isrstealer | 0359fe210e864779b977a9b12ad000fa0cbaa97ea4c8e12af197ba0a30303b58

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 17:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Size

280KB
MD5

16d143711c1d631e3034c279d6a5cb88
SHA1

fb931528d88d8e4107c5bdda1125c00a341d5656
SHA256

0359fe210e864779b977a9b12ad000fa0cbaa97ea4c8e12af197ba0a30303b58
SHA512

1824afc66ab91756d995a39acb32a8392cc59b79968fa897a750046f16141afe31014ee5a26d446659ae5ae64a67728121b18eb6b7e904ae94ddd19cc3aaf088
SSDEEP

6144:Mi1TzaLuFWa1lW6QNT1gC3B7n/4K51z2abHL/nDOYNHUbUQcDKbtavfw8a:t1TzaLulqgC3B7N50abHL/nDOYljQrbh

Score

10^/10

isrstealer evasion persistence stealer trojan

Malware Config

Signatures

ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 2 IoCs

resource	yara_rule
behavioral1/memory/2664-39-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral1/memory/2664-36-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	reg.exe

Loads dropped DLL 4 IoCs

pid	Process
1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\explorer.exe"	REG.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\PELoader.ocx	cmd.exe
File opened for modification	C:\Windows\SysWOW64\PELoader.ocx	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 2664	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	52

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\TypeLib\ = "{4BB1DCD7-E971-4EA7-B115-745EA1467E43}"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\TypeLib\Version = "2.0"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PELoader.ocx, 30000"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RunPE.PELoader\ = "RunPE.PELoader"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\MiscStatus\1\ = "132497"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\Implemented Categories\{0DE86A57-2BAA-11CF-A229-00AA003D7352}	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\TypeLib	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\ = "RunPE.PELoader"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ProxyStubClsid	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\ProxyStubClsid	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\Implemented Categories	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0\0\win32	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\TypeLib\ = "{4BB1DCD7-E971-4EA7-B115-745EA1467E43}"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PELoader.ocx"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\MiscStatus	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\ = "__PELoader"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ = "PELoader"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\TypeLib\Version = "2.0"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\Control\	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RunPE.PELoader	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\TypeLib	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RunPE.PELoader\Clsid\ = "{55F8A924-246F-4EFD-B98F-14F456EDD580}"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0\0	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\TypeLib\Version = "2.0"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ = "_PELoader"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\ProxyStubClsid32	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\InprocServer32	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\TypeLib	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\PELoader.ocx"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\ProgID\ = "RunPE.PELoader"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RunPE.PELoader\Clsid	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\Implemented Categories\{0DE86A53-2BAA-11CF-A229-00AA003D7352}	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ = "_PELoader"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\TypeLib\Version = "2.0"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\InprocServer32\ThreadingModel = "Apartment"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\ProxyStubClsid32	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\VERSION	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\Implemented Categories\{0DE86A52-2BAA-11CF-A229-00AA003D7352}	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0\HELPDIR	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ProxyStubClsid32	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\TypeLib	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\ = "__PELoader"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\TypeLib\ = "{4BB1DCD7-E971-4EA7-B115-745EA1467E43}"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\VERSION\ = "2.0"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0\FLAGS	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4BB1DCD7-E971-4EA7-B115-745EA1467E43}\2.0\FLAGS\ = "2"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\TypeLib\ = "{4BB1DCD7-E971-4EA7-B115-745EA1467E43}"	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BD74B12A-7E7A-4CC6-BAE9-677963B8D0F5}\ProxyStubClsid32	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\Control	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{55F8A924-246F-4EFD-B98F-14F456EDD580}\ToolboxBitmap32	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45665203-7270-4D1C-A525-932A42FBBF10}\TypeLib	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2644	REG.exe

