Malware Analysis Report

2024-10-10 12:06

Sample ID 240613-qf89kazfpc
Target a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118
SHA256 100d67245436a91cf74d6cbdb370fb88a11d6f6410333c082638b8ce979653ba
Tags discovery persistence
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Threat Level: Shows suspicious behavior

The file a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118 shows suspicious behavior.

Malicious Activity Summary

discovery persistence

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Script User-Agent

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 13:13

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 13:13

Reported

2024-06-13 13:15

Platform

win7-20240220-en

Max time kernel

149s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe"

Signatures

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Driver Pro = "C:\\Program Files (x86)\\Driver Pro\\DPLauncher.exe" | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Driver Pro\DriverPro.exe | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File created | C:\Program Files (x86)\Driver Pro\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File created | C:\Program Files (x86)\Driver Pro\is-UK3HT.tmp | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File created | C:\Program Files (x86)\Driver Pro\is-GRFAF.tmp | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File created | C:\Program Files (x86)\Driver Pro\is-FNF0D.tmp | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File opened for modification | C:\Program Files (x86)\Driver Pro\7z.dll | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File opened for modification | C:\Program Files (x86)\Driver Pro\DPStartScan.exe | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File created | C:\Program Files (x86)\Driver Pro\is-3A39N.tmp | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File created | C:\Program Files (x86)\Driver Pro\is-IODGQ.tmp | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File created | C:\Program Files (x86)\Driver Pro\unins000.msg | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File opened for modification | C:\Program Files (x86)\Driver Pro\unins000.dat | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File opened for modification | C:\Program Files (x86)\Driver Pro\DriverPro.chm | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File created | C:\Program Files (x86)\Driver Pro\is-AD4HI.tmp | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File created | C:\Program Files (x86)\Driver Pro\is-0GU38.tmp | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File created | C:\Program Files (x86)\Driver Pro\is-CPQI7.tmp | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File created | C:\Program Files (x86)\Driver Pro\is-34C7Q.tmp | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File created | C:\Program Files (x86)\Driver Pro\is-KQ5VH.tmp | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File created | C:\Program Files (x86)\Driver Pro\is-B0TSH.tmp | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File opened for modification | C:\Program Files (x86)\Driver Pro\DrvProHelper.dll | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File opened for modification | C:\Program Files (x86)\Driver Pro\sqlite3.dll | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File opened for modification | C:\Program Files (x86)\Driver Pro\DPTray.exe | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
File created | C:\Program Files (x86)\Driver Pro\is-HHA4O.tmp | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A

Creates scheduled task(s)

persistence
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Driver Pro\DriverPro.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Driver Pro\DriverPro.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Driver Pro\DriverPro.exe | N/A

Script User-Agent

Description | Indicator | Process | Target
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A
HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Driver Pro\DriverPro.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Program Files (x86)\Driver Pro\DriverPro.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Program Files (x86)\Driver Pro\DriverPro.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Driver Pro\DriverPro.exe | N/A
N/A | N/A | C:\Program Files (x86)\Driver Pro\DriverPro.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2192 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
PID 2192 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
PID 2192 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
PID 2192 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
PID 2192 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
PID 2192 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
PID 2192 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe
PID 1888 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp
PID 1888 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp
PID 1888 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp
PID 1888 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp
PID 1888 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp
PID 1888 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp
PID 1888 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp
PID 3028 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | C:\Program Files (x86)\Driver Pro\DPTray.exe
PID 3028 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | C:\Program Files (x86)\Driver Pro\DPTray.exe
PID 3028 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | C:\Program Files (x86)\Driver Pro\DPTray.exe
PID 3028 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | C:\Program Files (x86)\Driver Pro\DPTray.exe
PID 3028 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | C:\Program Files (x86)\Driver Pro\DPStartScan.exe
PID 3028 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | C:\Program Files (x86)\Driver Pro\DPStartScan.exe
PID 3028 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | C:\Program Files (x86)\Driver Pro\DPStartScan.exe
PID 3028 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | C:\Program Files (x86)\Driver Pro\DPStartScan.exe
PID 3028 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | C:\Program Files (x86)\Driver Pro\DriverPro.exe
PID 3028 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | C:\Program Files (x86)\Driver Pro\DriverPro.exe
PID 3028 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | C:\Program Files (x86)\Driver Pro\DriverPro.exe
PID 3028 wrote to memory of 2280 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | C:\Program Files (x86)\Driver Pro\DriverPro.exe
PID 3028 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | C:\Program Files (x86)\Driver Pro\DriverPro.exe
PID 3028 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | C:\Program Files (x86)\Driver Pro\DriverPro.exe
PID 3028 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | C:\Program Files (x86)\Driver Pro\DriverPro.exe
PID 3028 wrote to memory of 912 | N/A | C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp | C:\Program Files (x86)\Driver Pro\DriverPro.exe
PID 912 wrote to memory of 2300 | N/A | C:\Program Files (x86)\Driver Pro\DriverPro.exe | C:\Windows\SysWOW64\schtasks.exe
PID 912 wrote to memory of 2300 | N/A | C:\Program Files (x86)\Driver Pro\DriverPro.exe | C:\Windows\SysWOW64\schtasks.exe
PID 912 wrote to memory of 2300 | N/A | C:\Program Files (x86)\Driver Pro\DriverPro.exe | C:\Windows\SysWOW64\schtasks.exe
PID 912 wrote to memory of 2300 | N/A | C:\Program Files (x86)\Driver Pro\DriverPro.exe | C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe

C:\Users\Admin\AppData\Local\Temp\\drvprosetup.exe /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp" /SL5="$70122,2744501,85504,C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe" /VERYSILENT

C:\Program Files (x86)\Driver Pro\DPTray.exe

"C:\Program Files (x86)\Driver Pro\DPTray.exe"

C:\Program Files (x86)\Driver Pro\DPStartScan.exe

"C:\Program Files (x86)\Driver Pro\DPStartScan.exe" /SILENT

C:\Program Files (x86)\Driver Pro\DriverPro.exe

"C:\Program Files (x86)\Driver Pro\DriverPro.exe" /INSTALL

C:\Program Files (x86)\Driver Pro\DriverPro.exe

"C:\Program Files (x86)\Driver Pro\DriverPro.exe" /START

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Driver Pro Schedule" /TR "\"C:\Program Files (x86)\Driver Pro\DPTray.exe\"" /SC ONLOGON /RL HIGHEST /F

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | idriverpro.com | udp
US | 8.8.8.8:53 | idriverpro.net | udp
US | 8.8.8.8:53 | idriverpro.org | udp
US | 23.82.12.31:80 | idriverpro.org | tcp
US | 8.8.8.8:53 | ww1.idriverpro.org | udp
US | 199.59.243.226:80 | ww1.idriverpro.org | tcp
US | 23.82.12.31:80 | idriverpro.org | tcp
US | 23.82.12.31:80 | idriverpro.org | tcp
US | 8.8.8.8:53 | bi.secure-download.net | udp
US | 8.8.8.8:53 | service.smartpcupdate.com | udp
DE | 94.130.13.99:80 | service.smartpcupdate.com | tcp
DE | 94.130.13.99:80 | service.smartpcupdate.com | tcp

Files

\Users\Admin\AppData\Local\Temp\drvprosetup.exe

\Users\Admin\AppData\Local\Temp\is-5QQQ6.tmp\drvprosetup.tmp

\Users\Admin\AppData\Local\Temp\is-0HRLA.tmp\_isetup\_shfoldr.dll

\Users\Admin\AppData\Local\Temp\is-0HRLA.tmp\DrvProHelper.dll

\Program Files (x86)\Driver Pro\DriverPro.exe

\Program Files (x86)\Driver Pro\DPTray.exe

C:\Program Files (x86)\Driver Pro\English.ini

\Program Files (x86)\Driver Pro\DPStartScan.exe

C:\Users\Admin\AppData\Local\Temp\is-0HRLA.tmp\cfg.exe

\Program Files (x86)\Driver Pro\sqlite3.dll

C:\Users\Admin\AppData\Roaming\Driver Pro\PCInfo.ini

C:\Users\Admin\AppData\Roaming\Driver Pro\program.log

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 13:13

Reported

2024-06-13 13:15

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

54s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HSG3S.tmp\drvprosetup.tmp | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\is-HSG3S.tmp\drvprosetup.tmp | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\is-HSG3S.tmp\drvprosetup.tmp | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a5b7f0a8146d3d770e25c9e05c1fe51b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe

C:\Users\Admin\AppData\Local\Temp\\drvprosetup.exe /VERYSILENT

C:\Users\Admin\AppData\Local\Temp\is-HSG3S.tmp\drvprosetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-HSG3S.tmp\drvprosetup.tmp" /SL5="$B0064,2744501,85504,C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe" /VERYSILENT

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | idriverpro.com | udp
US | 8.8.8.8:53 | idriverpro.net | udp
US | 8.8.8.8:53 | idriverpro.org | udp

Files

C:\Users\Admin\AppData\Local\Temp\drvprosetup.exe

C:\Users\Admin\AppData\Local\Temp\is-HSG3S.tmp\drvprosetup.tmp

C:\Users\Admin\AppData\Local\Temp\is-C7JB6.tmp\DrvProHelper.dll