77bc3fe1a7c4288c677bdedaa109c49f2be19d729cbb2a0413b2e751323bd5b1

Analysis

max time kernel
134s
max time network
140s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
13-10-2024 21:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe
Size

250KB
MD5

423aaa49a1c1e85de61ddbe5c8eb4732
SHA1

b6f666d3965c784a923aac3e483d7bf31bc56a52
SHA256

77bc3fe1a7c4288c677bdedaa109c49f2be19d729cbb2a0413b2e751323bd5b1
SHA512

f1b4456c2eaa295cdae153a66f6b7096db551ae3359f7a92db9eeec31f1df00084b640e2349ed35f557de96997e7fa522c7c863e67630fee338017638ffd22ff
SSDEEP

6144:khieuJDr5T8b2ufqBLjSB/MS7irtIa6cwoD8ZroSfjGFA:leKrJJuf86AYcwoaoSbr

Score

8^/10

discovery execution persistence upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Deletes itself 1 IoCs

pid	Process
2868	cmd.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/memory/2352-35-0x0000000000400000-0x00000000004B1000-memory.dmp	autoit_exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2352-0-0x0000000000400000-0x00000000004B1000-memory.dmp	upx
behavioral1/memory/2352-35-0x0000000000400000-0x00000000004B1000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\WinRAR\winrar.jse	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe
File opened for modification	C:\Program Files\WinRAR\winrar.jse	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2868	cmd.exe
2132	PING.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b1319000000000200000000001066000000010000200000003fe5285902aeb2bb290d73fc14e9ebd9cee0dacf8d0c7c6a9eadee1a4daa728d000000000e80000000020000200000004b7ac2c50fcfcf2aaae950dff1f5b82f88464732c48461868f9e932bf72264db200000003eb8860f182778b877afca299ae8f1291332e6e9e140ba91d5ee188ff9d6f8b94000000040acb875d45cad1075065d6c73531f66d5885c712da4f7280cc9d37a225db34f2e3f5623bc8526a3eb116adfd00017fe1beab012796147bd37515398e5d9c77b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b131900000000020000000000106600000001000020000000a5dd9b7b549d4551b3ec34bef587199c9fd09d690927ff9896cf3946b63e203a000000000e80000000020000200000005e77f63858d725877ba8169241aea6483b4a487cf8f3e690750ee8031c5ec2ad90000000e0f0dbfe3a1f6bbda92e2d23e031fa28a36221e217ae1681690404478c584126a872cbbcdd97bf6cb844dab04bab26535c3a5371a08c975298edfe0815e07f01e9dad24e4d49cd8d54c9968575dacd15bd6f6b8a8dcbbe1c69bc593fb7b54d380d1ac92d3c9e02b9e217b127a1f2242f94d9b74bfb82cf4c6aca25d6d22327b00c3ebe3f2b1fffd011663c8a817102e240000000c4bbc4b8e00ab38946dbbedf4ee4b384160ef7b2fdc869fc4a66e8e5af63ce37df9e99b5baee3fd03c84e2824af8f347c2484d19f1eecf17accd35f770f7755b	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30c01a00b91ddb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2920EA91-89AC-11EF-A5FC-C670A0C1054F} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435017669"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe

Modifies registry class 26 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mmc	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\IsShortcut	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\DefaultIcon	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\CLSID	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\command\ = "WScript.exe \"C:\\Program Files (x86)\\Winrar\\winrar.jse\" \"%1\""	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\IconHandler	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\ContextMenuHandlers	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\NeverShowExt	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\ = "open"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open	WScript.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mmc\ = "mmcfile"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\ = "¿ì½Ý·½Ê½"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\DefaultIcon\ = "%SystemRoot%\\SysWow64\\url.dll,0"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex\ContextMenuHandlers\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shell\open\command	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mmcfile\shellex	WScript.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2132	PING.EXE

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2700	explorer.exe
Token: SeShutdownPrivilege	2700	explorer.exe
Token: SeShutdownPrivilege	2700	explorer.exe
Token: SeShutdownPrivilege	2700	explorer.exe
Token: SeShutdownPrivilege	2700	explorer.exe
Token: SeShutdownPrivilege	2700	explorer.exe
Token: SeShutdownPrivilege	2700	explorer.exe
Token: SeShutdownPrivilege	2700	explorer.exe
Token: SeShutdownPrivilege	2700	explorer.exe
Token: SeShutdownPrivilege	2700	explorer.exe
Token: SeShutdownPrivilege	2700	explorer.exe
Token: SeShutdownPrivilege	2700	explorer.exe
Token: SeShutdownPrivilege	2700	explorer.exe
Token: SeShutdownPrivilege	2700	explorer.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe
2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe
2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe
2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe
2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe
2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe
2640	iexplore.exe
2640	iexplore.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2640	iexplore.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe

Suspicious use of SendNotifyMessage 23 IoCs

pid	Process
2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe
2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe
2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe
2700	explorer.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2640	iexplore.exe
2640	iexplore.exe
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE
2704	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 1976	2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe	31
PID 2352 wrote to memory of 1976	2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe	31
PID 2352 wrote to memory of 1976	2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe	31
PID 2352 wrote to memory of 1976	2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe	31
PID 1976 wrote to memory of 2640	1976	WScript.exe	34
PID 1976 wrote to memory of 2640	1976	WScript.exe	34
PID 1976 wrote to memory of 2640	1976	WScript.exe	34
PID 1976 wrote to memory of 2640	1976	WScript.exe	34
PID 2352 wrote to memory of 2868	2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe	35
PID 2352 wrote to memory of 2868	2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe	35
PID 2352 wrote to memory of 2868	2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe	35
PID 2352 wrote to memory of 2868	2352	423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe	35
PID 2640 wrote to memory of 2704	2640	iexplore.exe	37
PID 2640 wrote to memory of 2704	2640	iexplore.exe	37
PID 2640 wrote to memory of 2704	2640	iexplore.exe	37
PID 2640 wrote to memory of 2704	2640	iexplore.exe	37
PID 2868 wrote to memory of 2132	2868	cmd.exe	38
PID 2868 wrote to memory of 2132	2868	cmd.exe	38
PID 2868 wrote to memory of 2132	2868	cmd.exe	38
PID 2868 wrote to memory of 2132	2868	cmd.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Program Files\WinRAR\winrar.jse"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://www.go2000.com/?g8
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2704
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 4 127.1>nul &del /q "C:\Users\Admin\AppData\Local\Temp\423aaa49a1c1e85de61ddbe5c8eb4732_JaffaCakes118.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 4 127.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2132

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\winrar.jse

Filesize
11KB

MD5
9208c38b58c7c7114f3149591580b980

SHA1
8154bdee622a386894636b7db046744724c3fc2b

SHA256
cb1b908e509020904b05dc6e4ec17d877d394eb60f6ec0d993ceba5839913a0c

SHA512
a421c6afa6d25185ec52a8218bddf84537407fd2f6cabe38c1be814d97920cfff693a48b4f48eb30c98437cbbb8ad30ccd28c3b4b7c24379ef36ac361ddfdbf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9690a2beba42c6b33808e4e89cff07fe

SHA1
086b21e59507a3645d6a224f054bf2dcfedfc4bf

SHA256
76307b313a2298332ce815995ab3363a9ba1a15660caedfa4d0de097531cc127

SHA512
435e624009e921a9797f11daf6a02f18915ff8c01e6ade0665accda36a03c820f75673b25f9bc2a08f89330787b569de7376c62bae4a4dcc21377bc84dce0b94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
334d59435e45efff3fa1f1ea608880dd

SHA1
11f654fb3c33c00c08a33bb4604427be6c2b0204

SHA256
066b320e4c5eea990afea1688f135682935e673dacf90d7b4d8b63c1f1bb1170

SHA512
80614cfb664310abf3ae68fda6f5ae3835d24de2a0134240408ce1a4d3556da42de83502409de02ad419f5ec33a3137eaf075d627fb768994ed9f3f73681ece9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7bf18e07a96398ae15a4ca0de133ba9

SHA1
cb6ef7abbdc30c0dedb69965d6609e6451dc5a18

SHA256
5573638b4bf3f31068a526704e84c009f02bd5712443b250003a13b1c8d46ef6

SHA512
38e09a16dba49d2d6f5d8729c9f7663d4b194904ff3d7341c2e403326fe10ac9181a922ee563c8bdbe296be4a94d0e099c118ad5112191284dc53d57dae68f9d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfb204bf5447b3f01e9e961a372161db

SHA1
4046c261886aa22d0de49e9a11663e92d641a387

SHA256
c8ab9a4d7072573e6c01adb8eaa2f8c4fe97dd2fcc977b8d7a40de0eb11c2a26

SHA512
d431217d2b972e7ac31e6f3b68f38e0f3ee0802fa3e63ca9ff9bdf0c9f543bf68bb33ffa2ab0be2c13fb235ae1be20ebbb3c097d2c888fc3a12c00f972624ebe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4838cd8838be05ccf6f2ef7fba19927

SHA1
3e7a01237289d62a83b94d5e1d53c4f2d3c29fb3

SHA256
0bd4cf68af018c10169deb002eda4fb75b7ff8d2d95d91cd6d59efd4675f02a9

SHA512
795827eb127edbe3e1e26f6d94b9080155de2f78f3463b7ebc6372e1ca82ff2635c795ea4378703a86dc2b65a9a094d27591437dceb651927b7373de503be487

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82d0688b95adaf6f66631136793aca0c

SHA1
aee2c7feebd66ee49d24cf98a3ed97def6201277

SHA256
6fb77c98b16aac75b456758c3944d28eb5c55cebf7931b17987a906702e54318

SHA512
508f5cd2c4be6ca05d9a9ef601e457e7ac21c62407dd32c4cafdd450fed7a59b8472ec2bc223dd7b71592e40baf419273b55023b7d4612f302fec5d04c1e8309

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4497d04a90cadc07c19197b7cb5b1a55

SHA1
ee3c59631af9a1e27863e2a7394c66e0f83607b3

SHA256
ac996838eb02881a349a7cbbd210432aa976896951779d15d5a2130774d2a78b

SHA512
d1b0c443586baf54c266d1d2cd7be7393906e0feb48d3acff0b03b3585d20907863de166243e4b9eedea1e00bcaebdf3359923023122562324c8b91478ad6112

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09f65fdaa4a4798dd18ae4f1a5e2d83e

SHA1
62e5ee335bc3258c4a60b8cbd83cc72d0b31b9a9

SHA256
8efc2e6efeb01a34f7c8f23bde56eb50b09a0da854ad8ea8f7937b40d2d6e455

SHA512
d64327bf10d9dd5f7f26a40eb940dc56849c63cf777756bd3d78248d2e6933a62082d833aed353721245959471aa71f1d541bc323fc06e29de4bbfcd90f753f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd21cce318322bf34fd6bbc91b5b6d43

SHA1
a085a3efeede219416ca1f7f829025cc61fc61ee

SHA256
f9fe7af0c6fb50aa3cc1fd5d344e03f6d3680c5f57528565ac413a22c58018d5

SHA512
c19c4a34209867db6b4b54c376ed5f6f701e53a88af04db36804822dbf1e176990dfb50b0d5f99ba8b2cde55278892a9afa3ce6c612c2122109e2c0c871290b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8019aa58cc064a168e640990ac9b1d61

SHA1
94196ded834de71c103ae3a0c6ab90acc4a91e60

SHA256
84a2065360051b78af837087a2d3fa9b186e3eb3e35ccff2ae135047f86c7344

SHA512
609984956483989802e3c6f9967239f3fd2a2929e18a984662864fca1a479f39536333ec5ef1e50a3255e616112f5bfb87fcaeaeecc94f38b9af6384970da90c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c22ca7ff26cf664362362a7316821dd9

SHA1
8495ccfa4b10812407a3e2948f0993b0df8e158b

SHA256
a35d782360e8312d3ab7283dd257c284a125418b737acc8c80f8175b1c962455

SHA512
732351568c7fad62b322e48f8c16f28fc76d0e5885519b4c1782e2a0562f00f0d6a903dafc7e765f8132272fede48aa136a22fae72d959d65e624bbc5edbcb19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d9ccc8e91d9014c5dce70067a15bf55

SHA1
f450298163761cac697b6764ae93125c4912f16a

SHA256
cd49057afa04a52453f4e0fc99c0fcde86e31736487ac923bca0d6810c482730

SHA512
e0d1b415dd389aaf0626204a3644f148d9ec41aac62de26a99a5a027317fb67065bb0f7aa8df6636ce922af8e835a543714deaeca9b2c4d691bcba8c69be13a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04b84ad5bf371cc47d66ecc0b97a8dad

SHA1
6476e1169c9ada6bb8b1ab6b23f82819b1ce090c

SHA256
5e853b2dcd42a915cf1899757c6ec7b97c23bca9022e32d65675c33d2998c169

SHA512
21b6a9f55517531c481b8a293bbbb99e732c9dabf76ffc15b4968d1f9f611029e80a5c50c64a910ed3b61aa20dd60dd5443306a7900572441321036edcd20ca5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db244afd5298444f7092388fec6ac05b

SHA1
ac43e0c207a397dba35df1c0f1177fb99b03667e

SHA256
07a80eff26bdc9fb6ed9c9655250bbebb25272ca6b9c1ed21f00c7a908f5908d

SHA512
8265e0344e87f02783fb0974c999a61d3962683626c5c1e1a1eb5baab97999d294cba57ab82b0b9969c6f3134d5c05025c4133053bcb979a3a78bdca01dd1688

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9fab59534b88b017957bcd8b36d1f8ef

SHA1
c6c5a489d2e2e61e3eb2f1f80b10577bbdd10994

SHA256
01795adc62379193625961c75fcb6c53ac1b2d6d831e2fa88b392973fd579d55

SHA512
3749da2ae84950717eb017ac14b50881a8c1ff469b871a1ac8e0384003c392c1f07ad59d41ce019f783a7fe427af0ac0cb3f9b2f28133038f434833dac97ffb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a2aa2e499213b335da08e93e3d31c70

SHA1
cde36ca9eae34efe34cbf9cbee72dfa93391c988

SHA256
20e0599e83811176fb7f814809d679a10e87bafb900b1f18a9611f62bc3129fb

SHA512
54f7f33e0fbe5125bc66d7467ad826f6fd0bb2c45877cea681b52d683a47c322c67d71498fefa180ed963900ba7d5a6be9371340d90ed9ff92305dd1214433c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d2cf0e5f84cb2411d493310ad956e5c

SHA1
415d183708771c2d1fbca488f80488173a9d50ad

SHA256
af72703f04f29369a91e5a0aa59c06c089d07080b12471d6c995873b748604dd

SHA512
c48a2576355b979e21ee64b4e132c7eea8c2438317f56c70dada174fd2743530afa6bc99a5d26c689836e2d3893b51725fa1a2fd624db74c57145f556dea8133

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6065ffee1aa537ea1c51632162d7d9d4

SHA1
3ab9420bbb1114c8c268506120d8925da1ba8151

SHA256
b4c97a730dd60518d6d7902a2efe34d43ded15c8aa5b00e1ccf9904c4715d3db

SHA512
1b4f424c7aaf96723656ee1cc761619e285189aceae5b33f7246f1c3e9f0693f4726336b7d855c71001c973e51c08e33dba5593d80ed611932653eb092322484

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b784d27b896721b8844346d90a33ca74

SHA1
030cd20882a5009b145a2d95f69ec64f48fe8736

SHA256
a471e2caebf145dcc6ae67487ab7848d418e77b6c72cb56781cbf4740e2ed01b

SHA512
e37491ea7071673a5a05e072441c392acd7d3cd369c5a3431cd54ce2faf06e1346b12d7fdf498016881ac71eed15aa823bba873bc902cf5afbd6048da075bb8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed24b0b8d65b8c1ec6d75ce3407fdde9

SHA1
e1440c5011910fb6d97ae2c34715f16313f086c4

SHA256
de5fc59e7ecc6286eeb485f2fc20261be5706a5a504f2d665f96f59cc68ce0d6

SHA512
53578758f80bca184b5f0c48b580864dcbb8b210dce2516188bdaab0d922119625e3f1253279e87a92dc4f082a1fae8e6e1df5fd0e9108a83f0d58a461013c43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c22e4324b89abe18e088cc3a0286c114

SHA1
c05b304b34c62410ff7560e0232411dbbb3306ff

SHA256
c8df1e85a70f0951e39d59b400571b48b41ea877194a2eb943c89d38ffd8e311

SHA512
e6e0855d5f745ac96d2ff5c394c3e6cc855096f3b15e8774e7fc47e34078ba5306d08b566f2bde4196937edeed3e2644be4791f9b1b336b0d3bdf46dec9ed2f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
adab0c0d687f1336c6f8a93fea5069dc

SHA1
6cc87d71c602324fcb569b204a086ffe455ea2f9

SHA256
12bf4e3ead69d2c41ce319407a1a0e3a119e496c2b126b3f2a51862759191a2b

SHA512
b1900e8bb89fae314ea4ba746bcd8aecd0014847256afa513ba9bb53f0a4b25d04daf89f32943a4bd7c7a15a191be6bfa663548413344d33f78d62880f4c359d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a68ed02da609b9208248b57ae8764c9

SHA1
3161ce3f0b28201e03b37376a5f51695fc39495c

SHA256
430d55ecc08348ce1e08ae8118bd7ac8cba5c579fae7008c94c99701b2b86e4b

SHA512
f2e1a0a0d3dd3707c7e6478bf315c33c9dd03b914fb05a95b70406ec2aaa42f2f6357213025b1e2a960dfe361fb2f4487d9df76925ff4b679fae7c169d20e789

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
801da5d3af9102b0ba5369d927e7222e

SHA1
e51f59f623057e68508f6dd5507c4dc142ba13c9

SHA256
0f17e35bddca274476da19b3b5b3ed8b6eaff2496e01c92397980a4b7ff09a4a

SHA512
fde0ebfb988bf98296fbfe9b2db8d6f43cfa5bdb6d1594f8e72d4ebf03387529bcb0ac7a5af80c91a960bb3a8d6ba7834e6d0df97436e502ce01ac8547496ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab121C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar12DA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.mmc

Filesize
255B

MD5
a0c4d2f989198272c1e2593e65c9c6cb

SHA1
0fa5cf2c05483bb89b611e0de9db674e9d53389c

SHA256
f3170aeec265cc49ff0f5dcb7ed7897371b0f7d1321f823f53b9b0e3a30e1d23

SHA512
209798b5b153283bea29974c1433fe8b6c14f2a54e57237d021ecc1013b8dc6931dedcc2fe173d121c719901045fdf2215177ba164c05d703f2e88a196252ec4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Shows Desktop.mmc

Filesize
149B

MD5
b0ad7e59754e8d953129437b08846b5f

SHA1
9ed0ae9bc497b3aa65aed2130d068c4c1c70d87a

SHA256
cf80455e97e3fede569ea275fa701c0f185eeba64f695286647afe56d29e2c37

SHA512
53e6ce64ad4e9f5696de92a32f65d06dbd459fd12256481706d7e6d677a14c15238e5351f97d2eb7bfb129a0d39f2603c4d14305a86821ed56e9face0bc252b6

Download Submit
memory/2352-0-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2352-35-0x0000000000400000-0x00000000004B1000-memory.dmp

Filesize
708KB

Download
memory/2700-1265-0x00000000026C0000-0x00000000026D0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads