98b7ae6e91fe56a7597d1559967fad5ecc42e46c5021587dfa4be6c444412514

Analysis

max time kernel
146s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/06/2024, 07:43

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9783960bd13fc9f6e266f220c5a174aa_JaffaCakes118.exe
Size

3.5MB
MD5

9783960bd13fc9f6e266f220c5a174aa
SHA1

6a483c098d04152ed62b4e53600e819eaad163b4
SHA256

98b7ae6e91fe56a7597d1559967fad5ecc42e46c5021587dfa4be6c444412514
SHA512

2f808cbca7eeeaaac626d7519caad4ea407345b542c8a249179567d4da0c54cd8a05f6dd6dc9179a51ad23f4ce456490f212eea6c37dff6376ba8bd5884ae606
SSDEEP

98304:X3bobVkwiXFlJboUaQXK1XR0ZNSHm8GeRLfWFZzl:Hbeirfa1GZN+PhLIZZ

Score

7^/10

discovery persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

pid	Process
2160	drvprosetup.exe
2308	drvprosetup.tmp
3008	DPTray.exe
2772	DPStartScan.exe
1916	DriverPro.exe
1192	DriverPro.exe

Loads dropped DLL 12 IoCs

pid	Process
1132	9783960bd13fc9f6e266f220c5a174aa_JaffaCakes118.exe
2160	drvprosetup.exe
2308	drvprosetup.tmp
2308	drvprosetup.tmp
2308	drvprosetup.tmp
2308	drvprosetup.tmp
2308	drvprosetup.tmp
2308	drvprosetup.tmp
2308	drvprosetup.tmp
1192	DriverPro.exe
1916	DriverPro.exe
1192	DriverPro.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver Pro = "C:\\Program Files (x86)\\Driver Pro\\DPLauncher.exe"	drvprosetup.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Driver Pro\is-N64GO.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-LV2BU.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\unins000.dat	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-54J3I.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-DD7PS.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-NMK6K.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-0TIT4.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-R3SFL.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-FNAUL.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\unins000.msg	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DPTray.exe	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DPStartScan.exe	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\unins000.dat	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DrvProHelper.dll	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\sqlite3.dll	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-SAQ6I.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-63AHF.tmp	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-AJD5F.tmp	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\7z.dll	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DriverPro.chm	drvprosetup.tmp
File opened for modification	C:\Program Files (x86)\Driver Pro\DriverPro.exe	drvprosetup.tmp
File created	C:\Program Files (x86)\Driver Pro\is-D8PJT.tmp	drvprosetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	drvprosetup.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	drvprosetup.tmp

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1400	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	DriverPro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	DriverPro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	DriverPro.exe

Script User-Agent 3 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	6	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	7	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	8	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2308	drvprosetup.tmp
2308	drvprosetup.tmp
1192	DriverPro.exe
1916	DriverPro.exe
1192	DriverPro.exe
1916	DriverPro.exe
3008	DPTray.exe
3008	DPTray.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	DriverPro.exe
Token: SeIncreaseQuotaPrivilege	1916	DriverPro.exe
Token: SeImpersonatePrivilege	1916	DriverPro.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2308	drvprosetup.tmp

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1192	DriverPro.exe
1916	DriverPro.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 2160	1132	9783960bd13fc9f6e266f220c5a174aa_JaffaCakes118.exe	28
PID 1132 wrote to memory of 2160	1132	9783960bd13fc9f6e266f220c5a174aa_JaffaCakes118.exe	28
PID 1132 wrote to memory of 2160	1132	9783960bd13fc9f6e266f220c5a174aa_JaffaCakes118.exe	28
PID 1132 wrote to memory of 2160	1132	9783960bd13fc9f6e266f220c5a174aa_JaffaCakes118.exe	28
PID 1132 wrote to memory of 2160	1132	9783960bd13fc9f6e266f220c5a174aa_JaffaCakes118.exe	28
PID 1132 wrote to memory of 2160	1132	9783960bd13fc9f6e266f220c5a174aa_JaffaCakes118.exe	28
PID 1132 wrote to memory of 2160	1132	9783960bd13fc9f6e266f220c5a174aa_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2308	2160	drvprosetup.exe	29
PID 2160 wrote to memory of 2308	2160	drvprosetup.exe	29
PID 2160 wrote to memory of 2308	2160	drvprosetup.exe	29
PID 2160 wrote to memory of 2308	2160	drvprosetup.exe	29
PID 2160 wrote to memory of 2308	2160	drvprosetup.exe	29
PID 2160 wrote to memory of 2308	2160	drvprosetup.exe	29
PID 2160 wrote to memory of 2308	2160	drvprosetup.exe	29
PID 2308 wrote to memory of 3008	2308	drvprosetup.tmp	31
PID 2308 wrote to memory of 3008	2308	drvprosetup.tmp	31
PID 2308 wrote to memory of 3008	2308	drvprosetup.tmp	31
PID 2308 wrote to memory of 3008	2308	drvprosetup.tmp	31
PID 2308 wrote to memory of 2772	2308	drvprosetup.tmp	32
PID 2308 wrote to memory of 2772	2308	drvprosetup.tmp	32
PID 2308 wrote to memory of 2772	2308	drvprosetup.tmp	32
PID 2308 wrote to memory of 2772	2308	drvprosetup.tmp	32
PID 2308 wrote to memory of 1916	2308	drvprosetup.tmp	33
PID 2308 wrote to memory of 1916	2308	drvprosetup.tmp	33
PID 2308 wrote to memory of 1916	2308	drvprosetup.tmp	33
PID 2308 wrote to memory of 1916	2308	drvprosetup.tmp	33
PID 2308 wrote to memory of 1192	2308	drvprosetup.tmp	34
PID 2308 wrote to memory of 1192	2308	drvprosetup.tmp	34
PID 2308 wrote to memory of 1192	2308	drvprosetup.tmp	34
PID 2308 wrote to memory of 1192	2308	drvprosetup.tmp	34
PID 1192 wrote to memory of 1400	1192	DriverPro.exe	35
PID 1192 wrote to memory of 1400	1192	DriverPro.exe	35
PID 1192 wrote to memory of 1400	1192	DriverPro.exe	35
PID 1192 wrote to memory of 1400	1192	DriverPro.exe	35

C:\Users\Admin\AppData\Local\Temp\9783960bd13fc9f6e266f220c5a174aa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9783960bd13fc9f6e266f220c5a174aa_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
  C:\Users\Admin\AppData\Local\Temp\\drvprosetup.exe /VERYSILENT
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\is-3H1SB.tmp\drvprosetup.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-3H1SB.tmp\drvprosetup.tmp" /SL5="$80022,2744501,85504,C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe" /VERYSILENT
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\Program Files (x86)\Driver Pro\DPTray.exe
      "C:\Program Files (x86)\Driver Pro\DPTray.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3008
  - - C:\Program Files (x86)\Driver Pro\DPStartScan.exe
      "C:\Program Files (x86)\Driver Pro\DPStartScan.exe" /SILENT
      4⤵
      Executes dropped EXE
      PID:2772
  - - C:\Program Files (x86)\Driver Pro\DriverPro.exe
      "C:\Program Files (x86)\Driver Pro\DriverPro.exe" /INSTALL
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1916
  - - C:\Program Files (x86)\Driver Pro\DriverPro.exe
      "C:\Program Files (x86)\Driver Pro\DriverPro.exe" /START
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1192
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\System32\schtasks.exe" /Create /TN "Driver Pro Schedule" /TR "\"C:\Program Files (x86)\Driver Pro\DPTray.exe\"" /SC ONLOGON /RL HIGHEST /F
        5⤵
        Creates scheduled task(s)
        
        PID:1400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Driver Pro\English.ini

Filesize
12KB

MD5
8f88e83e8022bfacd1e11529fcbac372

SHA1
2827f7593329022d8a6672133b67d542363e5be9

SHA256
d4fa4405d07c959d8578d344d1fcb3bd834003682ea96ee49b048f7d1eba8679

SHA512
dc3d181f416633a90297a43a710c77193c4b5c387037ad4084d10372a90151cba176330d4b463f07bc1c18f09c0a84be493e16e38b84946deaf081a6567af371

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O2QPP.tmp\cfg.exe

Filesize
64KB

MD5
0d6f95239fc7575f6356b7f9de24e4fc

SHA1
27433dfc46ab0538b176ca2e4504ac84d77c8bb8

SHA256
3b5abe6dd5dcfb988c358fe5082d12c614a9f4e692f67d3455345c1e1d971321

SHA512
746b6a6ac091017c8c06835ee41ddb4a8878d6aa716de7a9de36bbcc40ec6e02d2f78050c68d1f8f29fc2e532e695a193e6ce3f0285f384d5a429c7eb030b667

Download Submit
C:\Users\Admin\AppData\Roaming\Driver Pro\PCInfo.ini

Filesize
88B

MD5
3b62e36031fd00795f71c4b2b0ad413a

SHA1
b466528c55814460a85e7b1bd422b18bd5b090f0

SHA256
5049c6aa0bac6ff280bb594612908bc00906e66895b93be2d33fda6ecae1b987

SHA512
2d85dedfc40ab8450138880400a0318940fffd810488ab0d7417e00b01fd9257e800801d7ae2ca33eb07889ecc03e84fb05528f7992e6e6683d8dfe329f61ffd

Download Submit
C:\Users\Admin\AppData\Roaming\Driver Pro\program.log

Filesize
164B

MD5
1a1db15dbdf60b0cdfc5ea8c0e90fbe2

SHA1
60ab656a5370cf4c87fafe811ff9a9dd7b667634

SHA256
aa026f6060cb63c10cfb6ca8e4dea60ab6f39e0959bd67aabdb4455a3e86f447

SHA512
847dab3aa4266866b6f5bb5e31d99317cda9e9dee66c4dc9d29e4d1ccbcd55bff105ed37236a6fef7e93d5cf4f236db5ce953a190c7e7ec43097a7150f5ed940

Download Submit
\Program Files (x86)\Driver Pro\DPStartScan.exe

Filesize
819KB

MD5
fe31b439855c9bc8af54bc83b61e3d4e

SHA1
3a4cb85b20b3bd3bb904de725eb974c4ea16a97b

SHA256
0bccf5266397c50c63d5dd23ff6c0c2afb672325a6300f2e9e44e71d4b5485e5

SHA512
5be58ac4144cd19cef6163dc056d7e540c728ba71b053082d63a53114e13ab1991e419bd2bdb0fff00f5a721ddee40f70579d7b43acbd2772be3b1d30523a97e

Download Submit
\Program Files (x86)\Driver Pro\DPTray.exe

Filesize
810KB

MD5
01f6a32f6b28d37b3155325a83d96410

SHA1
b5cbaaae0ae15ebb2985733fdce3e156555abc82

SHA256
8cb02e1a1867e40aed8a11bae3c8ea100996eb518fa0d81f3d12e02e646159d4

SHA512
42fe1c80bd408e7f9e36544dfc13a463e6fd07caef72b9706bba51899bd220b66826b4bf58a1e278bc6f805c43bf30bc60cebd8eb1aeefc328cdccbbee8d8021

Download Submit
\Program Files (x86)\Driver Pro\DriverPro.exe

Filesize
3.3MB

MD5
ec1edf352b54ab579353bf043c2014ee

SHA1
fc5fff6f090f7615d41df61d0d5757fb26b3a4b5

SHA256
0fd7ac20b7655886c6bc98efa05a7dfe5c65deb61d4d656021e4f58564a9ae08

SHA512
8fdba482728322b25585930a6dc8c707f44a66751ed66c056ef5380a4c769ef1654ae138deb7aa599f9c0641f618a13dc56022ed941acfdd2cc734fb39be8501

Download Submit
\Program Files (x86)\Driver Pro\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
\Users\Admin\AppData\Local\Temp\drvprosetup.exe

Filesize
3.1MB

MD5
3107c28da15cc8db52ecaeb41e92fa27

SHA1
9498f3281c0b79a8f051ca9aeb0d6132dcf0ca0f

SHA256
e9318226bff1cf3225c26f0bde46ad08f2a745fe9de55153a41c7bf7eb194325

SHA512
8b2d0c2744584899ac8cc15786dd13b977958c4d3c8f2cb50b7afeb52b0a6f647bf8b20ab19d5d3b562d8804f92b8fb5828f971124b4e089c0858f0a6ad1a2b8

Download Submit
\Users\Admin\AppData\Local\Temp\is-3H1SB.tmp\drvprosetup.tmp

Filesize
1.1MB

MD5
91c38c395631d57254356e90b9a6e554

SHA1
cbe8ae15ec5c8a392b00ddbc71cf92eddd5645b4

SHA256
e9804fa0e9a0b249a69539bf9ba3f2df95648f56676a61b8988e6648308ae83d

SHA512
9f95567ceb618167899d954387771312b4895d03dcf65e5402c284af50e1ac1ec5d452a8069528a4761894dba02be7a97849be01626d1d688dc4059abf65f119

Download Submit
\Users\Admin\AppData\Local\Temp\is-O2QPP.tmp\DrvProHelper.dll

Filesize
1.3MB

MD5
dfd23a69f1a7f5385eafafde8f5582f4

SHA1
e578e02964582382d4cf90ac003bffa9dcd1dd30

SHA256
701db9616b8ca5f24694a3b9fde8b96b08fbbe14871d9f7eeb721ff29d3259d2

SHA512
740dda51de539a6c889fecfeeb157ae3ae706e9b6c59931c715ec4a660420b6667b2e01954b511ae872164bdb90be887cf3beddfb2fafad3ee945c92ecf6b174

Download Submit
\Users\Admin\AppData\Local\Temp\is-O2QPP.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1192-115-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/1192-112-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/1192-121-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/1192-131-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/1916-103-0x0000000060900000-0x0000000060970000-memory.dmp

Filesize
448KB

Download
memory/1916-102-0x0000000000400000-0x0000000000755000-memory.dmp

Filesize
3.3MB

Download
memory/2160-7-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/2160-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2160-5-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2160-25-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2308-28-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2308-27-0x0000000003050000-0x000000000319E000-memory.dmp

Filesize
1.3MB

Download
memory/2308-22-0x0000000003050000-0x000000000319E000-memory.dmp

Filesize
1.3MB

Download
memory/2308-13-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2308-26-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2308-95-0x0000000000400000-0x0000000000522000-memory.dmp

Filesize
1.1MB

Download
memory/2772-84-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/3008-111-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/3008-133-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download