to memory of 2812	2716	cmd.exe	34
PID 2716 wrote to memory of 2812	2716	cmd.exe	34
PID 2716 wrote to memory of 2812	2716	cmd.exe	34
PID 2716 wrote to memory of 2768	2716	cmd.exe	35
PID 2716 wrote to memory of 2768	2716	cmd.exe	35
PID 2716 wrote to memory of 2768	2716	cmd.exe	35
PID 2716 wrote to memory of 2768	2716	cmd.exe	35
PID 2716 wrote to memory of 2128	2716	cmd.exe	36
PID 2716 wrote to memory of 2128	2716	cmd.exe	36
PID 2716 wrote to memory of 2128	2716	cmd.exe	36
PID 2716 wrote to memory of 2128	2716	cmd.exe	36
PID 2716 wrote to memory of 2888	2716	cmd.exe	37
PID 2716 wrote to memory of 2888	2716	cmd.exe	37
PID 2716 wrote to memory of 2888	2716	cmd.exe	37
PID 2716 wrote to memory of 2888	2716	cmd.exe	37
PID 2716 wrote to memory of 2480	2716	cmd.exe	38
PID 2716 wrote to memory of 2480	2716	cmd.exe	38
PID 2716 wrote to memory of 2480	2716	cmd.exe	38
PID 2716 wrote to memory of 2480	2716	cmd.exe	38
PID 2716 wrote to memory of 2596	2716	cmd.exe	39
PID 2716 wrote to memory of 2596	2716	cmd.exe	39
PID 2716 wrote to memory of 2596	2716	cmd.exe	39
PID 2716 wrote to memory of 2596	2716	cmd.exe	39
PID 2716 wrote to memory of 2592	2716	cmd.exe	40
PID 2716 wrote to memory of 2592	2716	cmd.exe	40
PID 2716 wrote to memory of 2592	2716	cmd.exe	40
PID 2716 wrote to memory of 2592	2716	cmd.exe	40
PID 2716 wrote to memory of 2608	2716	cmd.exe	41
PID 2716 wrote to memory of 2608	2716	cmd.exe	41
PID 2716 wrote to memory of 2608	2716	cmd.exe	41
PID 2716 wrote to memory of 2608	2716	cmd.exe	41
PID 2716 wrote to memory of 2712	2716	cmd.exe	42
PID 2716 wrote to memory of 2712	2716	cmd.exe	42
PID 2716 wrote to memory of 2712	2716	cmd.exe	42
PID 2716 wrote to memory of 2712	2716	cmd.exe	42
PID 2716 wrote to memory of 2616	2716	cmd.exe	43
PID 2716 wrote to memory of 2616	2716	cmd.exe	43
PID 2716 wrote to memory of 2616	2716	cmd.exe	43
PID 2716 wrote to memory of 2616	2716	cmd.exe	43
PID 2716 wrote to memory of 2884	2716	cmd.exe	44
PID 2716 wrote to memory of 2884	2716	cmd.exe	44
PID 2716 wrote to memory of 2884	2716	cmd.exe	44
PID 2716 wrote to memory of 2884	2716	cmd.exe	44
PID 2716 wrote to memory of 2844	2716	cmd.exe	45
PID 2716 wrote to memory of 2844	2716	cmd.exe	45
PID 2716 wrote to memory of 2844	2716	cmd.exe	45
PID 2716 wrote to memory of 2844	2716	cmd.exe	45
PID 2716 wrote to memory of 2740	2716	cmd.exe	46
PID 2716 wrote to memory of 2740	2716	cmd.exe	46
PID 2716 wrote to memory of 2740	2716	cmd.exe	46
PID 2716 wrote to memory of 2740	2716	cmd.exe	46
PID 2716 wrote to memory of 2572	2716	cmd.exe	47
PID 2716 wrote to memory of 2572	2716	cmd.exe	47
PID 2716 wrote to memory of 2572	2716	cmd.exe	47
PID 2716 wrote to memory of 2572	2716	cmd.exe	47

C:\Users\Admin\AppData\Local\Temp\0650bda83aa23e7d38c7ca0779b3523b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0650bda83aa23e7d38c7ca0779b3523b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt8123.bat "C:\Users\Admin\AppData\Local\Temp\0650bda83aa23e7d38c7ca0779b3523b_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName /v "ComputerName" /t REG_SZ /d greatwall-PC-36 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2800
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName /v "ComputerName" /t REG_SZ /d greatwall-PC-36 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2812
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v "Hostname" /t REG_SZ /d greatwall-PC-36 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2768
- - C:\Windows\SysWOW64\reg.exe
    REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /v "NV Hostname" /t REG_SZ /d greatwall-PC-36 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:2128
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\oemset" /v "" /t REG_SZ /d "╗╢╙¡╩╣╙├│ñ│╟╡τ─╘" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2888
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\shell\oemset\command" /v "" /t REG_SZ /d greatwall.com.cn /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2480
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}" /v "" /t REG_SZ /d "╗╢╙¡╩╣╙├│ñ│╟╡τ─╘" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2596
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}\DefaultIcon" /v "" /t REG_SZ /d greatwall.ico /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2592
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}" /v "InfoTip" /t REG_SZ /d "│ñ│╟╡τ─╘╓º│╓╨┼╧ó" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2608
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu\StartPanel\ShowOEMLink" /v "NoOEMLinkInstalled" /t REG_DWORD /d 0 /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2712
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag" /v "Command" /t REG_SZ /d "│ñ│╟╡τ─╘╓º│╓╨┼╧ó" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2616
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CLASSES_ROOT\CLSID\{2559a1f6-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag" /v "Param1" /t REG_SZ /d "http://greatwall.com.cn" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2884
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "RegisteredOwner" /t REG_SZ /d "│ñ│╟╡τ─╘" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2844
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "RegisteredOrganization" /t REG_SZ /d "│ñ│╟╝╞╦π╗·╝»═┼╣½╦╛" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{2559A1F6-21D7-11D4-BDAF-00C04F60B9F0}" /ve /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2572
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\NameSpace\{2559A1F6-21D7-11D4-BDAF-00C04F60B9F0}" /ve /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2580
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel\NameSpace\{2559A1F6-21D7-11D4-BDAF-00C04F60B9F0}" /ve /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Default_Page_URL" /t REG_SZ /d "http://www.pc966.com" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2632
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "http://www.pc966.com" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:2644
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Local Page" /t REG_SZ /d "http://greatwall.com.cn" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2208
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /t REG_SZ /d "http://www.pc966.com" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    PID:2004
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Local Page" /t REG_SZ /d "http://greatwall.com.cn" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1608
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main" /v "Window Title" /t REG_SZ /d "│ñ│╟╡τ─╘╖■╬±╚╚╧▀:800-8100285" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1656
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Window Title" /t REG_SZ /d "│ñ│╟╡τ─╘╖■╬±╚╚╧▀:800-8100285" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2256
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}" /v "CLSID" /t REG_SZ /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2424
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}" /v "Default Visible" /t REG_SZ /d "Yes" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2220
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}" /v "ButtonText" /t REG_SZ /d "│ñ│╟" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2428
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}" /v "Exec" /t REG_SZ /d "http://greatwall.com.cn" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2112
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}" /v "HotIcon" /t REG_SZ /d "C:\Windows\system32\greatwall.ico" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:2664
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6096E38F-5AC1-4391-8EC4-75DFA92FB32F}" /v "Icon" /t REG_SZ /d "C:\Windows\system32\greatwall.ico" /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    PID:1368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bt8123.bat

Filesize
8KB

MD5
8e86b70f2d6bebef588d0011e38b6d4a

SHA1
984e0cdfb497b5f6fddfb54ef7ad971307abef9f

SHA256
d550b8fdca083f095c3c99245203469d0e4fbf74d1b55f0f9e8d330842c4e3ab

SHA512
b46c74743439c069ef91529784b49e23b392bda27c8a24b3420e3673ba1313cd19251af439db1e2263bf26443f45a0347cccb8082a87498b4dd24cf36f7d0777

Download Submit
C:\Users\Admin\AppData\Local\greatwall.ico

Filesize
9KB

MD5
268184e3854088260347230d9ec5c97f

SHA1
6ee40f513f2d914fba28c0eee2c45e37ff98c397

SHA256
1754d3f995d5ff5c84e01cb3104202919df27d7af9f94cee066ace1527628f2b

SHA512
555bbd21b5cbdd4516b6dbfe945459000621854e16fabdf5952b778153268190391b4ec36e6519f7dfd76520c8418318898475bebd626103011970a2a4f7f502

Download Submit
C:\Users\Admin\AppData\Local\oeminfo.ini

Filesize
415B

MD5
b655c564a87162d55b18abd979839c14

SHA1
25ebd4739b9a61b0c71bf21f0ba3ddd74e694b6c

SHA256
140808965832ea2e42e8d4d4255308a826246d67067fd26b19064b248706295a

SHA512
85464a6d27a0815e57933f8d570dede912880eaa7308f9aa41dc979ffd1f07bdce796a2231499698e9a3117507cf376f5b19356adb3ebaba6d956e41cf3f1dbc

Download Submit
C:\Users\Admin\AppData\Local\oemlogo.bmp

Filesize
7KB

MD5
63ab80c177bfcd48722b25f73e31554a

SHA1
eeaf9b79aaa98b8e7a71cd5241ee5f09b57a1298

SHA256
ec356a42bc67427eb0584680f40f2c854a3f0d7b3b1e6c861161c97d703b4024

SHA512
e25a241771cf3bd89368f439d0a4221f80c90f617982abce667999668145206091d0ec94e5b83f6ddc0ace83ea961caa97e5f24ad1299d31287bb8386b2bd926

Download Submit
memory/2240-19-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads