f52a3e4862a665e8772929057c0150644d6c2f42756744af4e6061db67b5a3a9

Analysis

max time kernel
150s
max time network
134s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17/10/2024, 22:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Size

188KB
MD5

53f9754c93aded28ee9c5e38db3532ed
SHA1

039c79e9c5629f37991810494e86a60d36e1d5ed
SHA256

f52a3e4862a665e8772929057c0150644d6c2f42756744af4e6061db67b5a3a9
SHA512

1bf393e498ac078c2b86ba586e3a2f04ed0724f28cff747d4ed022f379da2eedd604889b0965bd3eee1c0a387dfac3df424eedf89e774977354169de7329c680
SSDEEP

3072:Z/FDc0Cbdss/q+RxKd9u1Wb/4/8uL6suQ14Zvop4lhdPupdoK0QCcLq2XrDmQb:fc4+RId9ui/4UuOjQuomhupdoK0QCcLd

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2640	WScript.Exe

Executes dropped EXE 1 IoCs

pid	Process
2504	Program Files0035CF.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Program Files0035CF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.Exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{51785251-8CD4-11EF-AB3B-C60424AAF5E1} = "0"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f0000000002000000000010660000000100002000000023f59f40b7ac3c382719b2e3a1e4b11305fb9231ce493aaf6adbe160ff03fd6a000000000e8000000002000020000000c28b5b0c58aa82b836a37d165dfc1c90d86e7bbee9ab3582ce10d5a80d471c0190000000e4bb68bd65acec44f78735b41a82d3584d8e2a28bbd99e6619b890c7fd7be99d627be5b52f887499157226e8c4a3060eea4c0d461bbc82741e53d3922a68e5b70172e67762d78821631caa28376e3a2e03c02439bf68a8536c3a3454a7dacc8bf84d2f37540ec5d8376147ebc9a9d111bffd0296f785da5b87fc4ca63031c9c1d4f5534adc9d89d1863d6751ae608014400000006e193b30acc899aa07cedfda11d0f45519f88a910dd54e094d12f235e0289f6c3c12c58ca9fbf79afe6a5248401b3ca7ceed7f897507137a7f6657ea8ff1b37c	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435364767"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b8d48fc8adfa6b4a805f1a4a681aaa6f000000000200000000001066000000010000200000000c5a1200be7c204c624070a96c1c96c924bef96ad2fd9c91db2021c64665214d000000000e8000000002000020000000057a4482d40fe2884832a73d99798ebce3170f398cf3cb8f625bca264a4e58a5200000009fffef06f7fd717de3b39463051278540eef327699699cdb19ca4f5af065484640000000dbee61aa6a2aa790757d2d3ba18cff7436cee9a3c45eb1075e94bb8c514700989585fe2b1204c9fd280728768d2ab8ecaaf0fa47bbc25b56ec8ee2c710a125d0	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d95c2ae120db01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1193"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1193"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1193"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1193"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.t17t.com/?1193"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1193"	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1580	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2384	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
2504	Program Files0035CF.exe
1580	IEXPLORE.exe
1580	IEXPLORE.exe
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE
2796	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2504	2384	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2504	2384	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2504	2384	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2504	2384	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe	30
PID 2504 wrote to memory of 1580	2504	Program Files0035CF.exe	32
PID 2504 wrote to memory of 1580	2504	Program Files0035CF.exe	32
PID 2504 wrote to memory of 1580	2504	Program Files0035CF.exe	32
PID 2504 wrote to memory of 1580	2504	Program Files0035CF.exe	32
PID 1580 wrote to memory of 2796	1580	IEXPLORE.exe	33
PID 1580 wrote to memory of 2796	1580	IEXPLORE.exe	33
PID 1580 wrote to memory of 2796	1580	IEXPLORE.exe	33
PID 1580 wrote to memory of 2796	1580	IEXPLORE.exe	33
PID 2384 wrote to memory of 2640	2384	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2640	2384	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2640	2384	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe	35
PID 2384 wrote to memory of 2640	2384	53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53f9754c93aded28ee9c5e38db3532ed_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2384
- \??\c:\Program Files0035CF.exe
  "c:\Program Files0035CF.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1580
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1580 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2796
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files0035CF.exe

Filesize
36KB

MD5
47e25f2b31c5c41ed62fa8efd26362b2

SHA1
f82e9115e4799c395aed86b19a2dd0c53959380a

SHA256
dc6bcaf3113a7306012ce4b4d0d94c698352247670003f9d84af36a6c4675d91

SHA512
304c6062ea52c2e3f1fa8f336b7c607adde77d9f61cb871dd6a24ccbbf1c9b98774f83a056d22e3c2673edc24152188170d551b6180936c2259c4c7faf87da9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f04b6dd32e3430f28733db01c78a2ec2

SHA1
fcbc8c5b86f3b944f1fcd40cf88a9fea1eab8a1c

SHA256
977f93bfa795dedf7fd99f2bdf01b85397bb41fc7e77160c8ac0886406cb0b92

SHA512
ed4c9dfd36b6ea1b492eced040336c4f3a9d667ca6596a736f89c3f26a4642fd9eca67cc0948fd7984e5b312ca3c94f3ab746cca3450bdcaf7247360c3e338d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ddae63199b6e5f22791ac0ae4809879

SHA1
e8db73b9800a792b498b471ea0a662d22584ff02

SHA256
07de87f53462f92d41c67e7458cd35086143ffb175734463b113e683316067b8

SHA512
e14c696f05cf3b0dbfda0e0e07c5ae1dfff034718c4e084342da14564032fb560edd03c0cdad3a71a06f604a990b23b5e99532d5e38f98554555a11cdf764beb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8598c2c3c98c39da661fce9d1b8b8064

SHA1
df7978b89a6f4a51e65ce3388f7fe8d58e00ea5e

SHA256
041e944e053e72065aa49f3c9981b920893c115ca9b13355a41242a76fe1ebed

SHA512
bb2eac64e67ab0d301f26f7dc3e4e18a0478188daa0bff332a0f5920cfbebade4aa4dc3518a6cf6e58bbc7865b483c21f75b6b57810b4ff31d331ed285bab035

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0ba36751348c60ee181a22254baaf8b

SHA1
2e08f5abe5eb1031be6d270025080c70295f2182

SHA256
64d47d68d413b112103c2d790aa29905720a6f4bb570a821c06fb418604061e2

SHA512
01809ccdbf45c8a77640f8ef476969cec76988db7597f3949ae4e7a258da0373477033a0ab622fda214535e3c873426762f65d602f04043f2f8cf745e0c7de74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f0081fb8c9fe8820b85ce7cea507e97

SHA1
5628125b2401b688ea43ce5cc58ed42e940e02b1

SHA256
c079eaf4f35e9927359bf925fadc4b94a9c4e20d49528df6a9984a25c598a4fd

SHA512
ad45a50aa8d2e408a052cc9d05819dce7169a6acb3e640640e563fc4e2255ede26fa4b8048f0463c9607937e6666c89b1269cf5fe4f1924b836d9884c3742e1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc131dca6c748387de580c05680651ee

SHA1
58353ea9f2a1c86a0bc28462613c5d4d9c40aa8c

SHA256
a8f951e7874fec4767963b2eac3a15f09ed5b7a536d5e54a169d2b526f7ef7e0

SHA512
1c6d631400994c91a9811119d423f88836a914f510727ac8a855d2fb767bcdcf33af0a88fff7f6820494599a2522daa88125d2a504327871fc070eaf46a26fb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da0db1592ae01bc49123fd58e48f5a62

SHA1
5abbe2d98889bf83b09b4ff82ea04691526cd00a

SHA256
077ff6a71fef726366e2149b7f89cc3d94389c97b33bb909e6076042f00734d2

SHA512
f56b8f49f9ae0381bc1f5ae7a1a49e884bcaacc6836b0faa20c0625aa8d095f45b5dfb128427317b9aaeaa5f8309c6057d0576082fc4d11118850a8326f6a5d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07d88790348f6f2907c8ddfcfb3b78b1

SHA1
12fc0bb308f9e7e3dfcdd2cf8081ddad10a0c42d

SHA256
8f1052b7fed0d72a090ffe52f4ad007aa7f0f6f96b91ec0cf86405b973cfad75

SHA512
5a2b5ed9fa2fd4d358c33281a2778ad2a5ad97bc954f5317a5197e8b5910cd9424723264b59d25161bb5c6d6ba6d1e0f6a445bdf008f78188abef623ee756f09

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e24703b7aaecaa73100e251ae9938b2b

SHA1
ba8bcad80f87560e00e7ac8094dce838deae6b77

SHA256
aa6a09fa906ec5b6bb4c5116c86533fa004a471a8d116003539d4d6ad9bc77ff

SHA512
be705b97d224d6489354e840d75ef7e80a6fd989e5519354d837ea2629c198e280ea8130093862ea6d36c4930b04eb8896ecfe378ab043dfcce419e5adb21d7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
951d1f78a5f398a6b78f07a7a63b500c

