df5a612a4b3333994e26085e84e297375c27f87e86b1b63bb0ee8e7409143363

Analysis

max time kernel
149s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
26-07-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe
Size

872KB
MD5

74bc06afcc8fb802c5eeee61f2b01424
SHA1

8f0ed8b5f85b1d79d81510d2ed404f0d560708f3
SHA256

df5a612a4b3333994e26085e84e297375c27f87e86b1b63bb0ee8e7409143363
SHA512

0fe4cf23a5123fbced741e8adb6f23570156820c9c923c51e9e437442d9a0b9150d785bf03beae6847d37327948506870bfea7b52857f903bbdef5327825d17a
SSDEEP

12288:3yj3TohBlkPUEcqo6i9KBkYdR/G0QAER+3Pas4wHGlafKX9AWF8Czz:3yjDohEKui9KB7dVJu+3b4wmlO3WF8Y

Score

7^/10

adware bootkit discovery persistence stealer upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

setup.exentfis.exesna.exetdsetup.exeMrup.exe

pid process

2444 setup.exe
2884 ntfis.exe
2816 sna.exe
2932 tdsetup.exe
2992 Mrup.exe

pid	process
2444	setup.exe
2884	ntfis.exe
2816	sna.exe
2932	tdsetup.exe
2992	Mrup.exe

Loads dropped DLL 20 IoCs

Processes:

74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exesetup.exetdsetup.exeregsvr32.exerundll32.exeMrup.exe

pid	process
2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe
2444	setup.exe
2444	setup.exe
2444	setup.exe
2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe
2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe
2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe
2932	tdsetup.exe
2932	tdsetup.exe
2932	tdsetup.exe
2932	tdsetup.exe
2864	regsvr32.exe
3012	rundll32.exe
3012	rundll32.exe
3012	rundll32.exe
3012	rundll32.exe
3012	rundll32.exe
2992	Mrup.exe
2992	Mrup.exe
3012	rundll32.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\sna.exe	upx
behavioral1/memory/2064-44-0x0000000001C70000-0x0000000001C9B000-memory.dmp	upx
behavioral1/memory/2816-49-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral1/memory/2816-146-0x0000000000400000-0x000000000042B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sna.exetdsetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Local\Temp\sna.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sna.exe"	sna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Desktop = "C:\\Windows\\system32\\rundll32.exe \"C:\\Program Files (x86)\\DeskAdTop\\Run.dll\" ,Rundll"	tdsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

tdsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{08A312BB-5409-49FC-9347-54BB7D069AC6}	tdsetup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

tdsetup.exe

description ioc process

File opened for modification \??\PhysicalDrive0 tdsetup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	tdsetup.exe

Drops file in System32 directory 4 IoCs

Processes:

setup.exesna.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntfis.exe	setup.exe
File opened for modification	C:\Windows\SysWOW64\ntfis.exe	setup.exe
File opened for modification	C:\Windows\SysWOW64\wbem\sholl32.dll	sna.exe
File created	C:\Windows\SysWOW64\sbvw.ll	sna.exe

Drops file in Program Files directory 30 IoCs

Processes:

tdsetup.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\DeskAdTop\_uninstall	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\Run.dll	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\Run.dll.zgx	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\deskipn.dll.zgx.tmp	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\DeskUn.exe	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\Run.dll.zgx.tmp	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\IP.dat	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\sinfo.ini	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\setup.tmp	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\deskipn.dll.zgx	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\DeskUn.exe	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\Mrup.exe	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\allverx.dat	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\Mrup.exe	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\sinfo.ini	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\fshook.dll.zgx	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\Log\ConfInfo.txt	rundll32.exe
File created	C:\Program Files (x86)\DeskAdTop\DeskUn.exe.tmp	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\IP.dat.tmp	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\Mrup.exe.tmp	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\allverx.dat.tmp	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\allverx.dat	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\deskipn.dll	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\fshook.dll.zgx	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\IP.dat	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\Run.dll.zgx	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\sinfo.ini.tmp	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\deskipn.dll.zgx	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\fshook.dll	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\fshook.dll.zgx.tmp	tdsetup.exe

Drops file in Windows directory 2 IoCs

Processes:

ntfis.exe

description ioc process

File created C:\Windows\imapi.exe ntfis.exe
File opened for modification C:\Windows\imapi.exe ntfis.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\imapi.exe	ntfis.exe
File opened for modification	C:\Windows\imapi.exe	ntfis.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ntfis.exetdsetup.exeregsvr32.exerundll32.exeMrup.exesna.exe74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exesetup.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ntfis.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tdsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mrup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

tdsetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	tdsetup.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

tdsetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	tdsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	tdsetup.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exetdsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\ProgID\ = "bho.IEMonitor.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\InprocServer32\ = "C:\\Program Files (x86)\\DeskAdTop\\deskipn.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor.1\ = "IEMonitor Class"	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\InprocServer32	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\FLAGS\ = "0"	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\0	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\ = "IIEMonitor"	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor\CurVer	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\ProxyStubClsid32	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	tdsetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor.1\CLSID\ = "{08A312BB-5409-49FC-9347-54BB7D069AC6}"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\InprocServer32\ThreadingModel = "Apartment"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\ = "bho 1.0 Type Library"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\ = "IIEMonitor"	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\TypeLib	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\HELPDIR	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\VersionIndependentProgID\ = "bho.IEMonitor"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\ProgID	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor.1\ = "IEMonitor Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor\ = "IEMonitor Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor\CLSID\ = "{08A312BB-5409-49FC-9347-54BB7D069AC6}"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\ProgID\ = "bho.IEMonitor.1"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\InprocServer32\ = "C:\\Program Files (x86)\\DeskAdTop\\deskipn.dll"	tdsetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\TypeLib	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\ = "IEMonitor Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor\CurVer\ = "bho.IEMonitor.1"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\VersionIndependentProgID\ = "bho.IEMonitor"	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\Programmable	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\FLAGS	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor.1\CLSID\ = "{08A312BB-5409-49FC-9347-54BB7D069AC6}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor.1	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor.1\CLSID	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\TypeLib\ = "{647BB013-E900-473E-BC10-99CF3AC365AD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor\CurVer\ = "bho.IEMonitor.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\TypeLib\Version = "1.0"	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor\CLSID	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\ = "IEMonitor Class"	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\ProxyStubClsid32	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\VersionIndependentProgID	tdsetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor\ = "IEMonitor Class"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\TypeLib\ = "{647BB013-E900-473E-BC10-99CF3AC365AD}"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor\CLSID\ = "{08A312BB-5409-49FC-9347-54BB7D069AC6}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\0\win32\ = "C:\\Program Files (x86)\\DeskAdTop\\deskipn.dll"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DeskAdTop"	tdsetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\TypeLib\ = "{647BB013-E900-473E-BC10-99CF3AC365AD}"	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\0\win32	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}	tdsetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ntfis.exe

pid	process
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe
2884	ntfis.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

476
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tdsetup.exe

description pid process

Token: SeRestorePrivilege 2932 tdsetup.exe
Token: SeBackupPrivilege 2932 tdsetup.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

setup.exetdsetup.exeMrup.exerundll32.exe

pid process

2444 setup.exe
2932 tdsetup.exe
2992 Mrup.exe
3012 rundll32.exe
3012 rundll32.exe
3012 rundll32.exe

pid	process
476

description	pid	process
Token: SeRestorePrivilege	2932	tdsetup.exe
Token: SeBackupPrivilege	2932	tdsetup.exe

pid	process
2444	setup.exe
2932	tdsetup.exe
2992	Mrup.exe
3012	rundll32.exe
3012	rundll32.exe
3012	rundll32.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exetdsetup.exerundll32.exe

description	pid	process	target process
PID 2064 wrote to memory of 2444	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	setup.exe
PID 2064 wrote to memory of 2444	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	setup.exe
PID 2064 wrote to memory of 2444	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	setup.exe
PID 2064 wrote to memory of 2444	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	setup.exe
PID 2064 wrote to memory of 2444	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	setup.exe
PID 2064 wrote to memory of 2444	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	setup.exe
PID 2064 wrote to memory of 2444	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	setup.exe
PID 2064 wrote to memory of 2816	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	sna.exe
PID 2064 wrote to memory of 2816	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	sna.exe
PID 2064 wrote to memory of 2816	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	sna.exe
PID 2064 wrote to memory of 2816	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	sna.exe
PID 2064 wrote to memory of 2932	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	tdsetup.exe
PID 2064 wrote to memory of 2932	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	tdsetup.exe
PID 2064 wrote to memory of 2932	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	tdsetup.exe
PID 2064 wrote to memory of 2932	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	tdsetup.exe
PID 2064 wrote to memory of 2932	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	tdsetup.exe
PID 2064 wrote to memory of 2932	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	tdsetup.exe
PID 2064 wrote to memory of 2932	2064	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	tdsetup.exe
PID 2932 wrote to memory of 2864	2932	tdsetup.exe	regsvr32.exe
PID 2932 wrote to memory of 2864	2932	tdsetup.exe	regsvr32.exe
PID 2932 wrote to memory of 2864	2932	tdsetup.exe	regsvr32.exe
PID 2932 wrote to memory of 2864	2932	tdsetup.exe	regsvr32.exe
PID 2932 wrote to memory of 2864	2932	tdsetup.exe	regsvr32.exe
PID 2932 wrote to memory of 2864	2932	tdsetup.exe	regsvr32.exe
PID 2932 wrote to memory of 2864	2932	tdsetup.exe	regsvr32.exe
PID 2932 wrote to memory of 3012	2932	tdsetup.exe	rundll32.exe
PID 2932 wrote to memory of 3012	2932	tdsetup.exe	rundll32.exe
PID 2932 wrote to memory of 3012	2932	tdsetup.exe	rundll32.exe
PID 2932 wrote to memory of 3012	2932	tdsetup.exe	rundll32.exe
PID 2932 wrote to memory of 3012	2932	tdsetup.exe	rundll32.exe
PID 2932 wrote to memory of 3012	2932	tdsetup.exe	rundll32.exe
PID 2932 wrote to memory of 3012	2932	tdsetup.exe	rundll32.exe
PID 3012 wrote to memory of 2992	3012	rundll32.exe	Mrup.exe
PID 3012 wrote to memory of 2992	3012	rundll32.exe	Mrup.exe
PID 3012 wrote to memory of 2992	3012	rundll32.exe	Mrup.exe
PID 3012 wrote to memory of 2992	3012	rundll32.exe	Mrup.exe
PID 3012 wrote to memory of 2992	3012	rundll32.exe	Mrup.exe
PID 3012 wrote to memory of 2992	3012	rundll32.exe	Mrup.exe
PID 3012 wrote to memory of 2992	3012	rundll32.exe	Mrup.exe

C:\Users\Admin\AppData\Local\Temp\74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064

C:\Users\Admin\AppData\Local\Temp\setup.exe
C:\Users\Admin\AppData\Local\Temp\\setup.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2444

C:\Users\Admin\AppData\Local\Temp\sna.exe
C:\Users\Admin\AppData\Local\Temp\\sna.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2816

C:\Users\Admin\AppData\Local\Temp\tdsetup.exe
C:\Users\Admin\AppData\Local\Temp\\tdsetup.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 "C:\Program Files (x86)\DeskAdTop\deskipn.dll" -s
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2864

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\DeskAdTop\Run.dll" ,Rundll
3⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012

C:\Program Files (x86)\DeskAdTop\Mrup.exe
"C:\Program Files (x86)\DeskAdTop\Mrup.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2992

C:\Windows\SysWOW64\ntfis.exe
C:\Windows\SysWOW64\ntfis.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2884

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DeskAdTop\Run.dll
Filesize
100KB

MD5
157f5fab137c377e35435ca54c81342b

SHA1
ee8f3c010edd4c9372d081bf2d4299c8377c81da

SHA256
3a4917128c9eed22a75558e637df27d9b1d78dbf7830133fe3c3da18cd21c13f

SHA512
dd0e363e6852766b0a01b76f587a4a741b0b65cf4c93a670b076e472ed25744ca86320de0c11bcf8b07dc54a03fec94b5f5aa47bad630117db3bfc0fd946fe34

Download Submit
C:\Program Files (x86)\DeskAdTop\ip.dat
Filesize
24B

MD5
0d87d522011c4c250f60a3fa4e744310

SHA1
e05367920ee8681b2a3ac42db2137b105b090d6f

SHA256
95d50984688698344c925332224fe99578d1064df44d3b5df3169a0167be6515

SHA512
e85f668da0419020e1f9bb00f34fbe29295e7fc0f995edf66f69e3ea5243ceb7260317d0d464056bfd95668f12d03d277fa86bfc4aac70564d2f9ce0387b896e

Download Submit
C:\Program Files (x86)\DeskAdTop\sinfo.ini
Filesize
135B

MD5
a817ee8b23bb4ca71588a8a1ac9dfe70

SHA1
25825f9543cf2799f5e9351b5167736f612401df

SHA256
4cf37d9f919200a9d8718034118beb365d539f4eef3a4ccb24d7e084c7f5dc75

SHA512
9f2d579d31f1330a32d059923007c1403d35ee92c41500a9c329ef8c59247a6dfa50adc2190f8784df587eb83c360ebf72a93676f9dee20020e0cd9bf8db44dd

Download Submit
C:\Windows\SysWOW64\ntfis.exe
Filesize
408KB

MD5
4749bd76ab7e9eab2b29d5e9bea120aa

SHA1
3bd6130d80dc1869afb2cdc871ea43aa969d79c5

SHA256
23ee3930e748b7fd6e786cbc6f578675a01e725d86e4e4205aa1cc4b8d25f261

SHA512
a95ab7302d9205d84c3d35b6c5480e1b825ef0c54c27bf95b8d04547d78aa3a56b3e88ccf9ed53109b2208534e6795c89fb7a3a0f7dff472337acc32013c50b2

Download Submit
C:\Windows\SysWOW64\sbvw.ll
Filesize
6KB

MD5
5fe859f2d13cacd55135a14bf57dd445

SHA1
679237dc33ecceb6623b996fa973bba8d5d736e5

SHA256
598c1c3135c43eeea1c6028ced92b6a7c3ad1cb88149555a5c3a70b8d1bd8a7c

SHA512
085129a140f00acb6397cc4563552fdd5f75f5355d383c5afe373d9664c879832738412eba4c6448e5a1e8f4866d4aa4e412df031e9d49f4faad87ad4bb3b306

Download Submit
\Program Files (x86)\DeskAdTop\Mrup.exe
Filesize
24KB

MD5
8745c4c253f75e6b12f950eee825c720

SHA1
a695f4d8bfb5f02b578916e31dd8c25d812cf6d7

SHA256
c0865a3b6c45d600fa04a0cadb92277f2b51a70c477c15ec1a9a8ea415a87b8a

SHA512
98dbcdc0b579309ad40976ebee7246c7b03175bca32e37c80d108f766e576c1959f295c1adb7fc2ef35c12e460df820007762105f5d09ee979a9410ea0f4b399

Download Submit
\Program Files (x86)\DeskAdTop\deskipn.dll
Filesize
32KB

MD5
dcafc4fd75a69079384ed570dc534f11

SHA1
087a8eebccc450155282cb07b8338907504a6eed

SHA256
43e317a3c1cb4f4239eb685d14e38be7bde4413eb09c5e5903c078fcc81dc68c

SHA512
3bd03e87d98a7e735f04d164fd753a01e837134fc960273f2479ba01a0bcff02241ee3d81350c88df659d78da161155d60cc77afd9c5bb19d8177e1645e52663

Download Submit
\Program Files (x86)\DeskAdTop\fshook.dll
Filesize
28KB

MD5
cecd38d3777d9332d23f6c55f89b33b5

SHA1
a798242c512ba0c0d821f028dce26f5b98f0ac97

SHA256
a5ac8f7cbc068487f761462af28313bc9a48fd3cc3bd042dca0d0a6d2f54ce9b

SHA512
b2da9ce6321bb3c27863c4b88689e343c470b5b87a88767f4194e66be8fcc9d36a2e4322612e2db80e0c8d44794c9c059193569aa207f4c562152c1fc630b1cd

Download Submit
\Users\Admin\AppData\Local\Temp\setup.exe
Filesize
484KB

MD5
45b27b8341ef36cde36cf74416c90ba8

SHA1
a6f85ab8ec9326b94613fe15b4909dd255d2ee13

SHA256
d335b9302e9b466815cc1c128316dadae246e9759070e34cb1ecc9c8f749313b

SHA512
03cfed97c931bc8fa6d9534e1a42da61692db1776a8a3155c27f776e42397dbb937ce4d125f766ab2f089d134db378b34b78f7aa6dfe7fa4eac6db2062212079

Download Submit
\Users\Admin\AppData\Local\Temp\sna.exe
Filesize
54KB

MD5
a6c4df92b7dfa426ceca14210759d175

SHA1
c804ca009fd94ee059fb4af305e7375759dba81a

SHA256
6f969d0fe34c8873e4130b5b85b8c8810faadf18068d4aeaeccc199a5b132224

SHA512
4aae93b251b9df0d71e693ac8981178f50ee27f44219d6a4d11f13134828373ce120a86f9eaf5cbe4e7da506943f10ad6fb1c6f0e3c0c44c50ee1a7a3b2ff3b8

Download Submit
\Users\Admin\AppData\Local\Temp\tdsetup.exe
Filesize
117KB

MD5
426a50013aca9bd57cee7cccf0097f6f

SHA1
e539c50a24e8d3cad614dbc317b97ff0b2ec2a8a

SHA256
a9294cc082eb2797c08e4de90fc730fe5867536867d90bea7d63382f5602c2d1

SHA512
96bf5e02e35228a71f330144617d4f71cff3c9fe0959e2614dc1ac823dd7b2966f5329219bd03c6d605f30cb164c5670017c4061fc5ccab72dba28367e96de8c

Download Submit
memory/2064-0-0x0000000000400000-0x00000000004DB040-memory.dmp

Filesize
876KB

Download
memory/2064-44-0x0000000001C70000-0x0000000001C9B000-memory.dmp

Filesize
172KB

Download
memory/2064-42-0x0000000001C70000-0x0000000001C9B000-memory.dmp

Filesize
172KB

Download
memory/2064-147-0x0000000000400000-0x00000000004DB040-memory.dmp

Filesize
876KB

Download
memory/2064-148-0x0000000000400000-0x00000000004DB040-memory.dmp

Filesize
876KB

Download
memory/2816-49-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/2816-146-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download