Malware Analysis Report

2024-11-13 13:46

Sample ID 240719-xdpkpsyaqd
Target 5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118
SHA256 6974f159cb6e056fd9675ec4ecb6d271a7d6bb69711a295be593091d3bcb9e45
Tags
rat dcrat infostealer persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6974f159cb6e056fd9675ec4ecb6d271a7d6bb69711a295be593091d3bcb9e45

Threat Level: Known bad

The file 5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

rat dcrat infostealer persistence

Dcrat family

DcRat

Modifies WinLogon for persistence

DCRat payload

Process spawned unexpected child process

DCRat payload

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-19 18:44

Signatures

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Dcrat family

dcrat

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-19 18:44

Reported

2024-07-19 18:47

Platform

win7-20240708-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\hui\\hui.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\hui\\hui.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\hui\\hui.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\System32\\NlsLexicons0007\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\hui\\hui.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\System32\\NlsLexicons0007\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\hui\\hui.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\System32\\NlsLexicons0007\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\", \"C:\\Windows\\System32\\D3DCompiler_47\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\hui\\hui.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Windows\\System32\\NlsLexicons0007\\csrss.exe\", \"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\", \"C:\\Windows\\System32\\D3DCompiler_47\\conhost.exe\", \"C:\\Documents and Settings\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
N/A N/A C:\Windows\System32\NlsLexicons0007\csrss.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Documents and Settings\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Documents and Settings\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\hui = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\hui\\hui.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\NlsLexicons0007\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\D3DCompiler_47\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\D3DCompiler_47\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hui = "\"C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\hui\\hui.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\System32\\NlsLexicons0007\\csrss.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC\\OSPPSVC.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\NlsLexicons0007\csrss.exe C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
File created C:\Windows\System32\NlsLexicons0007\886983d96e3d3e31032c679b2d4ea91b6c05afef C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
File created C:\Windows\System32\D3DCompiler_47\conhost.exe C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
File created C:\Windows\System32\D3DCompiler_47\088424020bedd6b28ac7fd22ee35dcd7322895ce C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\OSPPSVC.exe C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
File created C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\1610b97d3ab4a74cd8ae104b51bea7bfcc5b9c6f C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
N/A N/A C:\Windows\System32\NlsLexicons0007\csrss.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\NlsLexicons0007\csrss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1596 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1596 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1596 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1596 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2748 wrote to memory of 2708 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 2708 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 2708 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2748 wrote to memory of 2708 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2708 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\hui.exe
PID 2708 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\hui.exe
PID 2708 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\hui.exe
PID 2708 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\hui.exe
PID 2572 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\Adobe\hui.exe C:\Windows\System32\NlsLexicons0007\csrss.exe
PID 2572 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\Adobe\hui.exe C:\Windows\System32\NlsLexicons0007\csrss.exe
PID 2572 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Roaming\Adobe\hui.exe C:\Windows\System32\NlsLexicons0007\csrss.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\sN8j8UtUmLUEbzv.vbe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Adobe\87tDm8T1lOvAjdSEmWMIMA3JTpcTMB.bat" "

C:\Users\Admin\AppData\Roaming\Adobe\hui.exe

"C:\Users\Admin\AppData\Roaming\Adobe\hui.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "hui" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Adobe\hui\hui.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\NlsLexicons0007\csrss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPC\OSPPSVC.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\D3DCompiler_47\conhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\System32\NlsLexicons0007\csrss.exe

"C:\Windows\System32\NlsLexicons0007\csrss.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 host1835875.hostland.pro udp
RU 185.26.122.79:80 host1835875.hostland.pro tcp

Files

C:\Users\Admin\AppData\Roaming\Adobe\sN8j8UtUmLUEbzv.vbe

MD5 70e5d6cdf95e6c8bd3cb92a5f27b41f1
SHA1 2139d28ec203b8e56a4d4b5f35cdc971711ee16b
SHA256 ddbb5359838904c2276556b9e509443ffecba2ef2c15c97370f0a0df01a22a0d
SHA512 b49e59956fe3b04980c2e9ba174da14239277b64c15a0d4cef2af1976bbaf9c7fec4a430afa1c1f56563a9f70b6d6339872be7dd847597a84b2a52730b399f3d

C:\Users\Admin\AppData\Roaming\Adobe\87tDm8T1lOvAjdSEmWMIMA3JTpcTMB.bat

MD5 e7f48aa75e0fb6a5ff062767274b118a
SHA1 35708e08c6fd4f4d5b90d205535eaf614f616947
SHA256 75d94792b854edf88578815103ae48089e1cb0566c97c86bc3b3ecf5373778d7
SHA512 85d827e4d81a7612ae78feda079f1a82812d7a430643db6bb3863c3cfe618649eb15b574c367d070c6fc594ebaf1c8ada66390279c703f7eb88e2c8b9a21adcb

C:\Users\Admin\AppData\Roaming\Adobe\hui.exe

MD5 1b46dad7064609344351ac9efe3f9aab
SHA1 9aa8051f5ef6f800410ec669e52b415b6bf43816
SHA256 3bd60f927e3882940077fa527712e5c55a2767564b39a932c4d4941e190a4c81
SHA512 ce773799e73f0b61a793098df7a824346ec1d94d16877a272ace42a644d4fdf7d6a68b4a7c976b4b90471036f0d68b56bbfec18cffc68331c32970e7db7c57c4

memory/2572-13-0x0000000001300000-0x00000000013EE000-memory.dmp

memory/2432-32-0x00000000012E0000-0x00000000013CE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-19 18:44

Reported

2024-07-19 18:47

Platform

win10v2004-20240709-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SKB\\LanguageModels\\System.exe\", \"C:\\Documents and Settings\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SKB\\LanguageModels\\System.exe\", \"C:\\Documents and Settings\\WmiPrvSE.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\System.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SKB\\LanguageModels\\System.exe\", \"C:\\Documents and Settings\\WmiPrvSE.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\System.exe\", \"C:\\Windows\\System32\\rasautou\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SKB\\LanguageModels\\System.exe\", \"C:\\Documents and Settings\\WmiPrvSE.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\System.exe\", \"C:\\Windows\\System32\\rasautou\\dllhost.exe\", \"C:\\Windows\\System32\\ProximityCommon\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SKB\\LanguageModels\\System.exe\", \"C:\\Documents and Settings\\WmiPrvSE.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\System.exe\", \"C:\\Windows\\System32\\rasautou\\dllhost.exe\", \"C:\\Windows\\System32\\ProximityCommon\\fontdrvhost.exe\", \"C:\\Windows\\System32\\coredpussvr\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SKB\\LanguageModels\\System.exe\", \"C:\\Documents and Settings\\WmiPrvSE.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\System.exe\", \"C:\\Windows\\System32\\rasautou\\dllhost.exe\", \"C:\\Windows\\System32\\ProximityCommon\\fontdrvhost.exe\", \"C:\\Windows\\System32\\coredpussvr\\SppExtComObj.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\smss.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SKB\\LanguageModels\\System.exe\", \"C:\\Documents and Settings\\WmiPrvSE.exe\", \"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\System.exe\", \"C:\\Windows\\System32\\rasautou\\dllhost.exe\", \"C:\\Windows\\System32\\ProximityCommon\\fontdrvhost.exe\", \"C:\\Windows\\System32\\coredpussvr\\SppExtComObj.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\smss.exe\", \"C:\\Windows\\System32\\browseui\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SKB\\LanguageModels\\System.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\System.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Documents and Settings\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\ProximityCommon\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\coredpussvr\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Documents and Settings\\WmiPrvSE.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\System.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Windows\\System32\\ProximityCommon\\fontdrvhost.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\smss.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.5\\smss.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\SKB\\LanguageModels\\System.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\SKB\\LanguageModels\\System.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\System32\\coredpussvr\\SppExtComObj.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files\\Google\\Chrome\\Application\\SetupMetrics\\System.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\rasautou\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\rasautou\\dllhost.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\browseui\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\conhost = "\"C:\\Windows\\System32\\browseui\\conhost.exe\"" C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\rasautou\dllhost.exe C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
File created C:\Windows\System32\rasautou\5940a34987c99120d96dace90a3f93f329dcad63 C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
File created C:\Windows\System32\ProximityCommon\fontdrvhost.exe C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
File created C:\Windows\System32\ProximityCommon\5b884080fd4f94e2695da25c503f9e33b9605b83 C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
File created C:\Windows\System32\coredpussvr\SppExtComObj.exe C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
File created C:\Windows\System32\coredpussvr\e1ef82546f0b02b7e974f28047f3788b1128cce1 C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
File created C:\Windows\System32\browseui\conhost.exe C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
File created C:\Windows\System32\browseui\088424020bedd6b28ac7fd22ee35dcd7322895ce C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\69ddcba757bf72f7d36c464c71f42baab150b2b9 C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SKB\LanguageModels\System.exe C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
File opened for modification C:\Windows\SKB\LanguageModels\System.exe C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
File created C:\Windows\SKB\LanguageModels\27d1bcfc3c54e0e44ea423ffd4ee81fe73670a2a C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
N/A N/A C:\Windows\SKB\LanguageModels\System.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Adobe\hui.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SKB\LanguageModels\System.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2184 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2184 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 2684 wrote to memory of 4496 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 4496 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 4496 N/A C:\Windows\SysWOW64\WScript.exe C:\Windows\SysWOW64\cmd.exe
PID 4496 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\hui.exe
PID 4496 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Roaming\Adobe\hui.exe
PID 2656 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Roaming\Adobe\hui.exe C:\Windows\System32\cmd.exe
PID 2656 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Roaming\Adobe\hui.exe C:\Windows\System32\cmd.exe
PID 2856 wrote to memory of 3148 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2856 wrote to memory of 3148 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 2856 wrote to memory of 1852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2856 wrote to memory of 1852 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\w32tm.exe
PID 2856 wrote to memory of 3840 N/A C:\Windows\System32\cmd.exe C:\Windows\SKB\LanguageModels\System.exe
PID 2856 wrote to memory of 3840 N/A C:\Windows\System32\cmd.exe C:\Windows\SKB\LanguageModels\System.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\5d329190630c5c051e1b2c4ad4c69abd_JaffaCakes118.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Adobe\sN8j8UtUmLUEbzv.vbe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Adobe\87tDm8T1lOvAjdSEmWMIMA3JTpcTMB.bat" "

C:\Users\Admin\AppData\Roaming\Adobe\hui.exe

"C:\Users\Admin\AppData\Roaming\Adobe\hui.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Documents and Settings\WmiPrvSE.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\System.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\rasautou\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\System32\ProximityCommon\fontdrvhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\System32\coredpussvr\SppExtComObj.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\System32\browseui\conhost.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RVuqL2qAIw.bat"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\SKB\LanguageModels\System.exe

"C:\Windows\SKB\LanguageModels\System.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 host1835875.hostland.pro udp
RU 185.26.122.79:80 host1835875.hostland.pro tcp
US 8.8.8.8:53 79.122.26.185.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 147.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Roaming\Adobe\sN8j8UtUmLUEbzv.vbe

MD5 70e5d6cdf95e6c8bd3cb92a5f27b41f1
SHA1 2139d28ec203b8e56a4d4b5f35cdc971711ee16b
SHA256 ddbb5359838904c2276556b9e509443ffecba2ef2c15c97370f0a0df01a22a0d
SHA512 b49e59956fe3b04980c2e9ba174da14239277b64c15a0d4cef2af1976bbaf9c7fec4a430afa1c1f56563a9f70b6d6339872be7dd847597a84b2a52730b399f3d

C:\Users\Admin\AppData\Roaming\Adobe\87tDm8T1lOvAjdSEmWMIMA3JTpcTMB.bat

MD5 e7f48aa75e0fb6a5ff062767274b118a
SHA1 35708e08c6fd4f4d5b90d205535eaf614f616947
SHA256 75d94792b854edf88578815103ae48089e1cb0566c97c86bc3b3ecf5373778d7
SHA512 85d827e4d81a7612ae78feda079f1a82812d7a430643db6bb3863c3cfe618649eb15b574c367d070c6fc594ebaf1c8ada66390279c703f7eb88e2c8b9a21adcb

C:\Users\Admin\AppData\Roaming\Adobe\hui.exe

MD5 1b46dad7064609344351ac9efe3f9aab
SHA1 9aa8051f5ef6f800410ec669e52b415b6bf43816
SHA256 3bd60f927e3882940077fa527712e5c55a2767564b39a932c4d4941e190a4c81
SHA512 ce773799e73f0b61a793098df7a824346ec1d94d16877a272ace42a644d4fdf7d6a68b4a7c976b4b90471036f0d68b56bbfec18cffc68331c32970e7db7c57c4

memory/2656-12-0x00007FF865C83000-0x00007FF865C85000-memory.dmp

memory/2656-13-0x0000000000200000-0x00000000002EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RVuqL2qAIw.bat

MD5 2b6d6f744795885e122a474148b9c073
SHA1 10056dad5c654ef25c6a582967c6e705cd47f441
SHA256 3d71b33602576440ae08405247fdfcb787c69a67ec98b7dc103a9ab65dd7326d
SHA512 0b09c3d64656cab580ba871264ff3e9f5c071ab9e319e740bbe1478db92a360fa64174aea62017d7ade40f547a96d0197201f5a4f66e1d691e494d55d62293fc