0a0b6b4e25df3afae5bf65f6a227eda5ae9c7b6b959cb94c5d171b2ed2fead4d

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e8b7dd81153ebc916967cd6c85334d3_JaffaCakes118.exe
Size

5.8MB
MD5

6e8b7dd81153ebc916967cd6c85334d3
SHA1

5e45f2ee1227b32d7e2bf48232810ea2bfb7f0c0
SHA256

0a0b6b4e25df3afae5bf65f6a227eda5ae9c7b6b959cb94c5d171b2ed2fead4d
SHA512

1890af3fb52f75ffc807b53db80e88c8c39089f028948b6bdf3da6af21479d48c5378ac18e0d5d1eef9c299d0f78a380f0036db3548b3da0ff991c583024dfaf
SSDEEP

98304:U2wc10DlRAGQz/bgNzRSq+S8Y0TXcSfkaFMOoPKhh3DunjgQYXGt//S:U2LGQz/bgNzRSNysXcSfkOM6hhzunENJ

Score

8^/10

evasion persistence

Malware Config

Signatures

Blocks application from running via registry modification 5 IoCs

Adds application to list of disallowed applications.

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	SMΔRTP.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	SMΔRTP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "Mshta.exe"	SMΔRTP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "powershell.exe"	SMΔRTP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "bitsadmin.exe"	SMΔRTP.exe

Executes dropped EXE 5 IoCs

pid	Process
2756	Smadav1350-Update.exe
348	SMΔRTP.exe
1852	SmadavProtect64.exe
1096	Process not Found
2212	Process not Found

Loads dropped DLL 20 IoCs

pid	Process
2132	6e8b7dd81153ebc916967cd6c85334d3_JaffaCakes118.exe
2132	6e8b7dd81153ebc916967cd6c85334d3_JaffaCakes118.exe
2132	6e8b7dd81153ebc916967cd6c85334d3_JaffaCakes118.exe
2132	6e8b7dd81153ebc916967cd6c85334d3_JaffaCakes118.exe
2756	Smadav1350-Update.exe
2756	Smadav1350-Update.exe
2756	Smadav1350-Update.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
1852	SmadavProtect64.exe
1204	Process not Found
1744	Process not Found
2944	Process not Found
3040	Process not Found
2328	regsvr32.exe
2356	regsvr32.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}\InprocServer32\ = "C:\\Program Files (x86)\\Smadav\\SmadExtc64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMΔRT-Protection = "C:\\Program Files (x86)\\Smadav\\SMΔRTP.exe rts"	SMΔRTP.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Smadav1350-Update.exe
File opened (read-only)	\??\Y:	Smadav1350-Update.exe
File opened (read-only)	\??\Z:	Smadav1350-Update.exe
File opened (read-only)	\??\G:	SMΔRTP.exe
File opened (read-only)	\??\K:	SMΔRTP.exe
File opened (read-only)	\??\M:	SMΔRTP.exe
File opened (read-only)	\??\O:	SMΔRTP.exe
File opened (read-only)	\??\B:	Smadav1350-Update.exe
File opened (read-only)	\??\S:	Smadav1350-Update.exe
File opened (read-only)	\??\B:	SMΔRTP.exe
File opened (read-only)	\??\E:	SMΔRTP.exe
File opened (read-only)	\??\I:	SMΔRTP.exe
File opened (read-only)	\??\P:	SMΔRTP.exe
File opened (read-only)	\??\S:	SMΔRTP.exe
File opened (read-only)	\??\T:	SMΔRTP.exe
File opened (read-only)	\??\L:	Smadav1350-Update.exe
File opened (read-only)	\??\R:	SMΔRTP.exe
File opened (read-only)	\??\X:	SMΔRTP.exe
File opened (read-only)	\??\E:	Smadav1350-Update.exe
File opened (read-only)	\??\G:	Smadav1350-Update.exe
File opened (read-only)	\??\R:	Smadav1350-Update.exe
File opened (read-only)	\??\L:	SMΔRTP.exe
File opened (read-only)	\??\H:	Smadav1350-Update.exe
File opened (read-only)	\??\N:	Smadav1350-Update.exe
File opened (read-only)	\??\Q:	Smadav1350-Update.exe
File opened (read-only)	\??\X:	Smadav1350-Update.exe
File opened (read-only)	\??\J:	SMΔRTP.exe
File opened (read-only)	\??\N:	SMΔRTP.exe
File opened (read-only)	\??\Q:	SMΔRTP.exe
File opened (read-only)	\??\J:	Smadav1350-Update.exe
File opened (read-only)	\??\K:	Smadav1350-Update.exe
File opened (read-only)	\??\O:	Smadav1350-Update.exe
File opened (read-only)	\??\W:	Smadav1350-Update.exe
File opened (read-only)	\??\A:	SMΔRTP.exe
File opened (read-only)	\??\U:	SMΔRTP.exe
File opened (read-only)	\??\V:	SMΔRTP.exe
File opened (read-only)	\??\W:	SMΔRTP.exe
File opened (read-only)	\??\Y:	SMΔRTP.exe
File opened (read-only)	\??\A:	Smadav1350-Update.exe
File opened (read-only)	\??\M:	Smadav1350-Update.exe
File opened (read-only)	\??\P:	Smadav1350-Update.exe
File opened (read-only)	\??\T:	Smadav1350-Update.exe
File opened (read-only)	\??\U:	Smadav1350-Update.exe
File opened (read-only)	\??\V:	Smadav1350-Update.exe
File opened (read-only)	\??\H:	SMΔRTP.exe
File opened (read-only)	\??\Z:	SMΔRTP.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\regsvr32.exe	SMΔRTP.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Smadav\Smadav.loov	Smadav1350-Update.exe
File created	C:\Program Files (x86)\Smadav\SmadExtMenu.dll	Smadav1350-Update.exe
File created	C:\Program Files (x86)\Smadav\SmadEngine.dll	Smadav1350-Update.exe
File created	C:\Program Files (x86)\Smadav\SmadHook64c.dll	Smadav1350-Update.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe	SMΔRTP.exe
File created	C:\Program Files (x86)\Smadav\SmadHook32c.dll	Smadav1350-Update.exe
File created	C:\Program Files (x86)\Smadav\SmadavProtect32.exe	Smadav1350-Update.exe
File created	C:\Program Files (x86)\Smadav\SmadavProtect64.exe	Smadav1350-Update.exe
File created	C:\Program Files (x86)\Smadav\SmadavHelper.exe	Smadav1350-Update.exe
File created	C:\Program Files (x86)\Smadav\Readme.txt	Smadav1350-Update.exe
File created	C:\Program Files (x86)\Smadav\SMΔRTP.exe	Smadav1350-Update.exe
File created	C:\Program Files (x86)\Smadav\SmadExtMenu64.dll	Smadav1350-Update.exe
File created	C:\Program Files (x86)\Smadav\Smadav-Updater.exe	Smadav1350-Update.exe
File opened for modification	C:\Program Files (x86)\Smadav\SmadEngine.dll	Smadav1350-Update.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1032	schtasks.exe

Modifies registry class 9 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\SmadExt\ = "{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}\InprocServer32\ = "C:\\Program Files (x86)\\Smadav\\SmadExtc64.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\SmadExt	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\SmadExt	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\SmadExt\ = "{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8AB81E72-CB2F-11D3-8D3B-AC2F34F1FA3C}\ = "SmadExt Class"	regsvr32.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SMΔRTP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	SMΔRTP.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SMΔRTP.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SMΔRTP.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2756	Smadav1350-Update.exe
2756	Smadav1350-Update.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2756	Smadav1350-Update.exe
Token: SeDebugPrivilege	2756	Smadav1350-Update.exe
Token: SeShutdownPrivilege	348	SMΔRTP.exe
Token: SeDebugPrivilege	348	SMΔRTP.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
348	SMΔRTP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2756	Smadav1350-Update.exe
348	SMΔRTP.exe
348	SMΔRTP.exe
1852	SmadavProtect64.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2756	2132	6e8b7dd81153ebc916967cd6c85334d3_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2756	2132	6e8b7dd81153ebc916967cd6c85334d3_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2756	2132	6e8b7dd81153ebc916967cd6c85334d3_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2756	2132	6e8b7dd81153ebc916967cd6c85334d3_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2756	2132	6e8b7dd81153ebc916967cd6c85334d3_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2756	2132	6e8b7dd81153ebc916967cd6c85334d3_JaffaCakes118.exe	28
PID 2132 wrote to memory of 2756	2132	6e8b7dd81153ebc916967cd6c85334d3_JaffaCakes118.exe	28
PID 2756 wrote to memory of 348	2756	Smadav1350-Update.exe	29
PID 2756 wrote to memory of 348	2756	Smadav1350-Update.exe	29
PID 2756 wrote to memory of 348	2756	Smadav1350-Update.exe	29
PID 2756 wrote to memory of 348	2756	Smadav1350-Update.exe	29
PID 348 wrote to memory of 1032	348	SMΔRTP.exe	30
PID 348 wrote to memory of 1032	348	SMΔRTP.exe	30
PID 348 wrote to memory of 1032	348	SMΔRTP.exe	30
PID 348 wrote to memory of 1032	348	SMΔRTP.exe	30
PID 348 wrote to memory of 1852	348	SMΔRTP.exe	33
PID 348 wrote to memory of 1852	348	SMΔRTP.exe	33
PID 348 wrote to memory of 1852	348	SMΔRTP.exe	33
PID 348 wrote to memory of 1852	348	SMΔRTP.exe	33
PID 348 wrote to memory of 2328	348	SMΔRTP.exe	37
PID 348 wrote to memory of 2328	348	SMΔRTP.exe	37
PID 348 wrote to memory of 2328	348	SMΔRTP.exe	37
PID 348 wrote to memory of 2328	348	SMΔRTP.exe	37
PID 348 wrote to memory of 2328	348	SMΔRTP.exe	37
PID 348 wrote to memory of 2328	348	SMΔRTP.exe	37
PID 348 wrote to memory of 2328	348	SMΔRTP.exe	37
PID 2328 wrote to memory of 2356	2328	regsvr32.exe	38
PID 2328 wrote to memory of 2356	2328	regsvr32.exe	38
PID 2328 wrote to memory of 2356	2328	regsvr32.exe	38
PID 2328 wrote to memory of 2356	2328	regsvr32.exe	38
PID 2328 wrote to memory of 2356	2328	regsvr32.exe	38
PID 2328 wrote to memory of 2356	2328	regsvr32.exe	38
PID 2328 wrote to memory of 2356	2328	regsvr32.exe	38

C:\Users\Admin\AppData\Local\Temp\6e8b7dd81153ebc916967cd6c85334d3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6e8b7dd81153ebc916967cd6c85334d3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Roaming\Smadav\Update1350\Smadav1350-Update.exe
  "C:\Users\Admin\AppData\Roaming\Smadav\Update1350\Smadav1350-Update.exe" slt
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Program Files (x86)\Smadav\SMΔRTP.exe
    "C:\Program Files (x86)\Smadav\SMΔRTP.exe" rtc
    3⤵
    - Blocks application from running via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\system32\schtasks.exe" /create /tn "smadav" /xml "C:\Users\Admin\AppData\Roaming\Smadav\smadav.xml"
      4⤵
      Creates scheduled task(s)
      PID:1032
  - - C:\Program Files (x86)\Smadav\SmadavProtect64.exe
      "C:\Program Files (x86)\Smadav\SmadavProtect64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetWindowsHookEx
      PID:1852
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files (x86)\Smadav\SmadExtc64.dll"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2328
    - - C:\Windows\system32\regsvr32.exe
        
        /s "C:\Program Files (x86)\Smadav\SmadExtc64.dll"
        5⤵
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab588E.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar58FE.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Roaming\Smadav\Update1350\Readme.txt

Filesize
20KB

MD5
fc0039902c200e248d91a29f7284ce27

SHA1
cac93ff81a3f74fc835e314b3491e97dba55ae66

SHA256
642029c8be51ee7be9434aff393ddd0c2d5f5eca987b4ef74fb6d2fd454de309

SHA512
3cd0d057a83c10faab37a0373959b9baf7b1d4faaf995a39e241cb8494488ad72a934a9cabba689d4cf9b0adeccc08b74ca4bc8b8bf102e9fe87f250c1243e9c

Download Submit
C:\Users\Admin\AppData\Roaming\Smadav\Update1350\SmadExtMenu.dll

Filesize
102KB

MD5
8664c342e54226b9310f36bedf1fd3f3

SHA1
7c2b98ea13483869cc14749a9764c519b2ededdc

SHA256
f645315156626921e177c32a52bc130d62050be2d8f0e9a400a85ef8dd79fb70

SHA512
c64e0fea71a67da52e3fa397af50b69217515ac589203f30e8f50913941262ff17bf3fe3a10f61854245154d1de7d13e51f46973b90ece537f33445d7d2d71a8

Download Submit
C:\Users\Admin\AppData\Roaming\Smadav\Update1350\SmadExtMenu64.dll

Filesize
110KB

MD5
88b17c40fdcb541b1a3865f6e138f172

SHA1
1bdaf9a1a2fcbeb97ef1e0938507ee0e0bb95eae

SHA256
8ad35ed3589fda9737499b6a5cdef240a80f7aba50fbe3c92d562a00d16a0b77

SHA512
5129ae7142ed9569f88b0e5c5d83f5a30a671ae236f3a144a0799bc67226fb5be12f6ae006774f39271a63961206cfb30c738f28b91d8a75f96cb79d3f2368da

Download Submit
C:\Users\Admin\AppData\Roaming\Smadav\Update1350\SmadHook32c.dll

Filesize
74KB

MD5
0559f6b65e0f9637c4feedc75a0d5e9c

SHA1
8b3e3a4501682ec4b1a69fef3aa91bf6fd9ad09c

SHA256
3b30456e6aa2ed946ac4c464a9885c944659f3650d7b50e17e2c2c7e9fb40504

SHA512
29631e7ccf5ca425c65b03239ec54b8b00aacb662b149ff2283348b68fe5cae9b6d357b394b4f187c5c2e8e1acdcddcbc46397e6c262fa513b21f75550adcb7c

Download Submit
C:\Users\Admin\AppData\Roaming\Smadav\Update1350\SmadHook64c.dll

Filesize
79KB

MD5
a9f63ea781c1c6dee62178b90a47122b

SHA1
3e720fbb7f662686334a71975109b0d59d999572

SHA256
d0a178bfad1b8b08335e1bcdfb1c4dc6914c4b7d28962ceb83ca6f5d365400f4

SHA512
7da3e651cc68313cece1c238f0c7d2c44565cadca20baa6bac59975a3a85f4e1fc1ca6c01b1a6e0a07881ba820685e4fee43682de2a167c1f253e1b283d59a64

Download Submit
C:\Users\Admin\AppData\Roaming\Smadav\Update1350\Smadav-Updater.exe

Filesize
91KB

MD5
93c0e3a80b75758120ee278c5123e698

SHA1
29020a4b5d9ae79ebb4f3f6e71a0153908b3c7f0

SHA256
150f54a0aa90f659190a1ad3bc138a2f4330c9c291eebfbbceb59a54ae28342a

SHA512
bc6928fa9633bcec0da74217f89cedb33c81ad381d2a33fdacc04e900375f78843a2bb9b1898ee8974b6d3249bc9bd14f94819ee082c3a0c95144cdef210ee1a

Download Submit
C:\Users\Admin\AppData\Roaming\Smadav\Update1350\Smadav.loov

Filesize
3.9MB

MD5
fc08c6d48f0b74c14bb51aa80c75fbde

SHA1
c19283abfccd000930741dee5471e17521d8482e

SHA256
9bf48691e2a0ef54f3d5ade886ef04a1e3d5b843218dd576f16a4d9f65537a4b

SHA512
152e92171db41a4cb6f03db8bd76ad073b306322e5a94a6825413f74541906c8c7962e72d1d27d964fcecc5a1213dbfb9aeed49f1b95e209007c638c603ba120

Download Submit
C:\Users\Admin\AppData\Roaming\Smadav\Update1350\SmadavHelper.exe

Filesize
141KB

MD5
723ddb0ae654f2588c9c84419cacfa21

SHA1
fb763384587d945dcb6de5e2299be9bc8c5edcb6

SHA256
9ee04c5c99b1e9a351cfc1c2a2db4ca44944778ae0a0f814f7a33d621119d30a

SHA512
62a71a1a262ee91d10f567ece6527419907a64a06567efb75c046e116b27a8360106b06936a77392d19c8f1fbac3876681e90b58fffbff3d7b4d168dd1629f4a

Download Submit
C:\Users\Admin\AppData\Roaming\Smadav\Update1350\SmadavProtect32.exe

Filesize
65KB

MD5
155de7d464125b8c35b22dae37428aba

SHA1
598a81402437a1a7844b9a7ab17f9d7a606aa4b9

SHA256
4f54a6555a7a3bec84e8193d2ff9ae75eb7f06110505e78337fa2f515790a562

SHA512
74fb67f791a28804891a324c626f847e41e54743049f31b8b033d11c2dc0357b9f440431552f1e690e3b381d9898b294d9a40ab4ce560773c03bfdfebf52fd5a

Download Submit
C:\Users\Admin\AppData\Roaming\Smadav\Update1350\SmadavProtect64.exe

Filesize
68KB

MD5
e0860f86501ae7b6dc8b899baf990461

SHA1
fe6f25edbf107f2977dce2b274cadf8bb5718e37

SHA256
fae713e25b667f1c42ebbea239f7b1e13ba5dc99b225251a82e65608b3710be7

SHA512
a25319ba501d2e51029f0f93c2f7e6aa981ebc22dc0c374c7038ddd6323683dc7dfb8beece132e3e6207e8bbe7e3207e3ffaec94e5624ce3abe8b3a6a8366b8f

Download Submit
C:\Users\Admin\AppData\Roaming\Smadav\smadav.xml

Filesize
2KB

MD5
4d5d867e7af077e2a061f645561c69f5

SHA1
6102e907a4104b24a7b3b6a5d7af705272a763e7

SHA256
13637a1bf6e753bb35858157b2c308bf11aea522de6fdfd31dcee8177db8ac53

SHA512
230b247827f37db5abc3e8dbf616ffad229c020f5621f29efe2a90dd218a1dd418c4bd11368a917778337ba37649440e29836c0db7f0f18a00782f1462e739c5

Download Submit
\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe

Filesize
89KB

MD5
901aa7a38ce13f14b6bbec38c0595698

SHA1
6abd81a46557f72680eb9e5fc74223b8c9c32088

SHA256
1e95f2048e2a1782807d52e9816ed267355718e24d01ff07ace73d965ede388a

SHA512
34bb4f656423021873363ec8dd1908fd1d01017e607ff8bc79fea3176ffb18f3281dcf21f7bedcd96c4ddbcff70bb2943435a18e31ddfb6f6c5bd226bf901672

Download Submit
\Users\Admin\AppData\Roaming\Smadav\Update1350\SmadEngine.dll

Filesize
2.0MB

MD5
261e5c68c36dfa0117ece262a930c491

SHA1
5224b3a1c3f35664cf2b375e6d05f465c1282dbf

SHA256
20056e4d321b46b95c683b4e2c1c4c640808ec12c279c9a926c3940d57a819ab

SHA512
dc7a29a842a0b7af16b65ce25d1e3a225f5d78ef011e9d26a7d89419ca2bb2630132f96d3e431cec2d6ec1da7d7f58b00af1dea2e3997fc8b09ee0b4d368d60a

Download Submit
\Users\Admin\AppData\Roaming\Smadav\Update1350\Smadav1350-Update.exe

Filesize
1.8MB

MD5
0fd95bbc6908244cf1bc7234d05bab33

SHA1
b1374661391ba84dbed1395d9c5b0635e4f65899

SHA256
b55f4d9fcad0be6a44b370f83af3daae1c09ed8d8925746ae25b68785356f0d7

SHA512
65b9282cf71c23ca9a75ec53e1a5d3b3f3a6b16a805b2a3f5592d12a47a8287d4384b802b3421b5233b058615d7a2d0ce65949d0384fcfa59c43e6c56fb86320

Download Submit
memory/348-109-0x0000000005FC0000-0x000000000600F000-memory.dmp

Filesize
316KB

Download
memory/348-108-0x0000000005F60000-0x0000000005FB8000-memory.dmp

Filesize
352KB

Download