b8502fed214c5fbccd67a4cc7a95e3527e79ab1059f05014edd413b471610bd3

Analysis

max time kernel
133s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe
Size

250KB
MD5

2ab9d9d4ae9a4dbeca72d64f8c728753
SHA1

63de7369c002a5067e584451648c346b0e6bb8bd
SHA256

b8502fed214c5fbccd67a4cc7a95e3527e79ab1059f05014edd413b471610bd3
SHA512

d72f36f2d33655bb8c00dcdd382271340bb6faadacaf6da56ddcca1dfb31f0fd5c0f194f57af3f8d2133413834e27fa1eaeaf9f99b3ab4b6562f86024f385f9c
SSDEEP

6144:OhieuJDr5T8b2ufqBLjSB/MS7irtIa6cwoD8ZroSfjGFA:beKrJJuf86AYcwoaoSbr

Score

8^/10

discovery execution persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
2344	cmd.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2936-36-0x0000000000400000-0x00000000004B1000-memory.dmp	autoit_exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2936-0-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/2936-36-0x0000000000400000-0x00000000004B1000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\winrar.jse	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe
File opened for modification	C:\Program Files\WinRAR\winrar.jse	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2344	cmd.exe
2696	PING.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 307f9e83501adb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000f880ac2c44b1b87fbe64fbfbaf768d78ec8d7eeed5f57faae87abc876b378f60000000000e80000000020000200000000db9a8b278db7b2040c8f08a39d8a23f17e388f689dfc84020410dfeb4b18b049000000052c3a65b485f70b0904eb1f88df9cdfa570554cc817b4f3d5c33702529688d0bab620f1949e0b3295c3f270ed2737ead206f0caf0b6a71a9073172efa8d3d426a33f5edbac9613eb614409e37eae0d40a517784b9a696c4a14f93e04a34ca99bd3beee84128f76f43a91aa2cccb4565d941ce7e80e88313e2a9fc4c91bbc25ac750a33557a7dad6327146ab605041b6040000000ef56e459421bf6b893be7bc01c7af955f1c88258df9f87f4749d4d4c0b42f71197f14c76e0444975dcf9f841a1cfd4806e89a2a78acb27bdfd4e3ee56ed2bcae	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434642967"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000989e8535a6c6f14975fcc7892350121fcf803384a2cf3d17aaf80f892af91c82000000000e8000000002000020000000e270772dcbe8ba5a12f1b17fb05c68001a17f7fc44f35105acf6f1114f5fee852000000050d9404af2c45c3da207819b746c4de38278ac7a755511e9287144873b4d7d83400000001ee5b7ce55b928d6a51527a7f8ea338afda1101f183fadf054036be8d44c44e02b4b402c9a1474660121be21b1a3bd7c2de22cef841fbd9a91ef72ec7d06a92d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{BF0D6681-8643-11EF-9A8E-4A174794FC88} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Modifies registry class 26 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mmc	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mmc\ = "mmcfile"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\ContextMenuHandlers	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\ContextMenuHandlers\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\IsShortcut	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\CLSID	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\ = "open"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\command\ = "WScript.exe \"C:\\Program Files (x86)\\Winrar\\winrar.jse\" \"%1\""	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\IconHandler	WScript.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\ = "¿ì½Ý·½Ê½"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\NeverShowExt	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\DefaultIcon	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\command	WScript.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2696	PING.EXE

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe
Token: SeShutdownPrivilege	2976	explorer.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2936	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe
2936	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe
2936	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe
2936	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe
2820	iexplore.exe
2820	iexplore.exe
2820	iexplore.exe
2820	iexplore.exe
2820	iexplore.exe
2820	iexplore.exe
2820	iexplore.exe
2820	iexplore.exe
2820	iexplore.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2820	iexplore.exe
2976	explorer.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
2936	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe
2936	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe
2976	explorer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2820	iexplore.exe
2820	iexplore.exe
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE
2452	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2732	2936	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2732	2936	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2732	2936	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe	30
PID 2936 wrote to memory of 2732	2936	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe	30
PID 2732 wrote to memory of 2820	2732	WScript.exe	33
PID 2732 wrote to memory of 2820	2732	WScript.exe	33
PID 2732 wrote to memory of 2820	2732	WScript.exe	33
PID 2732 wrote to memory of 2820	2732	WScript.exe	33
PID 2936 wrote to memory of 2344	2936	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe	34
PID 2936 wrote to memory of 2344	2936	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe	34
PID 2936 wrote to memory of 2344	2936	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe	34
PID 2936 wrote to memory of 2344	2936	2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe	34
PID 2820 wrote to memory of 2452	2820	iexplore.exe	36
PID 2820 wrote to memory of 2452	2820	iexplore.exe	36
PID 2820 wrote to memory of 2452	2820	iexplore.exe	36
PID 2820 wrote to memory of 2452	2820	iexplore.exe	36
PID 2344 wrote to memory of 2696	2344	cmd.exe	37
PID 2344 wrote to memory of 2696	2344	cmd.exe	37
PID 2344 wrote to memory of 2696	2344	cmd.exe	37
PID 2344 wrote to memory of 2696	2344	cmd.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\WinRAR\winrar.jse"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.com/?g8
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2820 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2452
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 4 127.1>nul &del /q "C:\Users\Admin\AppData\Local\Temp\2ab9d9d4ae9a4dbeca72d64f8c728753_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 4 127.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2696

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\winrar.jse

Filesize
11KB

MD5
9208c38b58c7c7114f3149591580b980

SHA1
8154bdee622a386894636b7db046744724c3fc2b

SHA256
cb1b908e509020904b05dc6e4ec17d877d394eb60f6ec0d993ceba5839913a0c

SHA512
a421c6afa6d25185ec52a8218bddf84537407fd2f6cabe38c1be814d97920cfff693a48b4f48eb30c98437cbbb8ad30ccd28c3b4b7c24379ef36ac361ddfdbf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
507adaea391d4c8d7831dc101aeb075d

SHA1
5485bbf67cad2de7687227295c333af12163de7c

SHA256
477eefd598a5bba4b0688768d1653b99bb5d09d6b53bd6dc96f213f7c7117560

SHA512
468f4c880e9b24d92b302140e83e5a387d0becd57dff3d7ede5e67adf05d60a921b69dc151a2be40b229d38515c5db8899dc842bffa05160e1dbc4d356393cb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84f41360d6861d528bac2b22636d61b6

SHA1
4a2487c77e7cf913a011a77699a4cca033cc512e

SHA256
5e4af42423c7f5e35efc782ac0bc7ecc25583266660453d189bae6143e1096bc

SHA512
1f649426f772c7559e974a0f37677aa29683e14f24aea43da6731ea566af3a52805a305969ac75020c3c77725e6ec3dcf84d57b615e1b034f19488146c470587

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
beefb81d6015414b3717d3b983af963f

SHA1
35b9e6688af7a657675bf32a139a8aea7dda294e

SHA256
f994759ac62a65734ddbfdd3f4997b571a9b25e6a2a1c52839503d9949b67f3b

SHA512
be49626ec2e1d2d7dd812803263e61d99e772fbae1437e47fab505d224bed18af871a628658b4b8086598f2681304f7d83096d56761cc0ccd0ccee21d9f6d64a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5430cc70a3d5070b21560c5d8333dd26

SHA1
ba6f3433ebf6885bf3bc0ee420d9089f8ad890eb

SHA256
07b21590dfa91923c16231c9196e3ec592b9579e945080b5444e421ff696f719

SHA512
39b3bcb76d2959f516373f1be020ef2e2674119eb9ffa1d6439ca83e17750885413a43251d1788604b3491ae652a671cfa725451afddaddf4aa94f70b98c0a70

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db319622a02b8c5d9fab17fc5f7d0f7e

SHA1
650eef83850c18c4d85c139b5bf4b9c81db08692

SHA256
5cf1260c34caec3ff1e350e5f6c226d8ccd640612ceb86c343609a502a7ad22f

SHA512
04f01d058a2e6d9edba4b587fa09fe347429de8eaf5e82b830b8200bd231a268cc76a7c4d9cc6f27ea207a2033bb0fbc12faae11a909efafbcbc4f73bbfc097e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b186a45c46b754864475d250f0843035

SHA1
dd523919e5bea2687f73bc3cdb49e97c920bb141

SHA256
41244ceec6af9a2711d7266df9157ab460e1daa7d540ddf107bd43c716173da7

SHA512
b3969f30984467b94983643a978b4e7ad20647e2d16fdd0bf09cd6a4dd560850502867d742c60e9ca5533bef3cb64cfb12c7a64bc172003a867af718471a012e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0520fb460b06c8626d90f38db27a717

SHA1
ea0c9c92e68052de582f3020d915556f290083db

SHA256
69325b68f0813f0bc2f647138067692c46934fb1b9397f7cb3e73be5cf50ab53

SHA512
50d9a3a21af2d98864a40bbd0a756e021559abfa5cfbfb8f74e1d38913a45a2f95652322b40ff3e64c71303bb9fd1484e5235b61df7b157d886288b64ff55aa2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cd20d0682ef7e002688867b69b9cafc

SHA1
cd7a5a9759c1c57ab00d32e65a3330f3eb40b4c6

SHA256
57d2ad6e3affb59d79910081c6380f015f86d32f42275829f9d4f593a4e492d9

SHA512
95dc191457b53ba99f3ce148d6fbf1ed03f9a63a38e49497661fa807e415625565dfcab290b688cf1f5c17ab7e58f8b381067c4b84f793cccfea37c7746a8b3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
848c2a14372e1703219a0c6c91f7c059

SHA1
9b78ae2315be9eaead27e6cca6ac5bee1f615dcb

SHA256
3358287064cb090f721b3c233a4ad171cab353ca7a9dc321a7ce1c143609dc7c

SHA512
c5370155311d372b705aa772f2a48b86a35d1b15a5605e328f8bcee76fd544bf738c212f9566cf7bfc54c873d2cea8f56e7db02d2f0921083351b5452e34d507

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15eba4b6e850c6ce407b2001b503a776

SHA1
0a8df5ee674d6fa6f8424ab7d0edcd21c37f026e

SHA256
f7d9c071eca7dae2698cd5690eb95b0fc61d2c9b71523e73d5d47b92dd4ace8b

SHA512
90903643784f6ee3b4e28e8ed15058a121a1f74feb1da0868bb1aa011812f7bac1bfbf05b2e2bdbc7fa5667f99a7885daff7207475dccc8cb6f9c622f8b92618

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9553c060a12d5081e6765b3aa74f2ae

SHA1
b58379675cbedd8c80095e96211d47ffaee3495d

SHA256
f582c911c28a029738b39147c9abde114c8919737f1e20d0562e4d7014dba39a

SHA512
cc30a98373ea5c1ad7fe1e3e421894c00053483ace2eba82b4048f69cc2f5ad6e5582cb70f74d74a0179fb7b8cf0943dc45363a7e57aa232ed38757745009d17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc86a85cc27e7cfdede04e0e0462f1a3

SHA1
b43b6846274376b7f98c27d2371a9e6513a69da1

SHA256
25c25972d4dbcdae631e474fa4a04d41d441b59250c21e64f2112faad65dff5e

SHA512
83a34bfd47b30ccde2f097ec902b9510f800f60eff667244632fdedf42d5f46023433c56b6428c94dd00a177f8a1e52bc1245a4647391f9955965bef891001da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83d69d1083cf84d931cdac293ad0b8b9

SHA1
be86db92f4a0448297be769c07ce7b8e4cb93ef4

SHA256
aa499fb8562d95c257b26a626fd91954acf037a2766646e8eb7db7d8af6fd3be

SHA512
5ba19589d1a150c896b261b9574c4e87b1f46030119621edb8419145d0d5d048136cbd09c39afd94141f793306fc937a9b7f1ca8d8bf52cb86ad80a79e643c33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a449f86016e92bacc8edbcf8e92b1632

SHA1
1b037379e05db37b605ae3163176bc18a9aff72c

SHA256
17b9ce7538755ef9382cd268022c0a94340587f7e31a493aa687b93867c3554f

SHA512
1a465e8ba6b3c099fd51584a66bec54a2ee657ddba83c4bcf13dfd72a462931654344cb9dc055f4cb33ad3cd04ef0a0f05ea4e169a7a44cc41cfa66213ca0e35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9318b884fe437cc1db38be6d58d74467

SHA1
158ae3b9478f112fb862f3228529d9c2ff3810c1

SHA256
a8778d7a9157eaf4d0c1d6b6a9d831ae3c355056c57a1a560f90424744e5b7ed

SHA512
d7d6ffda9e047d85965d07854aa757e060ae05577b3a0c71227305ae9a3690a363ec75840325946d37406627cb605086f0a2e80362a85faee35ae769380994c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
716a14db7e175b7da96271c715395aba

SHA1
6a2873c7d7c82cab81f169e3e901e61516b1f77f

SHA256
8d1c0efc14f32583a2bf15ed0af7cd284669f7f89f2c06fd51695b807bc18d64

SHA512
8c10588d65b1c59cdd75435cdac1bf354ca79031d01b1d6387d330b8068ebada5524021493be9176c869a37cf38d9481f032926ee0895d326eea5ad9fdd18df4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38ad156571383538b734fcc02f8c7d18

SHA1
f7d8f7bbf7507a003cdf3476c4b888526efaa15a

SHA256
ecd19857dd8339a77aeea500b9f5c677eb7d39beb5d2f29f9579f0c3d28deb6e

SHA512
54e5bd0366af2fe39cc5d8fb84ac895d253bf66a3cbaf6a36dfe088853b250bca294a3c78510e106ad769ca001e82bb9fa3dd7c3f716dd4d8249cdbeb5a09734

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85cb72408ea43be6e2d3d0eddc593e3a

SHA1
c33e4b69ac1bd22f533647e1631e3661de770d1f

SHA256
021be9bd78dca3892f63e15629f812d0e2424a12cb57b41896ff5e8c74cbcad2

SHA512
2e86d6a83b7d227b01528986777d2a94693381b31a525c3532fbef3542190b0225a03a87e00a03f7c3e3834a587dbeed504b1507fc10fe07540659553584079f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15ddc4ae2d91d3ddd5663e2cc5242252

SHA1
39a6285d61b58664cf39868ed076c3edee982b0f

SHA256
d5a87ace071d30ab470e1737d9e6d5a4f9aa1ad8d7f1304d0506d0363a3c936e

SHA512
6f177dacd87b6b8cf66afcb6becd71cdb77e353f1b95609168a9991ee487fa019b59b03099fbd660bea9c596e10c43041fa46f4b7b8d9edd738582ce066f6e5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaf36bbad5f404b076d6f8e96309747f

SHA1
a50edcd82c75b5446919640a5e4c4fd2ea120471

SHA256
087b4be818982af625161f2346b13c45b73bc904750f624f14924c20b1c8e427

SHA512
906990d7166406ad77fb31f76394a00fd0013abbe9e69a93a0dfe7e720372cb855b6e19562c9314204487810ec1b8f99285de6f9881bca083ee1d9b39f5a2fc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8603.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8616.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.mmc

Filesize
255B

MD5
a0c4d2f989198272c1e2593e65c9c6cb

SHA1
0fa5cf2c05483bb89b611e0de9db674e9d53389c

SHA256
f3170aeec265cc49ff0f5dcb7ed7897371b0f7d1321f823f53b9b0e3a30e1d23

SHA512
209798b5b153283bea29974c1433fe8b6c14f2a54e57237d021ecc1013b8dc6931dedcc2fe173d121c719901045fdf2215177ba164c05d703f2e88a196252ec4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.mmc

Filesize
149B

MD5
b0ad7e59754e8d953129437b08846b5f

SHA1
9ed0ae9bc497b3aa65aed2130d068c4c1c70d87a

SHA256
cf80455e97e3fede569ea275fa701c0f185eeba64f695286647afe56d29e2c37

SHA512
53e6ce64ad4e9f5696de92a32f65d06dbd459fd12256481706d7e6d677a14c15238e5351f97d2eb7bfb129a0d39f2603c4d14305a86821ed56e9face0bc252b6

Download Submit
memory/2936-0-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2936-36-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2976-1286-0x0000000003CE0000-0x0000000003CF0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads