3b7a5c14922d4edac24abd637820a3dc8ecbf48d6331448a80c0ecc271320f9b

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 00:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

a088bef64e630bdb7d4604346ecafe9b_JaffaCakes118.exe
Size

6.9MB
MD5

a088bef64e630bdb7d4604346ecafe9b
SHA1

701d19763f78c62865cb241be109fb2da934a210
SHA256

3b7a5c14922d4edac24abd637820a3dc8ecbf48d6331448a80c0ecc271320f9b
SHA512

a02fff3295de411a9ddd5a703eb7e357f1de3eacd4ad6fe644a1fb61dd91ef5ea61abe56dcd909bc1358b2cc46a8458aa3d42b56194a048b8c292c79f20163d1
SSDEEP

196608:qcSt+pjt1N51cGZZTm3nutrdCcMys4cds:FW+pZz51hTm+Nzs4cO

Score

7^/10

aspackv2 discovery upx

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0007000000016ceb-38.dat	aspack_v212_v242

Executes dropped EXE 5 IoCs

pid	Process
2696	_inst.exe
2372	Setup.exe
2028	IKernel.exe
1236	IKernel.exe
2804	iKernel.exe

Loads dropped DLL 35 IoCs

pid	Process
2632	a088bef64e630bdb7d4604346ecafe9b_JaffaCakes118.exe
2632	a088bef64e630bdb7d4604346ecafe9b_JaffaCakes118.exe
2696	_inst.exe
2696	_inst.exe
2696	_inst.exe
2696	_inst.exe
2696	_inst.exe
2372	Setup.exe
2372	Setup.exe
2372	Setup.exe
2372	Setup.exe
2028	IKernel.exe
2028	IKernel.exe
2028	IKernel.exe
1236	IKernel.exe
1236	IKernel.exe
1236	IKernel.exe
1236	IKernel.exe
1236	IKernel.exe
1236	IKernel.exe
1236	IKernel.exe
1236	IKernel.exe
1236	IKernel.exe
1236	IKernel.exe
2804	iKernel.exe
2804	iKernel.exe
2804	iKernel.exe
1236	IKernel.exe
2372	Setup.exe
1236	IKernel.exe
1236	IKernel.exe
1236	IKernel.exe
1236	IKernel.exe
1236	IKernel.exe
1236	IKernel.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2632-0-0x0000000000400000-0x0000000000424000-memory.dmp	upx
behavioral1/memory/2632-98-0x0000000000400000-0x0000000000424000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iusef70c.rra	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\IScript\IScrf798.rra	IKernel.exe
File opened for modification	C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\corecomp.ini	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objef6fc.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILogf69e.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctorf6dd.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\IScript\IScript.dll	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\temp.000	Setup.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\coref6dd.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\corecomp.ini	IKernel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IKernel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iKernel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a088bef64e630bdb7d4604346ecafe9b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	_inst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IKernel.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\ = "ISetupFileErrors"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\ = "ISetupWindowImage"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}	iKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2583251F-0A04-11D3-886B-00C04F72F303}\ = "ISetupBasicFeatureStateEvents"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4FF39B9-1A05-11D3-8896-00C04F72F303}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0\FLAGS	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\LocalServer32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0\0\win32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptDriverWrapper.1	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}\VersionIndependentProgID\ = "Setup.User"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\InstallShield\\engine\\6\\Intel 32\\iuser.dll"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8c3c1b17-e59d-11d2-b40b-00a024b9dddd}	iKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C4AAC3B1-C547-11D3-B289-00C04F59FBE9}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54DADAB3-28A6-11D3-88BA-00C04F72F303}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\ = "ISetupObjectReboot"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.User.1\CLSID	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{761C8359-55AF-4E7B-9C83-C1A927E0F617}\ = "ISetupMedia2"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\ = "ISetupLogDB2"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{112EB4F0-5A48-11D3-A90A-00105A088FAC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B16-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{348440B0-C79A-11D3-B28B-00C04F59FBE9}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\0	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D4FF39BB-1A05-11D3-8896-00C04F72F303}\ = "ISetupTypes"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{39040274-3D36-11D3-88EE-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\ = "ISetupObjectReboot"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptEngine\CLSID\ = "{E7D06080-238B-11D3-80D7-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2061-CB55-11D2-8094-00104B1F9838}\ = "ISetupObjects"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65D37452-0EBB-11D3-887B-00C04F72F303}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{61892D50-28EF-11D3-A8FF-00105A088FAC}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3EDC2C10-66FE-11D3-A90F-00105A088FAC}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DED1EA29-3F89-11D3-BBB9-00105A1F0D68}\1.0	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{91814EC0-B5F0-11D2-80B9-00104B1F6CEA}\LocalServer32	iKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B12-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	IKernel.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2696	2632	a088bef64e630bdb7d4604346ecafe9b_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2696	2632	a088bef64e630bdb7d4604346ecafe9b_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2696	2632	a088bef64e630bdb7d4604346ecafe9b_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2696	2632	a088bef64e630bdb7d4604346ecafe9b_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2696	2632	a088bef64e630bdb7d4604346ecafe9b_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2696	2632	a088bef64e630bdb7d4604346ecafe9b_JaffaCakes118.exe	30
PID 2632 wrote to memory of 2696	2632	a088bef64e630bdb7d4604346ecafe9b_JaffaCakes118.exe	30
PID 2696 wrote to memory of 2372	2696	_inst.exe	31
PID 2696 wrote to memory of 2372	2696	_inst.exe	31
PID 2696 wrote to memory of 2372	2696	_inst.exe	31
PID 2696 wrote to memory of 2372	2696	_inst.exe	31
PID 2696 wrote to memory of 2372	2696	_inst.exe	31
PID 2696 wrote to memory of 2372	2696	_inst.exe	31
PID 2696 wrote to memory of 2372	2696	_inst.exe	31
PID 2372 wrote to memory of 2028	2372	Setup.exe	32
PID 2372 wrote to memory of 2028	2372	Setup.exe	32
PID 2372 wrote to memory of 2028	2372	Setup.exe	32
PID 2372 wrote to memory of 2028	2372	Setup.exe	32
PID 2372 wrote to memory of 2028	2372	Setup.exe	32
PID 2372 wrote to memory of 2028	2372	Setup.exe	32
PID 2372 wrote to memory of 2028	2372	Setup.exe	32
PID 1236 wrote to memory of 2804	1236	IKernel.exe	34
PID 1236 wrote to memory of 2804	1236	IKernel.exe	34
PID 1236 wrote to memory of 2804	1236	IKernel.exe	34
PID 1236 wrote to memory of 2804	1236	IKernel.exe	34
PID 1236 wrote to memory of 2804	1236	IKernel.exe	34
PID 1236 wrote to memory of 2804	1236	IKernel.exe	34
PID 1236 wrote to memory of 2804	1236	IKernel.exe	34

C:\Users\Admin\AppData\Local\Temp\a088bef64e630bdb7d4604346ecafe9b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a088bef64e630bdb7d4604346ecafe9b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\_inst.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\_inst.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\PP0\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\PP0\Setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe
      "C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe" -RegServer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2028

C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe
C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\IKernel.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1236
- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
  "C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\COMMON~1\INSTAL~1\engine\6\INTEL3~1\corecomp.ini

Filesize
27KB

MD5
243e31cac3a47d88aaf039c698928247

SHA1
ec1913f97c61d51f879374dbdb0b91bb82c38854

SHA256
a841b2a687122c08e28440c29efe7be222cc9883a6c368747172a222d930a3da

SHA512
c279faf68b41b800442c374efc9a6c715aa05143837b5355d3b85565567b15037b3af10f25b0bb474909b45bbfa69c2e18ca9cc409aeb4f153aea3ec5520e518

