ead0fc1c3c02bdad700377ea7a370168961c0ab8bf3446354f6ddc12935e869b

Analysis

max time kernel
15s
max time network
17s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 17:39

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

2d3cbf910df43264235e8a4d43bd7557_JaffaCakes118.exe
Size

244KB
MD5

2d3cbf910df43264235e8a4d43bd7557
SHA1

dd4345ab1d5efee41909f9e125b398e041e30264
SHA256

ead0fc1c3c02bdad700377ea7a370168961c0ab8bf3446354f6ddc12935e869b
SHA512

de6a72a32b6be0048ea3f5d3f80432e92083def8bb0a82946f6433dabbcdf024afe2d24f173e672b353713ffab03c0afa932f9153dae0dc5e4450f219af9c5ac
SSDEEP

3072:IwJInJ1CeJ3ixPRUNk9ay+GFuzakZRNmGCKsLo7i8Q:ILnJSxPLtu2kZtCKsLo7i

Score

8^/10

adware defense_evasion persistence stealer

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 2 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Iprip\Parameters\ServiceDll = "C:\\WINDOWS\\SYSTEM32\\liprip.dll"	els.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Iprip\Parameters\ServiceDll = "C:\\Windows\\system32\\liprip.dll"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2928	els.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Iprip\ = "Service"	svchost.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Iprip\	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
2816	2d3cbf910df43264235e8a4d43bd7557_JaffaCakes118.exe
2816	2d3cbf910df43264235e8a4d43bd7557_JaffaCakes118.exe
2916	svchost.exe
2916	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repst = "C:\\Windows\\system32\\iprep.exe"	svchost.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fsutk.dll	2d3cbf910df43264235e8a4d43bd7557_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\liprip.dll	els.exe
File opened for modification	C:\Windows\SysWOW64\fsutk.dll	svchost.exe
File created	C:\Windows\SysWOW64\iprep.exe	svchost.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Autodesk	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.1	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Autodesk\AutoCAD\R16.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Autodesk\AutoCAD	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R18.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.0	svchost.exe
Key created	\REGISTRY\USER\S-1-5-18	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.2	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.1	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.2	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0"	svchost.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "QuickFlash"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{BF50AC63-19DA-487E-AD4A-0B452D823B59}"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ThreadingModel = "Apartment"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\ = "IEHlprObj.IEHlprObj.1"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "QuickFlash"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E5CBF21-D15F-11d0-8301-00AA005B4383}\InProcServer32\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ = "QuickFlash"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ = "C:\\Windows\\SysWow64\\fsutk.dll"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\	els.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2916	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2816	2d3cbf910df43264235e8a4d43bd7557_JaffaCakes118.exe
2928	els.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 2928	2816	2d3cbf910df43264235e8a4d43bd7557_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2928	2816	2d3cbf910df43264235e8a4d43bd7557_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2928	2816	2d3cbf910df43264235e8a4d43bd7557_JaffaCakes118.exe	31
PID 2816 wrote to memory of 2928	2816	2d3cbf910df43264235e8a4d43bd7557_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\2d3cbf910df43264235e8a4d43bd7557_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d3cbf910df43264235e8a4d43bd7557_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Users\Admin\AppData\Local\Temp\els.exe
  "C:\Users\Admin\AppData\Local\Temp\els.exe"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2928

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Server Software Component: Terminal Services DLL
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2132

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\fsutk.dll

Filesize
116KB

MD5
a97ed0aae01704cf4b94d0f87225d36a

SHA1
d32a4f47f220cb0117d8a52d8b4adc51f73fb6d2

SHA256
e08c53c88af1d368b8f841d5c5649a9b185fde1498aebdbf942ef729a1799ed6

SHA512
b1e2a704c893b2095e96d20bf2e2c650156cb39816ddbf977888298aedb8a75998ce4ff9d094e83fb53542aaedfbad4e6d44ae9d80acfb1712b2015f4c75991b

Download Submit
\??\c:\$Recycle.bin\int.dat

Filesize
220KB

MD5
6ee0d65d54a3e80541b16e442a87e9f2

SHA1
b8ffde1b95125b2f1a185051cf22499683d16b6f

SHA256
e11ee5583fa78fa73f0119dc3896d889087669b61d8e3121df68fdb451b09fb8

SHA512
e61aaa9f332fb06e90d95c6f4f3011d2ae9e60fb66ed3080ab29ddb417a9315c7768b544e1a8cb212408563d37d98b5ab530153e9c27cd65dd8b7ac33f978d0a

Download Submit
\??\c:\windows\SysWOW64\liprip.dll

Filesize
84KB

MD5
a991a222878d998a8093851a804a5384

SHA1
49b407c9254daa433b2d5c2d919667a18bfb22f5

SHA256
0825cdd78ab935be92b1a1133447f6d75a0cf0d8315d8abf99541a8158dd170d

SHA512
52e35242df28fd10ae2f69b0782e9a9dcc0600f6510ddaf464fcad529a3e42d0b29c0cbe9244a5d04390be8c23c378fdb509623639ff93c2b85dfb94a2bc671f

Download Submit
\Users\Admin\AppData\Local\Temp\els.exe

Filesize
20KB

MD5
6c213102c8a7077330bf72e3030c1592

SHA1
04ed32f30010cae5c074405621dca033c8940133

SHA256
1f558cfa0fc8a53e1df635ddf977aec2c84616cdd267be1e9adf402347ba8b2e

SHA512
4a64a1796df186545107b5adf9a92508e2e5a817c31592ffaefe695bcd24e70f9c125859d7f1ada23d9831d5b72c0b9bd749e5e82c4bf94d2b7307311cd2fcd5

Download Submit
memory/528-138-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2132-83-0x0000000002D90000-0x0000000002D91000-memory.dmp

Filesize
4KB

Download
memory/2916-18-0x0000000000150000-0x0000000000170000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads