Analysis

max time kernel: 149s
max time network: 120s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2024 13:13

Static task: static1

Behavioral task: behavioral1
  Sample: a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe
  Resource: win10v2004-20240508-en

General

Target: a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe
Size: 3.5MB
MD5: a5b7f0a8146d3d770e25c9e05c1fe51b
SHA1: f2bcf6db4cc162e2f21a90b1a0c47f281f4e2de6
SHA256: 100d67245436a91cf74d6cbdb370fb88a11d6f6410333c082638b8ce979653ba
SHA512: 66f6d133729ce9f1f6b97a7b7c60b51949455d3cd0351f0d13edfd7873538564df3d58a5cc5e958a88d5ebb0336e6d5eec5474fbf9f709aa4896aaf2fd60338d
SSDEEP: 98304:t3bobVkwiXFlJboUaQXK1XR0ZNSHm8GeRLfWFZzr:Bbeirfa1GZN+PhLIZ/
Malware Config

Signatures

Executes dropped EXE (6 IoCs)
  Processes:
  - PID 1888 drvprosetup.exe
  - PID 3028 drvprosetup.tmp
  - PID 2664 DPTray.exe
  - PID 2484 DPStartScan.exe
  - PID 2280 DriverPro.exe
  - PID 912 DriverPro.exe

Loads dropped DLL (12 IoCs)
  Processes:
  - PID 2192 a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe
  - PID 1888 drvprosetup.exe
  - PID 3028 drvprosetup.tmp (7 entries)
  - PID 912 DriverPro.exe (2 entries)
  - PID 2280 DriverPro.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  - drvprosetup.tmp: Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver Pro = "C:\\Program Files (x86)\\Driver Pro\\DPLauncher.exe"

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (22 IoCs)
  Processes (all by drvprosetup.tmp):
  - File opened for modification: C:\Program Files (x86)\Driver Pro\DriverPro.exe
  - File created: C:\Program Files (x86)\Driver Pro\unins000.dat
  - File created: C:\Program Files (x86)\Driver Pro\is-UK3HT.tmp
  - File created: C:\Program Files (x86)\Driver Pro\is-GRFAF.tmp
  - File created: C:\Program Files (x86)\Driver Pro\is-FNF0D.tmp
  - File opened for modification: C:\Program Files (x86)\Driver Pro\7z.dll
  - File opened for modification: C:\Program Files (x86)\Driver Pro\DPStartScan.exe
  - File created: C:\Program Files (x86)\Driver Pro\is-3A39N.tmp
  - File created: C:\Program Files (x86)\Driver Pro\is-IODGQ.tmp
  - File created: C:\Program Files (x86)\Driver Pro\unins000.msg
  - File opened for modification: C:\Program Files (x86)\Driver Pro\unins000.dat
  - File opened for modification: C:\Program Files (x86)\Driver Pro\DriverPro.chm
  - File created: C:\Program Files (x86)\Driver Pro\is-AD4HI.tmp
  - File created: C:\Program Files (x86)\Driver Pro\is-0GU38.tmp
  - File created: C:\Program Files (x86)\Driver Pro\is-CPQI7.tmp
  - File created: C:\Program Files (x86)\Driver Pro\is-34C7Q.tmp
  - File created: C:\Program Files (x86)\Driver Pro\is-KQ5VH.tmp
  - File created: C:\Program Files (x86)\Driver Pro\is-B0TSH.tmp
  - File opened for modification: C:\Program Files (x86)\Driver Pro\DrvProHelper.dll
  - File opened for modification: C:\Program Files (x86)\Driver Pro\sqlite3.dll
  - File opened for modification: C:\Program Files (x86)\Driver Pro\DPTray.exe
  - File created: C:\Program Files (x86)\Driver Pro\is-HHA4O.tmp

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  - drvprosetup.tmp: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  - drvprosetup.tmp: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - DriverPro.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - DriverPro.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  - DriverPro.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName

Script User-Agent (4 IoCs)
  Uses user-agent string associated with script host/environment.
  Network flows:
  - Flows 6, 8, 9 and 10: HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
  - PID 3028 drvprosetup.tmp (2 entries)
  - PID 2280 DriverPro.exe (2 entries)
  - PID 912 DriverPro.exe (2 entries)
  - PID 2664 DPTray.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  - PID 2280 DriverPro.exe: Token SeDebugPrivilege
  - PID 2280 DriverPro.exe: Token SeIncreaseQuotaPrivilege
  - PID 2280 DriverPro.exe: Token SeImpersonatePrivilege

Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  - PID 3028 drvprosetup.tmp

Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes:
  - PID 2280 DriverPro.exe
  - PID 912 DriverPro.exe

Suspicious use of WriteProcessMemory (34 IoCs)
  Processes (source PID and process -> target PID and process):
  - PID 2192 a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe -> PID 1888 drvprosetup.exe (7 entries)
  - PID 1888 drvprosetup.exe -> PID 3028 drvprosetup.tmp (7 entries)
  - PID 3028 drvprosetup.tmp -> PID 2664 DPTray.exe (4 entries)
  - PID 3028 drvprosetup.tmp -> PID 2484 DPStartScan.exe (4 entries)
  - PID 3028 drvprosetup.tmp -> PID 2280 DriverPro.exe (4 entries)
  - PID 3028 drvprosetup.tmp -> PID 912 DriverPro.exe (4 entries)
  - PID 912 DriverPro.exe -> PID 2300 schtasks.exe (4 entries)
Processes (process tree; indentation shows parent/child relationship)

C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe"
  PID: 2192
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\\drvprosetup.exe /VERYSILENT
    PID: 1888
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp
      Command line: "C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp" /SL5="$70122,2744501,85504,C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe" /VERYSILENT
      PID: 3028
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      C:\Program Files (x86)\Driver Pro\DPTray.exe
        Command line: "C:\Program Files (x86)\Driver Pro\DPTray.exe"
        PID: 2664
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

      C:\Program Files (x86)\Driver Pro\DPStartScan.exe
        Command line: "C:\Program Files (x86)\Driver Pro\DPStartScan.exe" /SILENT
        PID: 2484
        - Executes dropped EXE

      C:\Program Files (x86)\Driver Pro\DriverPro.exe
        Command line: "C:\Program Files (x86)\Driver Pro\DriverPro.exe" /INSTALL
        PID: 2280
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx

      C:\Program Files (x86)\Driver Pro\DriverPro.exe
        Command line: "C:\Program Files (x86)\Driver Pro\DriverPro.exe" /START
        PID: 912
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Driver Pro Schedule" /TR "\"C:\Program Files (x86)\Driver Pro\DPTray.exe\"" /SC ONLOGON /RL HIGHEST /F
          PID: 2300
          - Creates scheduled task(s)