Overview
overview
7Static
static
3c439cc4195...18.exe
windows7-x64
7c439cc4195...18.exe
windows10-2004-x64
7$APPDATA/s...k.html
windows7-x64
3$APPDATA/s...k.html
windows10-2004-x64
3$APPDATA/s...k.html
windows7-x64
3$APPDATA/s...k.html
windows10-2004-x64
3$APPDATA/s...x.html
windows7-x64
3$APPDATA/s...x.html
windows10-2004-x64
3$APPDATA/s...m.html
windows7-x64
3$APPDATA/s...m.html
windows10-2004-x64
3$APPDATA/s...n.html
windows7-x64
3$APPDATA/s...n.html
windows10-2004-x64
3$APPDATA/s...m.html
windows7-x64
3$APPDATA/s...m.html
windows10-2004-x64
3$APPDATA/s...m.html
windows7-x64
3$APPDATA/s...m.html
windows10-2004-x64
3$APPDATA/s...m.html
windows7-x64
3$APPDATA/s...m.html
windows10-2004-x64
3$APPDATA/s...n.html
windows7-x64
3$APPDATA/s...n.html
windows10-2004-x64
3$APPDATA/s...m.html
windows7-x64
3$APPDATA/s...m.html
windows10-2004-x64
3$APPDATA/s...m.html
windows7-x64
3$APPDATA/s...m.html
windows10-2004-x64
3$APPDATA/s...m.html
windows7-x64
3$APPDATA/s...m.html
windows10-2004-x64
3$APPDATA/s...n.html
windows7-x64
3$APPDATA/s...n.html
windows10-2004-x64
3$APPDATA/s...n.html
windows7-x64
3$APPDATA/s...n.html
windows10-2004-x64
3$APPDATA/s...m.html
windows7-x64
3$APPDATA/s...m.html
windows10-2004-x64
3Analysis
-
max time kernel
133s -
max time network
132s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
04-12-2024 20:20
Static task
static1
Behavioral task
behavioral1
Sample
c439cc419562f1d2552a91e62b33be31_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
c439cc419562f1d2552a91e62b33be31_JaffaCakes118.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$APPDATA/seemao/config/Seemao_blank.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
$APPDATA/seemao/config/Seemao_blank.html
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$APPDATA/seemao/config/blank.html
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral6
Sample
$APPDATA/seemao/config/blank.html
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$APPDATA/seemao/config/map/index.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$APPDATA/seemao/config/map/index.html
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$APPDATA/seemao/config/map/www.360buy.com.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
$APPDATA/seemao/config/map/www.360buy.com.html
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$APPDATA/seemao/config/map/www.3dbuy.com.cn.html
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral12
Sample
$APPDATA/seemao/config/map/www.3dbuy.com.cn.html
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$APPDATA/seemao/config/map/www.7cv.com.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
$APPDATA/seemao/config/map/www.7cv.com.html
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$APPDATA/seemao/config/map/www.99kaoshi.com.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
$APPDATA/seemao/config/map/www.99kaoshi.com.html
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$APPDATA/seemao/config/map/www.99read.com.html
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral18
Sample
$APPDATA/seemao/config/map/www.99read.com.html
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$APPDATA/seemao/config/map/www.amazon.cn.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
$APPDATA/seemao/config/map/www.amazon.cn.html
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$APPDATA/seemao/config/map/www.bgccbook.com.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
$APPDATA/seemao/config/map/www.bgccbook.com.html
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$APPDATA/seemao/config/map/www.china-pub.com.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
$APPDATA/seemao/config/map/www.china-pub.com.html
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$APPDATA/seemao/config/map/www.dangdang.com.html
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral26
Sample
$APPDATA/seemao/config/map/www.dangdang.com.html
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$APPDATA/seemao/config/map/www.dazhe.cn.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
$APPDATA/seemao/config/map/www.dazhe.cn.html
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$APPDATA/seemao/config/map/www.huachu.com.cn.html
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
$APPDATA/seemao/config/map/www.huachu.com.cn.html
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$APPDATA/seemao/config/map/www.m18.com.html
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral32
Sample
$APPDATA/seemao/config/map/www.m18.com.html
Resource
win10v2004-20241007-en
windows10-2004-x64
General
-
Target
$APPDATA/seemao/config/map/www.amazon.cn.html
-
Size
3B
-
MD5
9e73f8411a70e1bceefc15ac312a362b
-
SHA1
21c4340e3a66a7bc00e5805bc1ebe30d3f2e218e
-
SHA256
c69684c471706da34b39b2994be39294926dc543e51aea5f4ce0f06091a00ebd
-
SHA512
59bb8b649fad3c2c990881eeb177ca0a751eb64b57b111da5300e5025753c9f642297d8c71b0b9ac0712f33af31a853d6174c1648f56ccadc66cf23e4130f538
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language IEXPLORE.EXE -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439505531" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch IEXPLORE.EXE Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aa94bddc94c3904db0f75b2a2f04d4e70000000002000000000010660000000100002000000050d353af3462aaf04c6552dd5b608628943f4e3941cecc2cdc26ea3e5fbd5303000000000e8000000002000020000000248bbae1fff214b0c33fd44589bac2ac5c092ca9a160ddbd8b0eff4896aef89020000000ed3b4b214e9c03633457a812f6f7fec22d7e924bc20bb9c14804b1349b38418640000000b02fc91975a9c911a6c4640a433655d39b99bb5318c65180a03731d4927c0da8b22eed8e75446718ebf36c5d4738358d4fcd489591bbc23fe7b176cda6817e0f iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70e6a61d8a46db01 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000aa94bddc94c3904db0f75b2a2f04d4e700000000020000000000106600000001000020000000b9950d2ca8c97f59b07c69d6d9d43daf486f1840f818ef17f5baa362df685ebd000000000e8000000002000020000000ce62c417e09d2face2406e3b58bb61525ac996579bc59409d3d165977cc95a5e9000000074c3e65b37f678acb16af991660bba4cdc6089e9ea08d48751a9cdccebe715355340109b64199ea1da41ee1480d8879ddca818dbedfa173ad3f15819c2d76d5ef8da2dacb95383fa2c28a04beb7c4c504f34ad10cadf3a7bc97485f3ba304aa71dafc258adfccb57363e4c45a0e4f35fa9ce5c1beb30633dc698dd68d8e25c8883382a20e79279c37ade2aa42d1db35d40000000603e0c4bdb59dcab9b92b2c3a1af151fab1fe470588aabc5e2d273e7e931b7d4406d9033f9127596f683ca412434340f4a392e6069d85d59e60b935e06efe67e iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{491064D1-B27D-11EF-B38B-EAF82BEC9AF0} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 3020 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3020 iexplore.exe 3020 iexplore.exe 2380 IEXPLORE.EXE 2380 IEXPLORE.EXE 2380 IEXPLORE.EXE 2380 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3020 wrote to memory of 2380 3020 iexplore.exe 30 PID 3020 wrote to memory of 2380 3020 iexplore.exe 30 PID 3020 wrote to memory of 2380 3020 iexplore.exe 30 PID 3020 wrote to memory of 2380 3020 iexplore.exe 30
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\$APPDATA\seemao\config\map\www.amazon.cn.html1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3020 CREDAT:275457 /prefetch:22⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2380
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD580591a2b2299fd68e1e64d9696827a1c
SHA1d3b8ec5b20ea209f3388b2d11c4e95396b4a901d
SHA2560dd2fc8e6e6262d6c231318caee76d643f9e7671c40f7b752f0f8e742248517a
SHA512ba32d52d42349af42ee9cafb8f571f9d923a1f6c5628e07ae7e328fce8825602fd37c75c48753d2df2ea05644bb24290ffd4de9a6f279dd8d85f7b7419b4cb8b
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c717f3bbb3fdab5e9e64d7553a8d400f
SHA1187ae2bf4c811dc2593b99636cb17aadf4e34fed
SHA2565bb3eb74e88d8fb26fddf2161b99427be83537f7d51cfef03b7ef5923add3fac
SHA512faf4864b2effa468baaf6aefd4ea72ac33c283680d4abc1188bf7448e85355e43ae6e068ece10a37e23d1eb4b3416eadbb6ae1c162434701fbd63dc6e226da67
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b