Malware Analysis Report

2025-03-14 23:05

Sample ID 240406-3xv5gsfd53
Target e395f9565145faa01b7734de5f32da17_JaffaCakes118
SHA256 03cb90f0cefca65507b87ba0258e359a009f4792f79d4d85c56913fddc67ebd5
Tags
upx bootkit discovery persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Shows suspicious behavior

The file e395f9565145faa01b7734de5f32da17_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

Loads dropped DLL

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Executes dropped EXE

UPX packed file

Writes to the Master Boot Record (MBR)

Adds Run key to start application

Checks installed software on the system

Drops file in System32 directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-06 23:54

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (2 matches, no details recorded)

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 23:54

Reported

2024-04-06 23:56

Platform

win7-20240221-en

Max time kernel

142s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Media Pass\MediaPass.exe N/A
N/A N/A C:\Program Files\Media Pass\MediaPassK.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (13 matches, no details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Media Pass = "C:\\Program Files\\Media Pass\\MediaPassK.exe" C:\Program Files\Media Pass\MediaPass.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ide21201.vxd C:\Program Files\Media Pass\MediaPass.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Media Pass\MediaPassC.dll C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe N/A
File created C:\Program Files\Media Pass\MediaPassK.exe C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe N/A
File created C:\Program Files\Media Pass\Info.txt C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe N/A
File created C:\Program Files\Media Pass\MediaPass.exe C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F652B511-F470-11EE-9502-E299A69EE862} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F652B513-F470-11EE-9502-E299A69EE862}.dat = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\ProgID C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0 C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\FLAGS C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7} C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\HELPDIR C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\TypeLib\ = "{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{735C5A0C-F79F-47A1-8CA1-2A2E482662A8}\ = "LoaderX" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\LocalServer32\ = "\"C:\\PROGRA~1\\MEDIAP~1\\MEDIAP~2.EXE\"" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPass.Installer\CLSID\ = "{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\TypeLib C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\ = "IInstaller" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\ = "IInstaller" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\ProxyStubClsid32 C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\ProxyStubClsid32 C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\TypeLib C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\TypeLib C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\FLAGS\ = "0" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPass.Installer\CLSID C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\TypeLib\Version = "1.0" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\0\win32 C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPass.Installer\CurVer C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPass.Installer\CurVer\ = "MediaPass.Installer" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\VersionIndependentProgID C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\0 C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\TypeLib\Version = "1.0" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9} C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LoaderX.EXE C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\ProgID\ = "MediaPass.Installer" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\LocalServer32 C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\0\win32\ = "C:\\Program Files\\Media Pass\\MediaPass.exe" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\HELPDIR\ = "C:\\Program Files\\Media Pass\\" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9} C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\TypeLib\ = "{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LoaderX.EXE\AppID = "{735C5A0C-F79F-47A1-8CA1-2A2E482662A8}" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\Implemented Categories C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPass.Installer C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\AppID = "{735C5A0C-F79F-47A1-8CA1-2A2E482662A8}" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\VersionIndependentProgID\ = "MediaPass.Installer" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\ = "Installer Class" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\TypeLib\ = "{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\Programmable C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\ = "LoaderX 1.0 Type Library" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{735C5A0C-F79F-47A1-8CA1-2A2E482662A8} C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C} C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPass.Installer\ = "Installer Class" C:\Program Files\Media Pass\MediaPass.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Media Pass\MediaPass.exe N/A
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe C:\Program Files\Media Pass\MediaPass.exe (4 identical events)
PID 2680 wrote to memory of 2608 N/A C:\Program Files\Media Pass\MediaPass.exe C:\Program Files\Media Pass\MediaPassK.exe (4 identical events)
PID 2680 wrote to memory of 2632 N/A C:\Program Files\Media Pass\MediaPass.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE (4 identical events)
PID 2632 wrote to memory of 2588 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (4 identical events)

Processes

C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe"

C:\Program Files\Media Pass\MediaPass.exe

"C:\Program Files\Media Pass\MediaPass.exe"

C:\Program Files\Media Pass\MediaPassK.exe

"C:\Program Files\Media Pass\MediaPassK.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2632 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 public.windupdates.com udp

Files

memory/2008-3-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files\Media Pass\MediaPass.exe

MD5 b5406943cf884d35d9d60017c29a74e3
SHA1 fd9a992c23075ca9750a1367d537437b373d4255
SHA256 df53640a1cc9c9c227c4a2d0ebadd910c9b30bb61467a0546a69b0031c450eeb
SHA512 586b1d433469957d6b89b82f91ebf9b76ec680196c64cfd3a5651947c1d9f8e11d15101f513306a04c25ee40b1e7e9f5d13f96948fe005420331252c3164f5f2

memory/2008-12-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2008-14-0x00000000003E0000-0x00000000003FF000-memory.dmp

memory/2680-15-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Program Files\Media Pass\Info.txt

MD5 746db4d74f7e44fe0a62377c578d2fa4
SHA1 4249fa1900317576d540b6caffcd9b367a96a9e5
SHA256 d9c9e34b2d94e8e1e0355830221ace8615058d874adac0494d139c4db568c7ec
SHA512 b0651cdd5652ce4c459d1e060ddefa05d7b651ad7d183255fa2c33bf030444b9825da376b08b1fcdfb9e6156def3eca08c7e1e1bea0177cd9fa694b24046661c

C:\Program Files\Media Pass\MediaPassC.dll

MD5 68921b28f721011d5071c1ded3134080
SHA1 28ff42bc2b8f9f88b5a8bb5540e8034169b70db9
SHA256 58b48e9d4486b58b41585563bd666c7fe7e1b445d8a33add65edf2e2af380d87
SHA512 612710f15e3582c4cbf873c5af57ac7e3d43858e3186bc7072ba1dc86a30be8c7e8c21199e9e066ad46f8f18dff9412e027dd2910e4ece6746edf1af8c5e733d

C:\Program Files\Media Pass\MediaPassK.exe

MD5 d6bb470d4427b6add2d11b5f537a8448
SHA1 a1936bfcedf41a60024535c26352ae383de6f1fe
SHA256 abb30a55602c97b96cb64d2d32e7331326ed895e463129c6203049cbfd693b81
SHA512 fd4d3df6611ab88567b9d038c702f3c788f01d4be568a5267a5ff6112c63281fab6843feb3f7f54e3266bf2e63c26e9268529c49efbe48e21d0ee1145a90d2e7

memory/2680-23-0x0000000010000000-0x000000001002A000-memory.dmp

memory/2680-25-0x0000000001DB0000-0x0000000001DBE000-memory.dmp

memory/2608-27-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2608-29-0x0000000010000000-0x000000001002A000-memory.dmp

memory/2680-31-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2680-32-0x0000000010000000-0x000000001002A000-memory.dmp

memory/2608-33-0x0000000000400000-0x000000000040E000-memory.dmp

memory/2008-35-0x00000000003E0000-0x00000000003FF000-memory.dmp

memory/2680-36-0x0000000001DB0000-0x0000000001DBE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 23:54

Reported

2024-04-06 23:56

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Media Pass\MediaPass.exe N/A
N/A N/A C:\Program Files\Media Pass\MediaPassK.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (11 matches, no details recorded)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Media Pass = "C:\\Program Files\\Media Pass\\MediaPassK.exe" C:\Program Files\Media Pass\MediaPass.exe N/A

Checks installed software on the system

discovery

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ide21201.vxd C:\Program Files\Media Pass\MediaPass.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Media Pass\MediaPassC.dll C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe N/A
File created C:\Program Files\Media Pass\MediaPassK.exe C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe N/A
File created C:\Program Files\Media Pass\Info.txt C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe N/A
File created C:\Program Files\Media Pass\MediaPass.exe C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F4898C36-F470-11EE-AE4D-5E2396FD2BC6} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Recovery\PendingDelete C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F4898C38-F470-11EE-AE4D-5E2396FD2BC6}.dat = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\MINIE C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPass.Installer C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\Programmable C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7} C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\FLAGS C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\TypeLib C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\TypeLib\ = "{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\TypeLib\Version = "1.0" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\TypeLib C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\AppID = "{735C5A0C-F79F-47A1-8CA1-2A2E482662A8}" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\0\win32 C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\HELPDIR\ = "C:\\Program Files\\Media Pass\\" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\ = "IInstaller" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\ProgID C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPass.Installer\CurVer C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPass.Installer\CurVer\ = "MediaPass.Installer" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\VersionIndependentProgID C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\TypeLib\ = "{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\Implemented Categories C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LoaderX.EXE\AppID = "{735C5A0C-F79F-47A1-8CA1-2A2E482662A8}" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\0\win32\ = "C:\\Program Files\\Media Pass\\MediaPass.exe" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4} C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPass.Installer\ = "Installer Class" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\TypeLib\Version = "1.0" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\VersionIndependentProgID\ = "MediaPass.Installer" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\ = "LoaderX 1.0 Type Library" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\TypeLib C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\ = "Installer Class" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\0 C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C} C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\HELPDIR C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9} C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{735C5A0C-F79F-47A1-8CA1-2A2E482662A8} C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9} C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPass.Installer\CLSID\ = "{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4} C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0\FLAGS\ = "0" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\LocalServer32 C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}\1.0 C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\ProxyStubClsid32 C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\LoaderX.EXE C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MediaPass.Installer\CLSID C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\ProgID\ = "MediaPass.Installer" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{735C5A0C-F79F-47A1-8CA1-2A2E482662A8}\ = "LoaderX" C:\Program Files\Media Pass\MediaPass.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\ProxyStubClsid32 C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\TypeLib\ = "{15696AE2-6EA4-47F4-BEA6-A3D32693EFC7}" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1E5E0D38-214B-4085-AD2A-D2290E6A2D2C}\LocalServer32\ = "\"C:\\PROGRA~1\\MEDIAP~1\\MEDIAP~2.EXE\"" C:\Program Files\Media Pass\MediaPass.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00ADA225-EA6C-4FB3-82E8-68189201CCB9}\ = "IInstaller" C:\Program Files\Media Pass\MediaPass.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Media Pass\MediaPass.exe N/A
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1376 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe C:\Program Files\Media Pass\MediaPass.exe
PID 1376 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe C:\Program Files\Media Pass\MediaPass.exe
PID 1376 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe C:\Program Files\Media Pass\MediaPass.exe
PID 2312 wrote to memory of 4212 N/A C:\Program Files\Media Pass\MediaPass.exe C:\Program Files\Media Pass\MediaPassK.exe
PID 2312 wrote to memory of 4212 N/A C:\Program Files\Media Pass\MediaPass.exe C:\Program Files\Media Pass\MediaPassK.exe
PID 2312 wrote to memory of 4212 N/A C:\Program Files\Media Pass\MediaPass.exe C:\Program Files\Media Pass\MediaPassK.exe
PID 2312 wrote to memory of 4016 N/A C:\Program Files\Media Pass\MediaPass.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2312 wrote to memory of 4016 N/A C:\Program Files\Media Pass\MediaPass.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 4016 wrote to memory of 5080 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4016 wrote to memory of 5080 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4016 wrote to memory of 5080 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e395f9565145faa01b7734de5f32da17_JaffaCakes118.exe"

C:\Program Files\Media Pass\MediaPass.exe

"C:\Program Files\Media Pass\MediaPass.exe"

C:\Program Files\Media Pass\MediaPassK.exe

"C:\Program Files\Media Pass\MediaPassK.exe"

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4016 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 public.windupdates.com udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 99.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/1376-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files\Media Pass\MediaPass.exe

MD5 b5406943cf884d35d9d60017c29a74e3
SHA1 fd9a992c23075ca9750a1367d537437b373d4255
SHA256 df53640a1cc9c9c227c4a2d0ebadd910c9b30bb61467a0546a69b0031c450eeb
SHA512 586b1d433469957d6b89b82f91ebf9b76ec680196c64cfd3a5651947c1d9f8e11d15101f513306a04c25ee40b1e7e9f5d13f96948fe005420331252c3164f5f2

memory/2312-15-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1376-14-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files\Media Pass\MediaPassK.exe

MD5 d6bb470d4427b6add2d11b5f537a8448
SHA1 a1936bfcedf41a60024535c26352ae383de6f1fe
SHA256 abb30a55602c97b96cb64d2d32e7331326ed895e463129c6203049cbfd693b81
SHA512 fd4d3df6611ab88567b9d038c702f3c788f01d4be568a5267a5ff6112c63281fab6843feb3f7f54e3266bf2e63c26e9268529c49efbe48e21d0ee1145a90d2e7

C:\Program Files\Media Pass\Info.txt

MD5 746db4d74f7e44fe0a62377c578d2fa4
SHA1 4249fa1900317576d540b6caffcd9b367a96a9e5
SHA256 d9c9e34b2d94e8e1e0355830221ace8615058d874adac0494d139c4db568c7ec
SHA512 b0651cdd5652ce4c459d1e060ddefa05d7b651ad7d183255fa2c33bf030444b9825da376b08b1fcdfb9e6156def3eca08c7e1e1bea0177cd9fa694b24046661c

C:\Program Files\Media Pass\MediaPassC.dll

MD5 68921b28f721011d5071c1ded3134080
SHA1 28ff42bc2b8f9f88b5a8bb5540e8034169b70db9
SHA256 58b48e9d4486b58b41585563bd666c7fe7e1b445d8a33add65edf2e2af380d87
SHA512 612710f15e3582c4cbf873c5af57ac7e3d43858e3186bc7072ba1dc86a30be8c7e8c21199e9e066ad46f8f18dff9412e027dd2910e4ece6746edf1af8c5e733d

memory/2312-22-0x0000000010000000-0x000000001002A000-memory.dmp

memory/4212-24-0x0000000000400000-0x000000000040E000-memory.dmp

memory/4212-26-0x0000000010000000-0x000000001002A000-memory.dmp

memory/2312-29-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2312-30-0x0000000010000000-0x000000001002A000-memory.dmp