7b7d6486a2949310dee64ef4d0c51939251fca19213efc6b861231435046fd7a

Analysis

max time kernel
141s
max time network
123s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
01-07-2024 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe
Size

991KB
MD5

1a7b95d799bfc4252f650808872bcd31
SHA1

27f428ad55d6dd7921ad8cab710ac6975bda7134
SHA256

7b7d6486a2949310dee64ef4d0c51939251fca19213efc6b861231435046fd7a
SHA512

4de6da802aa5e1899be0b2bf2ea973c73f90d547b16db3ca20e8cc08a8a27d32a669726e4e287ac2d7992f9af0f6d0da8e0f178212d40c54b47a18b85f7f299e
SSDEEP

24576:UpniXLZcchleJIqycPVQr+5IG/WUgRvkWdbSsaPsa3kY2+mO8i:KiX9c0cyGQr+3IRvkQy13O+mOh

Score

7^/10

adware discovery stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

is-I9LRK.tmpbaiducb.exe

pid process

1888 is-I9LRK.tmp
1964 baiducb.exe

pid	process
1888	is-I9LRK.tmp
1964	baiducb.exe

Loads dropped DLL 10 IoCs

Processes:

1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exeis-I9LRK.tmpbaiducb.exe

pid	process
2208	1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe
1888	is-I9LRK.tmp
1888	is-I9LRK.tmp
1888	is-I9LRK.tmp
1888	is-I9LRK.tmp
1964	baiducb.exe
1964	baiducb.exe
1964	baiducb.exe
1964	baiducb.exe
1964	baiducb.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

baiducb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{77FEF28E-EB96-44FF-B511-3185DEA48697}\id = "bdbar"	baiducb.exe

Drops file in Program Files directory 3 IoCs

Processes:

baiducb.exe

description	ioc	process
File opened for modification	C:\Progra~1\Baidu\bar\SET5CDF.tmp	baiducb.exe
File created	C:\Progra~1\Baidu\bar\SET5CDF.tmp	baiducb.exe
File opened for modification	C:\Progra~1\Baidu\bar\BaiDuBar.dll	baiducb.exe

Drops file in Windows directory 1 IoCs

Processes:

baiducb.exe

description ioc process

File opened for modification C:\Windows\INF\setupapi.app.log baiducb.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.app.log	baiducb.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

Processes:

baiducb.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Í¼Æ¬	baiducb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷MP3\Contexts = 10	baiducb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷¸è´Ê\Contexts = 10	baiducb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Ìù°É\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDUPOST.HTM"	baiducb.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÍøÒ³	baiducb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÍøÒ³\Contexts = 10	baiducb.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÐÂÎÅ	baiducb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÐÂÎÅ\Contexts = 10	baiducb.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷MP3	baiducb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷MP3\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDUMP3.HTM"	baiducb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷¸è´Ê\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDULYRIC.HTM"	baiducb.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Ìù°É	baiducb.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt	baiducb.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{B580CF65-E151-49C3-B73F-70B13FCA8E86} = 00	baiducb.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷¸è´Ê	baiducb.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-´ÊµäËÑË÷	baiducb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-´ÊµäËÑË÷\Contexts = 10	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	baiducb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÐÂÎÅ\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDUNEWS.HTM"	baiducb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Í¼Æ¬\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDUIMG.HTM"	baiducb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Í¼Æ¬\Contexts = 10	baiducb.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷Ìù°É\Contexts = 10	baiducb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-´ÊµäËÑË÷\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDU_DIC.HTM"	baiducb.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\°Ù¶È-ËÑË÷ÍøÒ³\ = "res://C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll/BAIDUSEARCH.HTM"	baiducb.exe

Modifies registry class 64 IoCs

Processes:

baiducb.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.DropTarget\CLSID\ = "{7C76C055-ED6E-4535-A70F-CD476E727F67}"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.DropTarget\CurVer	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BandIE.1\CLSID	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BandIE\CurVer\ = "BaiduBarEx.BandIE.1"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\TypeLib\Version = "1.0"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\ = "ITool"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\ = "AdFilter Class"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\Programmable	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BandIE\CLSID\ = "{77FEF28E-EB96-44FF-B511-3185DEA48697}"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0\0\win32\ = "C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu\CLSID\ = "{B580CF65-E151-49C3-B73F-70B13FCA8E86}"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.DropTarget\CurVer\ = "BaiduBarEx.DropTarget.1"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0\ = "BaiduBarEx 1.0 Type Library"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\TypeLib\ = "{6AFC2761-1253-427C-9A56-385B4609BE1D}"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\ProxyStubClsid32	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BandIE\CurVer	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32\ThreadingModel = "Apartment"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu\CurVer	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CLSID\ = "{A7F05EE4-0426-454F-8013-C41E3596E9E9}"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\VersionIndependentProgID	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\TypeLib	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.DropTarget	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C76C055-ED6E-4535-A70F-CD476E727F67}\InprocServer32\ = "C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu\CurVer\ = "BaiduBar.Baidu.1"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\CurVer\ = "BaiduBar.Tool.1"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\ProgID\ = "MimeFilter.AdFilter.1"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}\VersionIndependentProgID\ = "MimeFilter.AdFilter"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\TypeLib\ = "{6AFC2761-1253-427C-9A56-385B4609BE1D}"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\TypeLib\Version = "1.0"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\Programmable	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{89FDCC4B-8D91-49B0-81A6-18BCFF582735}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\TypeLib\Version = "1.0"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A294F8EB-86D9-4C4A-8B3E-909253761C64}\TypeLib\Version = "1.0"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\VersionIndependentProgID\ = "BaiduBar.Baidu"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool.1\CLSID\ = "{A7F05EE4-0426-454F-8013-C41E3596E9E9}"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A7F05EE4-0426-454F-8013-C41E3596E9E9}\ProgID	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{6AFC2761-1253-427C-9A56-385B4609BE1D}\1.0\FLAGS	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter.1\ = "AdFilter Class"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter\CurVer\ = "MimeFilter.AdFilter.1"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\TypeLib\ = "{6AFC2761-1253-427C-9A56-385B4609BE1D}"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu\ = "BaiduBar"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Tool\ = "Tool Class"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter\CLSID	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.DropTarget\ = "DropTarget Class"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7C76C055-ED6E-4535-A70F-CD476E727F67}\ = "DropTarget Class"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{A294F8EB-86D9-4C4A-8B3E-909253761C64}\TypeLib	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBar.Baidu\CLSID	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B580CF65-E151-49C3-B73F-70B13FCA8E86}\Programmable	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MimeFilter.AdFilter.1\CLSID\ = "{FE14F22E-BE14-4F08-A80F-F27BC3A67B2D}"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.DropTarget.1\CLSID	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{96249369-D3DC-4AE6-8A3B-E7109D46E98D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{464C8A26-31E9-411C-9583-5B858E631DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\BaiduBarEx.BandIE\CLSID	baiducb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\InprocServer32\ = "C:\\Progra~1\\Baidu\\bar\\BaiDuBar.dll"	baiducb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{77FEF28E-EB96-44FF-B511-3185DEA48697}\TypeLib	baiducb.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

is-I9LRK.tmp

pid process

1888 is-I9LRK.tmp

pid	process
1888	is-I9LRK.tmp

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

baiducb.exe

description	pid	process
Token: SeRestorePrivilege	1964	baiducb.exe
Token: SeRestorePrivilege	1964	baiducb.exe
Token: SeRestorePrivilege	1964	baiducb.exe
Token: SeRestorePrivilege	1964	baiducb.exe
Token: SeRestorePrivilege	1964	baiducb.exe
Token: SeRestorePrivilege	1964	baiducb.exe
Token: SeRestorePrivilege	1964	baiducb.exe
Token: SeRestorePrivilege	1964	baiducb.exe
Token: SeBackupPrivilege	1964	baiducb.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exeis-I9LRK.tmp

description	pid	process	target process
PID 2208 wrote to memory of 1888	2208	1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe	is-I9LRK.tmp
PID 2208 wrote to memory of 1888	2208	1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe	is-I9LRK.tmp
PID 2208 wrote to memory of 1888	2208	1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe	is-I9LRK.tmp
PID 2208 wrote to memory of 1888	2208	1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe	is-I9LRK.tmp
PID 2208 wrote to memory of 1888	2208	1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe	is-I9LRK.tmp
PID 2208 wrote to memory of 1888	2208	1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe	is-I9LRK.tmp
PID 2208 wrote to memory of 1888	2208	1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe	is-I9LRK.tmp
PID 1888 wrote to memory of 1964	1888	is-I9LRK.tmp	baiducb.exe
PID 1888 wrote to memory of 1964	1888	is-I9LRK.tmp	baiducb.exe
PID 1888 wrote to memory of 1964	1888	is-I9LRK.tmp	baiducb.exe
PID 1888 wrote to memory of 1964	1888	is-I9LRK.tmp	baiducb.exe
PID 1888 wrote to memory of 1964	1888	is-I9LRK.tmp	baiducb.exe
PID 1888 wrote to memory of 1964	1888	is-I9LRK.tmp	baiducb.exe
PID 1888 wrote to memory of 1964	1888	is-I9LRK.tmp	baiducb.exe

C:\Users\Admin\AppData\Local\Temp\1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208

C:\Users\Admin\AppData\Local\Temp\is-T84RP.tmp\is-I9LRK.tmp
"C:\Users\Admin\AppData\Local\Temp\is-T84RP.tmp\is-I9LRK.tmp" /SL4 $70120 "C:\Users\Admin\AppData\Local\Temp\1a7b95d799bfc4252f650808872bcd31_JaffaCakes118.exe" 783304 52224
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\is-MHLA5.tmp\baiducb.exe
"C:\Users\Admin\AppData\Local\Temp\is-MHLA5.tmp\baiducb.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1964

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\BaiduBar.dll
Filesize
286KB

MD5
e4bc62a44704db1e93d4e839781d1920

SHA1
1e9dcd259beff683a81432bf2539b047700a2f9a

SHA256
e58dfa77619ef7d60c9f7ef40db74a81643ecf1886d1960be65578b18183b318

SHA512
3bbc9e0745406863c27e9cb98bdd403b192840d905a9bba9bb02e86581d16805292c197c8a79ae6ee2f22c1ddc50f763b6e4ae95d21a9055b94abeb17ccdef04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\install.inf
Filesize
586B

MD5
c16ee16e5e62d584f951648a69624ee0

SHA1
8dc6ce55244f1af441103ccf5ab3ce82cf740bfd

SHA256
91d09fb03928ce0689b08377c745d8d49758f4d13d46c842dc073dd645f52359

SHA512
d3f2c8e18a2dbf6fb0deb4c6f8af68c11f2a3dcf50acb526117e805ac4c82c592642ba554b0fd5713a5e4a0dd0a3acf81eab3370389615634fda954c083a4b1b

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL
Filesize
90KB

MD5
d553b62a8136d41289513c6405efea2d

SHA1
db48c3fd3993ff20511e47ffad14bfbdb9f438eb

SHA256
ce7cfb626807084186b248bbf2ef776eac086da936146f7d44956c2fcfaec1f8

SHA512
4a3767e8ac1e684a9a6eaced921b9599e34d5a4e83f034c7fe42bd8fd707a2b86f51ad485933fed5015554c3f9c4cf4b1357832964cc170d8cba86092fc9d2e2

Download Submit
\Users\Admin\AppData\Local\Temp\is-MHLA5.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-MHLA5.tmp\baiducb.exe
Filesize
222KB

MD5
68af74f9069626a3aec0cf038de102db

SHA1
64d1472f511d140794fb954a6444a58c0c0b9538

SHA256
2cd991b41ed34ef85bd30005fcced10ad19cb50a99d62ff48ca86044185e591c

SHA512
a5ec034ca8f84cdf7fdc5d31ee394a03339c0266a0339ac25b442b5c4e6beb88faf13bd9848eb9fb6fd6aef4ab3ac167e6576f20d5c8f9809f1dff247fd5dfb3

Download Submit
\Users\Admin\AppData\Local\Temp\is-T84RP.tmp\is-I9LRK.tmp
Filesize
634KB

MD5
d291acbf9866b8846fe0629e690feb1a

SHA1
293314b11340d798d3c74e2416e2a43f267a25d6

SHA256
ab3e1fa210171e5ed2decc615c9328379ee3d29b55ee0e5d7ef6bece43f583eb

SHA512
320e68a67fdcf13dc25640cf68468abd9e0dc51b647f95277eebbd06c7c5ee298b1f68d4a01deb886979e42cbc3eddf16ac4db18884a96b1535598ba11ba36ed

Download Submit
memory/1888-66-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2208-0-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2208-2-0x0000000000401000-0x000000000040A000-memory.dmp

Filesize
36KB

Download
memory/2208-65-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads