Analysis
- max time kernel: 127s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/03/2025, 16:30
Behavioral tasks (sample, resource)
- behavioral1: JaffaCakes118_8ad5786bd8973d15d926e4fd2d4d9a5c.exe, win7-20240729-en
- behavioral2: JaffaCakes118_8ad5786bd8973d15d926e4fd2d4d9a5c.exe, win10v2004-20250314-en
- behavioral3: $PLUGINSDIR/StartMenu.dll, win7-20240903-en
- behavioral4: $PLUGINSDIR/StartMenu.dll, win10v2004-20250314-en
- behavioral5: $PLUGINSDIR/System.dll, win7-20241010-en
- behavioral6: $PLUGINSDIR/System.dll, win10v2004-20250314-en
- behavioral7: $PLUGINSDIR/nsDialogs.dll, win7-20240903-en
- behavioral8: $PLUGINSDIR/nsDialogs.dll, win10v2004-20250314-en
- behavioral9: $PROGRAMFILES/NetMeeting/360.js, win7-20240903-en
- behavioral10: $PROGRAMFILES/NetMeeting/360.js, win10v2004-20250314-en
- behavioral11: $PROGRAMFILES/files/3.bat, win7-20240903-en
- behavioral12: $PROGRAMFILES/files/3.bat, win10v2004-20250314-en
- behavioral13: $PROGRAMFILES/files/3.vbs, win7-20240903-en
- behavioral14: $PROGRAMFILES/files/3.vbs, win10v2004-20250314-en
- behavioral15: $PROGRAMFILES/files/q.vbs, win7-20240903-en
- behavioral16: $PROGRAMFILES/files/q.vbs, win10v2004-20250314-en
- behavioral17: $TEMP/SeFastInstall3_3201.exe, win7-20241010-en
- behavioral18: $TEMP/SeFastInstall3_3201.exe, win10v2004-20250314-en
- behavioral19: ֮.exe (filename mis-encoded in the report), win7-20240903-en
- behavioral20: ֮.exe (filename mis-encoded in the report), win10v2004-20250314-en
General
- Target: $PROGRAMFILES/NetMeeting/360.js
- Size: 6KB
- MD5: 5c1512b2632927dd12837c74f431061c
- SHA1: b2bea9c32771b258a23c89934d33476518b25371
- SHA256: 161941a6efafa22308ea856b4c07b859de3c0b80c0e16874b0483a9e34f46f69
- SHA512: 8cfeb98a1fff40c30b3b3dce463a1f2987c4c2028f414b27843375446667df33ee1494b7f3f99a662066af9f9010d656ea7223fca84dd129d74d3f672cac6973
- SSDEEP: 192:MjNBQi2529bCkp40e9As/7gS8kPzJszGQ:MjNKN52ZCb0pScS5DQ
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation (wscript.exe)
Command and Scripting Interpreter: JavaScript (1 TTP)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (IEXPLORE.EXE)
Modifies Internet Explorer settings
- Set value (int): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" (IEXPLORE.EXE)
- Set value (data): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 904e5a18ff9fdb01 (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\GPU (IEXPLORE.EXE)
- Set value (str): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f800f43246331f4499a70972ff180a7000000000020000000000106600000001000020000000444287ebdcd83e394369090bdd9f632ea9c8049c9d58160ae9fed95d324d5277000000000e80000000020000200000008294f8ee3156f958a25d8895f5a018ea90d1426add322fce260baf37c34a82cb200000002da2be417fe13e7c94ef8e45e80f186e4e27541ea2248a4beead2ad61e197cae40000000f3b8f966cd836687681f2b9290f1a671da503f11294ec7e2134961d5680ad28c06790a4167537292a2d37536096adeab7f236e8b791f0a2e3345329dc3a20869 (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\IESettingSync (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\International\CpMRU (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{0B4495B3-0BF2-11F0-A824-46172D3D8C37} = "0" (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10696018ff9fdb01 (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000f800f43246331f4499a70972ff180a7000000000020000000000106600000001000020000000afee844868c5ae2b87bef5f4fd576c2f30255f18105ed60b4bd4dcc15aeebdc2000000000e8000000002000020000000b1e22b33a03fff61ff8f33423bbb9fa586b07a8c8ccb402036599c07e564ce7120000000dd1250c32827ecfa981992e0acddcbd9055b37e568786d54d0470580a26a4b69400000001078729aa838befc97a3bd5afa4f9bc32522385950798d29a14335f5e0bc8da8a808893b97b453d33c6731443c6afc926b75862c8c6b1bdd88971c455fadcda8 (iexplore.exe)
- Set value (data): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Size = "10" (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" (IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "449944439" (iexplore.exe)
- Key created: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch (IEXPLORE.EXE)
- Key created: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" (IEXPLORE.EXE)
- Set value (int): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" (iexplore.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
- Set value (int): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Internet Explorer\International\CpMRU\Factor = "20" (IEXPLORE.EXE)
Modifies registry class (21 IoCs)
All entries by wscript.exe; together they register a new ".qa" file extension whose handler runs WScript.exe on the dropped 360.knl file.
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\NeverShowExt
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\shell
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\shell\open\command
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\shellex\IconHandler\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\shellex\ContextMenuHandlers\
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\ = "¿ì½Ý·½Ê½" (mojibake; the GBK bytes decode to 快捷方式, "Shortcut")
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\IsShortcut
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\DefaultIcon\ = "%SystemRoot%\\system32\\url.dll,0"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\CLSID
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\shellex\IconHandler
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\shellex
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.qa
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\qafile
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\shell\ = "open"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\shell\open\CLSID = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\shellex\ContextMenuHandlers
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.qa\ = "qafile"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\DefaultIcon
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\CLSID\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\shell\open
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\qafile\shell\open\command\ = "WScript.exe \"C:\\Program Files\\NetMeeting\\360.knl\" \"%1\""
Suspicious use of FindShellTrayWindow (1 IoC)
- PID 2652 iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
- PID 2652 iexplore.exe
- PID 2652 iexplore.exe
- PID 4216 IEXPLORE.EXE
- PID 4216 IEXPLORE.EXE
- PID 4216 IEXPLORE.EXE
- PID 4216 IEXPLORE.EXE

Suspicious use of WriteProcessMemory (5 IoCs)
- PID 2288 (wscript.exe) wrote to memory of PID 2652 (target 91)
- PID 2288 (wscript.exe) wrote to memory of PID 2652 (target 91)
- PID 2652 (iexplore.exe) wrote to memory of PID 4216 (target 92)
- PID 2652 (iexplore.exe) wrote to memory of PID 4216 (target 92)
- PID 2652 (iexplore.exe) wrote to memory of PID 4216 (target 92)
Processes
1. C:\Windows\system32\wscript.exe (PID 2288)
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\$PROGRAMFILES\NetMeeting\360.js
   - Checks computer location settings
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Internet Explorer\iexplore.exe (PID 2652, child of 1)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.t162.com/?new
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 4216, child of 2)
         Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2652 CREDAT:17410 /prefetch:2
         - System Location Discovery: System Language Discovery
         - Modifies Internet Explorer settings
         - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
  Filesize: 471B
  MD5: 0c5ef9158dcdd3b41a7e84c5e760b59d
  SHA1: 9cb930588b30e4399d0fbf73a559b2d89373a6a9
  SHA256: 95c2b916d5668f7823fc9222d4cac008570c4f1866a3ef2b4175cb1ea5bbd9d9
  SHA512: 13cf19b192d4b6365ab09e13b5ffc6c26470ff51527d8e49fad7aa410df5a7bc6557e731d5b49fa7c19cd9b677764422d2f57c10d2578cdfdf91cd1120db9c4e
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
  Filesize: 412B
  MD5: 4b137757ad10e5fb92d2a0ff3151ffb0
  SHA1: e5ca9a2cfebde7a7b3767f4d795243a67f3f72b0
  SHA256: d516ba6a991d0306b62731161bd1abf4634fee773103f0d4b8e15b719662fefa
  SHA512: 515006b19826cc4765927dafe1d3d7c00e8879389c0cf5a56548be874759d6fc3710d18e803f4659394a5d80e74f9bb0185090878739141be0a55bac06f33c75
- (no path)
  Filesize: 1KB
  MD5: 6a58e6923c6935f6729789a02b9ade50
  SHA1: 1cbc578fbd7fb94243e396595d90b3a5c5062dc5
  SHA256: 10e56d3dc7819fe1f6c69fc64a6ebed050da260fbc1f9474f7a17cbcb2d678cc
  SHA512: cd263f07a30bbbda52066882993b662b3b245225888c17599b0901a1e1cd0a0145efe26fbd24eb1f1ef4078930c0bdaba51529444772fe636a69ee1d99889c02
- (no path)
  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
- (no path)
  Filesize: 1KB
  MD5: 7ef1f0a0093460fe46bb691578c07c95
  SHA1: 2da3ffbbf4737ce4dae9488359de34034d1ebfbd
  SHA256: 4c62eef22174220b8655590a77b27957f3518b4c3b7352d0b64263b80e728f2c
  SHA512: 68da2c2f6f7a88ae364a4cf776d2c42e50150501ccf9b740a2247885fb21d1becbe9ee0ba61e965dd21d8ee01be2b364a29a7f9032fc6b5cdfb28cc6b42f4793