209a4474cb7f906d4fd6c7df839841b7944b4917ec5f65bc0c92acfa552f9040

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
Size

2.0MB
MD5

7c370cb3eb7c9e2efb5f9b053ec3065f
SHA1

21eb73bf2731ebd7b716bbc0e22498eb7dd00115
SHA256

209a4474cb7f906d4fd6c7df839841b7944b4917ec5f65bc0c92acfa552f9040
SHA512

c81f35d70702c3bd36dde354c456bc11644858400e95ff07f16d8310d75c971e2f939c487d01a05487dfc4b82186bcd446fbc7b1a133b210e0c09c6894047452
SSDEEP

49152:eaft/3yR4Epqwlvj1CPExyS+vXqKNoM+iiNH:jVqkmvjDy1N5+iid

Score

9^/10

discovery evasion execution persistence spyware stealer upx

Malware Config

Signatures

Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.
evasion

Software Discovery
T1518

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	3028	cscript.exe
9	1124	cscript.exe
12	2452	cscript.exe
17	1720	cscript.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	cscript.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2400	netsh.exe
3036	netsh.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000015023-9.dat	acprotect

Checks BIOS information in registry 2 TTPs 5 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SoftwareDetector.exe

Executes dropped EXE 24 IoCs

pid	Process
2036	SoftwareDetector.exe
2452	sqlite3.exe
2392	sqlite3.exe
1892	storageedit.exe
936	Updater.exe
1776	updater.exe
1724	updater.exe
1132	updater.exe
916	updater.exe
1712	SoftwareDetector.exe
304	SoftwareDetector.exe
1840	SoftwareDetector.exe
1184	bservice.exe
1428	bservice64.exe
1676	wd.exe
2740	SoftwareDetector.exe
1356	pwdg.exe
1144	Process not Found
2688	ask.exe
1436	proc.exe
1180	updater.exe
1056	updater.exe
2060	updater.exe
1272	updater.exe

Loads dropped DLL 64 IoCs

pid	Process
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
344	cscript.exe
344	cscript.exe
344	cscript.exe
344	cscript.exe
344	cscript.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
1776	updater.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
1132	updater.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
1184	bservice.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
1428	bservice64.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
1520	Process not Found
3000	cscript.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2620	Process not Found
2608	cscript.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2380	Process not Found
2716	cscript.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2432	Process not Found
2400	netsh.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2824	Process not Found
3036	netsh.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
1356	pwdg.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
1356	pwdg.exe
2688	ask.exe
1436	proc.exe
2688	ask.exe
1008	Process not Found
1124	cscript.exe
2688	ask.exe
2688	ask.exe
2688	ask.exe
1880	Process not Found
2452	cscript.exe
1624	Process not Found
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
1180	updater.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2060	updater.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
1056	updater.exe
1272	updater.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000015023-9.dat	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Coupon Server-repairJob = "wscript.exe \"C:\\Users\\Admin\\AppData\\Local\\Coupon Server\\repair.js\" \"Coupon Server-repairJob\""	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BService = "C:\\Program Files (x86)\\Bench\\BService\\1.1\\bservice.exe"	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\BService64 = "C:\\Program Files (x86)\\Bench\\BService\\1.1\\bservice64.exe"	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Wd = "C:\\Program Files (x86)\\Bench\\Wd\\wd.exe"	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bench Communicator Watcher = "C:\\Program Files (x86)\\Bench\\Proxy\\pwdg.exe"	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bench Settings Cleaner = "C:\\Program Files (x86)\\Bench\\Proxy\\cl.exe"	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Maps connected drives based on registry 3 TTPs 10 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	SoftwareDetector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	SoftwareDetector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	SoftwareDetector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SoftwareDetector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SoftwareDetector.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	SoftwareDetector.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0	SoftwareDetector.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Coupon Server\config.xml	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\AppFramework\appAPI_content.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\AppFramework\appAPI_webrequest.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\storage.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework-ui\notification.html	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework-ui\theme\bubble\top-left.png	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\CanvasFramework\webrequest.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\initialize.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\lang.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\utils.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Bench\BService\1.1\bhelper.dll	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Bench\BService\1.1\bservice.exe	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\FrameworkBHO.dll	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\global.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework-ui\options.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Bench\Proxy\pwdg.exe	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Bench\Proxy\cl.exe	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\CanvasFramework\md5.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\invoke_async.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\io.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework-ui\context_menu_item_handler.html	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Bench\BService\1.1\bhelper64.dll	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Bench\Wd\wd.exe	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\icons\icon100.png	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Bench\NmHost\nmhost.exe	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\FrameworkEngine.exe	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\i18n.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\message_target.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\messaging.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\timer.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\updater.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework-ui\theme\bubble\middle-left.png	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework-ui\theme\bubble\tail-left.png	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\AppFramework\jquery.min.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\CanvasFramework\registry.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\backgroundscript_engine.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\icons\icon32.png	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework-ui\theme\bubble\tail-bottom.png	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework-ui\theme\bubble\top-right.png	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\CanvasFramework\canvas_bg.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\base.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\json2.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\legacy.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework-ui\theme\bubble\bottom-left.png	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework-ui\theme\bubble\bottom-right.png	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Bench\Updater\products.xml	updater.exe
File created	C:\Program Files (x86)\Coupon Server\FrameworkBHO64.dll	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\extension_info.json	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Bench\Updater\updater.exe	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Bench\Proxy\proc.exe	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\AppFramework\appAPI_settings.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\userscript_client.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\userscript_engine.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework-ui\browser_button.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\browser.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\xhr.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework-ui\ui_base.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Bench\Updater\products.xml	updater.exe
File created	C:\Program Files (x86)\Bench\Proxy\icon.ico	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\AppFramework\appAPI_bg.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\AppFramework\appAPI_common.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework\console.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\framework-ui\context_menu.js	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
File created	C:\Program Files (x86)\Coupon Server\icons\button.png	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\bench-S-1-5-21-2297530677-1229052932-2803917579-1000.job	updater.exe
File opened for modification	C:\Windows\Tasks\bench-S-1-5-21-2297530677-1229052932-2803917579-1000.job	updater.exe
File created	C:\Windows\Tasks\bench-sys.job	Updater.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000"	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\FrameworkEngine.exe = "10000"	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
1356	pwdg.exe
1676	wd.exe
1676	wd.exe
1356	pwdg.exe
1436	proc.exe
1436	proc.exe
1676	wd.exe
1676	wd.exe
1436	proc.exe
1676	wd.exe
1676	wd.exe
1436	proc.exe
1356	pwdg.exe
1356	pwdg.exe
1436	proc.exe
1676	wd.exe
1676	wd.exe
1436	proc.exe
1676	wd.exe
1676	wd.exe
1436	proc.exe
1676	wd.exe
1676	wd.exe
1356	pwdg.exe
1356	pwdg.exe
1436	proc.exe
1436	proc.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe
Token: SeDebugPrivilege	1356	pwdg.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1356	pwdg.exe
1356	pwdg.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1356	pwdg.exe
1356	pwdg.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1184	bservice.exe
1428	bservice64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2440 wrote to memory of 344	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	28
PID 2440 wrote to memory of 344	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	28
PID 2440 wrote to memory of 344	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	28
PID 2440 wrote to memory of 344	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	28
PID 344 wrote to memory of 2036	344	cscript.exe	30
PID 344 wrote to memory of 2036	344	cscript.exe	30
PID 344 wrote to memory of 2036	344	cscript.exe	30
PID 344 wrote to memory of 2036	344	cscript.exe	30
PID 344 wrote to memory of 2452	344	cscript.exe	31
PID 344 wrote to memory of 2452	344	cscript.exe	31
PID 344 wrote to memory of 2452	344	cscript.exe	31
PID 344 wrote to memory of 2452	344	cscript.exe	31
PID 344 wrote to memory of 2392	344	cscript.exe	32
PID 344 wrote to memory of 2392	344	cscript.exe	32
PID 344 wrote to memory of 2392	344	cscript.exe	32
PID 344 wrote to memory of 2392	344	cscript.exe	32
PID 344 wrote to memory of 1892	344	cscript.exe	33
PID 344 wrote to memory of 1892	344	cscript.exe	33
PID 344 wrote to memory of 1892	344	cscript.exe	33
PID 344 wrote to memory of 1892	344	cscript.exe	33
PID 2440 wrote to memory of 480	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	35
PID 2440 wrote to memory of 480	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	35
PID 2440 wrote to memory of 480	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	35
PID 2440 wrote to memory of 480	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	35
PID 480 wrote to memory of 1832	480	net.exe	37
PID 480 wrote to memory of 1832	480	net.exe	37
PID 480 wrote to memory of 1832	480	net.exe	37
PID 480 wrote to memory of 1832	480	net.exe	37
PID 2440 wrote to memory of 936	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	38
PID 2440 wrote to memory of 936	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	38
PID 2440 wrote to memory of 936	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	38
PID 2440 wrote to memory of 936	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	38
PID 2440 wrote to memory of 936	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	38
PID 2440 wrote to memory of 936	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	38
PID 2440 wrote to memory of 936	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	38
PID 2440 wrote to memory of 1776	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	39
PID 2440 wrote to memory of 1776	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	39
PID 2440 wrote to memory of 1776	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	39
PID 2440 wrote to memory of 1776	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	39
PID 2440 wrote to memory of 1776	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	39
PID 2440 wrote to memory of 1776	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	39
PID 2440 wrote to memory of 1776	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	39
PID 1776 wrote to memory of 1724	1776	updater.exe	40
PID 1776 wrote to memory of 1724	1776	updater.exe	40
PID 1776 wrote to memory of 1724	1776	updater.exe	40
PID 1776 wrote to memory of 1724	1776	updater.exe	40
PID 1776 wrote to memory of 1724	1776	updater.exe	40
PID 1776 wrote to memory of 1724	1776	updater.exe	40
PID 1776 wrote to memory of 1724	1776	updater.exe	40
PID 2440 wrote to memory of 1132	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	41
PID 2440 wrote to memory of 1132	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	41
PID 2440 wrote to memory of 1132	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	41
PID 2440 wrote to memory of 1132	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	41
PID 2440 wrote to memory of 1132	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	41
PID 2440 wrote to memory of 1132	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	41
PID 2440 wrote to memory of 1132	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	41
PID 1132 wrote to memory of 916	1132	updater.exe	42
PID 1132 wrote to memory of 916	1132	updater.exe	42
PID 1132 wrote to memory of 916	1132	updater.exe	42
PID 1132 wrote to memory of 916	1132	updater.exe	42
PID 1132 wrote to memory of 916	1132	updater.exe	42
PID 1132 wrote to memory of 916	1132	updater.exe	42
PID 1132 wrote to memory of 916	1132	updater.exe	42
PID 2440 wrote to memory of 1000	2440	7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe	43

C:\Users\Admin\AppData\Local\Temp\7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7c370cb3eb7c9e2efb5f9b053ec3065f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2440
- C:\Windows\SysWOW64\cscript.exe
  cscript.exe //Nologo "migrate.js" /iversion=20140801 /programfiles="C:\Program Files (x86)" /localapps="C:\Users\Admin\AppData\Local" /chrome-dir="" /firefox-dir="C:\Users\Admin\AppData\Local\Coupon Server\firefox" /ie-dir="C:\Program Files (x86)\Coupon Server" /product-name="Coupon Server" /installation-time="1716882275" /pid="0" /zone="0" /czoneid="" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="35852" /updateip="54.225.95.126" /version="1.1" /enable-extensions /update /chrome-id="dmcecclamecbinmplcolhaljlclhbgah" /chrome-update-url="http://dmcecclamecbinmplcolhaljlclhbgah/check/.eJwNydEKgCAMQNF_2bMEvvozMefI1dSYFkH07_l4z31hYD8gAGVrhcHBzdal1Ul-8bOl9oGqbBCGXeyAn7FKmj8VYiLFwhSlllOpaUbdlTTHDTN8P9saIQg.JAs6qe1VSPq0ITDuQRFLTjyDfpA" /close-chrome /close-firefox /close-ie
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:344
- - C:\Users\Admin\AppData\Local\Coupon Server\SoftwareDetector.exe
    SoftwareDetector.exe
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Maps connected drives based on registry
    PID:2036
- - C:\Users\Admin\AppData\Local\Coupon Server\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Coupon Server\sqlite3.exe" "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_dmcecclamecbinmplcolhaljlclhbgah_0.localstorage" "SELECT value FROM ItemTable WHERE key='_GPL_zoneid';"
    3⤵
    - Executes dropped EXE
    PID:2452
- - C:\Users\Admin\AppData\Local\Coupon Server\sqlite3.exe
    "C:\Users\Admin\AppData\Local\Coupon Server\sqlite3.exe" "C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\9bot8sq2.Admin\framework-3c2422b0-c421-8dcf-b2eb-70b9b2b71607.sqlite" "SELECT value FROM user_storage WHERE key='_GPL_zoneid';"
    3⤵
    - Executes dropped EXE
    PID:2392
- - C:\Users\Admin\AppData\Local\Coupon Server\storageedit.exe
    storageedit.exe ie {F791D8AE-47E8-40A5-A913-EB2D2AF29602} get _GPL_zoneid
    3⤵
    - Executes dropped EXE
    PID:1892
- C:\Windows\SysWOW64\net.exe
  net.exe start schedule
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:480
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start schedule
    3⤵
    PID:1832
- C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe
  "C:\Program Files (x86)\Bench\Updater\1.7.0.0\Updater.exe" -runmode=addsystask
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:936
- C:\Program Files (x86)\Bench\Updater\updater.exe
  "C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addtask
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
    "C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addtask
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1724
- C:\Program Files (x86)\Bench\Updater\updater.exe
  "C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Temp\nsd20DC.tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
    "C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Temp\nsd20DC.tmp"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:916
- C:\Windows\SysWOW64\cscript.exe
  cscript.exe //Nologo "main_installer.js" install /product-name="Coupon Server" /installation-time="1716882275" /pid="" /zone="" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="35852" /updateip="54.225.95.126" /version="1.1" /enable-extensions /update /chrome-id="dmcecclamecbinmplcolhaljlclhbgah" /chrome-update-url="http://dmcecclamecbinmplcolhaljlclhbgah/check/.eJwNydEKgCAMQNF_2bMEvvozMefI1dSYFkH07_l4z31hYD8gAGVrhcHBzdal1Ul-8bOl9oGqbBCGXeyAn7FKmj8VYiLFwhSlllOpaUbdlTTHDTN8P9saIQg.JAs6qe1VSPq0ITDuQRFLTjyDfpA" /close-chrome /close-firefox /close-ie
  2⤵
  PID:1000
- - C:\Users\Admin\AppData\Local\Coupon Server\SoftwareDetector.exe
    SoftwareDetector.exe
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Maps connected drives based on registry
    PID:1712
- C:\Windows\SysWOW64\cscript.exe
  cscript.exe //Nologo "installer.js" install chrome "" /product-name="Coupon Server" /installation-time="1716882275" /pid="" /zone="" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="35852" /updateip="54.225.95.126" /version="1.1" /enable-extensions /update /chrome-id="dmcecclamecbinmplcolhaljlclhbgah" /chrome-update-url="http://dmcecclamecbinmplcolhaljlclhbgah/check/.eJwNydEKgCAMQNF_2bMEvvozMefI1dSYFkH07_l4z31hYD8gAGVrhcHBzdal1Ul-8bOl9oGqbBCGXeyAn7FKmj8VYiLFwhSlllOpaUbdlTTHDTN8P9saIQg.JAs6qe1VSPq0ITDuQRFLTjyDfpA" /close-chrome /close-firefox /close-ie
  2⤵
  - Drops file in Drivers directory
  PID:1864
- - C:\Users\Admin\AppData\Local\Coupon Server\SoftwareDetector.exe
    SoftwareDetector.exe
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Maps connected drives based on registry
    PID:304
- C:\Windows\SysWOW64\cscript.exe
  cscript.exe //Nologo "chrome_gp_update.js" /product-name="Coupon Server" /installation-time="1716882275" /pid="" /zone="" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="35852" /updateip="54.225.95.126" /version="1.1" /enable-extensions /update /chrome-id="dmcecclamecbinmplcolhaljlclhbgah" /chrome-update-url="http://dmcecclamecbinmplcolhaljlclhbgah/check/.eJwNydEKgCAMQNF_2bMEvvozMefI1dSYFkH07_l4z31hYD8gAGVrhcHBzdal1Ul-8bOl9oGqbBCGXeyAn7FKmj8VYiLFwhSlllOpaUbdlTTHDTN8P9saIQg.JAs6qe1VSPq0ITDuQRFLTjyDfpA" /close-chrome /close-firefox /close-ie
  2⤵
  - Blocklisted process makes network request
  PID:3028
- - C:\Users\Admin\AppData\Local\Coupon Server\SoftwareDetector.exe
    SoftwareDetector.exe
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Maps connected drives based on registry
    PID:1840
- C:\Program Files (x86)\Bench\BService\1.1\bservice.exe
  "C:\Program Files (x86)\Bench\BService\1.1\bservice.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1184
- C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe
  "C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:1428
- C:\Program Files (x86)\Bench\Wd\wd.exe
  "C:\Program Files (x86)\Bench\Wd\wd.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:1676
- C:\Windows\SysWOW64\cscript.exe
  cscript.exe //Nologo "installer.js" install firefox "C:\Users\Admin\AppData\Local\Coupon Server\firefox\" /product-name="Coupon Server" /installation-time="1716882275" /pid="" /zone="" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="35852" /updateip="54.225.95.126" /version="1.1" /enable-extensions /update /chrome-id="dmcecclamecbinmplcolhaljlclhbgah" /chrome-update-url="http://dmcecclamecbinmplcolhaljlclhbgah/check/.eJwNydEKgCAMQNF_2bMEvvozMefI1dSYFkH07_l4z31hYD8gAGVrhcHBzdal1Ul-8bOl9oGqbBCGXeyAn7FKmj8VYiLFwhSlllOpaUbdlTTHDTN8P9saIQg.JAs6qe1VSPq0ITDuQRFLTjyDfpA" /close-chrome /close-firefox /close-ie
  2⤵
  - Loads dropped DLL
  PID:3000
- C:\Windows\SysWOW64\cscript.exe
  cscript.exe //Nologo "installer.js" install ie "C:\Program Files (x86)\Coupon Server\" /product-name="Coupon Server" /installation-time="1716882275" /pid="" /zone="" /czoneid="12199" /nmhost-dir="C:\Program Files (x86)\Bench\NmHost" /app-id="35852" /updateip="54.225.95.126" /version="1.1" /enable-extensions /update /chrome-id="dmcecclamecbinmplcolhaljlclhbgah" /chrome-update-url="http://dmcecclamecbinmplcolhaljlclhbgah/check/.eJwNydEKgCAMQNF_2bMEvvozMefI1dSYFkH07_l4z31hYD8gAGVrhcHBzdal1Ul-8bOl9oGqbBCGXeyAn7FKmj8VYiLFwhSlllOpaUbdlTTHDTN8P9saIQg.JAs6qe1VSPq0ITDuQRFLTjyDfpA" /close-chrome /close-firefox /close-ie
  2⤵
  - Loads dropped DLL
  PID:2608
- - C:\Users\Admin\AppData\Local\Coupon Server\SoftwareDetector.exe
    SoftwareDetector.exe
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Maps connected drives based on registry
    PID:2740
- C:\Windows\SysWOW64\cscript.exe
  cscript.exe //Nologo "clear_cache.js"
  2⤵
  - Loads dropped DLL
  PID:2716
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="proc.exe" protocol=TCP dir=in localport=3128 action=allow program="C:\Program Files (x86)\Bench\Proxy\proc.exe"
  2⤵
  - Modifies Windows Firewall
  - Loads dropped DLL
  PID:2400
- C:\Windows\SysWOW64\netsh.exe
  netsh advfirewall firewall add rule name="pwdg.exe" protocol=TCP dir=in localport=3128 action=allow program="C:\Program Files (x86)\Bench\Proxy\pwdg.exe"
  2⤵
  - Modifies Windows Firewall
  - Loads dropped DLL
  PID:3036
- C:\Program Files (x86)\Bench\Proxy\pwdg.exe
  "C:\Program Files (x86)\Bench\Proxy\pwdg.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1356
- - C:\Program Files (x86)\Bench\Proxy\proc.exe
    "C:\Program Files (x86)\Bench\Proxy\proc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1436
- C:\Users\Admin\AppData\Local\Temp\nsi1A93.tmp\ask.exe
  C:\Users\Admin\AppData\Local\Temp\nsi1A93.tmp\ask.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2688
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //Nologo "ping.js" "http://cdnstats-a.akamaihd.net/s.gif?t=prxask&ptsk=s&v=1.1.20140801&appid=35852&pid=0&zone=0" "" ""
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:1124
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //Nologo "ping.js" "http://cdnstats-a.akamaihd.net/s.gif?t=prxask&ptsk=a&v=1.1.20140801&appid=35852&pid=0&zone=0" "" ""
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2452
- C:\Program Files (x86)\Bench\Updater\updater.exe
  "C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addtask
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1180
- - C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
    "C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addtask
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:1056
- C:\Program Files (x86)\Bench\Updater\updater.exe
  "C:\Program Files (x86)\Bench\Updater\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Coupon Server\info.xml"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2060
- - C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe
    "C:\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe" -runmode=addproduct -info="C:\Users\Admin\AppData\Local\Coupon Server\info.xml"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1272
- C:\Windows\SysWOW64\cscript.exe
  cscript.exe //Nologo "ping.js" "http://cdnstats-a.akamaihd.net/s.gif?t=canvieup&v=1.1&appid=35852&ied=20140801" "" ""
  2⤵
  - Blocklisted process makes network request
  PID:1720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Software Discovery

T1518

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Bench\BService\1.1\bhelper.dll

Filesize
52KB

MD5
72b1a3d56f812839ae5ba3420a5ed812

SHA1
0fadb783c6c38284e5819bcaded2a1c50503f7af

SHA256
cc54e42139a9f01777833c5fbe9e545e008c74b6fa0abbc37d6d29d9976098be

SHA512
5bca01f36822e4345c792e9a65cb9823bed6ab8e7406906e089731c464056b9330dee014a968a5b4c069e72f682cf8167b131e6cc5cdb5478eb36aef6994b2b8

Download Submit
C:\Program Files (x86)\Bench\BService\1.1\bhelper64.dll

Filesize
108KB

MD5
1ee6f52ca4a576a5a21f11bc91634fa1

SHA1
cc88403e0541a0f8ab9ebc3beb4eef27132cee1d

SHA256
eee40028b8d3074cdd8c44714c04ee514578fddc21bcad9fb35624b4ab3e7865

SHA512
1295e08d0cc43c6297ede90aff02f75783939dfe39b6a93de0a701de2e2c84325e6b17374e4adcdf975579935c2cbd6ba39c840ec2bbe2e0bb5908921298d106

Download Submit
C:\Program Files (x86)\Bench\BService\1.1\bservice64.exe

Filesize
108KB

MD5
f51d7d7a34492a032c2eee93a53308f3

SHA1
c9976887ba98e303142d710b450957c5c8ae0d3f

SHA256
9b4f14184ad6291b9f919214d973b747b26118a4ffc6dcac5fbdd1309b45379c

SHA512
66490aad7a4aab96cd62e8ec7638e1e9de43cb277ec840fd4106ff4b1053ed077e4d4d450ff2890fe3c6cd29051fb98f2d206ca73f50bcb0c80271c80f54e7d5

Download Submit
C:\Program Files (x86)\Bench\Proxy\pwdg.exe

Filesize
124KB

MD5
0a16c6f1e4a1e76cef7d141793e64f72

SHA1
f6737481135233960131b48fa9bd074cb53ddca1

SHA256
418af7d8ab8703076c87da0d283933dfc9a6719d938ce3b699dc441cec64738f

SHA512
f7681544de517eb1f52200583b047953333d913bf5a5dba1038f0fa91cdb09d5448f2a334117b6388aeeb6db348ebbe7d32380a19db7cafbaea75405647946d3

Download Submit
C:\Program Files (x86)\Coupon Server\extension_info.json

Filesize
1KB

MD5
4a5004d28dfffea9057e282813fb2c6a

SHA1
4a42635585b2e51d240d1ec63aa60cead2e62b16

SHA256
8bbfe301759a876c9b7f22d47d3b489c36d11d310142123808f34f39fe5fbcb5

SHA512
12ecdb2a4274a8b4607835613d7c138861479ed4ec3bd060188208f83015523fb5212c60a34aaa8eed722204608f5cd0fda0f426ea33c36f3ae5b016e7f8e552

Download Submit
C:\Users\Admin\AppData\Local\Coupon Server\SoftwareDetector.exe

Filesize
77KB

MD5
5c6fc5a2b2699c95f30eda0fe744317e

SHA1
f23db8cfcef0485cb0fc3ac9cd66c3d2a27d26db

SHA256
40545a3c30b0e1b090fb2a281cdb552a3da67a58bc9551594684558d27237833

SHA512
759ff1c52f61b482da5f90dde06e576bd63aa61f7571421c5768c0a71c6a219b887fe92fd9e7d28e3e496378983b949015291d346b8be5828f812471a0d0cff9

Download Submit
C:\Users\Admin\AppData\Local\Coupon Server\chrome_gp_update.js

Filesize
2KB

MD5
c15a7afa4a3ed3464df40e6eb840cc73

SHA1
51807d6d3f2567de9c4716b32f91ecc8839cc117

SHA256
41fe7e7445819a935215fd0928f5bb1bb3a2e3df36f0c27111c99cb716064f18

SHA512
90c7a06ceafc6cc7ab35254b3f394702d10881f363527b8fe2e2c6b3fec391141333fe7153a5cae83a6f8889fd55e7a478f1d979497d557fabcb4bcff9cc7ae7

Download Submit
C:\Users\Admin\AppData\Local\Coupon Server\chrome_installer.js

Filesize
6KB

MD5
b84e6bbca06fb8a9489da545c7eefa57

SHA1
76035835e1777bfff7d86e7d056392d7bd37e3a7

SHA256
aa681b9306c2c020e2164660e266c7298b31fc8b21c1b3abd5151358047ecb1f

SHA512
a560f81cdb76ac68f4e056df85789b8576e3f66b408f7a0da1c68f4efe46b63ca17734de20dd476386aa4a9e9122db7800ca8a19475d1d52f121c76db3a89dc4

Download Submit
C:\Users\Admin\AppData\Local\Coupon Server\common.js

Filesize
13KB

MD5
b2138aac6406d0c00245703bba442164

SHA1
269be35d6d0c909dfd08950134d7d8d9261c057c

SHA256
bb03ad0805409eced066c7c3dac7696761ffcc69a73f21d2ed0b8e13ed731f76

SHA512
f450fc962f12d9a9141a01ee7ce93f539909df89b2af01b31c74996f83659ce475c096265633e9f0193cb8e7cc816f042bfab3d5c781d0cc1d24e0df8ebb6c51

Download Submit
C:\Users\Admin\AppData\Local\Coupon Server\firefox\extension_info.json

Filesize
1KB

MD5
53eed557c7f6cb7c7d2c49c7a61a828a

SHA1
b3ef3b08a3456e868028fe20b6ba892b7b85fcdd

SHA256
3042da5164b873164651fc16338cb51d1730b94ab3cbfd604ef0a22d4b1634c4

SHA512
892ec8d76f0585e9631b1ac40453f87f60139c4fc28f9b37d62b8ee04ced581ea897d889c7eda3bbf42f2416a459259054f7cd9418945865aae560f773a174e5

Download Submit
C:\Users\Admin\AppData\Local\Coupon Server\firefox_installer.js

Filesize
6KB

MD5
6e8d14076e1b88eb8e5f1be916807a9b

SHA1
d99d91a0ec88d8d3ff20c983607ae0df539a3200

SHA256
c03190cd1fe25cd564fe69ef0c9b4ab1cf4d2fc51118aac60389f68f73953b27

SHA512
76b47fba913aa7b5b281584a5145b43a426a54e7ca49ade7682db0171bed67288cb748d6e88d8c8043484c9adfad6a86253d1252fe5e361bba835940f33b59a5

Download Submit
C:\Users\Admin\AppData\Local\Coupon Server\ie_installer.js

Filesize
3KB

MD5
3de39b38af916bcf07f7a68c5b065ffe

SHA1
5a9dd39ca54f4fc76f805879669b25c5ad29d213

SHA256
1bba4e6523b1a0581c008b6d7b348260a2f9f61a22daf445ed6ffa37c970c2b8

SHA512
893c2e487a37366fea9ba8e8a61064af5c63ae5937a026ba3565872758caa6653125abcea74d84f6c2ee95c23fce030f403159c6fde6616c0ed7f1af28e0a479

