df5a612a4b3333994e26085e84e297375c27f87e86b1b63bb0ee8e7409143363

Analysis

max time kernel
149s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 16:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe
Size

872KB
MD5

74bc06afcc8fb802c5eeee61f2b01424
SHA1

8f0ed8b5f85b1d79d81510d2ed404f0d560708f3
SHA256

df5a612a4b3333994e26085e84e297375c27f87e86b1b63bb0ee8e7409143363
SHA512

0fe4cf23a5123fbced741e8adb6f23570156820c9c923c51e9e437442d9a0b9150d785bf03beae6847d37327948506870bfea7b52857f903bbdef5327825d17a
SSDEEP

12288:3yj3TohBlkPUEcqo6i9KBkYdR/G0QAER+3Pas4wHGlafKX9AWF8Czz:3yjDohEKui9KB7dVJu+3b4wmlO3WF8Y

Score

7^/10

adware bootkit discovery persistence stealer upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

Processes:

setup.exentfis.exesna.exetdsetup.exeMrup.exe

pid process

3732 setup.exe
3236 ntfis.exe
4576 sna.exe
1356 tdsetup.exe
2280 Mrup.exe
Loads dropped DLL 5 IoCs

Processes:

tdsetup.exeregsvr32.exerundll32.exe

pid process

1356 tdsetup.exe
4196 regsvr32.exe
2256 rundll32.exe
2256 rundll32.exe
2256 rundll32.exe

pid	process
3732	setup.exe
3236	ntfis.exe
4576	sna.exe
1356	tdsetup.exe
2280	Mrup.exe

pid	process
1356	tdsetup.exe
4196	regsvr32.exe
2256	rundll32.exe
2256	rundll32.exe
2256	rundll32.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\sna.exe	upx
behavioral2/memory/4576-47-0x0000000000400000-0x000000000042B000-memory.dmp	upx
behavioral2/memory/4576-132-0x0000000000400000-0x000000000042B000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

sna.exetdsetup.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Local\Temp\sna.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sna.exe"	sna.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Desktop = "C:\\Windows\\system32\\rundll32.exe \"C:\\Program Files (x86)\\DeskAdTop\\Run.dll\" ,Rundll"	tdsetup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

Processes:

tdsetup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{08A312BB-5409-49FC-9347-54BB7D069AC6}	tdsetup.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

tdsetup.exe

description ioc process

File opened for modification \??\PhysicalDrive0 tdsetup.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	tdsetup.exe

Drops file in System32 directory 4 IoCs

Processes:

setup.exesna.exe

description	ioc	process
File created	C:\Windows\SysWOW64\ntfis.exe	setup.exe
File opened for modification	C:\Windows\SysWOW64\ntfis.exe	setup.exe
File opened for modification	C:\Windows\SysWOW64\wbem\sholl32.dll	sna.exe
File created	C:\Windows\SysWOW64\sbvw.ll	sna.exe

Drops file in Program Files directory 30 IoCs

Processes:

tdsetup.exerundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\DeskAdTop\deskipn.dll.zgx.tmp	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\DeskUn.exe	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\allverx.dat	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\fshook.dll.zgx	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\Mrup.exe	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\sinfo.ini	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\setup.tmp	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\allverx.dat	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\DeskUn.exe.tmp	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\fshook.dll.zgx.tmp	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\Run.dll.zgx	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\deskipn.dll	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\deskipn.dll.zgx	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\Run.dll.zgx.tmp	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\fshook.dll.zgx	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\IP.dat	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\Run.dll.zgx	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\allverx.dat.tmp	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\Mrup.exe.tmp	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\sinfo.ini.tmp	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\Log\ConfInfo.txt	rundll32.exe
File created	C:\Program Files (x86)\DeskAdTop\_uninstall	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\DeskUn.exe	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\IP.dat	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\Mrup.exe	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\Run.dll	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\sinfo.ini	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\deskipn.dll.zgx	tdsetup.exe
File opened for modification	C:\Program Files (x86)\DeskAdTop\fshook.dll	tdsetup.exe
File created	C:\Program Files (x86)\DeskAdTop\IP.dat.tmp	tdsetup.exe

