1ee16ce13643fcab9f54beccdcf684a24135732f8220ef98c7c61d2a6c02ebec

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
26/05/2024, 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74ea8012a7ea46fab1ced9135e15be6f_JaffaCakes118.exe
Size

3.5MB
MD5

74ea8012a7ea46fab1ced9135e15be6f
SHA1

219f2271c4d8b5104033ed12bbb1600f96184c26
SHA256

1ee16ce13643fcab9f54beccdcf684a24135732f8220ef98c7c61d2a6c02ebec
SHA512

ac67831b3887da1ebea25b285fd3f980cc7bfc75ebd41c62f5832f35f90b6e89266653edac37004b3b3fa3eaa2047c5b4c7b3d4c16683cb25c49ffc9fe53271d
SSDEEP

98304:i3bobVkwiXFlJboUaQXK1XR0ZNSHm8GeRLfWFZzJ:wbeirfa1GZN+PhLIZ1

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
1756	drvprosetup.exe
2200	drvprosetup.tmp
2976	DPTray.exe
2264	DPStartScan.exe
1772	DriverPro.exe
1660	DriverPro.exe

Loads dropped DLL 12 IoCs

pid	Process
1276	74ea8012a7ea46fab1ced9135e15be6f_JaffaCakes118.exe
1756	drvprosetup.exe
2200	drvprosetup.tmp
2200	drvprosetup.tmp
2200	drvprosetup.tmp
2200	drvprosetup.tmp
2200	drvprosetup.tmp
2200	drvprosetup.tmp
2200	drvprosetup.tmp
1772	DriverPro.exe
1660	DriverPro.exe
1660	DriverPro.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver Pro = "C:\\Program Files (x86)\\Driver Pro\\DPLauncher.exe"	drvprosetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Driver Pro\is-VJR0U.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\unins000.msg	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\7z.dll	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\sqlite3.dll	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-E3PPR.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-KTO34.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-QA1I6.tmp	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\unins000.dat	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DPStartScan.exe	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DriverPro.chm	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-TKDAM.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\unins000.dat	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-G6554.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-M6KD6.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-DMI5J.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-EFVI5.tmp	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DPTray.exe	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DriverPro.exe	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DrvProHelper.dll	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-GSEOI.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-OC4F9.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-KMF91.tmp	drvprosetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	drvprosetup.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	drvprosetup.tmp

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1592	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	DriverPro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	DriverPro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	DriverPro.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2200	drvprosetup.tmp
2200	drvprosetup.tmp
1660	DriverPro.exe
1772	DriverPro.exe
1772	DriverPro.exe
1660	DriverPro.exe
2976	DPTray.exe
2976	DPTray.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1772	DriverPro.exe
Token: SeIncreaseQuotaPrivilege	1772	DriverPro.exe
Token: SeImpersonatePrivilege	1772	DriverPro.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2200	drvprosetup.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1772	DriverPro.exe
1660	DriverPro.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 1756	1276	74ea8012a7ea46fab1ced9135e15be6f_JaffaCakes118.exe	28
PID 1276 wrote to memory of 1756	1276	74ea8012a7ea46fab1ced9135e15be6f_JaffaCakes118.exe	28
PID 1276 wrote to memory of 1756	1276	74ea8012a7ea46fab1ced9135e15be6f_JaffaCakes118.exe	28
PID 1276 wrote to memory of 1756	1276	74ea8012a7ea46fab1ced9135e15be6f_JaffaCakes118.exe	28
PID 1276 wrote to memory of 1756	1276	74ea8012a7ea46fab1ced9135e15be6f_JaffaCakes118.exe	28
PID 1276 wrote to memory of 1756	1276	74ea8012a7ea46fab1ced9135e15be6f_JaffaCakes118.exe	28
PID 1276 wrote to memory of 1756	1276	74ea8012a7ea46fab1ced9135e15be6f_JaffaCakes118.exe	28
PID 1756 wrote to memory of 2200	1756	drvprosetup.exe	29
PID 1756 wrote to memory of 2200	1756	drvprosetup.exe	29
PID 1756 wrote to memory of 2200	1756	drvprosetup.exe	29
PID 1756 wrote to memory of 2200	1756	drvprosetup.exe	29
PID 1756 wrote to memory of 2200	1756	drvprosetup.exe	29
PID 1756 wrote to memory of 2200	1756	drvprosetup.exe	29
PID 1756 wrote to memory of 2200	1756	drvprosetup.exe	29
PID 2200 wrote to memory of 2976	2200	drvprosetup.tmp	31
PID 2200 wrote to memory of 2976	2200	drvprosetup.tmp	31
PID 2200 wrote to memory of 2976	2200	drvprosetup.tmp	31
PID 2200 wrote to memory of 2976	2200	drvprosetup.tmp	31
PID 2200 wrote to memory of 2264	2200	drvprosetup.tmp	32
PID 2200 wrote to memory of 2264	2200	drvprosetup.tmp	32
PID 2200 wrote to memory of 2264	2200	drvprosetup.tmp	32
PID 2200 wrote to memory of 2264	2200	drvprosetup.tmp	32
PID 2200 wrote to memory of 1772	2200	drvprosetup.tmp	33
PID 2200 wrote to memory of 1772	2200	drvprosetup.tmp	33
PID 2200 wrote to memory of 1772	2200	drvprosetup.tmp	33
PID 2200 wrote to memory of 1772	2200	drvprosetup.tmp	33
PID 2200 wrote to memory of 1660	2200	drvprosetup.tmp	34
PID 2200 wrote to memory of 1660	2200	drvprosetup.tmp	34
PID 2200 wrote to memory of 1660	2200	drvprosetup.tmp	34
PID 2200 wrote to memory of 1660	2200	drvprosetup.tmp	34
PID 1660 wrote to memory of 1592	1660	DriverPro.exe	35
PID 1660 wrote to memory of 1592	1660	DriverPro.exe	35
PID 1660 wrote to memory of 1592	1660	DriverPro.exe	35
PID 1660 wrote to memory of 1592	1660	DriverPro.exe	35

