Analysis Overview
SHA256
768a623a22cdcd633110581f30d990823e70a62f4d17acad954b4814b2f42098
Threat Level: Likely malicious
The file 11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Server Software Component: Terminal Services DLL
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Installs/modifies Browser Helper Object
Drops file in System32 directory
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 12:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 12:18
Reported
2024-06-26 12:18
Platform
win7-20240508-en
Max time kernel
14s
Max time network
16s
Command Line
Signatures
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Iprip\Parameters\ServiceDll = "C:\\WINDOWS\\SYSTEM32\\liprip.dll" | C:\Users\Admin\AppData\Local\Temp\tah.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Iprip\Parameters\ServiceDll = "C:\\Windows\\system32\\liprip.dll" | C:\Windows\SysWOW64\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tah.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Iprip\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Iprip\ = "Service" | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repst = "C:\\Windows\\system32\\iprep.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\fsutk.dll | C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe | N/A |
| File created | C:\WINDOWS\SysWOW64\liprip.dll | C:\Users\Admin\AppData\Local\Temp\tah.exe | N/A |
| File opened for modification | C:\WINDOWS\SysWOW64\liprip.dll | C:\Users\Admin\AppData\Local\Temp\tah.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fsutk.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\iprep.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-18 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.1 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.1 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.2 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.2 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R18.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "QuickFlash" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "QuickFlash" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E5CBF21-D15F-11d0-8301-00AA005B4383}\InProcServer32\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ = "C:\\Windows\\SysWow64\\fsutk.dll" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\ | C:\Users\Admin\AppData\Local\Temp\tah.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ = "QuickFlash" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{BF50AC63-19DA-487E-AD4A-0B452D823B59}" | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tah.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1196 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tah.exe |
| PID 1196 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tah.exe |
| PID 1196 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tah.exe |
| PID 1196 wrote to memory of 2416 | N/A | C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\tah.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\tah.exe
"C:\Users\Admin\AppData\Local\Temp\tah.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
Network
Files
\Users\Admin\AppData\Local\Temp\tah.exe
| MD5 | 862f32de31faa91bc93290a7b9139cd9 |
| SHA1 | f702fb688f9803788f02ee69ba2ccc467073fabb |
| SHA256 | 95937171a8176f21a1e3270dd96790bdeb56b84cf481678ea8cde69e2c135439 |
| SHA512 | 28af358eb6f2ecc60babc373f8023a66b424de851a331d15ae2f98b88b379c26d618bd635921b9547d44f02db47ad7ef2d71c340eb4b759bee2cbccf5aa5a628 |
\??\c:\$Recycle.bin\int.dat
| MD5 | 08dcc6bc02fc5141663c98d5494feda8 |
| SHA1 | e4165fa1016abab181fc892ba9029b824b0d622e |
| SHA256 | 0618ce58995eaa5d0fe37c94d495667125e0cea00fa88514b74961a50c19efda |
| SHA512 | b075cecc369719eb84fc20ac0f115b4f17f0db52a42f067a1bf4c6cde744366332fcfe47d5ca30ce630423eaaed34ecd1af12446e1de1cab31cd931bab34e3f8 |
\??\c:\windows\SysWOW64\liprip.dll
| MD5 | 16583e7ad98f91085869b33eb84c6209 |
| SHA1 | 9bf51febdf1323560f5819414620965e51573136 |
| SHA256 | b2ece41bcfa9073f25f1318943cba29ce6c7f39ec70ddd60dacc175cf69cbadf |
| SHA512 | 9c37ed04f19537120b5cd125f5c662c0c5744c4af7f33223b1bc4f67b30c9e0654c8881b9bbc6055ca9609b9fc3751e256f9b6ea4750b0c066c633a3bf865cf0 |
C:\Windows\SysWOW64\fsutk.dll
| MD5 | 6b94b3d1346abfd7835872017d019306 |
| SHA1 | 6a502f7729addddcf2861a5cb058cc647364b951 |
| SHA256 | f0d468ef5996d4cddff6b73d4feb39aecaa34ac6594612116865c18e38860887 |
| SHA512 | 64f4e3f235564eff9a313d86a45a2995f4995c9f2c1d30d677d2c8b2326eb65d1fd8f47714e8aa6fe133d8fcce587be5fa13b2674ca60ebf314d38b8e898e528 |
memory/2068-19-0x0000000000150000-0x0000000000170000-memory.dmp
memory/2476-80-0x0000000002E10000-0x0000000002E11000-memory.dmp
memory/1292-135-0x0000000002AB0000-0x0000000002AB1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 12:18
Reported
2024-06-26 12:18
Platform
win10v2004-20240226-en
Max time kernel
23s
Max time network
29s
Command Line
Signatures
Server Software Component: Terminal Services DLL
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Iprip\Parameters\ServiceDll = "C:\\WINDOWS\\SYSTEM32\\liprip.dll" | C:\Users\Admin\AppData\Local\Temp\yfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Iprip\Parameters\ServiceDll = "C:\\Windows\\system32\\liprip.dll" | C:\Windows\SysWOW64\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yfm.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Iprip\ = "Service" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Iprip\ | C:\Windows\SysWOW64\svchost.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repst = "C:\\Windows\\system32\\iprep.exe" | C:\Windows\SysWOW64\svchost.exe | N/A |
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\fsutk.dll | C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe | N/A |
| File created | C:\WINDOWS\SysWOW64\liprip.dll | C:\Users\Admin\AppData\Local\Temp\yfm.exe | N/A |
| File opened for modification | C:\WINDOWS\SysWOW64\liprip.dll | C:\Users\Admin\AppData\Local\Temp\yfm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fsutk.dll | C:\Windows\SysWOW64\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\iprep.exe | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Autodesk | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.2 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.2 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.1 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R18.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Autodesk\AutoCAD\R16.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.0 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Autodesk\AutoCAD | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.1 | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ = "C:\\Windows\\SysWow64\\fsutk.dll" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\ | C:\Users\Admin\AppData\Local\Temp\yfm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ = "QuickFlash" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "QuickFlash" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\ = "IEHlprObj.IEHlprObj.1" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "QuickFlash" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\ | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{BF50AC63-19DA-487E-AD4A-0B452D823B59}" | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5CBF21-D15F-11d0-8301-00AA005B4383}\InProcServer32\ | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yfm.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3296 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\yfm.exe |
| PID 3296 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\yfm.exe |
| PID 3296 wrote to memory of 3424 | N/A | C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\yfm.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\yfm.exe
"C:\Users\Admin\AppData\Local\Temp\yfm.exe"
C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Iprip
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3982855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | tcp | |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\yfm.exe
| MD5 | 862f32de31faa91bc93290a7b9139cd9 |
| SHA1 | f702fb688f9803788f02ee69ba2ccc467073fabb |
| SHA256 | 95937171a8176f21a1e3270dd96790bdeb56b84cf481678ea8cde69e2c135439 |
| SHA512 | 28af358eb6f2ecc60babc373f8023a66b424de851a331d15ae2f98b88b379c26d618bd635921b9547d44f02db47ad7ef2d71c340eb4b759bee2cbccf5aa5a628 |
\??\c:\$Recycle.bin\int.dat
| MD5 | 08dcc6bc02fc5141663c98d5494feda8 |
| SHA1 | e4165fa1016abab181fc892ba9029b824b0d622e |
| SHA256 | 0618ce58995eaa5d0fe37c94d495667125e0cea00fa88514b74961a50c19efda |
| SHA512 | b075cecc369719eb84fc20ac0f115b4f17f0db52a42f067a1bf4c6cde744366332fcfe47d5ca30ce630423eaaed34ecd1af12446e1de1cab31cd931bab34e3f8 |
\??\c:\windows\SysWOW64\liprip.dll
| MD5 | 16583e7ad98f91085869b33eb84c6209 |
| SHA1 | 9bf51febdf1323560f5819414620965e51573136 |
| SHA256 | b2ece41bcfa9073f25f1318943cba29ce6c7f39ec70ddd60dacc175cf69cbadf |
| SHA512 | 9c37ed04f19537120b5cd125f5c662c0c5744c4af7f33223b1bc4f67b30c9e0654c8881b9bbc6055ca9609b9fc3751e256f9b6ea4750b0c066c633a3bf865cf0 |
C:\Windows\SysWOW64\fsutk.dll
| MD5 | 6b94b3d1346abfd7835872017d019306 |
| SHA1 | 6a502f7729addddcf2861a5cb058cc647364b951 |
| SHA256 | f0d468ef5996d4cddff6b73d4feb39aecaa34ac6594612116865c18e38860887 |
| SHA512 | 64f4e3f235564eff9a313d86a45a2995f4995c9f2c1d30d677d2c8b2326eb65d1fd8f47714e8aa6fe133d8fcce587be5fa13b2674ca60ebf314d38b8e898e528 |
memory/3236-17-0x0000000001C40000-0x0000000001C60000-memory.dmp