Runs net.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2964	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	28
PID 1720 wrote to memory of 2964	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	28
PID 1720 wrote to memory of 2964	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	28
PID 1720 wrote to memory of 2964	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	28
PID 1720 wrote to memory of 2644	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	31
PID 1720 wrote to memory of 2644	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	31
PID 1720 wrote to memory of 2644	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	31
PID 1720 wrote to memory of 2644	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	31
PID 1720 wrote to memory of 2720	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2720	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2720	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2720	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2912	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	34
PID 1720 wrote to memory of 2912	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	34
PID 1720 wrote to memory of 2912	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	34
PID 1720 wrote to memory of 2912	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	34
PID 1720 wrote to memory of 2576	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	36
PID 1720 wrote to memory of 2576	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	36
PID 1720 wrote to memory of 2576	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	36
PID 1720 wrote to memory of 2576	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	36
PID 1720 wrote to memory of 2896	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	38
PID 1720 wrote to memory of 2896	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	38
PID 1720 wrote to memory of 2896	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	38
PID 1720 wrote to memory of 2896	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	38
PID 1720 wrote to memory of 2764	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	40
PID 1720 wrote to memory of 2764	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	40
PID 1720 wrote to memory of 2764	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	40
PID 1720 wrote to memory of 2764	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	40
PID 1720 wrote to memory of 2728	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	43
PID 1720 wrote to memory of 2728	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	43
PID 1720 wrote to memory of 2728	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	43
PID 1720 wrote to memory of 2728	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	43
PID 1720 wrote to memory of 2744	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	44
PID 1720 wrote to memory of 2744	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	44
PID 1720 wrote to memory of 2744	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	44
PID 1720 wrote to memory of 2744	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	44
PID 1720 wrote to memory of 2744	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	44
PID 1720 wrote to memory of 2744	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	44
PID 1720 wrote to memory of 2744	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	44
PID 2720 wrote to memory of 2564	2720	cmd.exe	47
PID 2720 wrote to memory of 2564	2720	cmd.exe	47
PID 2720 wrote to memory of 2564	2720	cmd.exe	47
PID 2720 wrote to memory of 2564	2720	cmd.exe	47
PID 2896 wrote to memory of 2036	2896	cmd.exe	48
PID 2896 wrote to memory of 2036	2896	cmd.exe	48
PID 2896 wrote to memory of 2036	2896	cmd.exe	48
PID 2896 wrote to memory of 2036	2896	cmd.exe	48
PID 2912 wrote to memory of 2516	2912	cmd.exe	46
PID 2912 wrote to memory of 2516	2912	cmd.exe	46
PID 2912 wrote to memory of 2516	2912	cmd.exe	46
PID 2912 wrote to memory of 2516	2912	cmd.exe	46
PID 2764 wrote to memory of 2876	2764	cmd.exe	49
PID 2764 wrote to memory of 2876	2764	cmd.exe	49
PID 2764 wrote to memory of 2876	2764	cmd.exe	49
PID 2764 wrote to memory of 2876	2764	cmd.exe	49
PID 2564 wrote to memory of 2740	2564	net.exe	50
PID 2564 wrote to memory of 2740	2564	net.exe	50
PID 2564 wrote to memory of 2740	2564	net.exe	50
PID 2564 wrote to memory of 2740	2564	net.exe	50
PID 2516 wrote to memory of 3000	2516	net.exe	51
PID 2516 wrote to memory of 3000	2516	net.exe	51
PID 2516 wrote to memory of 3000	2516	net.exe	51
PID 2516 wrote to memory of 3000	2516	net.exe	51
PID 1720 wrote to memory of 2664	1720	16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe	52

C:\Users\Admin\AppData\Local\Temp\16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\16d143711c1d631e3034c279d6a5cb88_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\rst.bat" "
  2⤵
  PID:2964
- C:\Windows\SysWOW64\REG.exe
  REG ADD HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v "Explorer" /d "C:\Users\Admin\AppData\Local\Temp\explorer.exe" /t REG_SZ
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop "Security Center"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2720
- - C:\Windows\SysWOW64\net.exe
    net stop "Security Center"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Security Center"
      4⤵
      PID:2740
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c net stop SharedAccess
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\net.exe
    net stop SharedAccess
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop SharedAccess
      4⤵
      PID:3000
- C:\Windows\SysWOW64\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess" /v Start /t REG_DWORD /d 0x4 /f
  2⤵
  PID:2576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /v Start /t REG_DWORD /d 0x4 /f
    3⤵
    - Modifies security service
    PID:2036
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\reg.exe
    reg add "HKLM\SYSTEM\CurrentControlSet\Services\wscsvc" /v Start /t REG_DWORD /d 0x4 /f
    3⤵
    - Modifies security service
    PID:2876
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\copy.bat" "
  2⤵
  - Drops file in System32 directory
  PID:2728
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32 C:\Windows\system32\PELoader.ocx /s
  2⤵
  PID:2744
- C:\Windows\SysWOW64\cmd.exe
  cmd
  2⤵
  PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\PELoader.ocx

Filesize
28KB

MD5
5b19a2d3c7a1c97fcbac23d9c0661c0c

SHA1
34bff82bd1008e6bbc7afaaa48be6a977cbc7de7

SHA256
26387fa757f9d8a0e8532d330b5b3bbfee37c2df0125f43d458c36e95cab9a25

SHA512
b23fd7d09da6814351f3156f9bff0ed3fb7328f17324fb5ffc0483069d9f1187793f622fb92140fa4c9a9b308614c823783891247d50912bee28c794cbacc748

Download Submit
C:\Users\Admin\AppData\Local\Temp\copy.bat

Filesize
90B

MD5
cfb653509db21d1f42180210a19477ac

SHA1
34ef6c12321929363aad04a802c709a07c6e075c

SHA256
9fd81e595efb9d9f949ba3a0360297a258d21c74a6fcb676b4ed7ecb42e5c0c2

SHA512
a37b46519e41a38799b8742a629bc9d51614b696984792c75e4a4db091f79a8206caaf7bbdb1fdc9f86592e6b3cca4228346e477244d4bccf17fbc9113dfc06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.rst

Filesize
280KB

MD5
16d143711c1d631e3034c279d6a5cb88

SHA1
fb931528d88d8e4107c5bdda1125c00a341d5656

SHA256
0359fe210e864779b977a9b12ad000fa0cbaa97ea4c8e12af197ba0a30303b58

SHA512
1824afc66ab91756d995a39acb32a8392cc59b79968fa897a750046f16141afe31014ee5a26d446659ae5ae64a67728121b18eb6b7e904ae94ddd19cc3aaf088

Download Submit
C:\Users\Admin\AppData\Local\Temp\rst.bat

Filesize
280B

MD5
0df18a68e203268750eea8f099deac66

SHA1
ce8c8edcb67dde60f239705b2c0315a30fb65fc9

SHA256
87093bdce5668ba3a3e01083229df751c311c457cddb3eab7169f3ceac0b187c

SHA512
dec1faae69be706874e04b8ef10ead52d63ada3e693dcff87a9855b9fa18fd3dd16f1133b6498ddfb0fb05c1dd5e0d5ff7f50f1639956ceea7a46a0b096eaa5f

Download Submit
memory/2664-39-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2664-40-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2664-36-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2664-35-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2664-34-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads