Malware Analysis Report

2025-03-15 00:50

Sample ID: 240626-pgssjatgqa
Target: 11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118
SHA256: 768a623a22cdcd633110581f30d990823e70a62f4d17acad954b4814b2f42098
Tags: adware defense_evasion persistence stealer
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: 768a623a22cdcd633110581f30d990823e70a62f4d17acad954b4814b2f42098

Threat Level: Likely malicious

The file 11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118 was found to be: Likely malicious.

Both detonations (Windows 7 and Windows 10, below) show the same installation chain. The sample writes fsutk.dll into SysWOW64 and executes a second, dropped executable from its own %TEMP% directory under a random three-letter name (tah.exe on Windows 7, yfm.exe on Windows 10; the hashes are identical in both runs, so hunt on the hash, not the name). That dropper writes liprip.dll and points the ServiceDll of the Iprip service (the RIP Listener, whose legitimate DLL is iprip.dll; note the one-letter look-alike) at it. A 32-bit svchost.exe then hosts the DLL (svchost.exe -k netsvcs -s Iprip in the Windows 10 run), registers the service under SafeBoot\Minimal\Iprip so it is also started in Safe Mode, registers fsutk.dll as an Internet Explorer Browser Helper Object with CLSID {BF50AC63-19DA-487E-AD4A-0B452D823B59}, ProgID IEHlprObj.IEHlprObj and the display name "QuickFlash", drops iprep.exe and queues it through a RunOnce value named repst, and acquires SeShutdownPrivilege, which together with the RunOnce entry suggests the installer completes itself across a reboot. The same svchost also creates keys for AutoCAD releases R16.0 through R18.0 under HKU\.DEFAULT\SOFTWARE\Autodesk, which suggests an interest in AutoCAD installations. A further file, int.dat, is staged in C:\$Recycle.bin.

Two sandbox labels need reading with care. "Server Software Component: Terminal Services DLL" is the signature the sandbox applies to ServiceDll modifications in general; the service hijacked here is Iprip, not Terminal Services. "Impair Defenses: Safe Mode Boot" here registers the malicious service to load in Safe Mode rather than disabling a defence. Registry values written by LogonUI.exe (DWM colourisation and Accent values) are logon-screen housekeeping, not sample activity, and no traffic attributable to the sample was captured in either run (see the Network sections).

Malicious Activity Summary

adware defense_evasion persistence stealer

Server Software Component: Terminal Services DLL

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Installs/modifies Browser Helper Object

Drops file in System32 directory

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15. The behaviours above map to the following techniques:

T1543.003 Create or Modify System Process: Windows Service (ServiceDll of the Iprip service redirected to liprip.dll; the sandbox reports this under the broader label T1505.005 Server Software Component: Terminal Services DLL, its signature for ServiceDll changes in general)
T1562.009 Impair Defenses: Safe Mode Boot (SafeBoot\Minimal\Iprip)
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (RunOnce\repst)
T1176 Browser Extensions (Browser Helper Object {BF50AC63-19DA-487E-AD4A-0B452D823B59})

Analysis: static1

Detonation Overview

Reported: 2024-06-26 12:18

Signatures

Unsigned PE: the sample carries no Authenticode signature. No further indicator, process or target is recorded for this static check.

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-26 12:18
Reported: 2024-06-26 12:18
Platform: win7-20240508-en
Max time kernel: 14s
Max time network: 16s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe"

Signatures

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Iprip\Parameters\ServiceDll = "C:\\WINDOWS\\SYSTEM32\\liprip.dll" C:\Users\Admin\AppData\Local\Temp\tah.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Iprip\Parameters\ServiceDll = "C:\\Windows\\system32\\liprip.dll" C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\tah.exe (the dropped executable listed under Files)

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Iprip\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Iprip\ = "Service" C:\Windows\SysWOW64\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repst = "C:\\Windows\\system32\\iprep.exe" C:\Windows\SysWOW64\svchost.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\fsutk.dll C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe N/A
File created C:\WINDOWS\SysWOW64\liprip.dll C:\Users\Admin\AppData\Local\Temp\tah.exe N/A
File opened for modification C:\WINDOWS\SysWOW64\liprip.dll C:\Users\Admin\AppData\Local\Temp\tah.exe N/A
File opened for modification C:\Windows\SysWOW64\fsutk.dll C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\iprep.exe C:\Windows\SysWOW64\svchost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-18 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.1 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.0 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.0 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.1 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.2 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.2 C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R18.0 C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "QuickFlash" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\ = "IEHlprObj.IEHlprObj.1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "QuickFlash" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E5CBF21-D15F-11d0-8301-00AA005B4383}\InProcServer32\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ = "C:\\Windows\\SysWow64\\fsutk.dll" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\ C:\Users\Admin\AppData\Local\Temp\tah.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ = "QuickFlash" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{BF50AC63-19DA-487E-AD4A-0B452D823B59}" C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Processes: C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe and C:\Users\Admin\AppData\Local\Temp\tah.exe (both install a Windows hook; the hook type is not recorded)

Processes

C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\tah.exe

"C:\Users\Admin\AppData\Local\Temp\tah.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x1

Network

No network traffic was captured during the Windows 7 detonation.

Files

\Users\Admin\AppData\Local\Temp\tah.exe

MD5 862f32de31faa91bc93290a7b9139cd9
SHA1 f702fb688f9803788f02ee69ba2ccc467073fabb
SHA256 95937171a8176f21a1e3270dd96790bdeb56b84cf481678ea8cde69e2c135439
SHA512 28af358eb6f2ecc60babc373f8023a66b424de851a331d15ae2f98b88b379c26d618bd635921b9547d44f02db47ad7ef2d71c340eb4b759bee2cbccf5aa5a628

\??\c:\$Recycle.bin\int.dat

MD5 08dcc6bc02fc5141663c98d5494feda8
SHA1 e4165fa1016abab181fc892ba9029b824b0d622e
SHA256 0618ce58995eaa5d0fe37c94d495667125e0cea00fa88514b74961a50c19efda
SHA512 b075cecc369719eb84fc20ac0f115b4f17f0db52a42f067a1bf4c6cde744366332fcfe47d5ca30ce630423eaaed34ecd1af12446e1de1cab31cd931bab34e3f8

\??\c:\windows\SysWOW64\liprip.dll

MD5 16583e7ad98f91085869b33eb84c6209
SHA1 9bf51febdf1323560f5819414620965e51573136
SHA256 b2ece41bcfa9073f25f1318943cba29ce6c7f39ec70ddd60dacc175cf69cbadf
SHA512 9c37ed04f19537120b5cd125f5c662c0c5744c4af7f33223b1bc4f67b30c9e0654c8881b9bbc6055ca9609b9fc3751e256f9b6ea4750b0c066c633a3bf865cf0

C:\Windows\SysWOW64\fsutk.dll

MD5 6b94b3d1346abfd7835872017d019306
SHA1 6a502f7729addddcf2861a5cb058cc647364b951
SHA256 f0d468ef5996d4cddff6b73d4feb39aecaa34ac6594612116865c18e38860887
SHA512 64f4e3f235564eff9a313d86a45a2995f4995c9f2c1d30d677d2c8b2326eb65d1fd8f47714e8aa6fe133d8fcce587be5fa13b2674ca60ebf314d38b8e898e528

Memory dumps taken during the run:

memory/2068-19-0x0000000000150000-0x0000000000170000-memory.dmp
memory/2476-80-0x0000000002E10000-0x0000000002E11000-memory.dmp
memory/1292-135-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-26 12:18
Reported: 2024-06-26 12:18
Platform: win10v2004-20240226-en
Max time kernel: 23s
Max time network: 29s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe"

Signatures

Server Software Component: Terminal Services DLL

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Iprip\Parameters\ServiceDll = "C:\\WINDOWS\\SYSTEM32\\liprip.dll" C:\Users\Admin\AppData\Local\Temp\yfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Iprip\Parameters\ServiceDll = "C:\\Windows\\system32\\liprip.dll" C:\Windows\SysWOW64\svchost.exe N/A

Executes dropped EXE

Process: C:\Users\Admin\AppData\Local\Temp\yfm.exe (the dropped executable listed under Files)

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Iprip\ = "Service" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Iprip\ C:\Windows\SysWOW64\svchost.exe N/A

Loads dropped DLL

Process: C:\Windows\SysWOW64\svchost.exe (three loads recorded; the DLL names are not given, but liprip.dll and fsutk.dll are the dropped DLLs this process references in the registry)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repst = "C:\\Windows\\system32\\iprep.exe" C:\Windows\SysWOW64\svchost.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\fsutk.dll C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe N/A
File created C:\WINDOWS\SysWOW64\liprip.dll C:\Users\Admin\AppData\Local\Temp\yfm.exe N/A
File opened for modification C:\WINDOWS\SysWOW64\liprip.dll C:\Users\Admin\AppData\Local\Temp\yfm.exe N/A
File opened for modification C:\Windows\SysWOW64\fsutk.dll C:\Windows\SysWOW64\svchost.exe N/A
File created C:\Windows\SysWOW64\iprep.exe C:\Windows\SysWOW64\svchost.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Autodesk C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.2 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.2 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.1 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R18.0 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\Software C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.0 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59} C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Autodesk\AutoCAD\R16.0 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.0 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Autodesk\AutoCAD C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.1 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ = "C:\\Windows\\SysWow64\\fsutk.dll" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\ C:\Users\Admin\AppData\Local\Temp\yfm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ = "QuickFlash" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "QuickFlash" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\ C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\ = "IEHlprObj.IEHlprObj.1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "QuickFlash" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{BF50AC63-19DA-487E-AD4A-0B452D823B59}" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0E5CBF21-D15F-11d0-8301-00AA005B4383}\InProcServer32\ C:\Windows\SysWOW64\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
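The four persistence entries tabulated in both behavioral runs (the ServiceDll write, the SafeBoot key, the RunOnce value and the BHO registration) and the System32/SysWOW64 mismatch between the registry values and the File created rows are easier to see when the rows are correlated by the file they point at. The following Python is an added example, not part of the sandbox report or its signature engine: its event rows are transcribed from the tables above with trailing key backslashes dropped, and the rule names (service_dll, safe_mode_boot, run_key, bho), the WOW64 redirection step and the chaining are this example's own assumptions.

```python
"""Rule-based reading of the registry and file events tabulated in this report.

Added illustration, not the sandbox's own logic: SAMPLE_EVENTS is transcribed
from the behavioral1/behavioral2 tables (trailing key backslashes dropped); the
rules, the WOW64 path normalisation and the chaining are this example's assumptions.
"""
import re
from dataclasses import dataclass

SVCHOST = r"C:\Windows\SysWOW64\svchost.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\tah.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe"

# (operation, indicator, writing process) rows copied from the tables above.
SAMPLE_EVENTS = [
    ("Set value (str)", r'\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Iprip\Parameters\ServiceDll = "C:\\WINDOWS\\SYSTEM32\\liprip.dll"', DROPPER),
    ("Key created", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Iprip", SVCHOST),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repst = "C:\\Windows\\system32\\iprep.exe"', SVCHOST),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}", SVCHOST),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ = "C:\\Windows\\SysWow64\\fsutk.dll"', SVCHOST),
    ("File created", r"C:\Windows\SysWOW64\fsutk.dll", SAMPLE),
    ("File created", r"C:\WINDOWS\SysWOW64\liprip.dll", DROPPER),
    ("File created", r"C:\Windows\SysWOW64\iprep.exe", SVCHOST),
    # Logon-screen housekeeping from the same table; it must not yield a finding.
    ("Set value (int)", r'\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"', r"C:\Windows\system32\LogonUI.exe"),
]

# Key paths are matched lower-cased, with the trailing separator removed.
_RULES = [
    ("service_dll", re.compile(r"\\services\\([^\\]+)\\parameters\\servicedll$")),
    ("safe_mode_boot", re.compile(r"\\control\\safeboot\\(?:minimal|network)\\([^\\]+)$")),
    ("run_key", re.compile(r"\\currentversion\\(?:run|runonce)\\([^\\]+)$")),
    ("bho", re.compile(r"\\explorer\\browser helper objects\\(\{[0-9a-f-]+\})$")),
]
_CLSID_SERVER = re.compile(r"\\clsid\\(\{[0-9a-f-]+\})\\inprocserver32$")


@dataclass(frozen=True)
class Finding:
    rule: str      # heuristic that fired
    subject: str   # service name, value name or CLSID the entry is keyed on
    payload: str   # canonical on-disk path the entry points at ("" if it names none)
    dropped: bool  # that path was also created on disk during the run
    process: str   # process that first wrote the entry


def parse_indicator(indicator):
    """Split the report's 'key\\value = "data"' form into (key path, data or None).
    The sandbox prints backslashes inside data doubled; undo that."""
    path, sep, rest = indicator.partition(' = "')
    data = rest[:-1].replace("\\\\", "\\") if sep and rest.endswith('"') else None
    return path.rstrip("\\"), data


def canon_file(path):
    """Lower-case and apply WOW64 file-system redirection. The writers here are
    32-bit processes (they live in SysWOW64), so a 'system32' path they store
    resolves to SysWOW64 when 32-bit code loads it; that is why the registry
    rows say system32 while the File created rows say SysWOW64."""
    return path.lower().replace("\\windows\\system32\\", "\\windows\\syswow64\\")


def triage(events):
    """One Finding per persistence entry in (operation, indicator, process) rows."""
    dropped, clsid_server, writes = set(), {}, []
    for op, indicator, process in events:
        if op.startswith("File created"):
            dropped.add(canon_file(indicator))
        elif op.startswith(("Set value", "Key created")):
            path, data = parse_indicator(indicator)
            path = path.lower()
            writes.append((path, data, process))
            m = _CLSID_SERVER.search(path)
            if m and data:  # COM server registration, needed to resolve a BHO to its DLL
                clsid_server[m.group(1)] = data
    findings = {}
    for path, data, process in writes:
        for rule, pattern in _RULES:
            m = pattern.search(path)
            if not m:
                continue
            subject = m.group(1)
            if rule == "bho":
                target = clsid_server.get(subject, "")
            elif rule == "safe_mode_boot":
                target = ""  # the SafeBoot entry names a service, not a file
            else:
                target = data or ""
            payload = canon_file(target) if target else ""
            findings.setdefault((rule, subject), Finding(rule, subject, payload, payload in dropped, process))
    return list(findings.values())


def persistence_chain(findings):
    """Group rules by the on-disk payload they lead to. A SafeBoot entry has no
    path of its own, so it is tied to the ServiceDll finding for the same service."""
    service_dll = {f.subject: f.payload for f in findings if f.rule == "service_dll"}
    chain = {}
    for f in findings:
        chain.setdefault(f.payload or service_dll.get(f.subject, ""), []).append(f.rule)
    return chain


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule:<15} {f.subject:<40} -> {f.payload or '-'} dropped={f.dropped} by {f.process}")
    for payload, rules in persistence_chain(found).items():
        print(payload, "<-", " + ".join(rules))
```

Run as a script it prints the four findings and the chain (liprip.dll reached through both the ServiceDll and SafeBoot entries, fsutk.dll through the BHO, iprep.exe through RunOnce). The point to carry into a real hunt is the canon_file step: values written by 32-bit code name System32 while the files land in SysWOW64, so a search for either path alone misses half the evidence.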

Processes

C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\11f19953e60b9fb51290e6e2c957ef83_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\yfm.exe

"C:\Users\Admin\AppData\Local\Temp\yfm.exe"

C:\Windows\SysWOW64\svchost.exe

C:\Windows\SysWOW64\svchost.exe -k netsvcs -s Iprip

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa3982855 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 84.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
GB 142.250.187.202:443 (no domain recorded) tcp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

All DNS entries are reverse (PTR) lookups sent to 8.8.8.8 for addresses in Microsoft, Akamai and Edgecast ranges, and the single TCP session is to a Google address (142.250.187.202:443). The report ties none of this to the sample's processes and the Windows 7 run produced no traffic at all, so it is most likely Windows 10 background activity rather than command-and-control; do not treat these addresses as indicators of the sample.

Files

C:\Users\Admin\AppData\Local\Temp\yfm.exe

MD5 862f32de31faa91bc93290a7b9139cd9
SHA1 f702fb688f9803788f02ee69ba2ccc467073fabb
SHA256 95937171a8176f21a1e3270dd96790bdeb56b84cf481678ea8cde69e2c135439
SHA512 28af358eb6f2ecc60babc373f8023a66b424de851a331d15ae2f98b88b379c26d618bd635921b9547d44f02db47ad7ef2d71c340eb4b759bee2cbccf5aa5a628

\??\c:\$Recycle.bin\int.dat

MD5 08dcc6bc02fc5141663c98d5494feda8
SHA1 e4165fa1016abab181fc892ba9029b824b0d622e
SHA256 0618ce58995eaa5d0fe37c94d495667125e0cea00fa88514b74961a50c19efda
SHA512 b075cecc369719eb84fc20ac0f115b4f17f0db52a42f067a1bf4c6cde744366332fcfe47d5ca30ce630423eaaed34ecd1af12446e1de1cab31cd931bab34e3f8

\??\c:\windows\SysWOW64\liprip.dll

MD5 16583e7ad98f91085869b33eb84c6209
SHA1 9bf51febdf1323560f5819414620965e51573136
SHA256 b2ece41bcfa9073f25f1318943cba29ce6c7f39ec70ddd60dacc175cf69cbadf
SHA512 9c37ed04f19537120b5cd125f5c662c0c5744c4af7f33223b1bc4f67b30c9e0654c8881b9bbc6055ca9609b9fc3751e256f9b6ea4750b0c066c633a3bf865cf0

C:\Windows\SysWOW64\fsutk.dll

MD5 6b94b3d1346abfd7835872017d019306
SHA1 6a502f7729addddcf2861a5cb058cc647364b951
SHA256 f0d468ef5996d4cddff6b73d4feb39aecaa34ac6594612116865c18e38860887
SHA512 64f4e3f235564eff9a313d86a45a2995f4995c9f2c1d30d677d2c8b2326eb65d1fd8f47714e8aa6fe133d8fcce587be5fa13b2674ca60ebf314d38b8e898e528

Memory dumps taken during the run:

memory/3236-17-0x0000000001C40000-0x0000000001C60000-memory.dmp