Malware Analysis Report

2025-08-05 16:52

Sample ID 250127-sk6qcatre1
Target JaffaCakes118_40dd585383358253ab47de6f05b38a71
SHA256 e31eb92bc1607542f267d7f7050664e43d7cbacdaa1852345e4d74e28cd6d44f
Tags
defense_evasion discovery
score
7/10

Analysis Overview

score
7/10

SHA256

e31eb92bc1607542f267d7f7050664e43d7cbacdaa1852345e4d74e28cd6d44f

Threat Level: Shows suspicious behavior

The file JaffaCakes118_40dd585383358253ab47de6f05b38a71 was found to show suspicious behavior.

Malicious Activity Summary

defense_evasion discovery

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Indicator Removal: File Deletion

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious use of AdjustPrivilegeToken

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-01-27 15:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-01-27 15:12

Reported

2025-01-27 15:14

Platform

win7-20240903-en

Max time kernel

134s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dd585383358253ab47de6f05b38a71.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe N/A

Indicator Removal: File Deletion

defense_evasion

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dd585383358253ab47de6f05b38a71.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nbfile0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nbfile1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{11A31CE1-DCC1-11EF-B578-7A9F8CACAEA3} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000de3f2bed27548041a47fbc2b277d4da90000000002000000000010660000000100002000000087d2069caf3ef834a88e47f910763d4e16e8cc8d7b9c7a7b4f79c2fd85ce97fe000000000e8000000002000020000000288cbc8b58d19e84682df344aa5a7dbac42bc8a8d08707445a3fe89134e06d1820000000650167f7b21fab8acf645814e777d6eb82957e0beee7a42ad81c0bfcf429f55540000000c3176a73d35739332bfda7c05a716a0f12185d647cd969816051a3d38793f5e1c02002091a7d5c1e153b1d073c6083dad47defe95d2426bcc57d99aeb87f7d5e C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = f0f9ece9cd70db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444152593" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dd585383358253ab47de6f05b38a71.exe C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
PID 2120 wrote to memory of 2416 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dd585383358253ab47de6f05b38a71.exe C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
PID 2320 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Windows\SysWOW64\WScript.exe
PID 2320 wrote to memory of 2444 N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Windows\SysWOW64\WScript.exe
PID 2416 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2340 wrote to memory of 2920 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2416 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dd585383358253ab47de6f05b38a71.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dd585383358253ab47de6f05b38a71.exe"

C:\Users\Admin\AppData\Local\Temp\nbfile0.exe

C:\Users\Admin\AppData\Local\Temp\nbfile0.exe

C:\Users\Admin\AppData\Local\Temp\nbfile1.exe

C:\Users\Admin\AppData\Local\Temp\nbfile1.exe

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\newsetup.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\1.vbs"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.97199.com/install2/?sl3

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2340 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\nbfile1.exe

Network


Files

\Users\Admin\AppData\Local\Temp\nbfile0.exe

\Users\Admin\AppData\Local\Temp\nbfile1.exe

memory/2416-25-0x0000000000020000-0x0000000000022000-memory.dmp

memory/2416-24-0x0000000000400000-0x000000000048A000-memory.dmp

memory/2120-21-0x0000000000320000-0x00000000003AA000-memory.dmp

C:\newsetup.vbs

memory/2120-30-0x0000000000400000-0x0000000000493000-memory.dmp

memory/2416-31-0x0000000000400000-0x000000000048A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabF5C5.tmp

C:\Users\Admin\AppData\Local\Temp\TarF5D8.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Analysis: behavioral2

Detonation Overview

Submitted

2025-01-27 15:12

Reported

2025-01-27 15:14

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dd585383358253ab47de6f05b38a71.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nbfile0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe N/A

Indicator Removal: File Deletion

defense_evasion

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dd585383358253ab47de6f05b38a71.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nbfile0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nbfile1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3877908767" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30cf9feacd70db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31158477" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31158477" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 602d8feacd70db01 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3878689653" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "444755702" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cf5e2d781c051b42bc6b8082e201d2c200000000020000000000106600000001000020000000b4bb054c431039118a27e30b18b3dca40bfdf5c9c8dfd575bd7ae6cd51e9c63c000000000e8000000002000020000000b6c10701443e4c09cbcf6cca3b0a746155dccd0727533daae285409e5a2e688820000000a309944875e32f461ac51a49754fff3b0a1e8bb76b275d4e4f3e39b2caa3711e40000000f27ac034e3b6fe1724a6f7363e264ff916ba3e87b1f653eb7427c37b13fedaf57343ed68a46bf58cd3431fa2eb70e23bab83ebeda1a291ac6c0d5b4f2414d4bd C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{12A2CC4B-DCC1-11EF-BDBF-FAA11E730504} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000cf5e2d781c051b42bc6b8082e201d2c200000000020000000000106600000001000020000000d4b090547560c5bd49642e4ada39bdf02e103f334bca9f87257a13ba596dbc79000000000e8000000002000020000000e4a43c91e634a572bc7184a93b2784ba49446fa0a43fd750694c5d7f4b188be0200000000c7e5238e2f26cda86b9331f32f98d3d93200feda360c20baad3179557dbf476400000005f2db8a20778509e6ced0807d8ad070746acbee5494942783c95eaa274f55c9e32e0bc6888d2a100dda48e2c7b83ede8289993742554e64946874ddf1a71617b C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\nbfile0.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1716 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dd585383358253ab47de6f05b38a71.exe C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
PID 1716 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dd585383358253ab47de6f05b38a71.exe C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
PID 1716 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dd585383358253ab47de6f05b38a71.exe C:\Users\Admin\AppData\Local\Temp\nbfile0.exe
PID 1716 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dd585383358253ab47de6f05b38a71.exe C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
PID 1716 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dd585383358253ab47de6f05b38a71.exe C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
PID 1716 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dd585383358253ab47de6f05b38a71.exe C:\Users\Admin\AppData\Local\Temp\nbfile1.exe
PID 1668 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1668 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2632 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 1500 N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Windows\SysWOW64\WScript.exe
PID 2632 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\nbfile0.exe C:\Windows\SysWOW64\WScript.exe
PID 1988 wrote to memory of 4572 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1988 wrote to memory of 4572 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1988 wrote to memory of 4572 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1668 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Windows\SysWOW64\cmd.exe
PID 1668 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\nbfile1.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dd585383358253ab47de6f05b38a71.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_40dd585383358253ab47de6f05b38a71.exe"

C:\Users\Admin\AppData\Local\Temp\nbfile0.exe

C:\Users\Admin\AppData\Local\Temp\nbfile0.exe

C:\Users\Admin\AppData\Local\Temp\nbfile1.exe

C:\Users\Admin\AppData\Local\Temp\nbfile1.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://down.97199.com/install2/?sl3

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\newsetup.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\1.vbs"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1988 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\nbfile1.exe

Network


Files

C:\Users\Admin\AppData\Local\Temp\nbfile0.exe


C:\Users\Admin\AppData\Local\Temp\nbfile1.exe


memory/1668-8-0x0000000000400000-0x000000000048A000-memory.dmp

memory/1668-10-0x00000000001C0000-0x00000000001C2000-memory.dmp

C:\newsetup.vbs


memory/1668-19-0x0000000000400000-0x000000000048A000-memory.dmp

memory/1716-18-0x0000000000400000-0x0000000000493000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776


C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\W9QJOIKH\suggestions[1].en-US
