Analysis Overview
SHA256
def88cd2ce3ab3e358aa9f6cb73e5eef7de3c753c2b1b3bac6269ec19fbf288c
Threat Level: Likely malicious
The file f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Adds policy Run key to start application
Checks computer location settings
Loads dropped DLL
Deletes itself
Executes dropped EXE
UPX packed file
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-15 05:24
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-15 05:24
Reported
2024-04-15 05:27
Platform
win7-20240221-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\user32.dll = "C:\\Program Files (x86)\\Internet Security\\isamntr.exe" | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Security\isamini.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6ACAE64-F798-4930-AD86-BD3FB32038DB} | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\ | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Internet Security\isamntr.exe | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Internet Security\isunst.exe | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Internet Security\isadd.dll | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| File created | C:\Program Files (x86)\Internet Security\isamini.exe | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Search | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB} | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\ | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32 | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Security\\isadd.dll" | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe" |
| C:\Program Files (x86)\Internet Security\isamntr.exe | "C:\Program Files (x86)\Internet Security\isamntr.exe" |
| C:\Program Files (x86)\Internet Security\isamini.exe | "C:\Program Files (x86)\Internet Security\isamini.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F06A37~1.EXE > nul |
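The three behaviours worth correlating in the tables above are the Explorer policy Run value (a logon persistence location under HKLM\...\Policies\Explorer\Run that is honoured like the ordinary Run key but inspected far less often, here written under the value name user32.dll to look like a system DLL), the Browser Helper Object registration that only becomes meaningful once the same CLSID gets an InprocServer32 default value pointing at isadd.dll, and the cmd.exe /c del launch that removes the dropper's own Temp copy. The script below is an added example, not part of the sandbox report and not code from the sample's authors: it replays the report's own registry and process indicators, transcribed inline as constructed input, and returns those three findings. The event-tuple layout and the function names are assumptions of this example, not the sandbox's export format.

```python
"""Correlate sandbox registry and process events into the persistence,
BHO-hijack and self-deletion findings reported above."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: (description, indicator, process) tuples transcribed
# from the behavioral1 signature tables. The tuple layout is an assumption
# of this example, not the sandbox's native export format.
EVENTS: List[Tuple[str, str, str]] = [
    ("Key created",
     r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run",
     r"C:\Program Files (x86)\Internet Security\isamntr.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\user32.dll = "C:\\Program Files (x86)\\Internet Security\\isamntr.exe"',
     r"C:\Program Files (x86)\Internet Security\isamntr.exe"),
    ("Key created",
     r"\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}",
     r"C:\Program Files (x86)\Internet Security\isamntr.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Security\\isadd.dll"',
     r"C:\Program Files (x86)\Internet Security\isamntr.exe"),
    ("Set value (str)",
     r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32\ThreadingModel = "Apartment"',
     r"C:\Program Files (x86)\Internet Security\isamntr.exe"),
]

# Constructed input: command lines from the Processes list above.
PROCESSES: List[str] = [
    r'"C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe"',
    r'"C:\Program Files (x86)\Internet Security\isamntr.exe"',
    r'"C:\Program Files (x86)\Internet Security\isamini.exe"',
    r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F06A37~1.EXE > nul',
]

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
POLICY_RUN_SUFFIX = r"\currentversion\policies\explorer\run"
SELF_DELETE_RE = re.compile(r'cmd\.exe"?\s+/c\s+del\s+(\S+)', re.IGNORECASE)


def parse_set_value(indicator: str) -> Optional[Tuple[str, str, str]]:
    """Split 'key\\name = "data"' into (key, name, data).

    The sandbox doubles backslashes inside the quoted data, so they are
    collapsed back to single ones. An empty name is the key's (Default) value.
    """
    m = re.match(r'^(.*)\\([^\\]*) = "(.*)"$', indicator)
    if not m:
        return None
    key, name, data = m.groups()
    return key, name, data.replace("\\\\", "\\")


def find_policy_run_entries(events: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Return (value_name, launched_path) pairs written under Policies\\Explorer\\Run."""
    hits = []
    for desc, indicator, _proc in events:
        if desc != "Set value (str)":
            continue
        parsed = parse_set_value(indicator)
        if parsed and parsed[0].lower().endswith(POLICY_RUN_SUFFIX):
            hits.append((parsed[1], parsed[2]))
    return hits


def find_bho_chain(events: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map each CLSID registered as a Browser Helper Object to the DLL its
    InprocServer32 (Default) value points at; CLSIDs missing either half
    are not reported, so a bare BHO key without a COM server is ignored."""
    bho_clsids = set()
    inproc: Dict[str, str] = {}
    for desc, indicator, _proc in events:
        m = GUID_RE.search(indicator)
        if not m:
            continue
        clsid = m.group(0).upper()
        low = indicator.lower()
        if "\\browser helper objects\\" in low:
            bho_clsids.add(clsid)
        elif desc == "Set value (str)" and "\\inprocserver32" in low:
            parsed = parse_set_value(indicator)
            if parsed and parsed[1] == "":  # (Default) holds the DLL path
                inproc[clsid] = parsed[2]
    return {c: inproc[c] for c in sorted(bho_clsids) if c in inproc}


def find_self_delete(cmdlines: List[str]) -> List[str]:
    """Return the paths passed to 'cmd.exe /c del ...' launches."""
    return [m.group(1) for c in cmdlines for m in [SELF_DELETE_RE.search(c)] if m]


if __name__ == "__main__":
    for name, target in find_policy_run_entries(EVENTS):
        print(f"policy Run persistence: {name!r} -> {target}")
    for clsid, dll in find_bho_chain(EVENTS).items():
        print(f"BHO {clsid} served by {dll}")
    for path in find_self_delete(PROCESSES):
        print(f"self-deletion of {path}")
```

On a live host the same correlation can be done against reg.exe or PowerShell registry exports, but the key point is the join: a CLSID under Browser Helper Objects is only an indicator once its InprocServer32 resolves to a freshly dropped, unsigned DLL, and the policy Run value is the part that survives a reboot even after the Temp dropper has deleted itself.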
Network
Files
memory/2204-0-0x0000000000400000-0x0000000000419000-memory.dmp
\Program Files (x86)\Internet Security\isamntr.exe
| MD5 | 791dce91546dee755a7b00770f78c616 |
| SHA1 | 768661283866843df31dd40f9192aba8a379e0fd |
| SHA256 | ffa369b3138b4d9d8707f9c494f254a8a5c6e67c2fd0ebcb1ebe643dc95e153a |
| SHA512 | 069b7e663858bac0479d36dadb8c6a68d56a7f60bcc981248b515dec0a4e4edc77ffdb8d74545e59a556cd4745dc27ad7ae02c60963d89addfe1a4d5fb8845f9 |
\Program Files (x86)\Internet Security\isadd.dll
| MD5 | c3aba1388c6f0e377325b3bece5acf26 |
| SHA1 | 6322d51f910706279ec15ac40452e9103e38013f |
| SHA256 | 374a359d5498fa74bd7c61aaeb5cfed50693f5f08b3f9c5a7ebb08204cc995b1 |
| SHA512 | 838c94fc418567c26c7d62cae61a66a825211e74d99e4afad8d4db461f35f2d5b52580bfef8e4e70f37beadd7db387725854bf39d60cd128bfde3c26ffeeaa3b |
\Program Files (x86)\Internet Security\isamini.exe
| MD5 | 4faf36a30d06189d4636de34ca4af4a2 |
| SHA1 | c5edfd714b74300894456b97044320003ec1c58b |
| SHA256 | 31d6bf2ffef30e3e4f1f1a9dbb7f57e6b6eec7ed0b84719d5bf0a680631045fc |
| SHA512 | 918edade94444b2632614eb9a021b89a61a070ad631ec4c3972cbea8f110c09a03838ccd09de2d678a1a3b96aef52191367aeff6bb6812555b542aa21319ae59 |
memory/2204-21-0x0000000000400000-0x0000000000419000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-15 05:24
Reported
2024-04-15 05:27
Platform
win10v2004-20240412-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\user32.dll = "C:\\Program Files (x86)\\Internet Security\\isamntr.exe" | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Security\isamini.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6ACAE64-F798-4930-AD86-BD3FB32038DB} | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\ | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Internet Security\isamini.exe | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| File created | C:\Program Files (x86)\Internet Security\isamntr.exe | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\Internet Security\isadd.dll | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| File created | C:\Program Files (x86)\Internet Security\isunst.exe | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\Search | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1826666146-2574340311-1877551059-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB} | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\ | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32 | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Security\\isadd.dll" | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32\ThreadingModel = "Apartment" | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID | C:\Program Files (x86)\Internet Security\isamntr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\f06a37081157af03b1f89ebd3c7bef91_JaffaCakes118.exe" |
| C:\Program Files (x86)\Internet Security\isamntr.exe | "C:\Program Files (x86)\Internet Security\isamntr.exe" |
| C:\Program Files (x86)\Internet Security\isamini.exe | "C:\Program Files (x86)\Internet Security\isamini.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\F06A37~1.EXE > nul |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.114.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.16.208.104.in-addr.arpa | udp |
Files
memory/3620-0-0x0000000000400000-0x0000000000419000-memory.dmp
C:\Program Files (x86)\Internet Security\isamntr.exe
| MD5 | 791dce91546dee755a7b00770f78c616 |
| SHA1 | 768661283866843df31dd40f9192aba8a379e0fd |
| SHA256 | ffa369b3138b4d9d8707f9c494f254a8a5c6e67c2fd0ebcb1ebe643dc95e153a |
| SHA512 | 069b7e663858bac0479d36dadb8c6a68d56a7f60bcc981248b515dec0a4e4edc77ffdb8d74545e59a556cd4745dc27ad7ae02c60963d89addfe1a4d5fb8845f9 |
C:\Program Files (x86)\Internet Security\isadd.dll
| MD5 | c3aba1388c6f0e377325b3bece5acf26 |
| SHA1 | 6322d51f910706279ec15ac40452e9103e38013f |
| SHA256 | 374a359d5498fa74bd7c61aaeb5cfed50693f5f08b3f9c5a7ebb08204cc995b1 |
| SHA512 | 838c94fc418567c26c7d62cae61a66a825211e74d99e4afad8d4db461f35f2d5b52580bfef8e4e70f37beadd7db387725854bf39d60cd128bfde3c26ffeeaa3b |
C:\Program Files (x86)\Internet Security\isamini.exe
| MD5 | 4faf36a30d06189d4636de34ca4af4a2 |
| SHA1 | c5edfd714b74300894456b97044320003ec1c58b |
| SHA256 | 31d6bf2ffef30e3e4f1f1a9dbb7f57e6b6eec7ed0b84719d5bf0a680631045fc |
| SHA512 | 918edade94444b2632614eb9a021b89a61a070ad631ec4c3972cbea8f110c09a03838ccd09de2d678a1a3b96aef52191367aeff6bb6812555b542aa21319ae59 |
memory/3620-14-0x0000000000400000-0x0000000000419000-memory.dmp