Analysis

max time kernel: 119s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 15-04-2024 13:23
Static task: static1

Behavioral task: behavioral1
Sample: f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe
Resource: win10v2004-20240412-en

Behavioral task: behavioral3
Sample: $PLUGINSDIR/InstallOptions.dll
Resource: win7-20240220-en

Behavioral task: behavioral4
Sample: $PLUGINSDIR/InstallOptions.dll
Resource: win10v2004-20240226-en

Behavioral task: behavioral5
Sample: WindowController_setup_06.exe
Resource: win7-20240221-en

Behavioral task: behavioral6
Sample: WindowController_setup_06.exe
Resource: win10v2004-20240412-en
General

Target: f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe
Size: 1.4MB
MD5: f1278c614f4bcb17088e0194a3e15108
SHA1: 4f768d824d08520b5962c86b1b838c038e9806d2
SHA256: e30cd3c2da289af8bf3fe377fa4872ceb13356378333eaabaa349f608b0fd545
SHA512: 8b3ec07f912e26a2a9588df61b94b00b040b69cc054200a965398f3bdb2818e9d3757c4b6c980ce654b76c4bc0b2410e8f4d31f8a430ff04504a1500fa07f854
SSDEEP: 24576:Qr1O0K4xZpO0FmzY8537teyxC8muUC1CMlTfacNHdduJ7S2pf5HBcNqvKM+gA9:oMO5VFx9juUmCyTfao/uJ7S2pf5SeKp
Malware Config
Signatures

ACProtect 1.3x - 1.4x DLL software 2 IoCs
Detects file using ACProtect software.
resource | yara_rule
behavioral1/files/0x0006000000016cd2-53.dat | acprotect
behavioral1/files/0x0006000000016cc2-57.dat | acprotect

Deletes itself 1 IoCs
pid | Process
1704 | cmd.exe

Executes dropped EXE 3 IoCs
pid | Process
1964 | WindowController_setup_06.exe
2152 | is-52LCQ.tmp
2544 | _RegDLL.tmp

Loads dropped DLL 9 IoCs
pid | Process
1708 | f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe
1964 | WindowController_setup_06.exe
1964 | WindowController_setup_06.exe
1964 | WindowController_setup_06.exe
2152 | is-52LCQ.tmp
2152 | is-52LCQ.tmp
2152 | is-52LCQ.tmp
2544 | _RegDLL.tmp
2544 | _RegDLL.tmp

resource | yara_rule
behavioral1/files/0x0006000000016cd2-53.dat | upx
behavioral1/memory/2544-55-0x0000000001F70000-0x000000000209C000-memory.dmp | upx
behavioral1/files/0x0006000000016cc2-57.dat | upx

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowController = "c:\\program files\\WindowController\\WindowController.exe" | is-52LCQ.tmp
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F887887B-2D45-4998-9249-0ADE4BAD9EAA} | _RegDLL.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\NoExplorer = "1" | _RegDLL.tmp

Drops file in Program Files directory 11 IoCs
description | ioc | Process
File created | C:\Program Files\WindowController\is-03V98.tmp | is-52LCQ.tmp
File created | C:\Program Files\WindowController\is-KVQ47.tmp | is-52LCQ.tmp
File created | C:\Program Files\WindowController\is-3GRB9.tmp | is-52LCQ.tmp
File created | C:\Program Files (x86)\WindowController\WindowController_setup_06.exe | f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe
File created | C:\Program Files (x86)\WindowController\del_bat.cmd | is-52LCQ.tmp
File created | C:\Program Files\WindowController\is-TAF32.tmp | is-52LCQ.tmp
File created | C:\Program Files\WindowController\is-NCT7N.tmp | is-52LCQ.tmp
File created | C:\Program Files\WindowController\is-ABGFQ.tmp | is-52LCQ.tmp
File opened for modification | C:\Program Files\WindowController\unins000.dat | is-52LCQ.tmp
File created | C:\Program Files\WindowController\unins000.dat | is-52LCQ.tmp
File created | C:\Program Files\WindowController\is-5D2PI.tmp | is-52LCQ.tmp
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Modifies registry class 40 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA} | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\InprocServer32 | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ProgID | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ProgID\ = "windowcontroller.windowcontroller" | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA} | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\InprocServer32\ThreadingModel = "Apartment" | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\HELPDIR | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA} | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ = "IWindowController" | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32 | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\ = "{3D3A1318-C358-47E0-8E53-39FC647E85AA}" | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA} | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ = "WindowController" | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\FLAGS | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller\Clsid\ = "{F887887B-2D45-4998-9249-0ADE4BAD9EAA}" | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\ = "WindowController Class" | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller\ = "WindowController" | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ = "IWindowController" | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\Version\ = "1.0" | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\0 | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\0\win32 | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\ = "{3D3A1318-C358-47E0-8E53-39FC647E85AA}" | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\windowcontroller.windowcontroller\Clsid | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\ = "windowcontroller Library" | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\TypeLib | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\HELPDIR\ = "C:\\Program Files\\WindowController\\" | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\Version = "1.0" | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\InprocServer32\ = "C:\\PROGRA~1\\WIC173~1\\WINDOW~1.DLL" | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\Version | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F887887B-2D45-4998-9249-0ADE4BAD9EAA}\TypeLib\ = "{3D3A1318-C358-47E0-8E53-39FC647E85AA}" | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\0\win32\ = "C:\\Program Files\\WindowController\\windowcontroller_v1.dll" | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0\FLAGS\ = "0" | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\ProxyStubClsid32 | _RegDLL.tmp
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AD087366-012D-44BD-8604-EDDA1AAD3FAA}\TypeLib\Version = "1.0" | _RegDLL.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{3D3A1318-C358-47E0-8E53-39FC647E85AA}\1.0 | _RegDLL.tmp

Suspicious use of WriteProcessMemory 35 IoCs
description | pid | Process | procid_target
PID 1708 wrote to memory of 1964 | 1708 | f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | 28
PID 1708 wrote to memory of 1964 | 1708 | f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | 28
PID 1708 wrote to memory of 1964 | 1708 | f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | 28
PID 1708 wrote to memory of 1964 | 1708 | f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | 28
PID 1708 wrote to memory of 1964 | 1708 | f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | 28
PID 1708 wrote to memory of 1964 | 1708 | f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | 28
PID 1708 wrote to memory of 1964 | 1708 | f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | 28
PID 1708 wrote to memory of 1704 | 1708 | f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | 29
PID 1708 wrote to memory of 1704 | 1708 | f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | 29
PID 1708 wrote to memory of 1704 | 1708 | f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | 29
PID 1708 wrote to memory of 1704 | 1708 | f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | 29
PID 1708 wrote to memory of 1704 | 1708 | f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | 29
PID 1708 wrote to memory of 1704 | 1708 | f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | 29
PID 1708 wrote to memory of 1704 | 1708 | f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe | 29
PID 1964 wrote to memory of 2152 | 1964 | WindowController_setup_06.exe | 31
PID 1964 wrote to memory of 2152 | 1964 | WindowController_setup_06.exe | 31
PID 1964 wrote to memory of 2152 | 1964 | WindowController_setup_06.exe | 31
PID 1964 wrote to memory of 2152 | 1964 | WindowController_setup_06.exe | 31
PID 1964 wrote to memory of 2152 | 1964 | WindowController_setup_06.exe | 31
PID 1964 wrote to memory of 2152 | 1964 | WindowController_setup_06.exe | 31
PID 1964 wrote to memory of 2152 | 1964 | WindowController_setup_06.exe | 31
PID 2152 wrote to memory of 2612 | 2152 | is-52LCQ.tmp | 32
PID 2152 wrote to memory of 2612 | 2152 | is-52LCQ.tmp | 32
PID 2152 wrote to memory of 2612 | 2152 | is-52LCQ.tmp | 32
PID 2152 wrote to memory of 2612 | 2152 | is-52LCQ.tmp | 32
PID 2152 wrote to memory of 2612 | 2152 | is-52LCQ.tmp | 32
PID 2152 wrote to memory of 2612 | 2152 | is-52LCQ.tmp | 32
PID 2152 wrote to memory of 2612 | 2152 | is-52LCQ.tmp | 32
PID 2152 wrote to memory of 2544 | 2152 | is-52LCQ.tmp | 34
PID 2152 wrote to memory of 2544 | 2152 | is-52LCQ.tmp | 34
PID 2152 wrote to memory of 2544 | 2152 | is-52LCQ.tmp | 34
PID 2152 wrote to memory of 2544 | 2152 | is-52LCQ.tmp | 34
PID 2152 wrote to memory of 2544 | 2152 | is-52LCQ.tmp | 34
PID 2152 wrote to memory of 2544 | 2152 | is-52LCQ.tmp | 34
PID 2152 wrote to memory of 2544 | 2152 | is-52LCQ.tmp | 34
Processes

[1] C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f1278c614f4bcb17088e0194a3e15108_JaffaCakes118.exe"
    PID: 1708
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files (x86)\WindowController\WindowController_setup_06.exe
        Command line: "C:\Program Files (x86)\WindowController\WindowController_setup_06.exe" /VERYSILENT
        PID: 1964
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory

        [3] C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp
            Command line: "C:\Users\Admin\AppData\Local\Temp\is-C3GJP.tmp\is-52LCQ.tmp" /SL4 $40156 "C:\Program Files (x86)\WindowController\WindowController_setup_06.exe" 1217223 52224 /VERYSILENT
            PID: 2152
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Drops file in Program Files directory
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\cmd.exe
                Command line: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files (x86)\WindowController\del_bat.cmd""
                PID: 2612

            [4] C:\Users\Admin\AppData\Local\Temp\is-HVL5A.tmp\_isetup\_RegDLL.tmp
                Command line: _RegDLL.tmp 552 544
                PID: 2544
                - Executes dropped EXE
                - Loads dropped DLL
                - Installs/modifies Browser Helper Object
                - Modifies registry class

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\del_nsis_bat.cmd" "
        PID: 1704
        - Deletes itself
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 244B
MD5: 569c447b88ee6ee87a0d575fc064c735
SHA1: c6d4a65b6ae7cd71d3d147de18623ea608fab20a
SHA256: ec05b65ae7c94229a78f0a7265027f69f7b722dd30960f7f9775dc39e68e820c
SHA512: 1ff2b42c4fd16c10b93a65ff07ad9c300f3ce30b1b7a88f4f4db8c35741378b0feb4a049ff16e48c46a259118fbf3e08d2accaac717474be5eb2185946fd5be5

Filesize: 425KB
MD5: 42fa974b082ae577576fe5d4116b0ea7
SHA1: f374a519c41c73e5e40f281d25ec91325ff8c103
SHA256: b8220fa29179648237f3614d42a0e47f6b704df731cca293d72eb6be79e70a45
SHA512: 60c9069ce07a71e97572b2307d508e47cb470154918875429e2a08a0d506a099ebf7f2c075dffd44d3d321b4c6521fd15c162b03020468a9f857171abf711e48

Filesize: 285B
MD5: 3670ebb3297f13962c71489c50e5fc4a
SHA1: 9b58125817e1ed3fafd54c89dcd8880b45e8d27f
SHA256: 5a48071bfbb02ec1cdda615f83a973d98ba2a339fc10520e11719cf08a3ccde0
SHA512: 99c08672a993ad55c9e9de663209543e936aef6e2137af2f3941ff27f6e8283e3c550611e25bd5669c0a4834618266e047039cd69ea59214cd6f7a04ba76a714

Filesize: 1.4MB
MD5: 5f47cf5504f99f7a6a20ea11e393ed75
SHA1: 081ba58a5a211efa949b6536b477b9f211f1a0ea
SHA256: a3164eb1974835b112230abb7460da2b4c328dfed3c85283c792911e86f90f5b
SHA512: 4c8e48d14124fdcbb5a4624c77557c94b3bd756fbb2bf98d37b5a4355b3fd902e0fb335d5fb8b4a939e5df04e9c52e426225426c80af07f2876a23dd3a93a5f2

Filesize: 274KB
MD5: 89f0fd81f69f1a20ba0951d8694b4437
SHA1: f3c56f20cf8a6f6dd210b287b6a22210d252ec6b
SHA256: c5e209f7c5e2a2e58537e7d4a5e6c4a6a557ac0ec72a4eb16a490e248945e57a
SHA512: 51f358397a4fef954f42b3dfde6b877ffc4938567aae1d085f65d837b63a17c4bf10b9a1c29b7541e2adfcbc909b5fb832af62f06774a2557a6e4ce776d062fd

Filesize: 656KB
MD5: 4fa180886ff7c0fd86a65f760ede6318
SHA1: 2c89c271c71531362e84ddab5d3028f0756a9281
SHA256: 1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c
SHA512: a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

Filesize: 3KB
MD5: c594b792b9c556ea62a30de541d2fb03
SHA1: 69e0207515e913243b94c2d3a116d232ff79af5f
SHA256: 5dcc1e0a197922907bca2c4369f778bd07ee4b1bbbdf633e987a028a314d548e
SHA512: 387bd07857b0de67c04e0abf89b754691683f30515726045ff382da9b6b7f36570e38fae9eca5c4f0110ce9bb421d8045a5ec273c4c47b5831948564763ed144

Filesize: 22KB
MD5: 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1: 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256: 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512: 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3