C:\Users\Admin\AppData\Local\Temp\74ea8012a7ea46fab1ced9135e15be6f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\74ea8012a7ea46fab1ced9135e15be6f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
  C:\Users\Admin\AppData\Local\Temp\\drvprosetup.exe /VERYSILENT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Users\Admin\AppData\Local\Temp\is-5DLCV.tmp\drvprosetup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-5DLCV.tmp\drvprosetup.tmp" /SL5="$4010A,2744501,85504,C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Program Files (x86)\Driver Pro\DPTray.exe
      "C:\Program Files (x86)\Driver Pro\DPTray.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2976
  - - C:\Program Files (x86)\Driver Pro\DPStartScan.exe
      "C:\Program Files (x86)\Driver Pro\DPStartScan.exe" /SILENT
      4⤵
      Executes dropped EXE
      PID:2264
  - - C:\Program Files (x86)\Driver Pro\DriverPro.exe
      "C:\Program Files (x86)\Driver Pro\DriverPro.exe" /INSTALL
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1772
  - - C:\Program Files (x86)\Driver Pro\DriverPro.exe
      "C:\Program Files (x86)\Driver Pro\DriverPro.exe" /START
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1660
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Driver Pro Schedule" /TR "\"C:\Program Files (x86)\Driver Pro\DPTray.exe\"" /SC ONLOGON /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Driver Pro\English.ini

Filesize
12KB

MD5
8f88e83e8022bfacd1e11529fcbac372

SHA1
2827f7593329022d8a6672133b67d542363e5be9

SHA256
d4fa4405d07c959d8578d344d1fcb3bd834003682ea96ee49b048f7d1eba8679

SHA512
dc3d181f416633a90297a43a710c77193c4b5c387037ad4084d10372a90151cba176330d4b463f07bc1c18f09c0a84be493e16e38b84946deaf081a6567af371

Download Submit
C:\Program Files (x86)\Driver Pro\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K7IK5.tmp\cfg.exe

Filesize
64KB

MD5
43179004d971de52656cb4da37da787f

SHA1
03ff2a7b20d00d2cc9a1d46c6ebb107516418736

SHA256
9d8f317855e892d8cf95e303bf24972442b81ab737379a937397f30d82fb5498

SHA512
7663b744c88797310eda9aaf185295b105a6423a7ce622ea5afc178072ba5a575cf812ba47660dbb0a85e74fcce4971771298e1e6dcb25d9ecdc890f89e9565d

Download Submit
C:\Users\Admin\AppData\Roaming\Driver Pro\program.log

Filesize
165B

MD5
5ccb67392d246d5376005d725208740b

SHA1
edfe3695ab03cdfd5eb329d1edc28af817b54563

SHA256
d1d2ac5ecea44fb484c681825712cb1a93f8427784b5ea34353f466dd7e95d87

SHA512
de01f5d0c512aaa3bd0bc3b52d977e71b2830f42604275ee49fed685453dedb08fb3d7b071cacefc3fcec15e00f8d7ab7bfcf0275a99465c75830c51f53e3c83

Download Submit
\Program Files (x86)\Driver Pro\DPStartScan.exe

Filesize
819KB

MD5
fe31b439855c9bc8af54bc83b61e3d4e

SHA1
3a4cb85b20b3bd3bb904de725eb974c4ea16a97b

SHA256
0bccf5266397c50c63d5dd23ff6c0c2afb672325a6300f2e9e44e71d4b5485e5

SHA512
5be58ac4144cd19cef6163dc056d7e540c728ba71b053082d63a53114e13ab1991e419bd2bdb0fff00f5a721ddee40f70579d7b43acbd2772be3b1d30523a97e

Download Submit
\Program Files (x86)\Driver Pro\DPTray.exe

Filesize
810KB

MD5
01f6a32f6b28d37b3155325a83d96410

SHA1
b5cbaaae0ae15ebb2985733fdce3e156555abc82

SHA256
8cb02e1a1867e40aed8a11bae3c8ea100996eb518fa0d81f3d12e02e646159d4

SHA512
42fe1c80bd408e7f9e36544dfc13a463e6fd07caef72b9706bba51899bd220b66826b4bf58a1e278bc6f805c43bf30bc60cebd8eb1aeefc328cdccbbee8d8021

Download Submit
\Program Files (x86)\Driver Pro\DriverPro.exe

Filesize
3.3MB

MD5
ec1edf352b54ab579353bf043c2014ee

SHA1
fc5fff6f090f7615d41df61d0d5757fb26b3a4b5

SHA256
0fd7ac20b7655886c6bc98efa05a7dfe5c65deb61d4d656021e4f58564a9ae08

SHA512
8fdba482728322b25585930a6dc8c707f44a66751ed66c056ef5380a4c769ef1654ae138deb7aa599f9c0641f618a13dc56022ed941acfdd2cc734fb39be8501

Download Submit
\Users\Admin\AppData\Local\Temp\drvprosetup.exe

Filesize
3.1MB

MD5
3107c28da15cc8db52ecaeb41e92fa27

SHA1
9498f3281c0b79a8f051ca9aeb0d6132dcf0ca0f

SHA256
e9318226bff1cf3225c26f0bde46ad08f2a745fe9de55153a41c7bf7eb194325

SHA512
8b2d0c2744584899ac8cc15786dd13b977958c4d3c8f2cb50b7afeb52b0a6f647bf8b20ab19d5d3b562d8804f92b8fb5828f971124b4e089c0858f0a6ad1a2b8

Download Submit
\Users\Admin\AppData\Local\Temp\is-5DLCV.tmp\drvprosetup.tmp

Filesize
1.1MB

MD5
91c38c395631d57254356e90b9a6e554

SHA1
cbe8ae15ec5c8a392b00ddbc71cf92eddd5645b4

SHA256
e9804fa0e9a0b249a69539bf9ba3f2df95648f56676a61b8988e6648308ae83d

SHA512
9f95567ceb618167899d954387771312b4895d03dcf65e5402c284af50e1ac1ec5d452a8069528a4761894dba02be7a97849be01626d1d688dc4059abf65f119

Download Submit
\Users\Admin\AppData\Local\Temp\is-K7IK5.tmp\DrvProHelper.dll

Filesize
1.3MB

MD5
dfd23a69f1a7f5385eafafde8f5582f4

SHA1
e578e02964582382d4cf90ac003bffa9dcd1dd30

SHA256
701db9616b8ca5f24694a3b9fde8b96b08fbbe14871d9f7eeb721ff29d3259d2

SHA512
740dda51de539a6c889fecfeeb157ae3ae706e9b6c59931c715ec4a660420b6667b2e01954b511ae872164bdb90be887cf3beddfb2fafad3ee945c92ecf6b174

Download Submit
\Users\Admin\AppData\Local\Temp\is-K7IK5.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1660-130-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/1660-111-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/1660-120-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/1756-25-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-7-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/1756-5-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-98-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1772-102-0x0000000060900000-0x0000000060970000-memory.dmp

Filesize
448KB

Download
memory/1772-101-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2200-97-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2200-71-0x0000000003110000-0x000000000325E000-memory.dmp

Filesize
1.3MB

Download
memory/2200-70-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2200-26-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2200-22-0x0000000003110000-0x000000000325E000-memory.dmp

Filesize
1.3MB

Download
memory/2200-13-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2264-84-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2976-110-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2976-132-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download