c3cb2cb01f17da9130df35f0df11cdb66e72d143fcfdad1070912184a1bae74f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
03-07-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

214b1d4c6fe3598b353aa82a5b043b64_JaffaCakes118.exe
Size

23KB
MD5

214b1d4c6fe3598b353aa82a5b043b64
SHA1

d1144108d42c71b1fc29121645e0959ace414d65
SHA256

c3cb2cb01f17da9130df35f0df11cdb66e72d143fcfdad1070912184a1bae74f
SHA512

d844c21794dc392e242f184f87321a25bbbaa77893e79a23200451200c0fbe83bb5e96c6cfd55801f4222133e5e01923f4d4f33967f094f951973d98ca1de132
SSDEEP

384:u8DaGTvGndbZ6QjJOJ8xY12ZEJUQY/RfNcHxBzOEsAOgm73D3YTGz:uWTedh4J8G1/bIULyAOgmP6

Score

8^/10

adware discovery persistence stealer upx

Malware Config

Signatures

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\explorer\run	isamntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\user32.dll = "C:\\Program Files (x86)\\Internet Security\\isamntr.exe"	isamntr.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation	214b1d4c6fe3598b353aa82a5b043b64_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3112	isamntr.exe
916	isamini.exe

Loads dropped DLL 1 IoCs

pid	Process
3112	isamntr.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2576-0-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral2/memory/2576-15-0x0000000000400000-0x0000000000419000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 3 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}	isamntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\	isamntr.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	isamntr.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Security\isamntr.exe	214b1d4c6fe3598b353aa82a5b043b64_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Security\isadd.dll	isamntr.exe
File created	C:\Program Files (x86)\Internet Security\isunst.exe	214b1d4c6fe3598b353aa82a5b043b64_JaffaCakes118.exe
File created	C:\Program Files (x86)\Internet Security\isamini.exe	isamntr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Search	isamntr.exe
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Internet Explorer\Main	isamntr.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}	isamntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\	isamntr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32	isamntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32\ = "C:\\Program Files (x86)\\Internet Security\\isadd.dll"	isamntr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A6ACAE64-F798-4930-AD86-BD3FB32038DB}\InprocServer32\ThreadingModel = "Apartment"	isamntr.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID	isamntr.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2576	214b1d4c6fe3598b353aa82a5b043b64_JaffaCakes118.exe
2576	214b1d4c6fe3598b353aa82a5b043b64_JaffaCakes118.exe
3112	isamntr.exe
3112	isamntr.exe
916	isamini.exe
916	isamini.exe
916	isamini.exe
3112	isamntr.exe
916	isamini.exe
3112	isamntr.exe
3112	isamntr.exe
916	isamini.exe
3112	isamntr.exe
916	isamini.exe
916	isamini.exe
3112	isamntr.exe
3112	isamntr.exe
916	isamini.exe
916	isamini.exe
916	isamini.exe
3112	isamntr.exe
3112	isamntr.exe
916	isamini.exe
3112	isamntr.exe
916	isamini.exe
3112	isamntr.exe
916	isamini.exe
3112	isamntr.exe
916	isamini.exe
3112	isamntr.exe
3112	isamntr.exe
916	isamini.exe
916	isamini.exe
3112	isamntr.exe
3112	isamntr.exe
3112	isamntr.exe
916	isamini.exe
916	isamini.exe
3112	isamntr.exe
916	isamini.exe
916	isamini.exe
3112	isamntr.exe
916	isamini.exe
3112	isamntr.exe
3112	isamntr.exe
916	isamini.exe
916	isamini.exe
916	isamini.exe
3112	isamntr.exe
3112	isamntr.exe
916	isamini.exe
916	isamini.exe
3112	isamntr.exe
3112	isamntr.exe
3112	isamntr.exe
916	isamini.exe
3112	isamntr.exe
916	isamini.exe
916	isamini.exe
3112	isamntr.exe
916	isamini.exe
3112	isamntr.exe
916	isamini.exe
916	isamini.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	2576	214b1d4c6fe3598b353aa82a5b043b64_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2576 wrote to memory of 3112	2576	214b1d4c6fe3598b353aa82a5b043b64_JaffaCakes118.exe	90
PID 2576 wrote to memory of 3112	2576	214b1d4c6fe3598b353aa82a5b043b64_JaffaCakes118.exe	90
PID 2576 wrote to memory of 3112	2576	214b1d4c6fe3598b353aa82a5b043b64_JaffaCakes118.exe	90
PID 3112 wrote to memory of 916	3112	isamntr.exe	91
PID 3112 wrote to memory of 916	3112	isamntr.exe	91
PID 3112 wrote to memory of 916	3112	isamntr.exe	91
PID 2576 wrote to memory of 2100	2576	214b1d4c6fe3598b353aa82a5b043b64_JaffaCakes118.exe	92
PID 2576 wrote to memory of 2100	2576	214b1d4c6fe3598b353aa82a5b043b64_JaffaCakes118.exe	92
PID 2576 wrote to memory of 2100	2576	214b1d4c6fe3598b353aa82a5b043b64_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\214b1d4c6fe3598b353aa82a5b043b64_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\214b1d4c6fe3598b353aa82a5b043b64_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2576
- C:\Program Files (x86)\Internet Security\isamntr.exe
  "C:\Program Files (x86)\Internet Security\isamntr.exe"
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Program Files (x86)\Internet Security\isamini.exe
    "C:\Program Files (x86)\Internet Security\isamini.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:916
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\214B1D~1.EXE > nul
  2⤵
  PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1308,i,3144109701624127473,12586215149656995128,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
1⤵
PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Internet Security\isadd.dll

Filesize
16KB

MD5
37f9671ee4ad25f0221af5b13374bc0f

SHA1
8c0cf9710dce4d717c23574170dcfa149346f3d4

SHA256
200f1ce0f9a344d8144476a177c3be7e5119e36ddfcafffb16ce5111abeff5bf

SHA512
637e4c46374979a4f9da12ea02a7aac5b2876892784986df18cfd6e9db2784e92cbbd52f578de8d6679a173a57d112ab77324470358cecb93f05ec483dc853c0

Download Submit
C:\Program Files (x86)\Internet Security\isamini.exe

Filesize
6KB

MD5
726b6ecac0521313fc1d734fe055089a

SHA1
d3ebeea975d7b9780fee73e26d43204fafffeb79

SHA256
98d5dba0ebb86fcaf448a016fb98e07cf0b002067a1d7597c1d857669d33bbd8

SHA512
072cf0feae04446dfd81b09d9230ed67381862031ae61dd982b84826d3ad6a20a198cff81ec174f0da88fdf01112960725116f5a788a23c0522939ed52e9cdca

Download Submit
C:\Program Files (x86)\Internet Security\isamntr.exe

Filesize
36KB

MD5
1247068c5cce64c95b1a464e661eba65

SHA1
b37d64a310fb699e858fa63d55848ede44d32ef6

SHA256
bdea3a83c8b46ab0a3f14a4630fb072cbbca089c3299b9262f4c057fa557fc0a

SHA512
3ed3c7ae599812d9c823eaa3d5044dd0ed6435efd880ba79de803f95eb98e26cf1450bd149d01fc5f48872cf1fb92f559873418c2bc5c7dea0bf44e40952a907

Download Submit
memory/2576-0-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/2576-15-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download