Drops file in Windows directory 4 IoCs

Processes:

ntfis.exe

description	ioc	process
File created	C:\Windows\imapi.exe	ntfis.exe
File opened for modification	C:\Windows\imapi.exe	ntfis.exe
File created	C:\Windows\dataacess.dll	ntfis.exe
File opened for modification	C:\Windows\dataacess.dll	ntfis.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

sna.exetdsetup.exeregsvr32.exerundll32.exeMrup.exe74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exesetup.exentfis.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sna.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tdsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mrup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ntfis.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

tdsetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	tdsetup.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

tdsetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	tdsetup.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	tdsetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes"	tdsetup.exe

Modifies registry class 64 IoCs

Processes:

tdsetup.exeregsvr32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\TypeLib\Version = "1.0"	tdsetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\ProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\ = "IEMonitor Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\ = "IEMonitor Class"	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\0	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\TypeLib	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\TypeLib\ = "{647BB013-E900-473E-BC10-99CF3AC365AD}"	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\0\win32	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor.1\CLSID\ = "{08A312BB-5409-49FC-9347-54BB7D069AC6}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\TypeLib\ = "{647BB013-E900-473E-BC10-99CF3AC365AD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\ProgID\ = "bho.IEMonitor.1"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\InprocServer32\ = "C:\\Program Files (x86)\\DeskAdTop\\deskipn.dll"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor\ = "IEMonitor Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\ProgID\ = "bho.IEMonitor.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\0\win32\ = "C:\\Program Files (x86)\\DeskAdTop\\deskipn.dll"	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\ProxyStubClsid32	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor\CLSID\ = "{08A312BB-5409-49FC-9347-54BB7D069AC6}"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\InprocServer32	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\HELPDIR	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor.1\ = "IEMonitor Class"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor.1\ = "IEMonitor Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor\CurVer\ = "bho.IEMonitor.1"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DeskAdTop"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\TypeLib\Version = "1.0"	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor.1\CLSID\ = "{08A312BB-5409-49FC-9347-54BB7D069AC6}"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor\ = "IEMonitor Class"	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}	tdsetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor.1\CLSID	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\VersionIndependentProgID\ = "bho.IEMonitor"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\ = "IIEMonitor"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\TypeLib\ = "{647BB013-E900-473E-BC10-99CF3AC365AD}"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\FLAGS\ = "0"	tdsetup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\TypeLib	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\ = "bho 1.0 Type Library"	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\TypeLib	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\TypeLib	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\VersionIndependentProgID	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\InprocServer32	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor\CLSID\ = "{08A312BB-5409-49FC-9347-54BB7D069AC6}"	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\VersionIndependentProgID\ = "bho.IEMonitor"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor.1	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor\CLSID	tdsetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\Programmable	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{647BB013-E900-473E-BC10-99CF3AC365AD}\1.0\FLAGS	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor\CurVer\ = "bho.IEMonitor.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\VersionIndependentProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\bho.IEMonitor\CurVer	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08A312BB-5409-49FC-9347-54BB7D069AC6}\InprocServer32\ThreadingModel = "Apartment"	tdsetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{EBB1C15E-017B-4BB9-9B6C-11CDF577E0CC}\ = "IIEMonitor"	tdsetup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ntfis.exe

pid	process
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe
3236	ntfis.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

pid process

660
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

setup.exetdsetup.exeMrup.exerundll32.exe

pid process

3732 setup.exe
1356 tdsetup.exe
2280 Mrup.exe
2256 rundll32.exe
2256 rundll32.exe
2256 rundll32.exe

pid	process
660

pid	process
3732	setup.exe
1356	tdsetup.exe
2280	Mrup.exe
2256	rundll32.exe
2256	rundll32.exe
2256	rundll32.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exetdsetup.exerundll32.exe

description	pid	process	target process
PID 3880 wrote to memory of 3732	3880	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	setup.exe
PID 3880 wrote to memory of 3732	3880	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	setup.exe
PID 3880 wrote to memory of 3732	3880	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	setup.exe
PID 3880 wrote to memory of 4576	3880	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	sna.exe
PID 3880 wrote to memory of 4576	3880	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	sna.exe
PID 3880 wrote to memory of 4576	3880	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	sna.exe
PID 3880 wrote to memory of 1356	3880	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	tdsetup.exe
PID 3880 wrote to memory of 1356	3880	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	tdsetup.exe
PID 3880 wrote to memory of 1356	3880	74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe	tdsetup.exe
PID 1356 wrote to memory of 4196	1356	tdsetup.exe	regsvr32.exe
PID 1356 wrote to memory of 4196	1356	tdsetup.exe	regsvr32.exe
PID 1356 wrote to memory of 4196	1356	tdsetup.exe	regsvr32.exe
PID 1356 wrote to memory of 2256	1356	tdsetup.exe	rundll32.exe
PID 1356 wrote to memory of 2256	1356	tdsetup.exe	rundll32.exe
PID 1356 wrote to memory of 2256	1356	tdsetup.exe	rundll32.exe
PID 2256 wrote to memory of 2280	2256	rundll32.exe	Mrup.exe
PID 2256 wrote to memory of 2280	2256	rundll32.exe	Mrup.exe
PID 2256 wrote to memory of 2280	2256	rundll32.exe	Mrup.exe

C:\Users\Admin\AppData\Local\Temp\74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\74bc06afcc8fb802c5eeee61f2b01424_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3880

C:\Users\Admin\AppData\Local\Temp\setup.exe
C:\Users\Admin\AppData\Local\Temp\\setup.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3732

C:\Users\Admin\AppData\Local\Temp\sna.exe
C:\Users\Admin\AppData\Local\Temp\\sna.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4576

C:\Users\Admin\AppData\Local\Temp\tdsetup.exe
C:\Users\Admin\AppData\Local\Temp\\tdsetup.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1356

C:\Windows\SysWOW64\regsvr32.exe
regsvr32 "C:\Program Files (x86)\DeskAdTop\deskipn.dll" -s
3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4196

C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe "C:\Program Files (x86)\DeskAdTop\Run.dll" ,Rundll
3⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2256

C:\Program Files (x86)\DeskAdTop\Mrup.exe
"C:\Program Files (x86)\DeskAdTop\Mrup.exe"
4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Windows\SysWOW64\ntfis.exe
C:\Windows\SysWOW64\ntfis.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DeskAdTop\Mrup.exe

Filesize
24KB

MD5
8745c4c253f75e6b12f950eee825c720

SHA1
a695f4d8bfb5f02b578916e31dd8c25d812cf6d7

SHA256
c0865a3b6c45d600fa04a0cadb92277f2b51a70c477c15ec1a9a8ea415a87b8a

SHA512
98dbcdc0b579309ad40976ebee7246c7b03175bca32e37c80d108f766e576c1959f295c1adb7fc2ef35c12e460df820007762105f5d09ee979a9410ea0f4b399

Download Submit
C:\Program Files (x86)\DeskAdTop\Run.dll

Filesize
100KB

MD5
157f5fab137c377e35435ca54c81342b

SHA1
ee8f3c010edd4c9372d081bf2d4299c8377c81da

SHA256
3a4917128c9eed22a75558e637df27d9b1d78dbf7830133fe3c3da18cd21c13f

SHA512
dd0e363e6852766b0a01b76f587a4a741b0b65cf4c93a670b076e472ed25744ca86320de0c11bcf8b07dc54a03fec94b5f5aa47bad630117db3bfc0fd946fe34

Download Submit
C:\Program Files (x86)\DeskAdTop\deskipn.dll

Filesize
32KB

MD5
dcafc4fd75a69079384ed570dc534f11

SHA1
087a8eebccc450155282cb07b8338907504a6eed

SHA256
43e317a3c1cb4f4239eb685d14e38be7bde4413eb09c5e5903c078fcc81dc68c

SHA512
3bd03e87d98a7e735f04d164fd753a01e837134fc960273f2479ba01a0bcff02241ee3d81350c88df659d78da161155d60cc77afd9c5bb19d8177e1645e52663

Download Submit
C:\Program Files (x86)\DeskAdTop\fshook.dll

Filesize
28KB

MD5
cecd38d3777d9332d23f6c55f89b33b5

SHA1
a798242c512ba0c0d821f028dce26f5b98f0ac97

SHA256
a5ac8f7cbc068487f761462af28313bc9a48fd3cc3bd042dca0d0a6d2f54ce9b

SHA512
b2da9ce6321bb3c27863c4b88689e343c470b5b87a88767f4194e66be8fcc9d36a2e4322612e2db80e0c8d44794c9c059193569aa207f4c562152c1fc630b1cd

Download Submit
C:\Program Files (x86)\DeskAdTop\ip.dat

Filesize
24B

MD5
0d87d522011c4c250f60a3fa4e744310

SHA1
e05367920ee8681b2a3ac42db2137b105b090d6f

SHA256
95d50984688698344c925332224fe99578d1064df44d3b5df3169a0167be6515

SHA512
e85f668da0419020e1f9bb00f34fbe29295e7fc0f995edf66f69e3ea5243ceb7260317d0d464056bfd95668f12d03d277fa86bfc4aac70564d2f9ce0387b896e

Download Submit
C:\Program Files (x86)\DeskAdTop\sinfo.ini

Filesize
135B

MD5
c26bde1ed5371fae0d0edcaaf9cca068

SHA1
3e053fa3dff335541359248d0cf3bddd80cfc2e1

SHA256
1bba2c003e4e24ddd3f8ab5b8aebba2715db4a88b8c3d6fee5968c4498ab4629

SHA512
705f6e872ea648f05a39fae05b195b9a589af86cbff1ce649dba39efc45ab1a071768a0eb093f6c0055987375f17adc6d4f2d237a28e937e22a71dc007c6eab2

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.exe

Filesize
484KB

MD5
45b27b8341ef36cde36cf74416c90ba8

SHA1
a6f85ab8ec9326b94613fe15b4909dd255d2ee13

SHA256
d335b9302e9b466815cc1c128316dadae246e9759070e34cb1ecc9c8f749313b

SHA512
03cfed97c931bc8fa6d9534e1a42da61692db1776a8a3155c27f776e42397dbb937ce4d125f766ab2f089d134db378b34b78f7aa6dfe7fa4eac6db2062212079

Download Submit
C:\Users\Admin\AppData\Local\Temp\sna.exe

Filesize
54KB

MD5
a6c4df92b7dfa426ceca14210759d175

SHA1
c804ca009fd94ee059fb4af305e7375759dba81a

SHA256
6f969d0fe34c8873e4130b5b85b8c8810faadf18068d4aeaeccc199a5b132224

SHA512
4aae93b251b9df0d71e693ac8981178f50ee27f44219d6a4d11f13134828373ce120a86f9eaf5cbe4e7da506943f10ad6fb1c6f0e3c0c44c50ee1a7a3b2ff3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdsetup.exe

Filesize
117KB

MD5
426a50013aca9bd57cee7cccf0097f6f

SHA1
e539c50a24e8d3cad614dbc317b97ff0b2ec2a8a

SHA256
a9294cc082eb2797c08e4de90fc730fe5867536867d90bea7d63382f5602c2d1

SHA512
96bf5e02e35228a71f330144617d4f71cff3c9fe0959e2614dc1ac823dd7b2966f5329219bd03c6d605f30cb164c5670017c4061fc5ccab72dba28367e96de8c

Download Submit
C:\Windows\SysWOW64\ntfis.exe

Filesize
408KB

MD5
4749bd76ab7e9eab2b29d5e9bea120aa

SHA1
3bd6130d80dc1869afb2cdc871ea43aa969d79c5

SHA256
23ee3930e748b7fd6e786cbc6f578675a01e725d86e4e4205aa1cc4b8d25f261

SHA512
a95ab7302d9205d84c3d35b6c5480e1b825ef0c54c27bf95b8d04547d78aa3a56b3e88ccf9ed53109b2208534e6795c89fb7a3a0f7dff472337acc32013c50b2

Download Submit
C:\Windows\SysWOW64\sbvw.ll

Filesize
6KB

MD5
5fe859f2d13cacd55135a14bf57dd445

SHA1
679237dc33ecceb6623b996fa973bba8d5d736e5

SHA256
598c1c3135c43eeea1c6028ced92b6a7c3ad1cb88149555a5c3a70b8d1bd8a7c

SHA512
085129a140f00acb6397cc4563552fdd5f75f5355d383c5afe373d9664c879832738412eba4c6448e5a1e8f4866d4aa4e412df031e9d49f4faad87ad4bb3b306

Download Submit
memory/3880-0-0x0000000000400000-0x00000000004DB040-memory.dmp

Filesize
876KB

Download
memory/3880-138-0x0000000000400000-0x00000000004DB040-memory.dmp

Filesize
876KB

Download
memory/3880-139-0x0000000000400000-0x00000000004DB040-memory.dmp

Filesize
876KB

Download
memory/4576-47-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/4576-132-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download