df442bce7867eb04d2d05587dbdd7de144710d201ffb532156748a7f3bac8ff4

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27/07/2024, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe
Size

716KB
MD5

76a486a3ce83acdba53132f1ad857ae7
SHA1

e79f56abf817e54c2b44df025c5dfa592b950744
SHA256

df442bce7867eb04d2d05587dbdd7de144710d201ffb532156748a7f3bac8ff4
SHA512

f862aee17e78dc4863bcf58151a2ddaf15994072e7503cd443c8ec0ece1950adf455af4e5bf59b0d934338a78ec51ae6a4ab25d2f3370bfb375f47aabf974ecc
SSDEEP

12288:LrgNANdEly2170FRY7kq5rfE5DWcoRdXu7Z4Wp9CbYXUR8L:QIur17YNKfEB3oK4Wp9CbRu

Score

10^/10

bootkit discovery persistence upx

Malware Config

Signatures

Suspicious use of NtCreateProcessOtherParentProcess 10 IoCs

description	pid	Process	procid_target
PID 2844 created 1256	2844	RkRealTech.exe	21
PID 2844 created 1256	2844	RkRealTech.exe	21
PID 2844 created 1256	2844	RkRealTech.exe	21
PID 2844 created 1256	2844	RkRealTech.exe	21
PID 2844 created 1256	2844	RkRealTech.exe	21
PID 2844 created 1256	2844	RkRealTech.exe	21
PID 2844 created 1256	2844	RkRealTech.exe	21
PID 2844 created 1256	2844	RkRealTech.exe	21
PID 2844 created 1256	2844	RkRealTech.exe	21
PID 2844 created 1256	2844	RkRealTech.exe	21

Detected Nirsoft tools 6 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/memory/2856-42-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral1/memory/992-45-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral1/memory/2676-47-0x00000000001B0000-0x00000000001C5000-memory.dmp	Nirsoft
behavioral1/memory/2636-63-0x0000000000400000-0x0000000000415000-memory.dmp	Nirsoft
behavioral1/memory/2676-59-0x00000000001B0000-0x00000000001C5000-memory.dmp	Nirsoft
behavioral1/memory/2676-66-0x00000000001B0000-0x00000000001C5000-memory.dmp	Nirsoft

Deletes itself 1 IoCs

pid	Process
952	cmd.exe

Executes dropped EXE 9 IoCs

pid	Process
2856	RtkSYUdp.exe
992	RtkSYUdp.exe
2728	RtkSYUdp.exe
2568	RtkSYUdp.exe
2636	RtkSYUdp.exe
2212	RtkSYUdp.exe
1964	RtkSYUdp.exe
1912	RtkSYUdp.exe
2844	RkRealTech.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/852-0-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/files/0x0006000000019571-39.dat	upx
behavioral1/memory/2676-40-0x00000000001B0000-0x00000000001C5000-memory.dmp	upx
behavioral1/memory/2856-42-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/992-45-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/2568-54-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/2636-63-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/2676-66-0x00000000001B0000-0x00000000001C5000-memory.dmp	upx
behavioral1/memory/852-71-0x0000000000400000-0x00000000004B5000-memory.dmp	upx
behavioral1/memory/1964-74-0x0000000000400000-0x0000000000415000-memory.dmp	upx
behavioral1/memory/2676-72-0x00000000001B0000-0x00000000001C5000-memory.dmp	upx
behavioral1/memory/852-103-0x0000000000400000-0x00000000004B5000-memory.dmp	upx

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini	RtkSYUdp.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.ico	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\TaoBao\Ð¡ÓÎÏ·.ico	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\TaoBao\ÌÔ±¦.tmp	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\TaoBao\4399Ð¡ÓÎÏ·.tmp	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\RkRealTech.exe	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe
File created	C:\Windows\RtkSYUdp.exe	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtkSYUdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtkSYUdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtkSYUdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtkSYUdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtkSYUdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtkSYUdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtkSYUdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RtkSYUdp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\Wow6432Node\microsoft\internet explorer\version Vector	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe

Modifies registry class 46 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\ = "´ò¿ªÖ÷Ò³(&H)"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\ = "ÊôÐÔ(&R)"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\Command\ = "Rundll32.exe Shell32.dll,Control_RunDLL Inetcpl.cpl"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\InfoTip = "@shdoclc.dll,-881"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\DefaultIcon\ = "shdoclc.dll,-190"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\ÊôÐÔ\Command	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\DefaultIcon	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\Command	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open\Command\ = "IEXPLORE.EXE %w%w%w.93%119%15.%c%o%m"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ = "lnkfile"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\LocalizedString = "@shdoclc.dll,-880"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder\Attributes = "0"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{CABB0DA0-DA57-11CF-9974-0020AFD79762}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{FBF23B80-E3F0-101B-8488-00AA003E56F8}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellEx\{000214EE-0000-0000-C000-000000000046}\ = "{00021401-0000-0000-C000-000000000046}"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.1nk\ShellNew\Command = "rundll32.exe appwiz.cpl,NewLinkHere %1"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\ShellFolder\	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ = "InternetShortcut"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{000214F9-0000-0000-C000-000000000046}\ = "{FBF23B40-E3F0-101B-8488-00AA003E56F8}"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{27AEF9E8-663F-0757-829C-A93675896E86}\Shell\Open	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\PersistentHandler	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ur1\ShellEx\{00021500-0000-0000-C000-000000000046}	regedit.exe

Runs regedit.exe 12 IoCs

pid	Process
1812	regedit.exe
1732	regedit.exe
904	regedit.exe
2596	regedit.exe
2012	regedit.exe
1780	regedit.exe
1248	regedit.exe
2444	regedit.exe
1508	regedit.exe
2316	regedit.exe
2384	regedit.exe
328	regedit.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe
852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe
852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe
852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe
2844	RkRealTech.exe
2844	RkRealTech.exe
2844	RkRealTech.exe
2844	RkRealTech.exe
2844	RkRealTech.exe
2844	RkRealTech.exe
2844	RkRealTech.exe
2844	RkRealTech.exe
852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe
2844	RkRealTech.exe
2844	RkRealTech.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe
852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 2316	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	31
PID 852 wrote to memory of 2316	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	31
PID 852 wrote to memory of 2316	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	31
PID 852 wrote to memory of 2316	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	31
PID 852 wrote to memory of 2700	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	32
PID 852 wrote to memory of 2700	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	32
PID 852 wrote to memory of 2700	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	32
PID 852 wrote to memory of 2700	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	32
PID 852 wrote to memory of 2384	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	34
PID 852 wrote to memory of 2384	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	34
PID 852 wrote to memory of 2384	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	34
PID 852 wrote to memory of 2384	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	34
PID 852 wrote to memory of 2716	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	35
PID 852 wrote to memory of 2716	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	35
PID 852 wrote to memory of 2716	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	35
PID 852 wrote to memory of 2716	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	35
PID 852 wrote to memory of 2676	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	37
PID 852 wrote to memory of 2676	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	37
PID 852 wrote to memory of 2676	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	37
PID 852 wrote to memory of 2676	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	37
PID 2676 wrote to memory of 2856	2676	cmd.exe	39
PID 2676 wrote to memory of 2856	2676	cmd.exe	39
PID 2676 wrote to memory of 2856	2676	cmd.exe	39
PID 2676 wrote to memory of 2856	2676	cmd.exe	39
PID 2676 wrote to memory of 992	2676	cmd.exe	40
PID 2676 wrote to memory of 992	2676	cmd.exe	40
PID 2676 wrote to memory of 992	2676	cmd.exe	40
PID 2676 wrote to memory of 992	2676	cmd.exe	40
PID 2676 wrote to memory of 2728	2676	cmd.exe	41
PID 2676 wrote to memory of 2728	2676	cmd.exe	41
PID 2676 wrote to memory of 2728	2676	cmd.exe	41
PID 2676 wrote to memory of 2728	2676	cmd.exe	41
PID 2676 wrote to memory of 2568	2676	cmd.exe	42
PID 2676 wrote to memory of 2568	2676	cmd.exe	42
PID 2676 wrote to memory of 2568	2676	cmd.exe	42
PID 2676 wrote to memory of 2568	2676	cmd.exe	42
PID 2676 wrote to memory of 2636	2676	cmd.exe	43
PID 2676 wrote to memory of 2636	2676	cmd.exe	43
PID 2676 wrote to memory of 2636	2676	cmd.exe	43
PID 2676 wrote to memory of 2636	2676	cmd.exe	43
PID 2676 wrote to memory of 2212	2676	cmd.exe	44
PID 2676 wrote to memory of 2212	2676	cmd.exe	44
PID 2676 wrote to memory of 2212	2676	cmd.exe	44
PID 2676 wrote to memory of 2212	2676	cmd.exe	44
PID 2676 wrote to memory of 1964	2676	cmd.exe	45
PID 2676 wrote to memory of 1964	2676	cmd.exe	45
PID 2676 wrote to memory of 1964	2676	cmd.exe	45
PID 2676 wrote to memory of 1964	2676	cmd.exe	45
PID 2676 wrote to memory of 1912	2676	cmd.exe	46
PID 2676 wrote to memory of 1912	2676	cmd.exe	46
PID 2676 wrote to memory of 1912	2676	cmd.exe	46
PID 2676 wrote to memory of 1912	2676	cmd.exe	46
PID 852 wrote to memory of 2844	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	47
PID 852 wrote to memory of 2844	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	47
PID 852 wrote to memory of 2844	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	47
PID 852 wrote to memory of 2844	852	76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe	47
PID 2844 wrote to memory of 328	2844	RkRealTech.exe	49
PID 2844 wrote to memory of 328	2844	RkRealTech.exe	49
PID 2844 wrote to memory of 328	2844	RkRealTech.exe	49
PID 2844 wrote to memory of 328	2844	RkRealTech.exe	49
PID 2844 wrote to memory of 328	2844	RkRealTech.exe	49
PID 2844 wrote to memory of 904	2844	RkRealTech.exe	50
PID 2844 wrote to memory of 904	2844	RkRealTech.exe	50
PID 2844 wrote to memory of 904	2844	RkRealTech.exe	50

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\76a486a3ce83acdba53132f1ad857ae7_JaffaCakes118.exe"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Runs regedit.exe
    PID:2316
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2700
- - C:\Windows\SysWOW64\regedit.exe
    C:\Windows\regedit.exe /s C:\Users\Admin\AppData\Local\Temp\bbhhhik.tmp
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Runs regedit.exe
    PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$edbs.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\."
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2856
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\.."
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:992
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\desktop.ini"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      PID:2728
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\GOOGLE~1.LNK"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2568
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\LAUNCH~1.LNK"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2636
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\SHOWSD~1.LNK"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2212
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\USERPI~1"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1964
  - - C:\Windows\RtkSYUdp.exe
      C:\Windows\RtkSYUdp.exe filldelete "C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\WINDOW~1.LNK"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1912
- - C:\Windows\RkRealTech.exe
    C:\Windows\RkRealTech.exe \??\C:\Windows\regedit.exe 1256 C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp
    3⤵
    - Suspicious use of NtCreateProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:952
  - - C:\Windows\SysWOW64\reg.exe
      reg delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1944
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:328
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:904
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:2596
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:2012
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1812
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1780
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1248
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:2444
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1732
- \Windows\SysWOW64\regedit.exe
  2⤵
  - Runs regedit.exe
  PID:1508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$RAVSING.bat

Filesize
361B

MD5
ee6683d37b35aefab668378230f6e956

SHA1
a0aa06d7d10963af58b44ddee5f8c177ff061917

SHA256
fb8e749b925ec65d3844e7ee48055fa6375b9fe988169fa8135ecb277452c2e2

SHA512
7ca13b1ef07a4763406aaac8a841baafd3a1054dbdd1b3a51a1a1f2a8247d47f17ce826e8ebe2468ed0d3399c7634452d89a6a99e8ab3eeec9653614ae8f33c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$dmsf.bat

Filesize
653B

MD5
fcdf1b61a26c9b4db509a2ccb1034892

SHA1
1029e10d4feb1ce86be9667f1f2a2de488b2c76c

SHA256
3bd1a36f11a40848697a6f4991409687ceb91a92f76e0d0faea7ea860f40c591

SHA512
c65af3938d2d33f3d0c13748a42f060fee681db1828787a656d67b26706d0161cbebf60c16bd0e2a48b228f217a4d08cfcc2469fc12377e35e5f287c626e490e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$edbs.bat

Filesize
59B

MD5
0cf180f20e716094bef34db0f1a39a04

SHA1
f8e9da5d8eaf347b240a77c6a9c4f494d4fc351b

SHA256
2a72298ec1d957d1d225aec50a4e6e32c5dec2f2645f25e580304e5c7ae5bb26

SHA512
a471fee35dfc685effb46fcc37d47d7210fad3fdba7cb5342b13e11f95ae7690e4053b3399bca6da7546015a479ce55a301c6934be8bab7ec9eae5aece8bdb3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$rcqi.bat

Filesize
1KB

MD5
5ed245d923fd9fa2d236979980bf54e6

SHA1
0c8939062da21c2db98575ad1e5fb03d7fa4ab28

SHA256
84d64538b8d83661d0e985a5bdb6c498264fc225e95b38ef34c1d5b43ac415f9

SHA512
2e2b5ab76bc8a3c2c6a03a9b68e68e284042e495421d179548c1622e221d303987c884a44b0da50a2573ec8e4a38fda990c307c3950a60d221f1387d00cc5b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10943.tmp