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\IKernel.exe

Filesize
600KB

MD5
b3fd01873bd5fd163ab465779271c58f

SHA1
e1ff9981a09ab025d69ac891bfc931a776294d4d

SHA256
985eb55ecb750da812876b8569d5f1999a30a24bcc54f9bab4d3fc44dfedb931

SHA512
6674ab1d65da9892b7dd2fd37f300e087f58239262d44505b53379c676fd16da5443d2292aeaae01d3e6c40960b12f9cac651418c827d2a33c29a6cdf874be43

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\DealerInst.ini

Filesize
422B

MD5
788cbce0781bc9a8797584ca67317d4d

SHA1
1427e63f133cd23f7c0ca76c636d77615aa3bd19

SHA256
04c0337886088d8795c999585a48e961eab08c23baaf52afae94022ba4dcac0c

SHA512
7eac6e59eea64dd99436946da4193da51ce02ad330034cc5d81cfe96d97190d7129df898e688fdd9cb7ec3afaee6cdf269570f0490f9651fa4cc1eee06a0918f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe

Filesize
35KB

MD5
cd55183dd93890a06bc73944c84c86fb

SHA1
194d1b27dd4e376d9748bf37640e03494fb73887

SHA256
20b0c376813a4dac5387e48d504aed1dd5380ae11ea0e4eab05df81cd0bf0d53

SHA512
dd0258bd8d5abbeb4203f56361c5b0ea338e7b0331632b6bbe1d3f62759f111e9a9c83b33228a9113250e805b7638fbd4717931128e8a970289399b35df39011

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.ini

Filesize
150B

MD5
b2902258c926fde375cc8caaa5fdc895

SHA1
284bbe3d5084ff23ba6012f807ed67c2e57b1281

SHA256
d14c82929e09500bdc9086cbf91cf02afcf7cba7e6422e3ee629c8f7fba4d66d

SHA512
364da074be8833cc3572ea5eebec02d0ca4f5d6cbe0c2bb7bc1894f4e8eeb829c7551065135efe67f6d761adb56b9fc500bbbd6581a5983d8e682d0dfc9b0e5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data1.cab

Filesize
517KB

MD5
299916882d7a8a2640b810ee673cc540

SHA1
ec8e1ea1f38115c040a81d546b2896e868c01bbe

SHA256
fa83d8d61a3043f87c8a5bdd2d10f8414210efd2b985db2d08630e5a17f6d7e8

SHA512
f7e8b653ba43f1030581ae8bb409f0c9729bf4c77a8d2120b08641d283e3a215a026f3f46245dcc5b260720f9f1b31684e9ee9b61edafd3fc97a5556842864b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data1.hdr

Filesize
29KB

MD5
6b494d98b4a72d890b90d972a82ba16e

SHA1
98649821eb8f0948410188328d9b6bbb55dc2b34

SHA256
3e4361866ca5d9f077bf84013ea489622436269c3ce75e9c167c1bf94081b8b0

SHA512
aa5dd5cc7527ee8976766fd9cbfce2aeef96324844db87816403d90a1d41e6fcbf108f22bf4d6c3af92d163ba3eee28ea6c3f1cf637f768768c9da06d28e2173

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\data2.cab

Filesize
5.8MB

MD5
2ef6b9f4102404b1dd9bdd756c7d93ee

SHA1
51e21d12fad0f76fecb80d7f9e054526df95d311

SHA256
d54a67dadcf936b3df6b244928e575e62c16bdd2b5877802523e08ff73b8ac36

SHA512
790dba52bef4b0813227073521308bd1da3b78a0ae4292308e24e6925a9457c27f08a3cd9b009e1214a28cb4230bfae775f91022832c535ec0580bf3c4481e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\id.lst

Filesize
40B

MD5
cf634232a67a57e25d3d456c83a6fb29

SHA1
19736826d3a6fa094382e85d01545ce949c6a8ea

SHA256
281aca601ea01c0cdc592b374929cf0bea15085fb88481787dd17b32dd45e70d

SHA512
7e9e976769db25c4487ae6a7b5a7f41562f7eeb6694d3591dd1cd7db53a62811d3f54610c868d104fca3f3a694389ef7f003947548e59669994101da727fc6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ikernel.ex_

Filesize
338KB

MD5
93b63f516482715a784bbec3a0bf5f3a

SHA1
2478feca446576c33e96e708256d4c6c33e3fa68

SHA256
fbf95719b956b548b947436e29feb18bb884e01f75ae31b05c030ebd76605249

SHA512
2c8f29dda748e21231ab8c30c7a57735104b786120bb392eb1c20a320f2dddde392d136fd0c70853bb9af851bbe47df2955d8f9d5973b64870ac90bd12d2dd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\layout.bin

Filesize
416B

MD5
c392d3d6fc862c16173fe7b6262aea9c

SHA1
07e68a115a752e594eb7ed107fc25639440c97b5

SHA256
02b29dfbd2a0fea444f9e64ef5c0da580302fd5d8fce6e3c6044862cd862ce9f

SHA512
310bbc832b6d098164c32c741a3161c664fc508384112b4e6ef78e472387f0cfd783e37a2bd9efd9365c7483cd1e0298567f7520655a3cad4e9d0fb4f728df1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\licenseagreement.txt

Filesize
4KB

MD5
f2dd87ae3c852e11553ac8fcb34850a3

SHA1
2429d4fc8772a04d132c88f13f72099c536fb925

SHA256
1c9454e726ccbaa9ab98884a77d7b1951085f8407f4bb158dbf24c70d9eb9723

SHA512
e4c98f74c5caf227cbe5e1f881f46d06ef2f4ca1488b2d469adda88a18e149b9f1f68e0be3abe472e48c58baff7229a00c6ad11ce2945b7c674214ba5269de38

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\logo.bmp

Filesize
154KB

MD5
6003423cafb7ce0af1129abb68b0ca20

SHA1
efd7ef6e4ae0df21aaacc78aa7da84bf7f00701d

SHA256
9b547dca642394f770c66a927760be5b2f4289c74c7b00c341631151f361d699

SHA512
f5449933a3b81a6b54ced8eedf7b78b31bca320a165dd484127277b723ddba1b4b4b2c7e88e0161127062481c09541d114c94d61f7bebe40790ca62bff183246

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\logo.gif

Filesize
2KB

MD5
662ee3775d31ed378d55b8f1ce944eb4

SHA1
f530a9a8324842f0fd9e138ff5eb253d3fcb9678

SHA256
00a3be7ca8f119570c232657350017619f89f9a4c9c46fa77bdf8540cbaf0fd5

SHA512
e8ab244ff76f3f8daf1c7a32ea11ce4e8428c9a5c02136483b988480f2a2e3192511db6eebfc2a180529d6b04cf9d4edfd8f03ab34c89d4e01a7c468bdb3f80d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\program.ico

Filesize
76KB

MD5
9f27b1fb093edb99c9c3b558c9476d69

SHA1
755825d9d0c9002099bd7a5e8b0b46f8fc31abcd

SHA256
59b5c4cef101d35b5de97acb17ad35c9d780af3ef450182fa4a359fef5491035

SHA512
96efe3280174d65b3505561088c8fe57df96dda0a478b423ebd6654a918117d0a49f6bde1442e9fb15a9de9ccb3866010b75ba053e68492f3bbf2f0e6dc903ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.bmp

Filesize
187KB

MD5
e1f87d2ecc1ea9fa43331090d5f3fc8f

SHA1
48202ac5501048d278d4e5a3a6b4190b44726a29

SHA256
0088bd557c70b274c8d5da7e19984f808c4bd4bb09f8260fec38eb92240337e7

SHA512
b7e686631619421ea09d2759388b830a125608df7617a066154fce046a72f2ebcf432eebaebc568dd6477ec67a3c76f4de8f5113d4969c7fb51edebf35b8a128

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\setup.inx

Filesize
130KB

MD5
826e7617cd0c8e4b2f6611a069f94d82

SHA1
df2398847acbcb851f818fea9c2d1c710695adcb

SHA256
35e955b7c675504d83fec83b312d8dcfdba43023e441e85d9110f8565f586caa

SHA512
01a8f2c119dccc80a542fd0abaa18fde12b354433b33ccedaeae9c3ce0da0b089e91d5f6e4e7a8a68f9b6984892b6f20b208dbac51b358d503a00a43535f99eb

Download Submit
\Program Files (x86)\Common Files\InstallShield\IScript\IScript.dll

Filesize
220KB

MD5
b2f7e6dc7e4aae3147fbfc74a2ddb365

SHA1
716301112706e93f85977d79f0e8f18f17fb32a7

SHA256
4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1

SHA512
e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83

Download Submit
\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ILog.dll

Filesize
208KB

MD5
a2b4718bb69d081202af2aa317dc0c0b

SHA1
4f95adf0393890b36d6b06a0dd153506b4cd39b2

SHA256
69d84c8fe49021c1fd4e3e1678090c0517d753176ad74dbee25c053528373fb0

SHA512
d46062f756d9c128acf354a075ca82d39831b85145c94e9a816e5e2c09e5070f445f69abd2bc6028c6c45238a897fc93d7ac05d513286afb37492e938291e618

Download Submit
\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll

Filesize
76KB

MD5
003a6c011aac993bcde8c860988ce49b

SHA1
6d39d650dfa5ded45c4e0cb17b986893061104a7

SHA256
590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a

SHA512
032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7

Download Submit
\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll

Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll

Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\_inst.exe

Filesize
147KB

MD5
b86f240eb1ddb87b274aaaf187d0990b

SHA1
914ff8fff06b2e21a5b1c92dfc469cd30af641f3

SHA256
dff41229e0a9cb1ab9b7d3ec29d216a0d177fe101f0ea7df896a198570f3d1a0

SHA512
612a5de8becb892217d5573acf5205a7dc9d7571f7933fde1f971b812aa04cec864a1389d0f69b2cc698ab8cd0ca3085710e50ef7411489af853d4c8b6056294

Download Submit
\Users\Admin\AppData\Local\Temp\{6d9c83cb-07e8-11d5-b189-00e07d8b90c2}\isrt.dll

Filesize
304KB

MD5
f293796c3d21c70785973471d8acc129

SHA1
2c2a64bdb26c5f5ae4467b8fbf051a97e2c872cc

SHA256
f1d5b08d32931f70afec1a9cbd35757f393bbb01e015c7053d1fc3f3a3387e0e

SHA512
3a02143495087c1b8edc02fe83b0d4086c57f7b7fc28fedb5de9d7331098d72e5e909b2435e5707f622df00f2356829ff44f066005fce377b765e42c5e75e56d

Download Submit
memory/1236-186-0x0000000001F50000-0x0000000001F63000-memory.dmp

Filesize
76KB

Download
memory/1236-189-0x0000000003340000-0x0000000003378000-memory.dmp

Filesize
224KB

Download
memory/1236-194-0x0000000003380000-0x00000000033CF000-memory.dmp

Filesize
316KB

Download
memory/1236-197-0x0000000001FB0000-0x0000000001FDC000-memory.dmp

Filesize
176KB

Download
memory/2632-2-0x0000000000240000-0x0000000000264000-memory.dmp

Filesize
144KB

Download
memory/2632-1-0x0000000000240000-0x0000000000264000-memory.dmp

Filesize
144KB

Download
memory/2632-98-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2632-0-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2696-84-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download