gozi | f8edc9e3b84fc1a98f70b9bf3b68f86baed4e04b7daf7b70d1ac5820d6ba11e1

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
Size

8.1MB
MD5

8a60f22c8d18cdfbfe84b56a7aaa49da
SHA1

7c8b05826c4f7c65fab370eaf141f54651f3907c
SHA256

f8edc9e3b84fc1a98f70b9bf3b68f86baed4e04b7daf7b70d1ac5820d6ba11e1
SHA512

50539e668c1a0c2214ef77f5abcb6e3d1bc59555962a46e6d3fa271fbed0724c4673fd3c9210634aae7754cb9049d5431930e7cc0952a9fe3a8d82a8fa1de825
SSDEEP

196608:LCK8Iwvgsb87DwQiiFFL4an2L/dfXaI+fVcZ:O93Stl4LL/ZaI

Score

10^/10

gozi banker discovery evasion isfb persistence privilege_escalation trojan

Malware Config

Extracted

Family

gozi

Signatures

Gozi
Gozi is a well-known and widely distributed banking trojan.
banker trojan gozi
Gozi family
gozi

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 7 IoCs

pid	Process
3492	cexplorer.exe
3552	cexplorer.tmp
2416	update.exe
1448	ChameleonExplorer.exe
2168	ChameleonExplorer.exe
4124	ChameleonFolder.exe
3580	ChameleonExplorer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Chameleon Explorer = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" /startup"	ChameleonExplorer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	ChameleonFolder.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SYSTEM32\ntdll.pdb	ChameleonExplorer.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	ChameleonExplorer.exe
File opened for modification	C:\Windows\SYSTEM32\ntdll.pdb	ChameleonExplorer.exe
File opened for modification	C:\Windows\System32\kernel32.pdb	ChameleonExplorer.exe

Drops file in Program Files directory 36 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Chameleon Explorer\is-1Q3HK.tmp	cexplorer.tmp
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder64.exe	cexplorer.tmp
File created	C:\Program Files (x86)\Chameleon Explorer\unins000.dat	cexplorer.tmp
File created	C:\Program Files (x86)\Chameleon Explorer\Folder64.dll	ChameleonFolder.exe
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\kernel32.pdb	ChameleonExplorer.exe
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\symbols\DLL\kernel32.pdb	ChameleonExplorer.exe
File created	C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup	ChameleonExplorer.exe
File created	C:\Program Files (x86)\Chameleon Explorer\is-EKCP8.tmp	cexplorer.tmp
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\DLL\kernel32.pdb	ChameleonExplorer.exe
File created	C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backup	ChameleonFolder.exe
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll_backup	ChameleonExplorer.exe
File created	C:\Program Files (x86)\Chameleon Explorer\is-0FJ3J.tmp	cexplorer.tmp
File created	C:\Program Files (x86)\Chameleon Explorer\is-A3TG0.tmp	cexplorer.tmp
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\ntdll.pdb	ChameleonExplorer.exe
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\symbols\dll\ntdll.pdb	ChameleonExplorer.exe
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\symbols\dll\ntdll.pdb	ChameleonExplorer.exe
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\kernel32.pdb	ChameleonExplorer.exe
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\dll\ntdll.pdb	ChameleonExplorer.exe
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\DLL\kernel32.pdb	ChameleonExplorer.exe
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe	cexplorer.tmp
File created	C:\Program Files (x86)\Chameleon Explorer\is-KV8FA.tmp	cexplorer.tmp
File created	C:\Program Files (x86)\Chameleon Explorer\is-5225V.tmp	cexplorer.tmp
File created	C:\Program Files (x86)\Chameleon Explorer\Folder64.dll_backup	ChameleonFolder.exe
File created	C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll_backup	ChameleonExplorer.exe
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe	cexplorer.tmp
File created	C:\Program Files (x86)\Chameleon Explorer\unins000.msg	cexplorer.tmp
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\ntdll.pdb	ChameleonExplorer.exe
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\dll\ntdll.pdb	ChameleonExplorer.exe
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\symbols\DLL\kernel32.pdb	ChameleonExplorer.exe
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\Folder.dll_backup	ChameleonFolder.exe
File created	C:\Program Files (x86)\Chameleon Explorer\Folder.dll	ChameleonFolder.exe
File created	C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll	ChameleonExplorer.exe
File created	C:\Program Files (x86)\Chameleon Explorer\is-7B88V.tmp	cexplorer.tmp
File created	C:\Program Files (x86)\Chameleon Explorer\is-QHCBV.tmp	cexplorer.tmp
File opened for modification	C:\Program Files (x86)\Chameleon Explorer\unins000.dat	cexplorer.tmp
File created	C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll	ChameleonExplorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3448	2416	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cexplorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cexplorer.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChameleonFolder.exe