Filesize
142B

MD5
1722b85f05faa97e09cc1d98002d0711

SHA1
0a2ec5d60f6c8af838fc004e8fbb0b436437887f

SHA256
2c428a167d8dabe9b4e4e821f5d56333962208ef44bc0becbf9c968f1e583e21

SHA512
40393e3b6f958a2b0303810ba3653f55b18ff22439df78487752c92cbe0a510120b2a078b31805980ae2ceaa4465674bfc2ce03803988481fd633e2b9c3ca3b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\$rar10987.tmp

Filesize
1KB

MD5
185038ec1cc9a69a109726c8989e4cf5

SHA1
bfb62037297e8533e5f3940a32fb9505acf4fe26

SHA256
48ccff6cd96445619998a70fad77f5e655a9d146b93d0d160656619728c4e727

SHA512
bb0065a36a9bc48199943b21f3c3f10916fd15aa54201513f344464d962b5e6339e1df1b932043a914a662631f842a2f3b7a2c6e8c4e414567c5ea8ac9950391

Download Submit
C:\Users\Admin\AppData\Local\Temp\IEXPLORE.tmp

Filesize
1KB

MD5
4c45ad2c0ec57cad14fe8c633d1424e2

SHA1
c7d8d353b536b1181eca9f1ddbdaad1657ea3b54

SHA256
359cb352387bc8fb7bec9b7a54107b6bc578820dc42cd055fbed4f10aa74b58a

SHA512
26cb3ff94160f658af19b78979807a66a63202451c3cc16bf565ec94c0da9b87d714ef2dd8d4ed19c70f8cae2f3b4da9c705a0bf88d8f204ebeb657fb4e1f784

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbhhhik.tmp

Filesize
3KB

MD5
25db315b7c4e03440fc39a45d0e696f4

SHA1
e676a65ddced682543871402c65745615866813b

SHA256
afebbcbfd45e044083133fd2f575f9cee59dbff403ae376b2d2307a89b97a26c

SHA512
d10afe733da4f6c33e2859078ca307e40cf15c0e2ddde9e48b8cb3962491cc73e6b47d2fb98c56d233bef268cf1d45ac68d5835885a8b5395ee4b0c6dd0ad3d4

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\INTERN~1\QUICKL~1\Window Switcher.lnk

Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
C:\Windows\RkRealTech.exe

Filesize
92KB

MD5
2c6bda6cb518fff6cc540632b797903a

SHA1
929402ee3000c149e554d77af68466ebf32a3eeb

SHA256
ad1bb9f8bb54682158a05514e35193114217ef1dc5eb6d5902652af5cd151c8e

SHA512
fc8364cae5674ccb022bc8a44bf63222dcef3a57d3ca0df1923222669044150cdb2077d148868408980fe5b352c72b6eef1c222b1a9eefecb54d2293dc968765

Download Submit
C:\Windows\RtkSYUdp.exe

Filesize
30KB

MD5
d0cd586c5c857850a188e778b971f25a

SHA1
3f584fd89e41151c389b4701d876d2bdd2885fc2

SHA256
2f6cd2ed9806a09fecce1f96cd5b3f77fc0339ddbbb4c31aab25e85fd3f268eb

SHA512
995f539c7163e0e49c7cc4687dd29dac4ac88501410d8c9935f99d993b14bf5fe349cdcdc9f61d4f308c280536b54f54ae7d041565c73a2340881f68e7b2c41c

Download Submit
memory/852-103-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/852-71-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/852-1-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/852-77-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/852-0-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/992-45-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1964-74-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2568-54-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2636-63-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2676-66-0x00000000001B0000-0x00000000001C5000-memory.dmp

Filesize
84KB

Download
memory/2676-59-0x00000000001B0000-0x00000000001C5000-memory.dmp

Filesize
84KB

Download
memory/2676-73-0x00000000001B0000-0x00000000001C5000-memory.dmp

Filesize
84KB

Download
memory/2676-60-0x00000000001B0000-0x00000000001C5000-memory.dmp

Filesize
84KB

Download
memory/2676-72-0x00000000001B0000-0x00000000001C5000-memory.dmp

Filesize
84KB

Download
memory/2676-47-0x00000000001B0000-0x00000000001C5000-memory.dmp

Filesize
84KB

Download
memory/2676-48-0x00000000001B0000-0x00000000001C5000-memory.dmp

Filesize
84KB

Download
memory/2676-49-0x00000000001B0000-0x00000000001C5000-memory.dmp

Filesize
84KB

Download
memory/2676-40-0x00000000001B0000-0x00000000001C5000-memory.dmp

Filesize
84KB

Download
memory/2856-42-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download