Malware Analysis Report

2025-08-06 02:47

Sample ID 241031-blevkswdnj
Target 80fc7464938eecb59386e65898b56e7f_JaffaCakes118
SHA256 eabc70968d6828deb319a3dcf934bf5ddad355b8f3f065a8e95363f554876908
Tags defense_evasion discovery
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 7/10

SHA256 eabc70968d6828deb319a3dcf934bf5ddad355b8f3f065a8e95363f554876908

Threat level: shows suspicious behavior.

The file 80fc7464938eecb59386e65898b56e7f_JaffaCakes118 is an unsigned NSIS installer. In both detonations it drops and executes two executables (nbfile0.exe, nbfile1.exe) from the user's %TEMP% directory; nbfile0.exe opens http://down.97199.com/install2/?sl3 in Internet Explorer and then deletes its own image through cmd.exe, while nbfile1.exe runs two VBScript files (C:\newsetup.vbs, C:\1.vbs) with WScript.exe. No persistence, credential access or command-and-control activity was flagged, which is why the verdict stays at "suspicious" rather than "malicious".

Malicious Activity Summary

defense_evasion discovery

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Indicator Removal: File Deletion

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

NSIS installer

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Modifies registry class

MITRE ATT&CK

Enterprise Matrix V15. Techniques corresponding to the signatures raised in this report:

Defense Evasion
  T1070.004 Indicator Removal: File Deletion (cmd.exe /c del ...\Temp\nbfile0.exe)
Discovery
  T1614 System Location Discovery (Control Panel\International\Geo\Nation queried by nbfile1.exe)
  T1614.001 System Location Discovery: System Language Discovery (SYSTEM\ControlSet001\Control\NLS\Language opened by every process in the tree)
  T1082 System Information Discovery (Enumerates physical storage devices)

Analysis: static1

Detonation Overview

Reported

2024-10-31 01:13

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 01:13

Reported

2024-10-31 02:13

Platform

win7-20241010-en

Max time kernel

71s

Max time network

137s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe N/A

Indicator Removal: File Deletion

defense_evasion
Evidence (see Processes): nbfile0.exe spawns cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\nbfile0.exe, so the dropped executable removes its own image from disk; only the installer's copy of nbfile1.exe and the hashes recorded below remain as on-disk artifacts.

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nbfile0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nbfile1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Note: every row in this table is written by IEXPLORE.EXE itself under the user's own Internet Explorer key. The sample does not touch these values directly; they are first-run, tab-recovery and new-tab-page state created because nbfile0.exe launched Internet Explorer on http://down.97199.com/install2/?sl3 (see Processes). The indicator is the browser launch with that URL, not the registry writes.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436502505" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{50C5F5C1-972D-11EF-82FE-DEA5300B7D45} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value omitted] C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0023ae283a2bdb01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ecf3e4259aa05419b9c0951a15b13190000000002000000000010660000000100002000000074d71810608224c7871e7f9f17f69a0d4b345c59f526b4ff8b63d80eebd269a0000000000e800000000200002000000041903d80cb0a2db5eca36f991591efbd08746c1f14b217ce2fd2dc2ae3385b55200000000d6e275f72afb1259b6db2e5232f815d5f316ff95fee55ea65952793db5d5d4740000000e8f381e77e582b83b08c1dc1ebab556bd500d2cc85372e2e01163c655117ea1cc1b4c7c240fbf5bbf342e12a7184b1fdd385dc1cc74dbb4af2034840cd56a17f C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2076 wrote to memory of 1552 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
PID 1552 wrote to memory of 2156 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2156 wrote to memory of 2928 (4 writes) N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1552 wrote to memory of 2128 (4 writes) N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 2952 (7 writes) N/A C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
PID 2952 wrote to memory of 2288 (7 writes) N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Windows\SysWOW64\WScript.exe
PID 2952 wrote to memory of 2616 (7 writes) N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Windows\SysWOW64\WScript.exe

Every write goes from a parent into a child it has just created (compare the Processes section), which is the pattern produced while a new process is being set up; the 2156 -> 2928 writes are Internet Explorer's own frame-to-content-process split. No write into an unrelated or pre-existing process was recorded, so this signature on its own is not evidence of code injection.

Processes

Process tree, with PIDs taken from the WriteProcessMemory rows above (image path on the first line of each entry, command line on the second):

2076 C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe
     "C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe"
  1552 C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
       C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
    2156 C:\Program Files\Internet Explorer\IEXPLORE.EXE
         "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.97199.com/install2/?sl3
      2928 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
           "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2
    2128 C:\Windows\SysWOW64\cmd.exe
         C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
  2952 C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
       C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
    2288, 2616 C:\Windows\SysWOW64\WScript.exe (two instances; the report does not say which PID ran which script)
         "C:\Windows\System32\WScript.exe" "C:\newsetup.vbs"
         "C:\Windows\System32\WScript.exe" "C:\1.vbs"

The command lines name System32 while the executed images live in SysWOW64: the sample and its droppers are 32-bit, and WOW64 file-system redirection rewrites the path. Note also that C:\1.vbs is executed but does not appear among the written files in the Files section, whereas C:\newsetup.vbs does.
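As an added example (this is editorial code, not output of the sandbox), the following Python rebuilds the process tree from the WriteProcessMemory rows and the Processes listing above and flags the three behaviours they show: dropped executables run from the unpack directory, a cmd.exe child deleting an ancestor's own image, and script hosts started by a dropped executable. The rows and command lines are copied from the report; the assignment of PIDs 2288 and 2616 to the two .vbs files is an assumption taken from listing order, because the report prints no PIDs in the Processes section.

```python
# Added example (not part of the sandbox report): rebuild the behavioral1
# process tree from the "wrote to memory" rows and flag what it shows.
import re
import shlex

# Constructed input: one row per distinct parent/child pair, copied from the
# "Suspicious use of WriteProcessMemory" table above.
WPM_ROWS = [
    r"PID 2076 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nbfile0.exe",
    r"PID 1552 wrote to memory of 2156 N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE",
    r"PID 2156 wrote to memory of 2928 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE",
    r"PID 1552 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Windows\SysWOW64\cmd.exe",
    r"PID 2076 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nbfile1.exe",
    r"PID 2952 wrote to memory of 2288 N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Windows\SysWOW64\WScript.exe",
    r"PID 2952 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Windows\SysWOW64\WScript.exe",
]

# Command lines from the Processes section. The report prints no PIDs there,
# so which WScript.exe instance (2288 or 2616) ran which .vbs is an assumption
# taken from listing order.
COMMAND_LINES = {
    2076: r'"C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe"',
    1552: r"C:\Users\Admin\AppData\Local\Temp\nbfile0.exe",
    2156: r'"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.97199.com/install2/?sl3',
    2928: r'"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2156 CREDAT:275457 /prefetch:2',
    2128: r"C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\nbfile0.exe",
    2952: r"C:\Users\Admin\AppData\Local\Temp\nbfile1.exe",
    2288: r'"C:\Windows\System32\WScript.exe" "C:\newsetup.vbs"',
    2616: r'"C:\Windows\System32\WScript.exe" "C:\1.vbs"',
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$", re.I)
DEL_RE = re.compile(r'\bdel\b\s+"?([^"]+?)"?\s*$', re.I)
DROP_DIR = "\\appdata\\local\\temp\\"  # where the NSIS installer unpacks its payloads
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(rows):
    """pid -> {image, parent, children}; a pid never seen as a child is a root."""
    tree = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        ppid, cpid = int(m[1]), int(m[2])
        tree.setdefault(ppid, {"image": m[3], "parent": None, "children": set()})
        tree.setdefault(cpid, {"image": m[4], "parent": None, "children": set()})
        tree[cpid]["parent"] = ppid
        tree[ppid]["children"].add(cpid)
    return tree


def ancestors(tree, pid):
    """Parent, grandparent, ... of pid, nearest first."""
    chain = []
    while tree[pid]["parent"] is not None:
        pid = tree[pid]["parent"]
        chain.append(pid)
    return chain


def find_dropped_executables(tree):
    """Executables in the drop directory started by a parent that also lives there.
    The installer itself is a root (no recorded parent), so it is not reported."""
    return sorted(pid for pid, node in tree.items()
                  if node["parent"] is not None
                  and DROP_DIR in node["image"].lower()
                  and DROP_DIR in tree[node["parent"]]["image"].lower())


def find_self_deletion(tree, cmdlines):
    """cmd.exe instances whose 'del' target is an ancestor's own image (T1070.004)."""
    hits = []
    for pid, node in tree.items():
        m = DEL_RE.search(cmdlines.get(pid, "")) if basename(node["image"]) == "cmd.exe" else None
        if not m:
            continue
        target = m[1].strip()
        for apid in ancestors(tree, pid):
            if tree[apid]["image"].lower() == target.lower():
                hits.append((pid, target, apid))
    return hits


def find_script_hosts(tree, cmdlines):
    """WScript/CScript started by a process in the drop directory, with the script it runs."""
    hits = []
    for pid, node in tree.items():
        parent = node["parent"]
        if basename(node["image"]) not in SCRIPT_HOSTS or parent is None:
            continue
        if DROP_DIR not in tree[parent]["image"].lower():
            continue
        # posix=False keeps backslashes literal; surrounding quotes are stripped by hand
        tokens = [t.strip('"') for t in shlex.split(cmdlines.get(pid, ""), posix=False)]
        scripts = [t for t in tokens if t.lower().endswith(SCRIPT_EXT)]
        hits.append((pid, scripts[0] if scripts else None))
    return sorted(hits)


if __name__ == "__main__":
    tree = build_tree(WPM_ROWS)
    print("dropped executables run:", find_dropped_executables(tree))
    print("self-deletion:", find_self_deletion(tree, COMMAND_LINES))
    print("script hosts from dropped exe:", find_script_hosts(tree, COMMAND_LINES))
```

The self-deletion check deliberately walks the full ancestor chain rather than only the direct parent, so a `del` issued two hops down (for instance through an intermediate cmd.exe or a batch file) is still attributed to the binary being removed.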

Network

Country Destination Domain Proto
US 8.8.8.8:53 down.97199.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp (3 connections)

Only a DNS query for down.97199.com was captured; no TCP connection to that host appears, so whatever http://down.97199.com/install2/?sl3 would have served was not retrieved in this run, and the dropped scripts' behaviour with a live download is not covered by this report. The ieonline.microsoft.com connections are Internet Explorer's own traffic, not the sample's.

Files

Written files, with hashes. nbfile0.exe and nbfile1.exe are the two executables unpacked by the NSIS installer; C:\newsetup.vbs is one of the two scripts run by WScript.exe (C:\1.vbs, also executed, is not recorded as a written file). The Cab*.tmp / Tar*.tmp files and the repeated CryptnetUrlCache\MetaData entries are CryptoAPI certificate and revocation cache writes made while Internet Explorer ran, not sample payloads. The memory/... entries are memory dumps of the listed ranges, not files on disk.

\Users\Admin\AppData\Local\Temp\nbfile0.exe

MD5 74869a0346ab36bbba85022612505121
SHA1 2cd02f46f2f9f46eaf15fce40a3bf4781f80cf8a
SHA256 6de866b5c8abb1db9b2be231b365c1aa029118fbc58823f443f00e3a33dff18a
SHA512 723812083113cff82aa5e2243759c572518865e351cc81b7c2b85a05557862dbbd7a98b964ff6f3aa3802bb5d4dab01a14147211495fc5803d9ddb7b715f4de5

memory/2076-8-0x0000000000360000-0x00000000003EA000-memory.dmp

memory/1552-11-0x0000000000020000-0x0000000000022000-memory.dmp

memory/1552-10-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2076-7-0x0000000000360000-0x00000000003EA000-memory.dmp

memory/1552-16-0x0000000000400000-0x000000000048A000-memory.dmp

\Users\Admin\AppData\Local\Temp\nbfile1.exe

MD5 c4ddf11ebdbf9d8397d710d2cb4e2fab
SHA1 8008c97e7d6ff92deb3e1755a614f4afedca92b9
SHA256 67a632049e45c25de35b533659624ca24f8e70447abca015bf5776ce6cb3ded6
SHA512 3c9be7b92208e8c0f57ab8048108714e06b2aa896a479f61637a93a9eacb4818fcb25ce3d4e1a24086558daeae65d4b482b2c1cfba3df202c396e2bc218362e9

memory/2076-29-0x0000000000400000-0x0000000000497000-memory.dmp

C:\newsetup.vbs

MD5 4736e7158c27f244482f5a614b9dbdae
SHA1 d3a0e95a81e9e3ec95cfd596b25749a0e24e27b9
SHA256 b8229bc8d6b0013858fb9599cb510afa4566a439164b2c7444c449540a124acc
SHA512 cebf895dd3ec3822c42b78bac49c685b063cb5afcbcfb3850b073cb118d086c5fa75ec50b6e73d90e14f2c6b595752ad87910b8cf27378424d72a9ea309bf824

C:\Users\Admin\AppData\Local\Temp\CabEFCC.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF08C.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2cc5f97be92d4a060feb807f006d9c37
SHA1 ca2d8b3d21d753bdd17bb232bdaf1b4e273ba6cd
SHA256 64b1fe516cc88cac0107e1cc22536f26c51f191b1693b3390f8406865f9b6694
SHA512 151b8cc0b8ced588ffd8dc20df80052ea430d90277d7f2c725f09583efc0fb4b485b2d8cbf93260abd94441e904c30dae8156ec245d2f33b56dd7b3560e0a4d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1176b4ec0ed1059223f3183bff27f028
SHA1 7337e307a9128ad51c1657b6329dbeeee5a6a9d2
SHA256 91460622f837f632a73bd459aa5b1d4cb807e94bf3d56996646fabef042b7ead
SHA512 e4400ff9f31bb0435b424f813a2fe3d3b01ab4da63c199107e55084759a9e0ce23057369725030f71560bd27c5c511610cb5608538ebd6a5e794e700f283b728

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ba9d7d5dd889f782540dec5b9b3c85d9
SHA1 fda3e49a3be02f7a6bc65eaea6a818c472039a6b
SHA256 cd665040ee41eef0196ca74f87ff730d6dfe0aedbeb357fdd638f03567a075b2
SHA512 675a2fa99351b63116db48f5302adf0dcd4bc61716538a4dc9b14e9e55efeeb393123a8c38b28590583cf264925b39aada220699991c9432e8f868c90be4a764

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 87c8ac59f5a86b717e4e9281a555d723
SHA1 cabdaeed004d2e8e2239f7840b26cb912ae489c6
SHA256 296223ac1d8da339fa723cbdf486313e9a4f7158f56b6ab8c250998c7f40bf81
SHA512 e0f76f1decede9f7dea1943a373486892c15cf9907505102aeed8cd342f14008c52773f83f10004ccb8e509e607ebcc8add3644e733ac8d12fa45566ea31c8dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 af21eaf747237241f2cbcc5240a9de8c
SHA1 1f06e00490889860fbafcd0a0a3c331c12577177
SHA256 e7bb1bb5ab256be48b06134827c62c6d2532f354d4d29da131a2126dede8603d
SHA512 04256d46f79ff5bf5f285dd5b35901805b5bb336699e93b395099b31e7c3400c372bc30baa288faff7c1f68cee522fb8f3baec59194b7a2a4d04f0237cc2de5e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ff907857a338f2edb8721a775577e2cb
SHA1 9c777e893756182f81e1e20cf4348850f35b0eeb
SHA256 995cec860990617770cfed0242cb25bba3d785b3572443711566653e410aadea
SHA512 862d37ccdfeef0ee17509bfdea5238371a1877781734170a08e29a83e4bea61bc0189a898edfbaa579bf5d731f77069dbed543a9b5842cb88a6523a1c4088e59

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f5fdf19d4bdba8901c9a808a0a0bfb62
SHA1 c22751f32f7334896b6a12d2a95f3bc06c0edca0
SHA256 9f708b940f0054579642a084b652bcd9ca3be7bd9b2d4840bf3a1b03ac96b611
SHA512 7440677575d53f48a49c5bad035c171554af6b1eb106cc5a5b2a870075624dc53f703e464a8393cc327166cd07c8f614fde8fcdab2c6e9abb01961585022e66d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 791ed552629e091584e7c8d4c4500d4f
SHA1 b238ce08a91f7643670b5f76b8688fc5ff6d82a6
SHA256 c6e0ced78cf9019e97d938615c371aeae39d3799b598fa14a2055b8c647e1fac
SHA512 d145dd08600a34ba68388c43c634e5843eb805baeb4e68914aff3ad4b172be4b72d9661a5b01b70b53541313d5e1afd8eddc836b6d646dd05e66642a17ee02e7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ee802144c006aa2a85a6a2341870ce9
SHA1 24484f1aaed772c8ee7dc7a815a7565f763f9625
SHA256 9e14d6bdf63cce4ced3b2cff6401e94c4e386fb246162c265f6bce5b9fe2ae26
SHA512 a6e838256f0776def6165d8f769ca43e0861e6a44453f159f2463dc04232e7c132b957c68bc6e5b7662355d344db8b1b34951dfc99fa0afdf10ca9dd1ed642a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7b2ed0dfc07a6cc65e71e9a6a87dd3c2
SHA1 4776a05c55f99dd900fdc180f81f81a4f5324d41
SHA256 412186df6415a5ada1bfbf62c9dfdcdc53777e1c7b84c86fa8d22f5bd9844b9b
SHA512 bd5ff8363dee50d372cd9040c0be87539ab7407f4ea67da3caaab03dff5663e9076b2d7427139fdc1faf97e1dc52d4fca8c3d3d38d9659bb7dbfc217347880aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 851c138bc794044de7b3474b1c11703d
SHA1 5c9010d4c9de5c9f8fb9442251f488da5d653796
SHA256 95db4f350105fc035850a2f8b528ef80893938c939b958bc4e5e03bba6badac1
SHA512 000473a23ec5ac8a343c87e229a6a32c51a6eba73779da19c01ea94d5dc1a93abd28ef551583bee3a905fb2a34b5d27b4a0c88b9eac04bdfa4d8c9d851ebc30f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c9fd66ae9def3378092aafe2e403325c
SHA1 6e01837155567e1899e440ead7ba88299cf86efb
SHA256 3829bc1da6d680363ef472abb4cdd072429cc066a8203935ce221961e7aa8963
SHA512 5477c888f99db209a4eae3172322938f4040783acb04071d89e93aad37faf429e951935931be3cdd974df8efa7a5dbe56a0d3cdeb2d30075836b2ce079f0f36c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1a90bddaa68c5e1da7bd770ca36fe82a
SHA1 860d94f4d0959ab781509e59a03c47d1be4564b8
SHA256 a7a3c0a7f559fda6214579462fbe47a9e4c864c28d3d8ecf51c53a57b55facdb
SHA512 80e2ffff5466f889d8e52ea09149673b2dc469d521557878a48d248540b574bdf3c5aae967ee325671479ebf1f29b0f341cdca34218abbf7de78d50358573982

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 11fb50c29e038a80f69398bb5f6946a4
SHA1 9b8f6a9056312e3f85a1adae2a4547291f754451
SHA256 5987512b242b927346f155ae90d6f83aae82e83763c617a6366c96197c898ce0
SHA512 c5bf0ccf96a4f69a8caf00cc3e173526019681bcc4d8d92df6583f080d3c67420542aaca47dd52709d6ee43650c0ffcba2f879f28e1c1e4db548d053eea18980

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3ab20e4ea771a31a8389a97d392cc2e1
SHA1 009f16758c996fc7a5027e12ce851114d6199d21
SHA256 10e9882e36989f50e8162fb9bfd2e6ecaa320ebdbe0d120c4eeaffe54c23ab5a
SHA512 c35fb006135c4c3d29bc445e6da2aedf2f8b1fcecadcc017e9808306a972ae5c93fccc810d81d13e6a1645a3f314084526d2d7c4186e4801231de8345e39747c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7fea8f9aa981356f46dfd486ae82b5e2
SHA1 1a89103748df0885a3062495b0022ed5b44bad8c
SHA256 f15f8a5d395e7b428674baac0499e6249f4122b2da65e4ff5d312335f834dfc6
SHA512 acfb1e5bdd19f2fd00902b1fc21dbcae9fa71e5994e6ca79b2d29def30e57b2f02f133572c28864404b779cb71bb5bf5437d9a2deb41ee0dca1415b1e2bf1a95

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 01:13

Reported

2024-10-31 02:44

Platform

win10v2004-20241007-en

Max time kernel

136s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nbfile1.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe N/A

Indicator Removal: File Deletion

defense_evasion

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nbfile0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nbfile1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Note: as in behavioral1, all of these values are written by IEXPLORE.EXE itself under the user's own key as a consequence of the browser being launched by the dropped executable; none is set by the sample directly.
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140670" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2519065719" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31140670" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c88e6291f50dd448b150439a5f2f5a3d0000000002000000000010660000000100002000000078afbaf0a42d7bbc1d0b18b13f08db6ad1967ae36f1a9a04495ff06f04c6c8c9000000000e8000000002000020000000ffc78ff952479cdab181978b3ae2c6c10de58487959bafb23111204afa36bd1d200000000d42536f5b3c7a4053343af4661d4ca718835cb1ab2bda90e0b2e2f450738af74000000045d6fa6a96fbb1362b34d622aaf41c33be5394d726efeec09315a4636cc4799e7146a2f87897c054792b3c538428d97ed1fa202b11aea2ee78ee1a28ee0a118f C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2514690987" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 5013b0963e2bdb01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{C168E4C8-9731-11EF-BEF1-D2BD7E71DA05} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 403fb7963e2bdb01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437107517" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2514690987" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000c88e6291f50dd448b150439a5f2f5a3d000000000200000000001066000000010000200000005cc8a8dfb1e1e044d99e75dfd84f946b98724662e96c829ce6be4721a8c968c4000000000e8000000002000020000000dcb6cae0a4047704cfeaef4b2959cdb0381796f81fd7401b35116e22e5fb285a20000000131a47ff90bcf59e8bae647f11d46679e14b46c14ef0f35462d4dd7a26338c3b40000000510e612baaa4070c80f29ca5cd19230af6364df0e20cb6a02efcdb3f62f26e44ea3d212d1a5e524b79bcad03c459f8c8b7303c9af93ca89c65ca77fe7afbc22c C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31140670" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\nbfile1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4680 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
PID 4680 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
PID 4680 wrote to memory of 3180 N/A C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
PID 3180 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 3180 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 316 wrote to memory of 3900 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 316 wrote to memory of 3900 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 316 wrote to memory of 3900 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3180 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 1468 N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Windows\SysWOW64\cmd.exe
PID 4680 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
PID 4680 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
PID 4680 wrote to memory of 4468 N/A C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
PID 4468 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Windows\SysWOW64\WScript.exe
PID 4468 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Windows\SysWOW64\WScript.exe
PID 4468 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Windows\SysWOW64\WScript.exe
PID 4468 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Windows\SysWOW64\WScript.exe
PID 4468 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Windows\SysWOW64\WScript.exe
PID 4468 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\80fc7464938eecb59386e65898b56e7f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nbfile0.exe

C:\Users\Admin\AppData\Local\Temp\nbfile0.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.97199.com/install2/?sl3

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:316 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\nbfile0.exe

C:\Users\Admin\AppData\Local\Temp\nbfile1.exe

C:\Users\Admin\AppData\Local\Temp\nbfile1.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\newsetup.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\1.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 down.97199.com udp
US 8.8.8.8:53 down.97199.com udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\nbfile0.exe

MD5 74869a0346ab36bbba85022612505121
SHA1 2cd02f46f2f9f46eaf15fce40a3bf4781f80cf8a
SHA256 6de866b5c8abb1db9b2be231b365c1aa029118fbc58823f443f00e3a33dff18a
SHA512 723812083113cff82aa5e2243759c572518865e351cc81b7c2b85a05557862dbbd7a98b964ff6f3aa3802bb5d4dab01a14147211495fc5803d9ddb7b715f4de5

memory/3180-3-0x0000000000400000-0x000000000048A000-memory.dmp

memory/3180-5-0x00000000001C0000-0x00000000001C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nbfile1.exe

MD5 c4ddf11ebdbf9d8397d710d2cb4e2fab
SHA1 8008c97e7d6ff92deb3e1755a614f4afedca92b9
SHA256 67a632049e45c25de35b533659624ca24f8e70447abca015bf5776ce6cb3ded6
SHA512 3c9be7b92208e8c0f57ab8048108714e06b2aa896a479f61637a93a9eacb4818fcb25ce3d4e1a24086558daeae65d4b482b2c1cfba3df202c396e2bc218362e9

memory/3180-15-0x0000000000400000-0x000000000048A000-memory.dmp

memory/4680-20-0x0000000000400000-0x0000000000497000-memory.dmp

C:\newsetup.vbs

MD5 4736e7158c27f244482f5a614b9dbdae
SHA1 d3a0e95a81e9e3ec95cfd596b25749a0e24e27b9
SHA256 b8229bc8d6b0013858fb9599cb510afa4566a439164b2c7444c449540a124acc
SHA512 cebf895dd3ec3822c42b78bac49c685b063cb5afcbcfb3850b073cb118d086c5fa75ec50b6e73d90e14f2c6b595752ad87910b8cf27378424d72a9ea309bf824

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 eb495911b32c5419c6e1c9f84108c332
SHA1 7668281d05bd89c6ade1a31aebc00143ca95b2c2
SHA256 a31d4c84f26e3230d3a5f46fde02f225fc51341caeb15ad94e08103812e4a972
SHA512 536a93b36a0c0c3bb9fdc9b10cbe4f1b8020a78372d08fe9069139a5dde92c9f81fc209911bccbb2cb4a8d363d0204a126edc77b92beab5f3c62bd5adb3b737d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 ee4ada789158c1e5a14d597cf1d5edd0
SHA1 9593aee78d30d51ab93d6a29dc4dc873e0d466b6
SHA256 903a6d82bf2fe8951104cf90d9f64aab0fbded30a2246e678a80d07868569b4f
SHA512 a6214f62e5089512aeaabab7c4bb38e8663fb55d5f4129c57e726723dad10802ec40c3dc836087713b77c1874c12f177bf2b2998fd3e52f4210c1c5307885c16

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IQ93NPJ1\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee