f2f93ba597e572c9fabbd3446f27ade3c20cec946e557a2147b82d6773d0d107

Analysis

max time kernel
149s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18/10/2024, 01:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Size

100KB
MD5

54b02e9b6fff8c5cb88d5ecf82cb849e
SHA1

0167a067c6adce5aa418fca9744981e5ebc9bc58
SHA256

f2f93ba597e572c9fabbd3446f27ade3c20cec946e557a2147b82d6773d0d107
SHA512

73b9fcb3d73456356a892c7f9d96204646245eb5ec9c1dc7f70bbc4bbec0558ab45b15968d12c14885d251c41d93ba79683e729ed0e6db4c34b601414a61fc2c
SSDEEP

1536:9EHVwQWrI0Sc6YDXTwKtmwuVjnw2ynkgqPwn5zDZT125DmQ8:m2hsXZYHwRBVUmgqPwnbEDmQ8

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2608	WScript.Exe

Executes dropped EXE 1 IoCs

pid	Process
2348	Program FilesSSZ2T8.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	\??\c:\Program Files\Common Files\t.ico	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
File opened for modification	\??\c:\Program Files\Common Files\d.ico	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Program FilesSSZ2T8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.Exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea2200000000020000000000106600000001000020000000a7101324c8035681921f6ba54ca2fdc9efa1cc6ad09cfaf485039c4e94bb6309000000000e800000000200002000000009009713046a24c1177c3887c0998de323d1a40ca6c7ebd5dc1a58f826b7c37f9000000016fbefa515c0341f4cdc6dc9b470a0ff1fc3777bbb312a24041fb34e1abd9e6b579d1b16535b6e1d67d4fd1217474deb9d9005c13bbfc302cc714734504e134f3e508e32ee861bd431516d95bb6ec4504947469e58be2d7dcee8b8bf14702e04041be0030a9fb87b9ad53118d1e2e7e7955ae58a2a8599aa0a1e8df21552d7a0a39934e25b18ad5b257960bb047f1c2440000000dc7346c0ad3a1d4a3d07795b454623dcbb3eb73469985ce34e46970d066647c34ca39598926ea03da60fb9e0df67fa3a5772d0b34bcb65d0b1f6d9b8216429fb	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000004664b35eab04bdf6c95fd2f10f837f2bf33830d1c279091dfef7083733b9ee71000000000e8000000002000020000000d187edc4184eb41285e71ebd0682214e1e62badc6256c44aaf1e6e8a509502f420000000b8ec6e72dcc6707be12906c5fe8d9c2f0d2de43d02feb4e36fe8f8db1ad9481940000000de4608eaeab92e5cb3413c8316a71c34356213b8e75fce708ed1b7b35227a19d179b1d296590d2759cf72770eb5a558361936840655529156449aaf4cdb14f6a	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{382C6281-8CEF-11EF-9C44-E61828AB23DD} = "0"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "435376329"	IEXPLORE.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 602e0c11fc20db01	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon\ = "c:\\Program Files\\Common Files\\t.ico"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb\ = "htb"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command\ = "IEXPLORE.EXE http://taobao.loliso.com/?1121"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\DefaultIcon\ = "c:\\Program Files\\Common Files\\d.ico"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,130"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open\command\ = "IEXPLORE.EXE http://www.henbucuo.com/?1121"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htb	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli\ = "hli"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hdh\ = "hdh"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hyx\ = "hyx"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.h35\ = "h35"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\shell\open\command\ = "IEXPLORE.EXE http://www.d91d.com/?1121"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hli	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\DefaultIcon	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\h35\shell\open\command\ = "IEXPLORE.EXE http://www.35yes.com/?1121"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE,0"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hyx\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,41"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\shell\open\command\ = "IEXPLORE.EXE http://www.piaofang.net/?1121"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\DefaultIcon	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hpf\DefaultIcon\ = "%SystemRoot%\\SysWow64\\SHELL32.dll,139"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hpf\ = "hpf"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\hli\shell\open\command\ = "IEXPLORE.EXE http://www.loliso.com/?1121"	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\hdh\shell\open	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htb\shell\open\command	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\h35	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2744	IEXPLORE.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2504	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
2348	Program FilesSSZ2T8.exe
2744	IEXPLORE.exe
2744	IEXPLORE.exe
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE
2752	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2348	2504	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2348	2504	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2348	2504	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2348	2504	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe	30
PID 2348 wrote to memory of 2744	2348	Program FilesSSZ2T8.exe	32
PID 2348 wrote to memory of 2744	2348	Program FilesSSZ2T8.exe	32
PID 2348 wrote to memory of 2744	2348	Program FilesSSZ2T8.exe	32
PID 2348 wrote to memory of 2744	2348	Program FilesSSZ2T8.exe	32
PID 2744 wrote to memory of 2752	2744	IEXPLORE.exe	33
PID 2744 wrote to memory of 2752	2744	IEXPLORE.exe	33
PID 2744 wrote to memory of 2752	2744	IEXPLORE.exe	33
PID 2744 wrote to memory of 2752	2744	IEXPLORE.exe	33
PID 2504 wrote to memory of 2608	2504	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe	35
PID 2504 wrote to memory of 2608	2504	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe	35
PID 2504 wrote to memory of 2608	2504	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe	35
PID 2504 wrote to memory of 2608	2504	54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\54b02e9b6fff8c5cb88d5ecf82cb849e_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2504
- \??\c:\Program FilesSSZ2T8.exe
  "c:\Program FilesSSZ2T8.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Program Files\Internet Explorer\IEXPLORE.exe
    "C:\Program Files\Internet Explorer\IEXPLORE.exe" http://dl.kanlink.cn:1287/CPAdown/vplay.php
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2744 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2752
- C:\Windows\SysWOW64\WScript.Exe
  WScript.Exe jies.bak.vbs
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program FilesSSZ2T8.exe

Filesize
9KB

MD5
c40eecc94915b9abc4143947203e0dbb

SHA1
f43a22291ae6701627c97b07321a94f57fc675ed

SHA256
3de93c4056e357c486222c9285a2d0bc232dd93c586679d1e812b98e1b3468e7

SHA512
2afa92a0b8b33efb3da9e9ebfcf86f53b34ef7b36738e87e8cfbc15d64e10ee2e72c14fdad71dfa03145f5fb0daa598a8637029d46aafee2cb9cc52d3ea9d04a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6ef456a3ea05bc44a8ad1d8dd57e6ba1

SHA1
810957e565605289458ac788a1cb7cba1f1f356a

SHA256
a63d5608dc372e2b8b4043ce2d0687a56c815967a22f7c39c853269f80d84f7a

SHA512
e399b39ef22ce31f9f4786bab7ab062031e39923088273ae220105ce326391d1391f96ce5a4a173a6861df61da5fae71acb0745701606ecda8c8d2722b4c0d57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29391ae1e32da456f395a816f5a501f8

SHA1
aa437d15786a7999acdd119ee64603208744398d

SHA256
b6d8d88ece00bbfea4e5feef583a25a03ffc091ecc3201f11dab428527db030a

SHA512
550e3ce67b2cf0f7327032038e7ea10e4113f24fcb3673e51da9a0182093cac2756af2672c439d8769b6e416170f52fcb952aa1f573011c3f60700f53646f386

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f6c1454284f380a40fd2f201a05d816

SHA1
4674818df1d64dd8b4b2f8583467f04ccf1cc418

SHA256
1d47e37932c3fa8d70ebf31e8d59744c4b4f9dca5ffb5531d512d7ac6d2fa98f

SHA512
5cc473b1454b4cef26d7ecf923daecfef6fab845471d7ee4a038ace961a5e7c0eec56d2f66abcb35b505ceb7512d6392a55ea972f7959d21678dd50b5d19914f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16d57ec8938a6a79ce01efde56db50b6

SHA1
b72159ad507c29a3343c19c712939d2a05a5bc80

SHA256
30acd9776556b9dcf59d15355046d57805791b5774fb9ecb668ca0fcb7894750

SHA512
f8c557642117cf6b1a3dc76fd31f8c2eb21b3c95ee90989433f5ed1016d16f92d027ce3fce5f602cd5f26a0c3df167282e9bca698c6e7fdb3dfa3451388bcd68

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe0c690cca816b25e08f564e280ae323

SHA1
e9bf0fa2f4bb67567fa211b88bd9b8510724264a

SHA256
3167988f12086c3f4bc5f5aad98ce582b95ef2ae84ca9d02032603019c565732

SHA512
5589e18d4da8fa8a7a72f5b9e4712af6e8491676b74e56e7ce1695be6eddb5673468dcd38edd15f99ebf58804c61b17fbb6c3a96be22175f40268e7a22dc55c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed12f9ddf5dc829afdf7079bba25b65e

SHA1
f7482dc331e51740e4c5b8c45ab9bfd1df21141b

SHA256
93e002535bc805a837b28fdae468dc66b65caa79a7e21e36b6ef8eb12fc70b78

SHA512
48b1de392c2456399f5f986218b6af6afb63572b21f4d1735db98fdcbbce14f9872139621fc7c6c68e5dfb10ccc30a42a72fd5682e9fd6195c3280f6ce4ef9d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d740064c394706868984b7441427bb71

SHA1
da926c2c70557426b63320e82b351968ca1b9903

SHA256
c4f1407b51da2e46521961f8d0c9b66bd08596820423714b26b22b06262df304

SHA512
4d6dc7e89500b922fc2c93054554116cd36206b8862bca8b93e622755ada22b1bbb5e2367e146a50dc95a4d26f1005903acab72e25ebea830dcf689a9df460ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4f223c781ea8cacd56ee73fa512fddc

SHA1
4d1c198b3e90d70d9ef4e67cf2f2b74cadd6a9e5

SHA256
a32ec5213a57ad9c57e6c21b086b72aa99cd1fa52b3c0acdc9babc381355ab8f

SHA512
ac2c3ad40a142edf36bf9bb69872be2e53131cc7544aeb3dac9fe3edb99de020f252b3a6622f097ccea6738428980f4b3f66934aac90c9893b45caaea42d201d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
179c419a29cd5492ae0137e6b736f93b

SHA1
698be5c12cabd41f6dd959889d2cecf44ceb939d

SHA256
9d3cf5835fe3e4644e58a5a3833807181b1b6c07abae1f69685d122402580a4a

SHA512
19c9591b561d9a457f959a8a03c88171aa2b4dea278fedacb9c69515353160950a7ec909560068b1962d8473dcbfc02eb4f5c740d69bb0ea1ff4596fc76d172a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd98974918c041ca25a937604cd08b9b

SHA1
0b5757ab40096e3259b9ae0bdde4b433d570c29f

SHA256
b66d13496235df9843b0c862385a7c5c1eb26bcb9087bc590b8fc70bd46eab3a

SHA512
865896d6a4d0055278fcda53ac2df9434cda12ee40239664fcbcc691835012efd3ba39a266b4db6da7b95a1d84ec56be39c93d7c568957b8ef96c087dfd3851e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83c3ceb812e974a956d7c3efdf21788c

SHA1
3a169f173779f12926d312b6001466483b3ea4ba

SHA256
43e4daefdd147f22ac49413b90ee8d442a8481c1f6eb484a757dd1f12f5c83a6

SHA512
eef55c040e28cf65546ca2b7a4fb9057c2ed6b9d20cd84e477ba38ca8dc31b1e7b576041be6863bd82c986d996fb8458e63ae9276d35fcfda9aeccc85fdfcff8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56fc72c448cbab87596982e57e3650d2

SHA1
150337588d08c8f50a2855dfa7e497a3157e799b

SHA256
2aad6099389f97ced5328d9d357e3a1ca7a196b59a908e15ccfe1b3694ba0dcc

SHA512
85c95c6f68188f10c9c828a233a62e5cc7816669be0b8de919faa3102e4274ba9708fdaf8e6c48c88eeb63779cd87d18445ef87c4ae33008bbc8f88d112ec29a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18b230f3a138b7dcc09605db9f89e924

SHA1
9de524aeed580dcd3a7a40d195ce2f4f33d23d0a

SHA256
393866d46a047d08e7dc773001605b658e4963386bfe8dec937b96375d87372d

SHA512
22ba041d51878754684cc564c40ad0abaaa292f6fafa04b82e903a6c0646be40e360720809cc49fda790b5fe504ca8af587a2e6ed3c764cfdf2b9716a5615ee4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3054efe282fe74d9ce4c095870ddfba

SHA1
d7038130adac6cefc4350b9d172083906fbc5891

SHA256
d3c3f54b41b8b38ccdbdd430fffb3315774de2dbd8404779ee5aec96cb9a17f1

SHA512
4037c05e71bc286ea481e5ad11f7dbf4753f865f89536496f2da4d3d4cd2ecc9091b2143eadc3fc1cb90af3dc9cba83ed30d0247dd9fa9c75f8f64d09a4111c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34ce2ee0064a120d5e943d53328b6a94

SHA1
80cdfdbfb27740037aa0247f8796ba7ca70a3a9d

SHA256
028f05dccb843c591ae278fab0953963b02a33d6e7feed75aeb4594b95451157

SHA512
2cc2579608685956dcecfa1cc8ccc0ee9a3b6c16ee782ff19bb8f1f74aae9a059579257bf74e07fa3e9e3dbe4cc0625fb2079e9ef3af58fb840abb87713bdc17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bbe83824792d5106cd311f2d7488b9f

SHA1
0b004627807fa7b6b642a195fd9583bdf24281c7

SHA256
914a49b27f2ce5308b0c20dd4d4d00a5a708aa08df8709e63c8748621348ae19

SHA512
a98ec065827964417a3ff83228853172cf38f029d11e48b2651b365d8afc269d10fe61051c3ab9b926169ea389fa3095404c5944125cc52e909bc54e0d179d60

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE801.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE8CF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jies.bak.vbs

Filesize
450B

MD5
b63728926f5d873063ea09689ab33112

SHA1
f0a75cbd4f7b3a3aa595298d5849400f982f4706

SHA256
002429918aadf06c933b79c63f97d46903305f873333707cef2341d8d3630200

SHA512
72dd359d663ee00811c05d5b892a40f84ccc4fabb4a011cfa9b511f15d94cb00d48e1bb7035bf673a81c01cccf6419d530a7035a31f4fee7224f070301d548e1

Download Submit
memory/2348-19-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download