Modifies registry class 52 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Drive\shell\ = "open"	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ChameleonExplorer.zip\shell\ = "open"	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\LocalServer32\ = "C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe"	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ProgID	ChameleonExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\System.RangeException	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\System.RangeException	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Directory\shell	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Directory\shell\ = "open"	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ChameleonExplorer.AutoplayEventHandler\ = "Chameleon Explorer Autoplay COM Server"	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ChameleonExplorer.AutoplayEventHandler\shell	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ChameleonExplorer.AutoplayEventHandler\shell\open	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Directory\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1"	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ChameleonExplorer.AutoplayEventHandler\CLSID	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.zip	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ChameleonExplorer.zip	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ChameleonExplorer.zip\DefaultIcon	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ProgID\ = "ChameleonExplorer.AutoplayEventHandler"	ChameleonExplorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\System.RangeException\CurVer\uid = "c4988fd4a233d3ee6f9fec5ce0237ca1"	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\System.RangeException\CurVer	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Drive\shell	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Drive\shell\open\command	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\ = "Chameleon Explorer Autoplay COM Server"	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ChameleonExplorer.AutoplayEventHandler\CLSID\ = "{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}"	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\System.RangeException\ = "System.RangeException"	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Applications\ChameleonExplorer.exe\DefaultIcon\ = "%WinDir%\\System32\\zipfldr.dll"	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Directory\shell\open\command	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.zip\OpenWithProgids\ChameleonExplorer.zip	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ChameleonExplorer.zip\shell\open	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ChameleonExplorer.zip\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1"	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\System.RangeException\CLSID\ = "{4286FA72-A2FA-3245-8751-D4206070A191}"	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Applications\ChameleonExplorer.exe\DefaultIcon	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Directory\shell\open	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Drive	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ChameleonExplorer.AutoplayEventHandler	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ChameleonExplorer.AutoplayEventHandler\shell\open\DropTarget	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ChameleonExplorer.AutoplayEventHandler\shell\open\DropTarget\CLSID = "{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}"	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\System.RangeException\CurVer\ins13 = "installed"	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Drive\shell\open	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ChameleonExplorer.zip\shell	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ChameleonExplorer.zip\shell\open\command	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Drive\shell\open\command\ = "\"C:\\Program Files (x86)\\Chameleon Explorer\\ChameleonExplorer.exe\" %1"	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.zip\ = "ChameleonExplorer.zip"	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\.zip\OpenWithProgids	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{A20662AD-1909-4774-8FC2-5F8BDC3A21AB}\LocalServer32	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\System.RangeException\CLSID	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Applications	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Applications\ChameleonExplorer.exe	ChameleonExplorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Directory	ChameleonExplorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\System.RangeException\CurVer	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\System.RangeException\CurVer\13 = "45600"	ChameleonExplorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\ChameleonExplorer.zip\DefaultIcon\ = "%WinDir%\\System32\\zipfldr.dll"	ChameleonExplorer.exe

Script User-Agent 1 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	22	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3552	cexplorer.tmp
3552	cexplorer.tmp

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3552	cexplorer.tmp
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3104 wrote to memory of 3492	3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe	91
PID 3104 wrote to memory of 3492	3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe	91
PID 3104 wrote to memory of 3492	3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe	91
PID 3492 wrote to memory of 3552	3492	cexplorer.exe	93
PID 3492 wrote to memory of 3552	3492	cexplorer.exe	93
PID 3492 wrote to memory of 3552	3492	cexplorer.exe	93
PID 3104 wrote to memory of 2416	3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe	95
PID 3104 wrote to memory of 2416	3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe	95
PID 3104 wrote to memory of 2416	3104	8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe	95
PID 3552 wrote to memory of 1448	3552	cexplorer.tmp	96
PID 3552 wrote to memory of 1448	3552	cexplorer.tmp	96
PID 3552 wrote to memory of 2168	3552	cexplorer.tmp	101
PID 3552 wrote to memory of 2168	3552	cexplorer.tmp	101
PID 3552 wrote to memory of 4124	3552	cexplorer.tmp	102
PID 3552 wrote to memory of 4124	3552	cexplorer.tmp	102
PID 3552 wrote to memory of 4124	3552	cexplorer.tmp	102
PID 3552 wrote to memory of 3580	3552	cexplorer.tmp	103
PID 3552 wrote to memory of 3580	3552	cexplorer.tmp	103

C:\Users\Admin\AppData\Local\Temp\8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8a60f22c8d18cdfbfe84b56a7aaa49da_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Roaming\cexplorer.exe
  "C:\Users\Admin\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3492
- - C:\Users\Admin\AppData\Local\Temp\is-SSRT8.tmp\cexplorer.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-SSRT8.tmp\cexplorer.tmp" /SL5="$140050,6397385,121344,C:\Users\Admin\AppData\Roaming\cexplorer.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /SP-
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
      "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /trialregister
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Modifies registry class
      PID:1448
  - - C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
      "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /replaceexplorer
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Modifies registry class
      PID:2168
  - - C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe
      "C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe" /update
      4⤵
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:4124
  - - C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe
      "C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe" /update
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      PID:3580
- C:\Users\Admin\AppData\Roaming\update.exe
  "C:\Users\Admin\AppData\Roaming\update.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2416
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2416 -s 344
    3⤵
    - Program crash
    PID:3448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2416 -ip 2416
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Chameleon Explorer\ChameleonExplorer.exe

Filesize
14.4MB

MD5
92a3d0847fc622b31f2d0c273a676c0e

SHA1
e642d694367cc98a8863d87fec82e4cf940eb48a

SHA256
9a9923c08d3fc5937b6ed189e20cf416482a079bc0c898c4ed75329e0ee3ae89

SHA512
01d13fd9a0dd52bc2e3f17af7a999682201c99ecf7218bca254a4944a483fd1dec2a3e6d59def501a024ad760b849787902ecb55bd33d23fa9651c0a7689cd1c

Download Submit
C:\Program Files (x86)\Chameleon Explorer\ChameleonFolder.exe

Filesize
4.4MB

MD5
5b0ae3fac33c08145dca4a9c272ebc34

SHA1
940f504d835fc254602953495320bb92456177b9

SHA256
137723bdd388f6e5a50b7942eff02f4cc70e6b86d8650a41f9e8956ea1e4de3b

SHA512
015ffc133ad3a6937222bbc057f68b60abfe22b900b5e7c4e6ca3ec7dc6b09abaf54b595f00fa9212f370da8531af1ac5fc52b39953e1f685e81c66d1ec61f8a

Download Submit
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper32.dll

Filesize
786KB

MD5
dd5ce4d765edd75eba6f311e6e0ea10a

SHA1
9ea7f6516e5ad0755b74463d427055f63ed1a664

SHA256
64b7f8f70a7b037d10da72eaa769078b7e4d1ac8964c5eae5515d373e816ed6d

SHA512
d2782310df7cc533cc9ffaf5c1903d5bc6a500c3bbe48148c1339fb5de19c835e4a8c765da1b80b3744ea231353f76f22ba4e04c78a3d950d7ee291d6eab2216

Download Submit
C:\Program Files (x86)\Chameleon Explorer\ExplorerHelper64.dll

Filesize
1.2MB

MD5
de5f74ef4e17b2dc8ad69a3e9b8d22c7

SHA1
42df8fedc56761041bce47b84bd4e68ee75448d2

SHA256
b89a6a57b48be10103825440d2157f2c4a56e4c6b79ad13f729429cd5393bf32

SHA512
515e9b498d8cd9bb03f8d9758e891d073627dfd6fb0b931650a47d6e53722aa6e1cc3caff8c0e64f4721ad2abef7a81ef4e7b49952d3c8fc325deb5bba6b3314

Download Submit
C:\Program Files (x86)\Chameleon Explorer\Folder.dll_new

Filesize
750KB

MD5
fb76f4f533203e40ce30612a47171f94

SHA1
304ba296c77a93ddb033d52578fcc147397db981

SHA256
3de05f18ffe9fda589a45ea539a464e58a30f70d59d71444b018064cf831c4a6

SHA512
a416a6d6efbbd69209e1867f12b9d1d11b21160f6dfe07c510b43112c22c317f805c67dd9402744a6c7e1541f6b3a061c49942fe28fa70f74aea670ba9c71995

Download Submit
C:\Program Files (x86)\Chameleon Explorer\Folder64.dll

Filesize
1.2MB

MD5
96f92c8368c1e922692f399db96da1eb

SHA1
1a91d68f04256ef3bc1022beb616ba65271bd914

SHA256
161408b86eed7c4d9a5882aa00df3f8765ed28fa4fd9aab2c9b3dceadbd527f9

SHA512
b3d3fb2d78fe2df864f0e07a8bc1610ee9d65251957e0495a34c1631895293590e0fca965ec9deb160f48a4e09a2feabd3bff6fb9a0c22888a941e308de39d14

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SSRT8.tmp\cexplorer.tmp

Filesize
1.1MB

MD5
729bc0108bcd7ec083dfa83d7a4577f2

SHA1
0b4efa5e1764b4ce3e3ae601c8655c7bb854a973

SHA256
b1c68b1582ebb5f465512a0b834ccac095460b29136b6c7eea0475612bf16b49

SHA512
49c83533ce88d346651d59d855cff18190328795401c1277f4e3d32ff34f207d2c35f026785aa6c4a85624d88bf8c927654907faf50db1d57447730d9d6ac44c

Download Submit
C:\Users\Admin\AppData\Roaming\cexplorer.exe

Filesize
6.5MB

MD5
d8388140b196952bc419141fa07ac0c9

SHA1
71e6f4a14964c39a9b827479ffe90ec07b9145e3

SHA256
6d77ff618ac5c4306dea8f34e66092e146f172570e88a3ac05166068e5a4abd6

SHA512
4f8e089eba0cc90af09321cc83297cf763b9899cb65cd1ebd44697866e7458fa5ba1f3ace9e6cf7875c92fa5ac7d7fe85ff3a4af0c6f659b1849c03bba674e22

Download Submit
C:\Users\Admin\AppData\Roaming\update.exe

Filesize
434KB

MD5
192e3b49aacb274d5684c4e1e0d65c35

SHA1
ec255fbf5e5c3e85c53c7404e251aa94065624ee

SHA256
f8ca51ccb2f07095760ff54c26589eb922eb6874857287515511431d8b0d6cec

SHA512
18d2519232c0fa4743c14916dba1b720d805e843f7f6b944c86d925014b757f70c17740ed4686f9c390e9a936348abfbbc80ad60794bae15cabd83609ef4d4bd

Download Submit
memory/1448-73-0x0000000000400000-0x0000000001438000-memory.dmp

Filesize
16.2MB

Download
memory/2168-77-0x0000000000400000-0x0000000001438000-memory.dmp

Filesize
16.2MB

Download
memory/2416-31-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2416-128-0x0000000000670000-0x00000000006B7000-memory.dmp

Filesize
284KB

Download
memory/2416-120-0x0000000000670000-0x00000000006B7000-memory.dmp

Filesize
284KB

Download
memory/2416-127-0x0000000000670000-0x00000000006B7000-memory.dmp

Filesize
284KB

Download
memory/2416-81-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/3492-75-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3492-12-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3492-117-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3492-14-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/3552-116-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3552-76-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3552-19-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/3580-112-0x0000000000400000-0x0000000001438000-memory.dmp

Filesize
16.2MB

Download
memory/4124-96-0x0000000000400000-0x0000000000A39000-memory.dmp

Filesize
6.2MB

Download