Malware Analysis Report

2025-06-16 06:59

Sample ID 241104-ccskrasrgr
Target 8e931fa2fd9391f9f25e17190620c708_JaffaCakes118
SHA256 bd5a31b5c236d773d269499dcaeb18bea722fb9c5d25d1d7034f44fa9f473ebe
Tags
modiloader discovery trojan
score
10/10

Analysis Overview

score
10/10

SHA256

bd5a31b5c236d773d269499dcaeb18bea722fb9c5d25d1d7034f44fa9f473ebe

Threat Level: Known bad

The file 8e931fa2fd9391f9f25e17190620c708_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

modiloader discovery trojan

Modiloader family

ModiLoader, DBatLoader

ModiLoader Second Stage

Suspicious use of SetThreadContext

Drops file in System32 directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 01:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 01:56

Reported

2024-11-04 04:02

Platform

win7-20240708-en

Max time kernel

118s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e931fa2fd9391f9f25e17190620c708_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modiloader family

modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\SetupWay.txt C:\Users\Admin\AppData\Local\Temp\8e931fa2fd9391f9f25e17190620c708_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1952 set thread context of 1932 N/A C:\Users\Admin\AppData\Local\Temp\8e931fa2fd9391f9f25e17190620c708_JaffaCakes118.exe C:\program files\internet explorer\IEXPLORE.EXE

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8e931fa2fd9391f9f25e17190620c708_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436854664" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{40E4FA21-9A61-11EF-A7C8-6EB28AAB65BF} = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\program files\internet explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\program files\internet explorer\IEXPLORE.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e931fa2fd9391f9f25e17190620c708_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8e931fa2fd9391f9f25e17190620c708_JaffaCakes118.exe"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1932 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/1952-0-0x0000000000400000-0x0000000000508000-memory.dmp

memory/1952-1-0x0000000000260000-0x0000000000261000-memory.dmp

memory/1952-3-0x00000000002A0000-0x00000000002A1000-memory.dmp

memory/1952-2-0x0000000000400000-0x0000000000508000-memory.dmp

memory/1932-5-0x0000000000060000-0x0000000000168000-memory.dmp

memory/1952-6-0x0000000000400000-0x0000000000508000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 01:56

Reported

2024-11-04 03:56

Platform

win10v2004-20241007-en

Max time kernel

137s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e931fa2fd9391f9f25e17190620c708_JaffaCakes118.exe"

Signatures

ModiLoader, DBatLoader

trojan modiloader

Modiloader family

modiloader

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\SetupWay.txt C:\Users\Admin\AppData\Local\Temp\8e931fa2fd9391f9f25e17190620c708_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 840 set thread context of 2876 N/A C:\Users\Admin\AppData\Local\Temp\8e931fa2fd9391f9f25e17190620c708_JaffaCakes118.exe C:\program files\internet explorer\IEXPLORE.EXE

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8e931fa2fd9391f9f25e17190620c708_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7C3574C4-9A60-11EF-A4B7-CE95CE932DF6} = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31141485" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1353534500" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141485" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1357441483" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31141485" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1353534500" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "437457441" C:\program files\internet explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\program files\internet explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\program files\internet explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\program files\internet explorer\IEXPLORE.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e931fa2fd9391f9f25e17190620c708_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8e931fa2fd9391f9f25e17190620c708_JaffaCakes118.exe"

C:\program files\internet explorer\IEXPLORE.EXE

"C:\program files\internet explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2876 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/840-0-0x0000000000400000-0x0000000000508000-memory.dmp

memory/840-1-0x0000000002280000-0x0000000002281000-memory.dmp

memory/840-2-0x0000000000400000-0x0000000000508000-memory.dmp

memory/840-3-0x00000000022B0000-0x00000000022B1000-memory.dmp

memory/2876-5-0x0000000000490000-0x0000000000598000-memory.dmp

memory/840-6-0x0000000000400000-0x0000000000508000-memory.dmp
