cb9aac0ce0e0df317b81f2c21a2fbbefed28c1c020cd59bace633ced6f51a3ca

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 12:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe
Size

145KB
MD5

3a09c81782ea1795edc1b0d8989005a2
SHA1

3d7497e6875d625a32492f9ec7dbccfa9469603c
SHA256

cb9aac0ce0e0df317b81f2c21a2fbbefed28c1c020cd59bace633ced6f51a3ca
SHA512

1443df0e3e8f3d6affe300b3f572c54d3c85ca8235ceb1b38f0f5beb7fb4a17efd3761db948e9a68efc5ecffa12b3c98fab61f4431c82537dcafa314f8575e2b
SSDEEP

3072:pYU94fDhmJcgMkHcUHqihtU6E/Z4XiNQzkikY5jR/7VHutvcf22W+:pcVFMhaR4XiNiljR/7Qts2u

Score

10^/10

bootkit discovery evasion persistence

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	smsc.exe

Executes dropped EXE 2 IoCs

pid	Process
1780	smsc.exe
2704	mb.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SysAssist = "C:\\smsc.exe"	smsc.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	smsc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\tb.ico	smsc.exe
File created	C:\WINDOWS\SysWOW64\dy.ico	smsc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\vb.ini	smsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "434898347"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000dd9ea13593aeaf546e3819c00fcb46341ba9b01ca256f056c7924ef92f181c63000000000e8000000002000020000000b773be3640701a369815fdb72b78dfdac67dde6f54b8681e486554dd4859686520000000b3bc4178681016f505905323b1744ff22e5edc294e95deb562e6947ac4992f98400000005a9d2cfa000bfc7b3e0803630908f8d8cb7490d5760e00f07040a2531ae5926ca081c06adb1816e1a0e8a8a97efe2575d12ada09794be30b5f3de38944fba205	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e004cb30a31cdb01	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000078a0cc6b0b830b4fbbc12dd3fac6f54200000000020000000000106600000001000020000000f188f277c0ac5c2818283538ac41a639b4eb70f7fbe115b87d546b16b386ff3e000000000e8000000002000020000000d0137633879ea0f10bac91c74524b9e13b723d923869c83d605de18304575312900000000775368cf9ad20233d0066f9d8da5fe514925e25729d9f45043050cab64631cc3ed8ef5e9243d536450f8d1d0164c96a3de740cc0215f51d93439a972d0eb2e557051aa407ed4e3d09dca4a8d7227acfb60b6afb3a36d18cb00a812818ed06871218d5311a4fe3e25a991f63edf29089499bd4b926724d1486535440b8234b36a193cd602630e7efa954f4f704fb433b400000007ceb8d4dc93c199fb2fb6ae46fd8d22c363340ae44edb935ff5f9eb191da797cac3e0fa40e00312b38cfc157510520ebc2761da2c4b0955a9d9613eb21dbb459	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{598706E1-8896-11EF-AC61-4E0B11BE40FD} = "0"	IEXPLORE.EXE

Modifies registry class 40 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JE	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JE\shell	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JJE\shell	smsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage\Command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE http://dh1.web768.com/?kj?1144711"	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.JE	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell\open	smsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE http://dh1.web768.com/?kj?1144711"	smsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JE\ = "¿ì½Ý·½Ê½"	smsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JJE\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE http://dy.dy213.com"	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell\open\command	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JE\shell\open\command	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JJE\shell\open	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	smsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JE\DefaultIcon\ = "C:\\WINDOWS\\SysWow64\\tb.ico"	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JJE\DefaultIcon	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\shell	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell	smsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JE\DefaultIcon	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.JJE	smsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.SE\ = "IE"	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage	smsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\ = "¿ì½Ý·½Ê½"	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\DefaultIcon	smsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IE\DefaultIcon\ = "shdoclc.dll,0"	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JE\shell\open	smsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JE\shell\open\command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE http://tao.51chai.com"	smsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JJE\ = "¿ì½Ý·½Ê½"	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.SE	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\DefaultIcon	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JJE\shell\open\command	smsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage\ = "´ò¿ªÖ÷Ò³(&O)"	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}\shell\OpenHomePage\Command	smsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.JE\ = "JE"	smsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.JJE\ = "JJE"	smsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\JJE	smsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\JJE\DefaultIcon\ = "C:\\WINDOWS\\SysWow64\\dy.ico"	smsc.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe
1780	smsc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	smsc.exe
Token: SeDebugPrivilege	1780	smsc.exe
Token: SeDebugPrivilege	1780	smsc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1492	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1492	IEXPLORE.EXE
1492	IEXPLORE.EXE
1972	IEXPLORE.EXE
1972	IEXPLORE.EXE
1972	IEXPLORE.EXE
1972	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1780	2980	3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe	30
PID 2980 wrote to memory of 1780	2980	3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe	30
PID 2980 wrote to memory of 1780	2980	3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe	30
PID 2980 wrote to memory of 1780	2980	3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe	30
PID 2980 wrote to memory of 1780	2980	3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe	30
PID 2980 wrote to memory of 1780	2980	3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe	30
PID 2980 wrote to memory of 1780	2980	3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe	30
PID 2980 wrote to memory of 2704	2980	3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2704	2980	3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2704	2980	3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2704	2980	3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2704	2980	3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2704	2980	3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe	31
PID 2980 wrote to memory of 2704	2980	3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe	31
PID 1780 wrote to memory of 1492	1780	smsc.exe	33
PID 1780 wrote to memory of 1492	1780	smsc.exe	33
PID 1780 wrote to memory of 1492	1780	smsc.exe	33
PID 1780 wrote to memory of 1492	1780	smsc.exe	33
PID 1492 wrote to memory of 1972	1492	IEXPLORE.EXE	34
PID 1492 wrote to memory of 1972	1492	IEXPLORE.EXE	34
PID 1492 wrote to memory of 1972	1492	IEXPLORE.EXE	34
PID 1492 wrote to memory of 1972	1492	IEXPLORE.EXE	34
PID 1492 wrote to memory of 1972	1492	IEXPLORE.EXE	34
PID 1492 wrote to memory of 1972	1492	IEXPLORE.EXE	34
PID 1492 wrote to memory of 1972	1492	IEXPLORE.EXE	34

C:\Users\Admin\AppData\Local\Temp\3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a09c81782ea1795edc1b0d8989005a2_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2980
- C:\smsc.exe
  "\smsc.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Executes dropped EXE
  - Adds Run key to start application
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://dh1.web768.com/?kj?1144711
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1492 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1972
- C:\mb.exe
  "\mb.exe"
  2⤵
  - Executes dropped EXE
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87dbcc12b4ddf36478c3339e780821d6

SHA1
8c0e441e11d870c5a19ba06f2b026bd764775981

SHA256
7e8c373e0b44c3a6b2c99999fd9d7c6d075246d0f229a0c887cf45018351943b

SHA512
e67d4138cde2253375bc54f661df6c144ff971253f04bb706844584548218a218a24b363c0fd7f6c416a9871b6a02f0303f652987357ca4b73f409fe24c1dc3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
faf4ccf0b7958f6a958649e50969b882

SHA1
76112958aafb3abc10d1c2341d5f4b0142a23daf

SHA256
a37118076d0fa49625997999b647a956eee5f4320eb9aad54dfb368c0b5efb98

SHA512
b33c6682c06a14f27b7aeabc955fb2b950e185afc5bc6f7fd0cdf5af052041aa1fc44d771461b893eaf717a9512f3bd5627981f51cc1041f0d54f67769a5492b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
255dc366be5a380d0ee7303ea3652d4d

SHA1
73d526a129d8edd880e5d752eff37190819b1444

SHA256
430b08c8f1e7250c29c07726b262d039048a6771054c31493e7f620e105e82c9

SHA512
2499d74afe7e19fcd4f8e8c3f3e109ff687c103ac33215a4170241ecc928350ea58dd9f20c8eacd2c5c25b2d5d0e8b268b7eb8be3b4714844af5bf1e90368243

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5265f1d40294dfdf42d9a744e007cf59

SHA1
3ec79ba6686d37dd96ba3d2357b956a2ff9df426

SHA256
666a5effbd97b397d52ef07d235c4782406092b7e31e726d4d22337bc258e3d8

SHA512
22221a1739a7ea0c31d7508a583771273d1794935500f15bf1aeebc169dfb65ef06d7931cbc334113a7898273a2b70f51f1f98bd3f9545fd0956cd3a29844bb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
686bbcfc75b2a6396dd5aeac9f196c79

SHA1
041fd14e8e177364adaba18ad501bf78177e391f

SHA256
ccb7f882c67a0eb5686efef6451a0689cc0c2c92aac2258b1af5fe140b285e42

SHA512
9d26db485e0e39d4fde7230a2ea2434e63586dd4014aa231c82680756d86d811f7a1685e94c8f5b6089f41f7ac78498ce4a15513f99596100d787eb8d69cde1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32f3719820b6ffa0d17e927e7fbc9890

SHA1
b81afddd5bc6c181347d65b45792fd6c301573d5

SHA256
48627ce832bb5cd6b15c395d87e0babf00ce52b2d602e3eaa1da4f52383f7884

SHA512
9493e9cf39baf5eb5bc1ff7af8ca5c84cb5314bc951efc7e89f2712df4a2240d7afbb8bbd161608cce16f8ebcd653006d086c9ba4b481495e4f55418c36e0584

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
849bfd5cfa546d4e8065e0bd7ab38ffb

SHA1
24ffaa4ce2bd77691d9675058ac38cb680d47440

SHA256
2e7628f38cf79a99c8c956fd34bd91ac78c5520b3e82014c62ace015a0f22f52

SHA512
9ea555129f43564e7cb31404b502fcb5f5c36af7676799936277c4fb704e8a261f8956ddd3f09553e1ade83f71e145e4558f86f80c80d0f154c12376f552f50b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d46a5dbe3360ebc03f722cfc3826747

SHA1
191379eab53ad4339963851d4faf286c2f02bb24

SHA256
d7cc4224709620e67383b5b7aea2465eae29aa3a894eb64766c94d61ee465428

SHA512
435c3a75e6337522512021224e47543974a7abc9a546e2aaa291744a9189fa3fc4f1d2c45c053bb798aa494dafe76d96b7ec02f6bfa54cf2c6cb231d21fd62e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b50a670d32594e03ba6bc199d48ed7e

SHA1
a59cc993ae69f88e5057824b378694c2bb09ebd9

SHA256
46775cd6bfd3393f9e36e5829a122d795bb2bd3b8c05c0a3f626e076f1d8da6b

SHA512
7a0af09f2df48deeb86414d2b6019107618a8d247fc9c53cdee61babc21a02dc3d8c1fff2f2f7d8b8120bdfa444fd4db06b893a0438760a6e164a9f4504539d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a852ee12a9db893e4bb498a998b484da

SHA1
26c8e32605311b5fa52de3b60b83b78222b6ed59

SHA256
1bdb0a78e1f6751dc3d25416a2a976e884eb0bb8ece6e9e7a3ac09399febd74b

SHA512
920b2be91e6f7371610419b0727de7e3e793bd3370cc841d51cc7a5fcb68c946222d203a4e7ce9ad25d301ea3cf261eb2ad270031d4c222752c8500c35ce52fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c552bd366d90b07c94dddbb96a5d9d8

SHA1
a8c87c958ca7edc653104a0315bd8ae7d071696e

SHA256
6345331990090317734732529be2ad532c71731cd51ca43cf44dd2303e1d5795

SHA512
773d703c9cbaab1418773e04f611129aa79be240db1032939f08368bf184f7059213b65ea459c1e7c0e5e217fd58a9aeab38740f3d2ff824ed0887a9e6c69bcc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0cb5dfa4d608ba54c34c45c15d10fbe

SHA1
dd7fa68fe6cc368c8c3a77937f944fd788d9ff3a

SHA256
348bfc6227c859e660ddbe8f150d5acd811fbde4f8f4028a3578bf496b535fe2

SHA512
892b15ebcff71ab3024671f8f95a8677862cab6983342c843f5289f3f82f26427f4b8a9c5d03d5f25b93d06db5b242c9b1e46fba9e707c7d2df51365870f74bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0870c16aa4c20e0d2a612014ad5abac4

SHA1
b9a0fbe9a87f5a9e762958ec5b4dda509f30d24b

SHA256
ddf2d60331a1f91a9e02b9d704a8092a8e7b15422eedeeb4c769d81d02d041b4

SHA512
df8005eee2c49cb9efde69cd7b2743baf307e807827d388feb1be64420b329544b8b965c03f3f4219ed6022a6e5432ba8abfee950048af1f5609d908beefa241

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7310f03d4371ee4cdedb89bfda90c24c

SHA1
a1c22fbd9cdcf959e80897a47cdad06300448b2d

SHA256
37caeeee097af173c738523210b2815c0041a2b9af4675a5f5dac070d76ce336

SHA512
d8d642130cbc7cca19ce55cdf674f36895571cb42591e7253c713d9fcc2e2e8fe743afdbacf466231052f3916379a6ba23f6c3531f763f4afc16eb9aee867232

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ad4de04c22a6755d3e7915ed1966bc9

SHA1
c04ee82e64d48dfa883c3d7d8b9b89c79a3a250d

SHA256
4789127efad6d18de25b8bc86499ac2f79285b57bcc197f49c368125cdd70a91

SHA512
0a3c5d1365647de03dabede9219d13a104e8b07c5f9257f01d15fcdce747461661be732646ce776fd5283d7eeefbec04f2e91cc96bc63b1edf2db97532723346

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e0d6ed657c8a6437c0b09b63a2c2616

SHA1
cdeddcbbd1a89da50ac58ab8c03b463298e9ab1f

SHA256
974179ee97e49c8f2ae401dd52684b235eed92ca4c27343cb353e05c980de5bb

SHA512
df65bc954fc9370574fff3675752f4b5880f72abb9427c2b313fab8d5ecf89d14813d99ca9f244c7274d14b147fd6e69c6648ba96be36482d5594195b918cddf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
930c744a0ad5dc5b73ee01b2ad2bfe45

SHA1
e63eeafacd3f7f9551671e12cafa5fd5934a4eac

SHA256
adb39e3236779d4c5db3e232fbbd8e11da9148cb8f6afb8f9274e13f14fbeff7

SHA512
c41e17b8337e031fc9dcad18c5b5ffd3d40429618b4a74692e6d405e07e038f99c770442cbe40b85ae5e4910e26533b0e6e71d3ab4d8cd63ce5bff751fc10434

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c92fae48632534432a73623cf4c2ad2

SHA1
17eb04580b00b6b704c45bda9268c2e3f5493d9e

SHA256
4a02a61030f1204528ac10037c479d86b707f7d9f4222007d1dad9031509ff42

SHA512
40c7721b93188d1d7b78b8f8262323ab1c8f31bb70d41703a371251e4b0d0c223dac46c29352ef78bc53f813cf823af71baaf34e9049ffdaec64dc7aa48a0463

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
49d87a08a5bd8430cef635f0f3d82193

SHA1
66b9a9123e1fc9dd2a17da6ba9c626e46b7bc5f5

SHA256
0edf67b1f8e3340f24ce74414131969347bbb9073b7974239af2ace8e0e06e13

SHA512
fa381079a065b3264411f9e4d5a1874b8823b38cb160d6e12ccdd268ab74260b01add0cdf234a0558d060921cf46e30ce15f73a9fe6e3cefd7f5198e4d73a915

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04cb7d11cb0aa535146c316dc63038d9

SHA1
66f209b4ec2d161aa5992bc67c7a0c785a945878

SHA256
cd2eb251389ce5b4aeeef44e2297d4a739c133c6cc6a5ecae8c43179eb54af62

SHA512
9fff385edb0fed95655eb5b4e5eac880060f511aea4e28cb91a0b43e06b9163115ae8bec3907fbb7b61d403e7b18ea0ed886b7e79e08c96ec7fb73750400d53b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2915.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2967.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\mb.exe

Filesize
142KB

MD5
234accf992372edd96560f3def35b4f6

SHA1
6e1fe6979c6763ec162d76cf26309ee08f10ff07

SHA256
8066ecb578c540b25101ea807aad4e64aadf8bcb921eaa68d72983cf6eea00b9

SHA512
99a504ec904452e2b8d81fcbb92f4695b650709838538ab53f3dc12d27344172680fafa6a59a679e533b57afdd4c617fa251dc0e925152e407c02a4ea79750f5

Download Submit
C:\smsc.exe

Filesize
116KB

MD5
b3f5db220f91aaca63fc6b2164c7f419

SHA1
435453567aded72931c8878788b1fa666dbebd50

SHA256
c275f60d0de4d4bf16a82741e6c1442003fc6e3316eab247651b2fe119ef1e94

SHA512
9a41a02361daf8db051bbb187c5dee751e04623789e4b2e30ae6f6312e3013220becd527f0469a14dbee0fcfc0f93d9805d7d6834c62746e0ee72d3a40b12e41

Download Submit
memory/1780-15-0x0000000002E80000-0x0000000002E82000-memory.dmp

Filesize
8KB

Download