Download Submit
C:\Users\Admin\AppData\Local\Coupon Server\installer.js

Filesize
799B

MD5
1d2e2b33ed23d2687ac7551613e3ce10

SHA1
738fdf284c336d88f8fc178371aa073a75ac4f0f

SHA256
e6bc0ed8424b80085a08df410ad0d43ba37b052ccadfb6450a2337f37ca1288f

SHA512
af221b4bcb6e00015aced99bd47db97ad994441ee5f251106686a6da05d98289a6783a5c0ccd8e50b76216b53f1d4ab3cfda6c7fc8108b4e2f56f512cb4e7393

Download Submit
C:\Users\Admin\AppData\Local\Coupon Server\main_installer.js

Filesize
1KB

MD5
4ca1909eb243f179f48935c8106fdbc9

SHA1
cbc20846bb8b96fcf3b3bbb9d80709c8024a8366

SHA256
7acaec9a466eb71fc663f6c6c3bc41ec080f544b4e864cd1e5d6d3cd06230232

SHA512
66cc6deee36443539e6fa66ec7ef7ca0932b9b9a085296648a4448628ae21efd53a56cd592f242c5f17e88d7924b1510af1d49da220a6980aa1d004deae199a8

Download Submit
C:\Users\Admin\AppData\Local\Coupon Server\migrate.js

Filesize
4KB

MD5
7c936cb5190fc3ad0b581a562875e9a4

SHA1
ec727ee61e1598bafaf0085817151cc3a9d741c4

SHA256
9770fd38208bf2b6e1676f833a90f0f5129bae080fd890614d719b43c290c167

SHA512
987e4093e606d2ada424c3681f21a23cd8d4135a995c1286407aef3c1dcdbecec42be30961c9bb2fe92ac5a9ee5eb2715fc9c12192e6a328295f7dad28cbc341

Download Submit
C:\Users\Admin\AppData\Local\Coupon Server\projectInstaller.js

Filesize
2KB

MD5
bbefb0cf1671348f473ee527184c88f8

SHA1
4c983756e534bd3eaf33d3926bfb8b28de7b725a

SHA256
434653e061129008f0471f1c774d5b69da345a399ee2288ae2526993b67a2e3f

SHA512
c182d049bc5bacbbae389007bd46f8411a6367efe99783e0f17ce458d50c517f5928e6f180b73823bf763931069f12b91063f4a1d86ba77271bdbde175b0c543

Download Submit
C:\Users\Admin\AppData\Local\Coupon Server\sqlite3.exe

Filesize
481KB

MD5
82771129b12517cf5c6e2244d14e8360

SHA1
4e2a55e517f0e1324d3e8840e7db41f3883e4a01

SHA256
3441036aa8be132d8476bbee2648e966db130e3fdba1eb97c9972d55248bf9bc

SHA512
862028b3ae8bf3ae8e218326a5df634b19d816bcd86b830675214713e543d7672cead28e3178ef23081d508501630e4ef622066f123681c3c6d98d19e6e20c46

Download Submit
C:\Users\Admin\AppData\Local\Coupon Server\storageedit.exe

Filesize
73KB

MD5
ce8dcc1beadec52dd545174b12ac0b0b

SHA1
e6518a880c5f3561340310f468a8fc3ae379c2de

SHA256
3a2ecbde1415deaf9ea6786e0739d1392807a36f29d838824957aabbeffb407d

SHA512
73a08b869cdf0d01650756ba6083308f82a940325e6ef9b20358f68b489edf21f7720e15e874be4d2aed071be7c7b2e4c5a1a87bbfe4048da0c2a87697540ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd20DC.tmp

Filesize
328B

MD5
dc319c0badb088e49524b21ffe309fff

SHA1
cce86c789ebf0ad28ec1fa067ebee03d8f6a1bc5

SHA256
8aebf487a44350ba83fd49ba742d3edf75eec109125354233f5a570459a40c4e

SHA512
ab3a0f00b976f39d1235a0f20b9d75ea8e60c02e5b44f85adabaa432c04e5a2c56f6446aaee470014fc898d77a99cecb7ed247c66c68bf779de5b8b3a247e78a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nso2BC4.tmp\nsDialogs.dll

Filesize
11KB

MD5
790d227d847f7571c8d58a79057a469e

SHA1
75c347b1441383c61166b615dfd6e7e65b04629f

SHA256
37e99ab9db0045870e31db147438cf0c69b6fcdec4f3737a9743c447cbc0c3c0

SHA512
5821605bfb3e57ddfcc1a74829968814aae92b13cb713ef3628913d9112d493117e8aa9cc437770facdcd2d4bd1e53a271d491e6b4d3e4cff53bd027f4b07f4c

Download Submit
\Program Files (x86)\Bench\BService\1.1\bservice.exe

Filesize
51KB

MD5
a7bea13873210cdfccb51f54c2799a83

SHA1
ccfcd73f208f834c854e46e6f31db11aada5cf08

SHA256
e5f5765909b57d992640fb4a48815b0b4e84588b98eef61423dc77e8dc1afa26

SHA512
435a16fda6cc3b9e5087e3747a262e05341f89a96529eea182875ca86f23fd23f21a0759973c3f08a8114f2cd2fd589401f3188f08481730deb06fac8d5d00fe

Download Submit
\Program Files (x86)\Bench\Updater\1.7.0.0\updater.exe

Filesize
410KB

MD5
599e0d1af556792f220f3d394b99a7f9

SHA1
5d470ff7475a5b13f7bfa2f1c85a9fcd87e99aa7

SHA256
faed52125c6d007df297356dcce72532ac9fc0e4db131e43442022f479411d62

SHA512
4c7ea1db060459404b1149b401ed4ca1000d49e2fc96b42180995f00beb090b539e25f6fe4113f311adebe03dfeac3e006354a0b26ab78c73f9520ab4cd6937c

Download Submit
\Program Files (x86)\Bench\Updater\updater.exe

Filesize
65KB

MD5
ce92902a512b35ed0d6c3965c8518aca

SHA1
38822f744246b72aefa8b3af625cb63c810771ec

SHA256
7c846faf4db707eab53b6364885128a3ab389728b49db492403608eba60a6873

SHA512
b852649195bc701fa52a772a0116fb85e99bd3c6529c2aa1718878b7cd8361adaed6f85e560652ce3fe988352f5d1d2d8b9c9b7fb0f02a8c6ceb865c14c79ea6

Download Submit
\Program Files (x86)\Bench\Wd\wd.exe

Filesize
90KB

MD5
506bb43c05afe64fd3d5034d39c208be

SHA1
558b9f18f39f980bb52f023d2aefe3522591aae9

SHA256
5ab5c2450a621db03bd1f0b602adbfe1a73b4d27cb5b1d6ff5adcc026f3830c2

SHA512
1eba87a6ceb4d392a73003de9c0316551d7c0f26cb739dee0e3625f3f75563831a7b920909fe89c7e8f3afb54db16892f23d4182ec263e3c3768c0e23291a9bd

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1A93.tmp\System.dll

Filesize
23KB

MD5
125aebb055446fb52aa5956cf99e8a9a

SHA1
6b58fd08a8ff2763219cc6b0dcdb875f9970f850

SHA256
2e1b11ee20e5061ea86dc6b01e3efc659e887540afcab7317cdfd6a8eff87ec3

SHA512
5f85e48bd3ae2fd2be0595b93cbf74674e0281210688dcc73691178b295a702e8d43898afb6e5d8b7e82de98b4ee28194c9838ddf8279cde85f7fe48d34dc8b7

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1A93.tmp\md5dll.dll

Filesize
6KB

MD5
0745ff646f5af1f1cdd784c06f40fce9

SHA1
bf7eba06020d7154ce4e35f696bec6e6c966287f

SHA256
fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70

SHA512
8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1A93.tmp\nsExec.dll

Filesize
8KB

MD5
249ae678f0dac4c625c6de6aca53823a

SHA1
6ac2b9e90e8445fed4c45c5dbf2d0227cd3b5201

SHA256
7298024a36310b7c4c112be87b61b62a0b1be493e2d5252a19e5e976daf674ce

SHA512
66e4081a40f3191bf28b810cf8411cb3c8c3e3ec5943e18d6672414fb5e7b4364f862cba44c9115c599ac90890ef02a773e254e7c979e930946bc52b0693aad7

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1A93.tmp\nsProcess.dll

Filesize
4KB

MD5
05450face243b3a7472407b999b03a72

SHA1
ffd88af2e338ae606c444390f7eaaf5f4aef2cd9

SHA256
95fe9d92512ff2318cc2520311ef9145b2cee01209ab0e1b6e45c7ce1d4d0e89

SHA512
f4cbe30166aff20a226a7150d93a876873ba699d80d7e9f46f32a9b4753fa7966c3113a3124340b39ca67a13205463a413e740e541e742903e3f89af5a53ad3b

Download Submit
\Users\Admin\AppData\Local\Temp\nsi1A93.tmp\nsProcess2.dll

Filesize
35KB

MD5
6e96ea8b0dfdb326c0852a5b64d920a6

SHA1
5ea182cb6ae5c104ca064fa8464df8ed1904eaa7

SHA256
b8762c09c2b45fc836c65a9052951de05177651d278e4cf154c754d9f5573e7a

SHA512
02d0bd8f16ddad829b80764926f1e6dcfb35b60fbce02bec0a7fc2011164d86f633074af012de71fae33b90732ec4c7633f8a70ab24c19717926757f9c56fb4f

Download Submit
memory/2392-185-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2440-18-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/2440-17-0x0000000010000000-0x0000000010009000-memory.dmp

Filesize
36KB

Download
memory/2440-371-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2440-372-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/2452-182-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2688-348-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download