Analysis Overview
SHA256
68cd687dcf221e3554322289a9ddc329aabbd81c7b9f59673a9524845e9ee0fe
Threat Level: Known bad
The file 6bd85fcadad2eb861b7e915c249f3d60_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
NanoCore
Sets file to hidden
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-23 18:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-23 18:20
Reported
2024-05-23 18:23
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
NanoCore
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6bd85fcadad2eb861b7e915c249f3d60_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.sfx.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\is-KKVD2.tmp\jlmwi23v.tjt.tmp | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.sfx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0oiwolkb.3uw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jlmwi23v.tjt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-KKVD2.tmp\jlmwi23v.tjt.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4DEO4.tmp-dbinst\setup.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe" | C:\Users\Admin\AppData\Local\Temp\0oiwolkb.3uw.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\0oiwolkb.3uw.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DDP Service\ddpsv.exe | C:\Users\Admin\AppData\Local\Temp\0oiwolkb.3uw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DDP Service\ddpsv.exe | C:\Users\Admin\AppData\Local\Temp\0oiwolkb.3uw.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0oiwolkb.3uw.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0oiwolkb.3uw.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\0oiwolkb.3uw.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\is-KKVD2.tmp\jlmwi23v.tjt.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-4DEO4.tmp-dbinst\setup.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6bd85fcadad2eb861b7e915c249f3d60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bd85fcadad2eb861b7e915c249f3d60_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.sfx.exe
setup.sfx.exe -pError-Code:d5d9t-6gh3j56l-5fg56tg8t-5bh25h51d -d\ProgramData\ProductData\
C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4028,i,13281073920029625837,8253721632651544158,262144 --variations-seed-version --mojo-platform-channel-handle=3888 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\0oiwolkb.3uw.exe
"C:\Users\Admin\AppData\Local\Temp\0oiwolkb.3uw.exe"
C:\Users\Admin\AppData\Local\Temp\jlmwi23v.tjt.exe
"C:\Users\Admin\AppData\Local\Temp\jlmwi23v.tjt.exe"
C:\Users\Admin\AppData\Local\Temp\is-KKVD2.tmp\jlmwi23v.tjt.tmp
"C:\Users\Admin\AppData\Local\Temp\is-KKVD2.tmp\jlmwi23v.tjt.tmp" /SL5="$80164,25547327,139264,C:\Users\Admin\AppData\Local\Temp\jlmwi23v.tjt.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9CF.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA9B.tmp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO Y "
C:\Windows\SysWOW64\xcopy.exe
xcopy /s "\ProgramData\ProductData\setup.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Users\Admin\AppData\Local\Temp\is-4DEO4.tmp-dbinst\setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-4DEO4.tmp-dbinst\setup.exe" "C:\Users\Admin\AppData\Local\Temp\jlmwi23v.tjt.exe" /title="Driver Booster 8" /dbver=8.0.2.189 /eula="C:\Users\Admin\AppData\Local\Temp\is-4DEO4.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.iobit.com | udp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 8.8.8.8:53 | 140.20.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat
| MD5 | 7777443c9691b71473a0e5e773189f6b |
| SHA1 | e02bb60953a3a23a50c90b6cc6904d9dd07d75e5 |
| SHA256 | 50c2c0247120e2decd4e8261d82f025664a1586f87bba754b2a51cf22c944703 |
| SHA512 | 1b35b682297177d9af2ef1a5a478489ffccf2ba5fb09afb24468c64de3927ae3dc231549eeda55f619681734e5e15a8351959ae3ea9ca867a3820a61e0691aa0 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.sfx.exe
| MD5 | 312e727989d1cf225a7903a5509d3fc7 |
| SHA1 | c12ed945e6eed43606a23da45e1a84544585617c |
| SHA256 | 648e3e8f917e605cfcd5f2ad6ace2162aa51f3504515c5a6fbd80f130e7289bf |
| SHA512 | 37c69772a4983f33af5b867d2519c81c48b4daa75144289ebc3f51a05dac3c561a9fc4ba65ef68ceb053115f374ba2f3c083c82edb4cdaec7d00de15ba7af188 |
C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe
| MD5 | 07d505a12f5a480501f9812e309d1f36 |
| SHA1 | 91b4e9bf6109052fe6ea13ddd8778d1a221608c7 |
| SHA256 | 5d354da97dcce4b47662b776c3f42469429e810a47e867597f71e8eaa5c2eac0 |
| SHA512 | 7d60a21d6d512b7b31227469efe1d5cc226c37dc144ddf38f26610d8ed9a93677e87191f5980ba1fcd89577975cfa5cae094f10f6fdf4dff329a2abc15b5ff1d |
C:\Users\Admin\AppData\Local\Temp\0oiwolkb.3uw.exe
| MD5 | 8aed5cd5b97c7f0b8d5edb9078967b89 |
| SHA1 | 43bbaac407e6bc56340ff97653d1c29f234072f3 |
| SHA256 | 60a47a892350d7523bb3d9d4919f9f308f74960006a5fcf6b61e53a27d36ec5e |
| SHA512 | f37ca53b4942a833ac64d2ec03339a57cb1b5759f5974b38b63f47d6a4a1f721f1e5adbe5cd61455b9843d42d52a87cdea64912e4ce34c26bca5f37beab5a125 |
C:\Users\Admin\AppData\Local\Temp\jlmwi23v.tjt.exe
| MD5 | f48260a7fc69fd78d267a2d99b3060c7 |
| SHA1 | 86842077806b9edb575bf8a83d3f10417b61930a |
| SHA256 | 0068b9b06eb62b6df2831b87dca70fff589133a4579a43381e08a79a6991d3b6 |
| SHA512 | 260efc4df1a66ac13432911e620ac465496989795edfbeb65f12b8b203c9047767ab192a0a4bac6dbf4f8e24b2e4e57a4588c1e69468ab41165e43e4b969fa9a |
memory/876-44-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-KKVD2.tmp\jlmwi23v.tjt.tmp
| MD5 | 5e68859c0b4a4b3a30bdfc94b8317bc9 |
| SHA1 | 06a34be233b89832090eb8f646c968a09d40a145 |
| SHA256 | 3e9126730a72f811dffc8f6e598af754ec598fd8f864704c372c37a07c559956 |
| SHA512 | 36c45a8c41b800a548003319c46b880d4fe8194df72e791519c491b58e8256fd18ecd2cf5c494561ba89213e1c696914ab5576a453b3dc01b29dd72a60cdfea9 |
C:\Users\Admin\AppData\Local\Temp\tmp9CF.tmp
| MD5 | c31b363b72b67ee17d083eac2b989998 |
| SHA1 | cadaaa5167f57d35f31841e1fc1c1c20f845f74c |
| SHA256 | d022a215f8f179573729a08a4d6bdc2871eba1a49e455b81970e85d11099be21 |
| SHA512 | d9fe743f3bed6c9a3dd7c1ea276ec90d6b12c3fcda5bcff9b368ff4d01c591db6e2ea4d014188bc790e6c1d2134d2ff56564cf88c9f6ef12342b7b0d17d92ed0 |
C:\Users\Admin\AppData\Local\Temp\tmpA9B.tmp
| MD5 | 93d357e6194c8eb8d0616a9f592cc4bf |
| SHA1 | 5cc3a3d95d82cb88f65cb6dc6c188595fa272808 |
| SHA256 | a18de0ef2102d2546c7afd07ad1d7a071a0e59aff0868cf3937a145f24feb713 |
| SHA512 | 4df079387f6a76e0deb96ab4c11f6cffa62a8b42dc4970e885dab10351fade2d9e933663c141b76409657f85f1bf9dbb533d92dce52dc62598aafc4793743f7f |
C:\Users\Admin\AppData\Local\Temp\is-4DEO4.tmp\EULA.rtf
| MD5 | b0381f0ba7ead83ea3bd882c1de4cd48 |
| SHA1 | c740f811623061595d76fce2ebb4e69d34316f3b |
| SHA256 | 44bc9472169403484a0d384f1ca81989ef7e4b07441758e8a0110078933cbcb5 |
| SHA512 | 6cfb8bc562d22843d043411720db97d0b4cbac96a20983d83d19e59b8428ec202f2532cc5af254438dc34fca4161abbd3f6bac8d397590e41b6d41e60700e78a |
C:\Users\Admin\AppData\Local\Temp\is-4DEO4.tmp-dbinst\setup.exe
| MD5 | c8604ed9dc488875b199f8c83031dc29 |
| SHA1 | 1574782285f4687e989f577cfe1c8596216b16cc |
| SHA256 | ffaa1c48b31db37b8ca65575c5bacad4a08804734161ec4494765a6fe1c3e1bd |
| SHA512 | e159cfda5fadfe5e8f42b5f4e673af690b71b61526f055e4265ed2cbe5d0c1ba46d98ac3456c608795074b193a3a6eacf2ba0c19c1cb9e56eae077c5f554846c |
memory/2520-105-0x0000000000400000-0x0000000000531000-memory.dmp
memory/876-106-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\45435.7644460764\install_cfg.upt
| MD5 | da8dba956f21b27b2b3c03479dd09ade |
| SHA1 | 739fc48aed431124eebbee1941ab4e35bdadecd1 |
| SHA256 | a79dcef4a16f4f9f620577390bb87991f2fa35492170dd712ba1443834cfe077 |
| SHA512 | d338fba3ca5c0043f6ec157b15bf479b88951c8cf559e8675f3af846dacbcf1e54b73532402e6bfa8cbfa78af5ba48f3673156a853061a22fc01b08f1c07fdf8 |
C:\Users\Admin\AppData\Local\Temp\1716488449\ENGLISH.lng
| MD5 | 99dfdd13b99baf01a05de43c88100eff |
| SHA1 | a44236d444ee2375c813806a3d4a252cf0f68f25 |
| SHA256 | 8df866abe9006b70d12bd293c9591bc65ea1f393657fc16dc215083bc8099a16 |
| SHA512 | 85ed1484e882bf407196c57ba4b38f0c4e33723bcaa94da02f18e4dfb337bf3ecd4f31628cfd3f51b0933930b1805483d81849e9e41e7dc982cb566c7062c978 |
memory/4836-215-0x0000000000400000-0x0000000000B68000-memory.dmp
memory/4836-216-0x0000000000400000-0x0000000000B68000-memory.dmp
memory/4836-217-0x0000000000400000-0x0000000000B68000-memory.dmp
memory/4836-218-0x0000000000400000-0x0000000000B68000-memory.dmp
memory/4836-219-0x0000000000400000-0x0000000000B68000-memory.dmp
memory/4836-220-0x0000000000400000-0x0000000000B68000-memory.dmp
memory/4836-221-0x0000000000400000-0x0000000000B68000-memory.dmp
memory/4836-222-0x0000000000400000-0x0000000000B68000-memory.dmp
memory/4836-223-0x0000000000400000-0x0000000000B68000-memory.dmp
memory/4836-224-0x0000000000400000-0x0000000000B68000-memory.dmp
memory/4836-225-0x0000000000400000-0x0000000000B68000-memory.dmp
memory/4836-226-0x0000000000400000-0x0000000000B68000-memory.dmp
memory/4836-227-0x0000000000400000-0x0000000000B68000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-23 18:20
Reported
2024-05-23 18:22
Platform
win7-20240220-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
NanoCore
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.sfx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lzdobb1d.n5u.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\t254gngf.fky.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-35M7O.tmp\t254gngf.fky.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-301QO.tmp-dbinst\setup.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe" | C:\Users\Admin\AppData\Local\Temp\lzdobb1d.n5u.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\lzdobb1d.n5u.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\TCP Subsystem\tcpss.exe | C:\Users\Admin\AppData\Local\Temp\lzdobb1d.n5u.exe | N/A |
| File opened for modification | C:\Program Files (x86)\TCP Subsystem\tcpss.exe | C:\Users\Admin\AppData\Local\Temp\lzdobb1d.n5u.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Windows\SysWOW64\xcopy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lzdobb1d.n5u.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lzdobb1d.n5u.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lzdobb1d.n5u.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\is-35M7O.tmp\t254gngf.fky.tmp | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-301QO.tmp-dbinst\setup.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6bd85fcadad2eb861b7e915c249f3d60_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6bd85fcadad2eb861b7e915c249f3d60_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat" "
C:\Windows\SysWOW64\attrib.exe
attrib +s +h "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.sfx.exe
setup.sfx.exe -pError-Code:d5d9t-6gh3j56l-5fg56tg8t-5bh25h51d -d\ProgramData\ProductData\
C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe"
C:\Users\Admin\AppData\Local\Temp\lzdobb1d.n5u.exe
"C:\Users\Admin\AppData\Local\Temp\lzdobb1d.n5u.exe"
C:\Users\Admin\AppData\Local\Temp\t254gngf.fky.exe
"C:\Users\Admin\AppData\Local\Temp\t254gngf.fky.exe"
C:\Users\Admin\AppData\Local\Temp\is-35M7O.tmp\t254gngf.fky.tmp
"C:\Users\Admin\AppData\Local\Temp\is-35M7O.tmp\t254gngf.fky.tmp" /SL5="$201C6,25547327,139264,C:\Users\Admin\AppData\Local\Temp\t254gngf.fky.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "TCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2B74.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "TCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2C3F.tmp"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" ECHO Y "
C:\Windows\SysWOW64\xcopy.exe
xcopy /s "\ProgramData\ProductData\setup.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
C:\Users\Admin\AppData\Local\Temp\is-301QO.tmp-dbinst\setup.exe
"C:\Users\Admin\AppData\Local\Temp\is-301QO.tmp-dbinst\setup.exe" "C:\Users\Admin\AppData\Local\Temp\t254gngf.fky.exe" /title="Driver Booster 8" /dbver=8.0.2.189 /eula="C:\Users\Admin\AppData\Local\Temp\is-301QO.tmp-dbinst\EULA.rtf" /showlearnmore /pmtproduct /nochromepmt
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | connectionservices.ddns.net | udp |
| US | 8.8.8.8:53 | update.iobit.com | udp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
| US | 152.199.20.140:80 | update.iobit.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bat
| MD5 | 7777443c9691b71473a0e5e773189f6b |
| SHA1 | e02bb60953a3a23a50c90b6cc6904d9dd07d75e5 |
| SHA256 | 50c2c0247120e2decd4e8261d82f025664a1586f87bba754b2a51cf22c944703 |
| SHA512 | 1b35b682297177d9af2ef1a5a478489ffccf2ba5fb09afb24468c64de3927ae3dc231549eeda55f619681734e5e15a8351959ae3ea9ca867a3820a61e0691aa0 |
\Users\Admin\AppData\Local\Temp\RarSFX0\setup.sfx.exe
| MD5 | 312e727989d1cf225a7903a5509d3fc7 |
| SHA1 | c12ed945e6eed43606a23da45e1a84544585617c |
| SHA256 | 648e3e8f917e605cfcd5f2ad6ace2162aa51f3504515c5a6fbd80f130e7289bf |
| SHA512 | 37c69772a4983f33af5b867d2519c81c48b4daa75144289ebc3f51a05dac3c561a9fc4ba65ef68ceb053115f374ba2f3c083c82edb4cdaec7d00de15ba7af188 |
\Users\Admin\AppData\Local\Temp\RarSFX1\setup.exe
| MD5 | 07d505a12f5a480501f9812e309d1f36 |
| SHA1 | 91b4e9bf6109052fe6ea13ddd8778d1a221608c7 |
| SHA256 | 5d354da97dcce4b47662b776c3f42469429e810a47e867597f71e8eaa5c2eac0 |
| SHA512 | 7d60a21d6d512b7b31227469efe1d5cc226c37dc144ddf38f26610d8ed9a93677e87191f5980ba1fcd89577975cfa5cae094f10f6fdf4dff329a2abc15b5ff1d |
\Users\Admin\AppData\Local\Temp\lzdobb1d.n5u.exe
| MD5 | 8aed5cd5b97c7f0b8d5edb9078967b89 |
| SHA1 | 43bbaac407e6bc56340ff97653d1c29f234072f3 |
| SHA256 | 60a47a892350d7523bb3d9d4919f9f308f74960006a5fcf6b61e53a27d36ec5e |
| SHA512 | f37ca53b4942a833ac64d2ec03339a57cb1b5759f5974b38b63f47d6a4a1f721f1e5adbe5cd61455b9843d42d52a87cdea64912e4ce34c26bca5f37beab5a125 |
C:\Users\Admin\AppData\Local\Temp\t254gngf.fky.exe
| MD5 | f48260a7fc69fd78d267a2d99b3060c7 |
| SHA1 | 86842077806b9edb575bf8a83d3f10417b61930a |
| SHA256 | 0068b9b06eb62b6df2831b87dca70fff589133a4579a43381e08a79a6991d3b6 |
| SHA512 | 260efc4df1a66ac13432911e620ac465496989795edfbeb65f12b8b203c9047767ab192a0a4bac6dbf4f8e24b2e4e57a4588c1e69468ab41165e43e4b969fa9a |
memory/2856-54-0x0000000000400000-0x000000000042C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-35M7O.tmp\t254gngf.fky.tmp
| MD5 | 5e68859c0b4a4b3a30bdfc94b8317bc9 |
| SHA1 | 06a34be233b89832090eb8f646c968a09d40a145 |
| SHA256 | 3e9126730a72f811dffc8f6e598af754ec598fd8f864704c372c37a07c559956 |
| SHA512 | 36c45a8c41b800a548003319c46b880d4fe8194df72e791519c491b58e8256fd18ecd2cf5c494561ba89213e1c696914ab5576a453b3dc01b29dd72a60cdfea9 |
C:\Users\Admin\AppData\Local\Temp\tmp2B74.tmp
| MD5 | 93ea5dcbc2399a9a44a2450fea7d2f11 |
| SHA1 | 14176b0467c737fcddb80819e666d9a5903c4cf0 |
| SHA256 | 04eebc75acbce4881c913063cc70136d3d0f18c004fed42297f56ac7a1b1d144 |
| SHA512 | 864636e7c97fdcb1b086d3ed9b1a0ccb64065d0b248f7f41592b7e77c8205dacc5417846e546fc2e1381bcd1aad9fe156040a663650b5a794fa9dcbf7f5da3f2 |
C:\Users\Admin\AppData\Local\Temp\tmp2C3F.tmp
| MD5 | 4b7ef560289c0f62d0baf6f14f48a57a |
| SHA1 | 8331acb90dde588aa3196919f6e847f398fd06d1 |
| SHA256 | 062844155306130d6fafc4fe10ac9e5ddd2ed462532b729c50cdc979c0d83207 |
| SHA512 | ecaa27c4b703d95f9f9b37d8c339982970482e7dab968c2010e0aa644bbfa31973111aafb827565af30c423d1d14e4ff997ec149614e713ff7ef3456894d02d8 |
\Users\Admin\AppData\Local\Temp\is-301QO.tmp\DriverBooster.exe
| MD5 | 90eed3fddccd0e74feb3f9b63f932567 |
| SHA1 | cd8f47544ca0c9384a2f0e57c0342a5b924bd4b2 |
| SHA256 | 079789218c40ce50f29f7bf1ba3baeee5d6036b47fe4dcfbdc0a187b510a24c2 |
| SHA512 | c1e7b10de55200e2f7bc433a2f3b0725265a1d6fa729db799d12fde34c9d2a9d1e0f8e1b33f1d2625998e3de731db7b2a624be6261e3537a516adcb146adaa1c |
C:\Users\Admin\AppData\Local\Temp\is-301QO.tmp-dbinst\setup.exe
| MD5 | c8604ed9dc488875b199f8c83031dc29 |
| SHA1 | 1574782285f4687e989f577cfe1c8596216b16cc |
| SHA256 | ffaa1c48b31db37b8ca65575c5bacad4a08804734161ec4494765a6fe1c3e1bd |
| SHA512 | e159cfda5fadfe5e8f42b5f4e673af690b71b61526f055e4265ed2cbe5d0c1ba46d98ac3456c608795074b193a3a6eacf2ba0c19c1cb9e56eae077c5f554846c |
C:\Users\Admin\AppData\Local\Temp\45435.7642934722\install_cfg.upt
| MD5 | da8dba956f21b27b2b3c03479dd09ade |
| SHA1 | 739fc48aed431124eebbee1941ab4e35bdadecd1 |
| SHA256 | a79dcef4a16f4f9f620577390bb87991f2fa35492170dd712ba1443834cfe077 |
| SHA512 | d338fba3ca5c0043f6ec157b15bf479b88951c8cf559e8675f3af846dacbcf1e54b73532402e6bfa8cbfa78af5ba48f3673156a853061a22fc01b08f1c07fdf8 |
C:\Users\Admin\AppData\Local\Temp\1716488436\ENGLISH.lng
| MD5 | 99dfdd13b99baf01a05de43c88100eff |
| SHA1 | a44236d444ee2375c813806a3d4a252cf0f68f25 |
| SHA256 | 8df866abe9006b70d12bd293c9591bc65ea1f393657fc16dc215083bc8099a16 |
| SHA512 | 85ed1484e882bf407196c57ba4b38f0c4e33723bcaa94da02f18e4dfb337bf3ecd4f31628cfd3f51b0933930b1805483d81849e9e41e7dc982cb566c7062c978 |
memory/1060-244-0x0000000000400000-0x0000000000531000-memory.dmp
memory/2856-246-0x0000000000400000-0x000000000042C000-memory.dmp
memory/2276-248-0x0000000000400000-0x0000000000B68000-memory.dmp