d8ef5dee0a4b60e1d4988f7ecbd23e7de89e8a3e45e70f60cb472d6ff89c87df

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
19-07-2024 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Size

1.3MB
MD5

5c964b00f42d449c70c160710f02bcb5
SHA1

1b49080b9e0826e7f17efa9d77443facd82e6fbf
SHA256

d8ef5dee0a4b60e1d4988f7ecbd23e7de89e8a3e45e70f60cb472d6ff89c87df
SHA512

9713ac29a55ce7ff10c7263f9da03a27a66f034476a3e8b286ba029195d61304ffee22d9e5663cc9be99f5418a788b84b2caeb6c4be62833a86757df1cd27b59
SSDEEP

24576:dvLE+68vl9upnoIDUhkul/xdjFmJ3PUKvDNju03gX9KarXL:dvY+6clknvgbhFmJ3Pr9gX9KajL

Score

8^/10

adware evasion persistence privilege_escalation stealer upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2732	netsh.exe
2644	netsh.exe
2724	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
3052	EhStorShell32.exe
2608	untfs32.exe
1836	EhStorShell32.exe
2804	lsass.exe

Loads dropped DLL 10 IoCs

pid	Process
1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
2608	untfs32.exe
2608	untfs32.exe
2608	untfs32.exe
1836	EhStorShell32.exe
3052	EhStorShell32.exe
3052	EhStorShell32.exe
2804	lsass.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1732-5-0x0000000010000000-0x0000000010087000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SysWin\\lsass.exe"	EhStorShell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SysWin\\lsass.exe"	lsass.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{100FD3A9-8D4A-4B6B-9BF0-5DF4E96AAB2c}	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\1710994757	untfs32.exe
File opened for modification	C:\Windows\SysWOW64\1f55a2321293P.manifest	untfs32.exe
File opened for modification	C:\Windows\SysWOW64\1f55a2321293C.manifest	untfs32.exe
File opened for modification	C:\Windows\SysWOW64\1f55a2321293O.manifest	untfs32.exe
File created	C:\Windows\SysWOW64\EhStorShell32.exe	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\1710994757	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\untfs32.exe	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\untfs32.exe	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\1f55a2321293S.manifest	untfs32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	untfs32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process
2880	1732	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = a9d30f104a8d6b4b9bf05df4e96aab2c	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\1f55a232 = " "	untfs32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	untfs32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	untfs32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}\WpadDecisionTime = 50c435adf2d9da01	untfs32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-4d-26-0b-9d-06\WpadDetectedUrl	untfs32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}\WpadDecisionTime = 10ea11faf2d9da01	untfs32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Oltozyjhao\CLSID	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Oltozyjhao	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	untfs32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	untfs32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	untfs32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Oltozyjhao\CLSID\ = "{54966b03-7ba6-42bc-8c03-6a8617d97bb1}"	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	untfs32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}\de-4d-26-0b-9d-06	untfs32.exe
Key created	\REGISTRY\USER\.DEFAULT	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Oltozyjhao\CLSID\ = "{54966b03-7ba6-42bc-8c03-6a8617d97bb1}"	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Oltozyjhao\CLSID	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	untfs32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	untfs32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	untfs32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-4d-26-0b-9d-06\WpadDecisionTime = 10ea11faf2d9da01	untfs32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Oltozyjhao\CLSID	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Oltozyjhao\CLSID\ = "{54966b03-7ba6-42bc-8c03-6a8617d97bb1}"	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Oltozyjhao	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0087000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	untfs32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	untfs32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-4d-26-0b-9d-06\WpadDecisionReason = "1"	untfs32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	untfs32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Oltozyjhao\CLSID	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Oltozyjhao	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}\WpadDecisionReason = "1"	untfs32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}\WpadDecision = "0"	untfs32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-4d-26-0b-9d-06	untfs32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0087000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	untfs32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-4d-26-0b-9d-06\WpadDecision = "0"	untfs32.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = a9d30f104a8d6b4b9bf05df4e96aab2c	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	untfs32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	untfs32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}	untfs32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3502DF43-B7FB-4639-BED9-E61F7BD9135B}\WpadNetworkName = "Network 3"	untfs32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\de-4d-26-0b-9d-06\WpadDecisionTime = 50c435adf2d9da01	untfs32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = a9d30f104a8d6b4b9bf05df4e96aab2c	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Software\Oltozyjhao\CLSID\ = "{54966b03-7ba6-42bc-8c03-6a8617d97bb1}"	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{100FD3A9-8D4A-4B6B-9BF0-5DF4E96AAB2c}\InprocServer32	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Software	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Software\Oltozyjhao	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler\ = "{7c144242-d872-45f6-b678-e8377d042e7a}"	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{100FD3A9-8D4A-4B6B-9BF0-5DF4E96AAB2c}\InprocServer32\ThreadingModel = "Both"	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Oltozyjhao	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{54966b03-7ba6-42bc-8c03-6a8617d97bb1}	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Software\Oltozyjhao\CLSID	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{100FD3A9-8D4A-4B6B-9BF0-5DF4E96AAB2c}	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{100FD3A9-8D4A-4B6B-9BF0-5DF4E96AAB2c}\InprocServer32\ = "C:\\Windows\\SysWow64\\api-ms-win-core-localization-l1-2-032.dll"	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Oltozyjhao\CLSID	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Oltozyjhao\CLSID\ = "{54966b03-7ba6-42bc-8c03-6a8617d97bb1}"	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Software\Oltozyjhao\CLSID	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 3052	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	30
PID 1732 wrote to memory of 3052	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	30
PID 1732 wrote to memory of 3052	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	30
PID 1732 wrote to memory of 3052	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	30
PID 1732 wrote to memory of 2724	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2724	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2724	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2724	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	31
PID 1732 wrote to memory of 2644	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	33
PID 1732 wrote to memory of 2644	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	33
PID 1732 wrote to memory of 2644	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	33
PID 1732 wrote to memory of 2644	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	33
PID 1732 wrote to memory of 2732	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	35
PID 1732 wrote to memory of 2732	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	35
PID 1732 wrote to memory of 2732	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	35
PID 1732 wrote to memory of 2732	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	35
PID 1732 wrote to memory of 2880	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	38
PID 1732 wrote to memory of 2880	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	38
PID 1732 wrote to memory of 2880	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	38
PID 1732 wrote to memory of 2880	1732	5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe	38
PID 2608 wrote to memory of 1836	2608	untfs32.exe	39
PID 2608 wrote to memory of 1836	2608	untfs32.exe	39
PID 2608 wrote to memory of 1836	2608	untfs32.exe	39
PID 2608 wrote to memory of 1836	2608	untfs32.exe	39
PID 3052 wrote to memory of 2804	3052	EhStorShell32.exe	40
PID 3052 wrote to memory of 2804	3052	EhStorShell32.exe	40
PID 3052 wrote to memory of 2804	3052	EhStorShell32.exe	40
PID 3052 wrote to memory of 2804	3052	EhStorShell32.exe	40

C:\Users\Admin\AppData\Local\Temp\5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5c964b00f42d449c70c160710f02bcb5_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Windows\SysWOW64\EhStorShell32.exe
  "C:\Windows\system32\EhStorShell32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe
    "C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    PID:2804
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\untfs32.exe" enable=yes profile=domain
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2724
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\untfs32.exe" enable=yes profile=private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2644
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\untfs32.exe" enable=yes profile=public
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2732
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1732 -s 564
  2⤵
  - Program crash
  PID:2880

C:\Windows\SysWOW64\untfs32.exe
C:\Windows\SysWOW64\untfs32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2608
- C:\ProgramData\EhStorShell32.exe
  schutz
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1836

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\EhStorShell32.exe

Filesize
1.3MB

MD5
5c964b00f42d449c70c160710f02bcb5

SHA1
1b49080b9e0826e7f17efa9d77443facd82e6fbf

SHA256
d8ef5dee0a4b60e1d4988f7ecbd23e7de89e8a3e45e70f60cb472d6ff89c87df

SHA512
9713ac29a55ce7ff10c7263f9da03a27a66f034476a3e8b286ba029195d61304ffee22d9e5663cc9be99f5418a788b84b2caeb6c4be62833a86757df1cd27b59

Download Submit
C:\Windows\SysWOW64\1710994757

Filesize
29B

MD5
31659628fde8ad0dfe92db37c3892cfb

SHA1
8be48bbd14a27a32282e7c2d83c38eb50455f3d8

SHA256
f1cf50218b2d47007e22351e8b7f273bbfbc034a52853c86c2ca1956d7ded9b8

SHA512
4b07dfaf6c5119a2077da4e51a316ee886d30c0055b43c25aa7407f9f96390ad96079aa709b90c96fe4b2500622a6b3414d500bface041abf5f5ca9dadf50e60

Download Submit
C:\Windows\SysWOW64\1710994757

Filesize
117B

MD5
9b43243eb4958620cf61a307a47d1289

SHA1
ff9c0da465c1cbf42e043ff9a2b8e30613380802

SHA256
bb19366846d82a3f24fc10eca32f6e31a62d12e0f4e304dfb707cf739bfccf2c

SHA512
4c529f26dfc6f749946c3f9b41682f517346c1ef1f0c826729008752317f7d7f82b082216a92709995796805299d7981782860d17f2575f631d589e6bf8c1068

Download Submit
C:\Windows\SysWOW64\EhStorShell32.exe

Filesize
176KB

MD5
0f4c8320820f8a1f7fe2a613177b064f

SHA1
95c48049c4a43d95cba7859e926201977683c299

SHA256
3ef64fbffa365364ca68d4712de844ab467f4834ac2a1d04f0f429a2da6a2608

SHA512
15622c943ddaf466d1fa01e88a0b202e253172c9681bbaad6d3a1190d10172c048ee8010bf2d6365e06c4d1bdcbbb1f7f3a972748901ab1aee9bd290dcb9c1c6

Download Submit
\ProgramData\api-ms-win-core-localization-l1-2-032.dll

Filesize
241KB

MD5
86158c58b6b2a6174a1b0cf216cae774

SHA1
0f6ad629f6033ba038f594fe407e272beb2c8de7

SHA256
71cac98adb7f0a63c63140eaf25916e878e636e32da8262abbbd14ad39dc0459

SHA512
4f1817544a98377e15644278eb4f1d0110ac8512c0c2147dfa0f894eb06754f9bcd3db4b713d034ea26c5437c4bd345d74167fb1e955664348583ca10e3ccd19

Download Submit
\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll

Filesize
411KB

MD5
e17107eb480d82bf8857d5505b031c68

SHA1
f4a10e60b79649a4fbcc7fe5d51f4a9ad0b26a43

SHA256
492ba54e9d5f8e9848947130ecbc97ac1d368658272b3ba1d83ae84948c85712

SHA512
a9105de8cb94700d6032151f72307371e1ee11801e10de8a5307612f228c3d7249f83bde8b9d6bc73284fd28dda630e773103982e4c388f0df2dfcf6d7ab14b5

Download Submit
memory/1732-82-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1732-7-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1732-1-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1732-0-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1732-5-0x0000000010000000-0x0000000010087000-memory.dmp

Filesize
540KB

Download
memory/1836-86-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2608-106-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2608-39-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2608-85-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2608-84-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2804-81-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2804-87-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3052-31-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3052-76-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3052-30-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download