1a14bfd8d8d6a97883dd217f0c0733f4789a39d06014baff0ca9f647e805d248

Analysis

max time kernel
142s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
13/10/2024, 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
Size

77KB
MD5

3f11133f9df37ba69963fddc92f3e75f
SHA1

6350ff86d201bd90a1a55125c496c59b32f65690
SHA256

1a14bfd8d8d6a97883dd217f0c0733f4789a39d06014baff0ca9f647e805d248
SHA512

d2c244f9137ac9fd8fd6be2d52821f318ae4e9dce1f2b4bb9890cd241292f76ef4e052e9a5ca1acb4f6e0a1bb1a67964dae3bd0e2d0f008e430aebae4b4968e5
SSDEEP

1536:2mQ0u4oaXubNkgzpW4iWKsuyn2biLNn30lTmYSO/dOrE1/dTTo:2mQrSuy46sN2bcNnYTmYSKNFdTTo

Score

7^/10

adware discovery persistence stealer

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1656	WScript.exe

Executes dropped EXE 2 IoCs

pid	Process
2628	smss.exe
1072	smss.exe

Loads dropped DLL 11 IoCs

pid	Process
2800	regsvr32.exe
1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
2628	smss.exe
2628	smss.exe
2628	smss.exe
1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
1072	smss.exe
1072	smss.exe
1072	smss.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\micrososo = "c:\\windows\\t\\smss.exe "	reg.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8130BF1A-D220-4853-86C7-675EF81C7C70}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{8130BF1A-D220-4853-86C7-675EF81C7C70}\ = "??????"	regedit.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\QZF\QSLMJNKZUQ.dll	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
File opened for modification	C:\Windows\Survival_0.txt	smss.exe
File created	C:\Windows\userid.txt	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
File opened for modification	C:\Windows\tao.ico	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
File opened for modification	C:\Windows\t.ico	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
File opened for modification	C:\Windows\YRB\ORN.vbe	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
File created	C:\Windows\reg.reg	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
File opened for modification	C:\Windows\T\smss.exe	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
File created	C:\Windows\Survival_0.txt	smss.exe
File created	C:\Windows\del.bho.vbe	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main	smss.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0\FLAGS	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0\0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0\0\win32\ = "C:\\Windows\\QZF\\QSLMJNKZUQ.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ = "_Qvod"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\ = "QvodAdBlocker.Qvod"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\TypeLib\ = "{3AF4D978-15D5-4659-B06E-CFE47FDEF620}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.Qvod	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.Qvod\Clsid\ = "{8130BF1A-D220-4853-86C7-675EF81C7C70}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0\HELPDIR\ = "C:\\Windows\\QZF"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\InprocServer32\ = "C:\\Windows\\QZF\\QSLMJNKZUQ.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\VERSION	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.Qvod\ = "QvodAdBlocker.Qvod"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QvodAdBlocker.Qvod\Clsid	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0\0\win32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\VERSION\ = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ProxyStubClsid	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0\ = "QvodAdBlocker"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3AF4D978-15D5-4659-B06E-CFE47FDEF620}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ = "_Qvod"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\ProgID\ = "QvodAdBlocker.Qvod"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\TypeLib\ = "{3AF4D978-15D5-4659-B06E-CFE47FDEF620}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\TypeLib\ = "{3AF4D978-15D5-4659-B06E-CFE47FDEF620}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ = "Qvod"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{10DE75DF-9438-40C1-A11C-17414B09A225}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8130BF1A-D220-4853-86C7-675EF81C7C70}\Implemented Categories	regsvr32.exe

Runs .reg file with regedit 1 IoCs

pid	Process
2612	regedit.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
2628	smss.exe
2628	smss.exe
2628	smss.exe
1072	smss.exe
1072	smss.exe
1072	smss.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 2840	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	33
PID 1488 wrote to memory of 2840	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	33
PID 1488 wrote to memory of 2840	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	33
PID 1488 wrote to memory of 2840	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	33
PID 1488 wrote to memory of 2840	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	33
PID 1488 wrote to memory of 2840	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	33
PID 1488 wrote to memory of 2840	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	33
PID 1488 wrote to memory of 2800	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	34
PID 1488 wrote to memory of 2800	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	34
PID 1488 wrote to memory of 2800	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	34
PID 1488 wrote to memory of 2800	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	34
PID 1488 wrote to memory of 2800	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	34
PID 1488 wrote to memory of 2800	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	34
PID 1488 wrote to memory of 2800	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	34
PID 1488 wrote to memory of 2832	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	35
PID 1488 wrote to memory of 2832	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	35
PID 1488 wrote to memory of 2832	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	35
PID 1488 wrote to memory of 2832	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	35
PID 1488 wrote to memory of 2832	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	35
PID 1488 wrote to memory of 2832	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	35
PID 1488 wrote to memory of 2832	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	35
PID 1488 wrote to memory of 2628	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	37
PID 1488 wrote to memory of 2628	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	37
PID 1488 wrote to memory of 2628	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	37
PID 1488 wrote to memory of 2628	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	37
PID 1488 wrote to memory of 2628	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	37
PID 1488 wrote to memory of 2628	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	37
PID 1488 wrote to memory of 2628	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	37
PID 1488 wrote to memory of 1072	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	38
PID 1488 wrote to memory of 1072	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	38
PID 1488 wrote to memory of 1072	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	38
PID 1488 wrote to memory of 1072	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	38
PID 1488 wrote to memory of 1072	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	38
PID 1488 wrote to memory of 1072	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	38
PID 1488 wrote to memory of 1072	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	38
PID 2832 wrote to memory of 2612	2832	cmd.exe	39
PID 2832 wrote to memory of 2612	2832	cmd.exe	39
PID 2832 wrote to memory of 2612	2832	cmd.exe	39
PID 2832 wrote to memory of 2612	2832	cmd.exe	39
PID 2832 wrote to memory of 2612	2832	cmd.exe	39
PID 2832 wrote to memory of 2612	2832	cmd.exe	39
PID 2832 wrote to memory of 2612	2832	cmd.exe	39
PID 1072 wrote to memory of 676	1072	smss.exe	40
PID 1072 wrote to memory of 676	1072	smss.exe	40
PID 1072 wrote to memory of 676	1072	smss.exe	40
PID 1072 wrote to memory of 676	1072	smss.exe	40
PID 1072 wrote to memory of 676	1072	smss.exe	40
PID 1072 wrote to memory of 676	1072	smss.exe	40
PID 1072 wrote to memory of 676	1072	smss.exe	40
PID 1488 wrote to memory of 1656	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	45
PID 1488 wrote to memory of 1656	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	45
PID 1488 wrote to memory of 1656	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	45
PID 1488 wrote to memory of 1656	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	45
PID 1488 wrote to memory of 1656	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	45
PID 1488 wrote to memory of 1656	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	45
PID 1488 wrote to memory of 1656	1488	3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe	45

C:\Users\Admin\AppData\Local\Temp\3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f11133f9df37ba69963fddc92f3e75f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\YRB\ORN.vbe" 0
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /s "C:\Windows\QZF\QSLMJNKZUQ.dll"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2800
- C:\Windows\SysWOW64\cmd.exe
  cmd /c regedit.exe /s C:\Windows\reg.reg
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s C:\Windows\reg.reg
    3⤵
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2612
- C:\Windows\T\smss.exe
  C:\Windows\T\smss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2628
- C:\Windows\T\smss.exe
  C:\Windows\T\smss.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\reg.exe
    reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /v "micrososo" /d "c:\windows\t\smss.exe " /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:676
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Windows\del.bho.vbe" 0
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\run.jse

Filesize
201B

MD5
d069f9cca8a0ee1c0384b22d22bdf68d

SHA1
06e07b6063471ff27760b6c32cc90324d3c14133

SHA256
b1be9ef641f134bb5db1e7c94567f5bf0096b6e0408aab3f333c814ad9909f0c

SHA512
29038a13e8842bf77259e5de9069dec8f88cc5f958bba25a33655230d17c76f7affd3a366ed86d673fc842f1766809142bb2fda05954af5da15642e54fd984a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0E1IWGZ4\ErrorPageTemplate[1]

Filesize
2KB

MD5
f4fe1cb77e758e1ba56b8a8ec20417c5

SHA1
f4eda06901edb98633a686b11d02f4925f827bf0

SHA256
8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f

SHA512
62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0E1IWGZ4\dnserrordiagoff[1]

Filesize
1KB

MD5
47f581b112d58eda23ea8b2e08cf0ff0

SHA1
6ec1df5eaec1439573aef0fb96dabfc953305e5b

SHA256
b1c947d00db5fce43314c56c663dbeae0ffa13407c9c16225c17ccefc3afa928

SHA512
187383eef3d646091e9f68eff680a11c7947b3d9b54a78cc6de4a04629d7037e9c97673ac054a6f1cf591235c110ca181a6b69ecba0e5032168f56f4486fff92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0E1IWGZ4\info_48[1]

Filesize
4KB

MD5
5565250fcc163aa3a79f0b746416ce69

SHA1
b97cc66471fcdee07d0ee36c7fb03f342c231f8f

SHA256
51129c6c98a82ea491f89857c31146ecec14c4af184517450a7a20c699c84859

SHA512
e60ea153b0fece4d311769391d3b763b14b9a140105a36a13dad23c2906735eaab9092236deb8c68ef078e8864d6e288bef7ef1731c1e9f1ad9b0170b95ac134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6XUZ2JLF\httpErrorPagesScripts[1]

Filesize
8KB

MD5
3f57b781cb3ef114dd0b665151571b7b

SHA1
ce6a63f996df3a1cccb81720e21204b825e0238c

SHA256
46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad

SHA512
8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WHDSWW5V\background_gradient[1]

Filesize
453B

MD5
20f0110ed5e4e0d5384a496e4880139b

SHA1
51f5fc61d8bf19100df0f8aadaa57fcd9c086255

SHA256
1471693be91e53c2640fe7baeecbc624530b088444222d93f2815dfce1865d5b

SHA512
5f52c117e346111d99d3b642926139178a80b9ec03147c00e27f07aab47fe38e9319fe983444f3e0e36def1e86dd7c56c25e44b14efdc3f13b45ededa064db5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WHDSWW5V\errorPageStrings[1]

Filesize
2KB

MD5
e3e4a98353f119b80b323302f26b78fa

SHA1
20ee35a370cdd3a8a7d04b506410300fd0a6a864

SHA256
9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66

SHA512
d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YW15VCHK\bullet[1]

Filesize
447B

MD5
26f971d87ca00e23bd2d064524aef838

SHA1
7440beff2f4f8fabc9315608a13bf26cabad27d9

SHA256
1d8e5fd3c1fd384c0a7507e7283c7fe8f65015e521b84569132a7eabedc9d41d

SHA512
c62eb51be301bb96c80539d66a73cd17ca2021d5d816233853a37db72e04050271e581cc99652f3d8469b390003ca6c62dad2a9d57164c620b7777ae99aa1b15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YW15VCHK\navcancl[1]

Filesize
2KB

MD5
4bcfe9f8db04948cddb5e31fe6a7f984

SHA1
42464c70fc16f3f361c2419751acd57d51613cdf

SHA256
bee0439fcf31de76d6e2d7fd377a24a34ac8763d5bf4114da5e1663009e24228

SHA512
bb0ef3d32310644285f4062ad5f27f30649c04c5a442361a5dbe3672bd8cb585160187070872a31d9f30b70397d81449623510365a371e73bda580e00eef0e4e

Download Submit
C:\Windows\QZF\QSLMJNKZUQ.dll

Filesize
3.3MB

MD5
54733e325dfea3478fba401ce26f3dc2

SHA1
f8fedd286e34088e2bf5e4060a2996080fee6ad4

SHA256
3fa1108676abf97eedc0ebca3a7acef080f6b2d54756e58f6cffe8db29642b84

SHA512
be3fa244742e53253c0eb94cfc2ee14fe2f5a6866a43e10dbe5ed80ca31c0bb9e89c1afccb7dda4e98a9110575032434406412659ea935a1c50693b31b46e40c

Download Submit
C:\Windows\Survival_0.txt

Filesize
3B

MD5
a5ea0ad9260b1550a14cc58d2c39b03d

SHA1
f0aedf295071ed34ab8c6a7692223d22b6a19841

SHA256
f1b2f662800122bed0ff255693df89c4487fbdcf453d3524a42d4ec20c3d9c04

SHA512
7c735c613ece191801114785c1ee26a0485cbf1e8ee2c3b85ba1ad290ef75eec9fede5e1a5dc26d504701f3542e6b6457818f4c1d62448d0db40d5f35c357d74

Download Submit
C:\Windows\YRB\ORN.vbe

Filesize
1.4MB

MD5
6b207acfadf906a07df549e214dd367f

SHA1
ff593c0d63ac8295860d08125feb7ab6690c0887

SHA256
63c39b44c2edf0d767a2397150cca462a77d5f812dc7c328698be7802f60a064

SHA512
df69771c40edc85de84481fda44eefdb86a572296b4b2697b4600731bd879e8c370bb1521de3155f5fac175f8389b5cfa128b3ea0866024fb8027e7807198b6c

Download Submit
C:\Windows\del.bho.vbe

Filesize
426B

MD5
600b935e9b2268e1866da1b8ec800316

SHA1
0fdc65e7e4d6cb9802c3c91dc0e10f220fb77622

SHA256
d2a43948bd79b7ac2a2cae4b9a45b0e4debbe293248f73f79292bae453e3b786

SHA512
6cd432658d9fdbeb284a1382e5865492d517f4d4450efb4d8401a9f9ba56bb52d887bc7086d9fa702c62aee259369e5f4c55feb41e4a92050040bd53bc07d674

Download Submit
C:\Windows\reg.reg

Filesize
185B

MD5
8c60338daede12257ecea2129aceea7a

SHA1
cb7921ca7fc11a04c3f1230a4676769656a1af44

SHA256
03c1eccc1d53b3bf3fd5b36f8f05ed242b2c023423708aee1b819e2764bd78f2

SHA512
a948da636a6a26e0aa0e711a0c66b1aaf53f9c7b3a73e34a1a7ca93884742637f4a155d6dba28a19c6c64685a20555147308fc46fd4a66996a5eed8e2bd5238c

Download Submit
C:\Windows\userid.txt

Filesize
5B

MD5
3719bc4d13977453b5d8c9d8f1e7462a

SHA1
c24505bcdb2b09980198730cd4791acad1796dcc

SHA256
197a4e2a0db3b79c8240827c9ea2ed1476c8a5ad7e22c02c832ba3a0a8bff9a1

SHA512
9bebfe9c377389f34afd15c2f4e2b027edfec3ec4883f0df09c8a0e4d22dbb9692eb8b4264c89165bc336c458e5488a7cd743bd5f99ae5d4b71a8b3c2805f1a5

Download Submit
\Windows\T\smss.exe

Filesize
68KB

MD5
b360a5d6ebafeca7b928e870d60d313e

SHA1
13d54b73843603fd86cabde7f8bd45b5dde9e1c9

SHA256
be12ba429afb3f0aad0d03f2bfca19842c07deb5a622f9651b9e36b774f76635

SHA512
e78b8fdb525c78e985dd2099b65c89b21d5f75c1f1a7ffddfbdab2b57cdc22c4a96e36b6703318f894664e905446e5d4cd44656dc91e7198b2d44f87d4eb7683

Download Submit
memory/1488-92-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1488-44-0x0000000005A00000-0x0000000006A62000-memory.dmp

Filesize
16.4MB

Download
memory/1488-0-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1488-130-0x0000000000400000-0x0000000000590000-memory.dmp

Filesize
1.6MB

Download
memory/1488-1-0x0000000000B60000-0x0000000000CF0000-memory.dmp

Filesize
1.6MB

Download
memory/2628-81-0x0000000005AC0000-0x0000000006B22000-memory.dmp

Filesize
16.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads