2e980431a3a092c619584ae6aa1015aacc16601d79ca2373f7d6a1568c5ada14

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe
Size

1018KB
MD5

118a5583abe12d104472c7f79cdef960
SHA1

18e4a85487504735eb24900c1f752ac3ee3dec72
SHA256

2e980431a3a092c619584ae6aa1015aacc16601d79ca2373f7d6a1568c5ada14
SHA512

19e6b3daa077fb1d4baed31811cb39145735f0732371df1cbdb9f2cae4fce6914d0248156fee01ea9c87f91f1a113ecc8e8b74b812b3df63fa2298270fba62fd
SSDEEP

24576:nBR3JS2l7sit4dSGa7ggzu7CQjcmi+QnTN3vJxdjpaD:BBJS2xsi7Ga7YCQjcmifnTlv5jE

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation	utiBDC2.tmp.exe

Executes dropped EXE 4 IoCs

pid	Process
772	hpet.exe
2188	utiBDC2.tmp.exe
4700	hao123.1.0.0.1104.exe
2500	hao123.1.0.0.1104.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hahpjplbmicfkmoccokbjejahjjpnena\1.2_0\manifest.json	hpet.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234ae-25.dat	upx
behavioral2/memory/2188-33-0x0000000000400000-0x00000000005C1000-memory.dmp	upx
behavioral2/memory/2188-102-0x0000000000400000-0x00000000005C1000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hao123.1.0.0.1104.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hao123.1.0.0.1104.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	utiBDC2.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpet.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Software\Microsoft\Internet Explorer\Main	utiBDC2.tmp.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://br.hao123.com/?tn=4shared_hp_hao123_br"	utiBDC2.tmp.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	utiBDC2.tmp.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 0f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb0b000000010000002a0000005300650063007400690067006f0020002800550054004e0020004f0062006a0065006300740029000000090000000100000022000000302006082b06010505070303060a2b0601040182370a030406082b060105050703086200000001000000200000006fff78e400a70c11011cd85977c459fb5af96a3df0540820d0f4b8607875e58f140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d81d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf67087e0000000100000008000000000063f58926d70168000000010000000800000000409120d035d901030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d4620000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	hao123.1.0.0.1104.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	hao123.1.0.0.1104.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	hao123.1.0.0.1104.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	hao123.1.0.0.1104.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	hao123.1.0.0.1104.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
772	hpet.exe
772	hpet.exe
772	hpet.exe
772	hpet.exe
4700	hao123.1.0.0.1104.exe
4700	hao123.1.0.0.1104.exe
2188	utiBDC2.tmp.exe
2188	utiBDC2.tmp.exe
2188	utiBDC2.tmp.exe
2188	utiBDC2.tmp.exe
2500	hao123.1.0.0.1104.exe
2500	hao123.1.0.0.1104.exe
4700	hao123.1.0.0.1104.exe
4700	hao123.1.0.0.1104.exe
4700	hao123.1.0.0.1104.exe
4700	hao123.1.0.0.1104.exe
4700	hao123.1.0.0.1104.exe
4700	hao123.1.0.0.1104.exe
2448	msedge.exe
2448	msedge.exe
4700	hao123.1.0.0.1104.exe
4700	hao123.1.0.0.1104.exe
1164	msedge.exe
1164	msedge.exe
4700	hao123.1.0.0.1104.exe
4700	hao123.1.0.0.1104.exe
4700	hao123.1.0.0.1104.exe
4700	hao123.1.0.0.1104.exe
2188	identity_helper.exe
2188	identity_helper.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe
1164	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
772	hpet.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4516 wrote to memory of 772	4516	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe	82
PID 4516 wrote to memory of 772	4516	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe	82
PID 4516 wrote to memory of 772	4516	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe	82
PID 4516 wrote to memory of 2188	4516	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe	85
PID 4516 wrote to memory of 2188	4516	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe	85
PID 4516 wrote to memory of 2188	4516	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe	85
PID 2188 wrote to memory of 4700	2188	utiBDC2.tmp.exe	87
PID 2188 wrote to memory of 4700	2188	utiBDC2.tmp.exe	87
PID 2188 wrote to memory of 4700	2188	utiBDC2.tmp.exe	87
PID 2188 wrote to memory of 2500	2188	utiBDC2.tmp.exe	88
PID 2188 wrote to memory of 2500	2188	utiBDC2.tmp.exe	88
PID 2188 wrote to memory of 2500	2188	utiBDC2.tmp.exe	88
PID 4700 wrote to memory of 1164	4700	hao123.1.0.0.1104.exe	89
PID 4700 wrote to memory of 1164	4700	hao123.1.0.0.1104.exe	89
PID 1164 wrote to memory of 2032	1164	msedge.exe	90
PID 1164 wrote to memory of 2032	1164	msedge.exe	90
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 3656	1164	msedge.exe	91
PID 1164 wrote to memory of 2448	1164	msedge.exe	92
PID 1164 wrote to memory of 2448	1164	msedge.exe	92
PID 1164 wrote to memory of 3108	1164	msedge.exe	93
PID 1164 wrote to memory of 3108	1164	msedge.exe	93
PID 1164 wrote to memory of 3108	1164	msedge.exe	93
PID 1164 wrote to memory of 3108	1164	msedge.exe	93
PID 1164 wrote to memory of 3108	1164	msedge.exe	93
PID 1164 wrote to memory of 3108	1164	msedge.exe	93

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4516
- - C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
    "C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe" -home -home2 -et -channel 167991
    3⤵
    - Executes dropped EXE
    - Drops Chrome extension
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:772
- - C:\Users\Admin\AppData\Local\Temp\utiBDC2.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\utiBDC2.tmp.exe" /S /noeula
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2188
  - - C:\Users\Admin\AppData\Roaming\baidu\hao123-br\hao123.1.0.0.1104.exe
      "C:\Users\Admin\AppData\Roaming\baidu\hao123-br\hao123.1.0.0.1104.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4700
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://br.hao123.com/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:1164
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0xf8,0x134,0x7fff417846f8,0x7fff41784708,0x7fff41784718
        6⤵
        
        PID:2032
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,1105363965622629750,7596533708067665250,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
        6⤵
        
        PID:3656
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,1105363965622629750,7596533708067665250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2448
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,1105363965622629750,7596533708067665250,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
        6⤵
        
        PID:3108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1105363965622629750,7596533708067665250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
        6⤵
        
        PID:456
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1105363965622629750,7596533708067665250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
        6⤵
        
        PID:1532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1105363965622629750,7596533708067665250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
        6⤵
        
        PID:5044
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1105363965622629750,7596533708067665250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
        6⤵
        
        PID:4452
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1105363965622629750,7596533708067665250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
        6⤵
        
        PID:984
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1105363965622629750,7596533708067665250,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5008 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2188
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1105363965622629750,7596533708067665250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
        6⤵
        
        PID:3832
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1105363965622629750,7596533708067665250,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
        6⤵
        
        PID:4668
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1105363965622629750,7596533708067665250,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
        6⤵
        
        PID:532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1105363965622629750,7596533708067665250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
        6⤵
        
        PID:2240
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1105363965622629750,7596533708067665250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1748 /prefetch:1
        6⤵
        
        PID:2204
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1105363965622629750,7596533708067665250,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1076 /prefetch:1
        6⤵
        
        PID:4836
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,1105363965622629750,7596533708067665250,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5860 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2068
  - - C:\Users\Admin\AppData\Roaming\baidu\hao123-br\hao123.1.0.0.1104.exe
      first_exec_from_inst
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
13KB

MD5
4ac4b28cbd432893585e09f40b571e9d

SHA1
407f64cfde74eb707272bfa076630173c0403bb2

SHA256
a19ebfd8dac7dcf705c57dd5ac0ea2377811848c45fb77d5f57a0caaa2d9f64d

SHA512
2a832d200e580de9d7ea4987ef25213e60e095707de132aa000a15320b16308feb71674accfdb946e3c691b6f2c52d0cdf9feb0d3356f1b839cd70774d249acb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fcaa76b69f8cc209538b7fa5238fee32

SHA1
a0338bfa3fe59ac4abb1c14c640b7c601b16d4b4

SHA256
e3383a97b55d4f4efacd8520aa2438def11d7186a7f9fe914511ccaa1c084cf8

SHA512
07066424a2b3cc21809ae193fa3e9c951e08dc27e43c2fd2c5d910932a78ea89f3ffa21f14c7ba6bafa0abe621577a502f10f4332d7bdde7a171c7e417f96c28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ee8979defed27d55c3839bb04c530fe3

SHA1
ed819e375a1aad8b78fd4e28e96ae30d7f81529d

SHA256
19e758ceafdd69c35102b43f2b550f7497e6da8d243f271958717f2670bda5e9

SHA512
907b414f05c21d663e0c53cb6c6e0c895d218fce4ff38bcc1c4155c8cc49c90a2ecbf9e91291404a3027891efe015262df4d8ea2d71258725bc79c85dd1d6377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
181d2ce61bff4a33fcc1cc51dd59379b

SHA1
ae7bde0a5e1a9bd66d6592ba1beecf9362d18f2f

SHA256
8419e5b4ff0b66b912c6b665b30a9a5bcae4e2967695aaa051e07ba4243b7a81

SHA512
48a0008de8a91aff80feee11a50a2bf631765f844fed39301ffc7428c6d63d388858da90d68eb912fc62569b738f1086b68b6978170249249a6cb80a531f2469

Download Submit
C:\Users\Admin\AppData\Local\Temp\utiBDC2.tmp.exe

Filesize
341KB

MD5
72090258195e1dd0d6c49a314c745d0d

SHA1
604c69e4b22a95cb711306fac6c83796bea1309e

SHA256
81502e7f7be3941c4383f104b2a30377a5a50c0baf6b5449a329a3706ae3fc39

SHA512
9baeb85154db459cc8807a47accc927ccfd915cfd8c1f78870e37ac6da9cb89723610edff3c8932f46f48c61e57f2b774a9084c43471467b16969c48a9535f7a

Download Submit
C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

Filesize
467KB

MD5
97bc7c2a98ee92297fcb2cecf1b222f9

SHA1
b3e08065fff002513c36cfe85e0ca607c68fbce3

SHA256
0effc6288b6ce1f933c8b97dc8ec5e6ee883f0628bea176538f65b0b2297d1fe

SHA512
a53e1220dfba16fe44f20bfc32dd986054751fb124a1c0917af4c34a45e7a2187ae05098a7681f9ed65cee852e3fbecf8fa49cc015b224dc50566659859986cc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Hao123.lnk

Filesize
1KB

MD5
7d1ae9313dd8b79fd1f3d8858a29b661

SHA1
173a201227e529fd7e7adb22ade267004d3e82bd

SHA256
6996f79e57b4b034c1d2b8babd62d3ecf18954e418eb19cb968b793447aa5d57

SHA512
bc9ad859527fd9b78453399c6baea319d7088e1171d9cd3c49718204ab0fb47193db9f9d06d2f898c9dac86afd4559068874cd3bc7656fc162b48d97786faf78

Download Submit
C:\Users\Admin\AppData\Roaming\baidu\hao123-br\hao123.1.0.0.1104.exe

Filesize
808KB

MD5
c2071b37c94a0fd8ff0ecc17d17f9583

SHA1
37ca74ef0594fae3bca1c37fb4df19e1130c2c18

SHA256
1b278f89309b77d0ad4eaa51a759311fbed941afcd36b709c91636c4dd916642

SHA512
a451de504b91326bd0487740f0de347184a8ac38936922e5fbaab114fa17934f31de8c5ecafe5a9f98f25bb2f18e02121893ad9454f8ab38d25619495424c82c

Download Submit
C:\Users\Admin\Desktop\Hao123.lnk

Filesize
1KB

MD5
38dc61573a73a730b4231f701367c367

SHA1
3ccb3888f4ce63e058fb92274e5181cf83790123

SHA256
0865a471c32b5c00d8646ef4213d314739d7e25a12ee3d6570b90d108f085d8a

SHA512
642938ae59654616c181d7750400f1dc4edf20f8510abd1413cd46a8be0ed1a8deb9374cc7e7f5b3d011d255989b46c34e5978f2f090415a8b011c22caf85793

Download Submit
memory/2188-102-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2188-33-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2500-158-0x0000000075750000-0x00000000757EF000-memory.dmp

Filesize
636KB

Download
memory/2500-159-0x0000000076B10000-0x0000000076CB0000-memory.dmp

Filesize
1.6MB

Download
memory/2500-188-0x0000000076B10000-0x0000000076CB0000-memory.dmp

Filesize
1.6MB

Download
memory/4700-138-0x0000000075750000-0x00000000757EF000-memory.dmp

Filesize
636KB

Download
memory/4700-139-0x0000000076B10000-0x0000000076CB0000-memory.dmp

Filesize
1.6MB

Download
memory/4700-85-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download