SHA1
9ce62ad91fc4f7613db109be3e939e6a9834f9f6

SHA256
08f1e4470dc0b5e2bb7b40589598c92aca4750c4351a1c8d8dee13645081846d

SHA512
25559b3305ae45bcf8e0a484d6badbbf36a4eee0654ee270c1e2486b45f483c322f69601b16089c06e7379df5048b830ec74d45a045a518bf43424fd76118db8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4cf6ed927bc0b613ee88cb3965e4881

SHA1
73210d5cfbd89ce9168e70d9408d85c5544b5035

SHA256
92455778b81762838eabed78d3bb74f82a0a7c527cba07306dc245a140dceda4

SHA512
9d15a4ae143113fc89d57d6ccb515e46241cc7312844c3eb7ff94583fad2dbdde0d93d5ba78a21a2840826c998448fb7bfd68dda69f55f405c086fae9223dfa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d765f62cd91d35878ec88d5195a7abac

SHA1
b38190056c6a0a90c765fb031c449c8421e00e49

SHA256
b739c3bf581cfe09d47736fcccec920ea902e286a7645713de7c5d30a66fb155

SHA512
75e233a11f6ff215e18740fe10c2d2588010eb06bdccd578fb3ee5298f296fd4455b8b441ddf071ff2c525a32642ff089f80e17e45c34c66ce5a7585e54ab7d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9735701f87f9d150e1e4a66d7417fda

SHA1
af2e903b62e4fb036afa9a21db3be96c61fc036f

SHA256
f1d0bba0d2ec89b3211d505d0334aaa10c9d472c4cef5436ff853133920681f7

SHA512
85eb30a073e16f76b3829442530ea450b4683187aa12a09e42703aa3a39b574b8423ae0e4566679529812acf26725f1a5f664d47873eba8a14bb59fb632ccda0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48fc460fbb21795a36e77b74772b63c3

SHA1
81bff2417602486057efaa36c018c1efd962a9ea

SHA256
35ab92a3ae1b881ac554806269f147e15c1cb0664e17112120ac3bd598c1041b

SHA512
bcae96d04bc7ef44c82a1bdaacce5c1e223a064779824f6549e98ec4f476cd6d1896505ecc8f2f669561bdad74e0d75e4e6e0ce0226902ee070eab8c506f231e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe48b885bd3b552a8f82ba95d65f484b

SHA1
c8c908f6253a4613a3d3f7987bb85e4d7b57c47d

SHA256
a1ba3e31ee8619089576350a06ce21384944c3f1bd893915204d3d5d641f5906

SHA512
aa368a127563c57e55622e20b08b91268f488fb63d93befa2268ad137d1cf58527a909ced111096e39944162818f8612aba6db689cf32500e9402776754091ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
993b8b6766944247ba63b7a353d0f1eb

SHA1
56d67c5207a84688de2df47a2c82c3c9e01cf7ba

SHA256
36898f504c347d48103968af7dc9019daa83dc7f62afe64de21654f2659c9371

SHA512
68383d0504faf401b44cfdaaad27db9b473bea2d2b45abd6c97946fbd6e437926dd93d45a670b873cc5b90afe99b260449e7a3dfcf8c439bd77c382db18ed0af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d17fa4ad61eb6091681fc6b3f4f69c99

SHA1
3813a6d92122d184b8fb1ecfd7c08ad7d422baa0

SHA256
ad2e4218642ee2317ad90f6fb0fa7a210b6eefcbf282be86e356dde8ef8890d4

SHA512
eda55ba72b0d13bc21cc1682f20663fdb9148d32b80c6a8890d8e99a136b61926ac259b0d017d48396fd755a725774da3fdd59f8a7e67f57e8336dd6c38bdb0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF76C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF80B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
450B

MD5
aa715bf41f873a9de9016bbc7b64ed57

SHA1
1f247bafbe6272e45b9fc5902ef4031d8ab27fd1

SHA256
9337194cd66a28dc35b0b3df87c8487d579d57914b1d39c822146235b8513d55

SHA512
50ec8e943906525973e8b9b1de2125c76cf4ea8729a5ac2d97f87ebc5174473f1a0c679adfd0f9f0824e19942fe65f645af3056f8cdfafe4f01fedf9215de16b

Download Submit