d07a8d0059e78fc119c07e9c57edda973499f58f2df8fadeb11e0bede4721c6b

Analysis

max time kernel
140s
max time network
123s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
Size

6.7MB
MD5

a12f2f109381a860bd834f723551d2b8
SHA1

0864808c4782659d3608987e490151aa08a92582
SHA256

d07a8d0059e78fc119c07e9c57edda973499f58f2df8fadeb11e0bede4721c6b
SHA512

effe9fd70f5311cd80a9037e495c5906fc0a62d29139858cb9d40ee796cbcb83144e087cbf31bde0bbc02ae2065704df8ac8cc595420d4b296dea4b69a59287c
SSDEEP

196608:EUgO0Q/zDXYIrZhZx/7kQMUmTtRDAeqp+c7wncXioUwP:EJXizDLrZhb/GX6+MTU0

Score

7^/10

discovery upx

Malware Config

Signatures

Executes dropped EXE 5 IoCs

pid	Process
2688	lineage_gameguard.exe
2316	Setup.exe
2144	IKernel.exe
836	IKernel.exe
2044	iKernel.exe

Loads dropped DLL 30 IoCs

pid	Process
1344	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
2688	lineage_gameguard.exe
2688	lineage_gameguard.exe
2688	lineage_gameguard.exe
2688	lineage_gameguard.exe
2316	Setup.exe
2316	Setup.exe
2316	Setup.exe
2316	Setup.exe
2144	IKernel.exe
2144	IKernel.exe
2144	IKernel.exe
836	IKernel.exe
836	IKernel.exe
836	IKernel.exe
836	IKernel.exe
836	IKernel.exe
836	IKernel.exe
836	IKernel.exe
836	IKernel.exe
2044	iKernel.exe
2044	iKernel.exe
2044	iKernel.exe
836	IKernel.exe
2316	Setup.exe
836	IKernel.exe
836	IKernel.exe
836	IKernel.exe
836	IKernel.exe
836	IKernel.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1344-0-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1344-1-0x0000000000400000-0x0000000000421000-memory.dmp	upx
behavioral1/memory/1344-260-0x0000000000400000-0x0000000000421000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Lineage\UI5 커츠서버.ini	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\npgmup.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\recovery.oh	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\nprotect\Gameguard	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\corecomp.ini	IKernel.exe
File created	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\npggNT.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objeec62.rra	IKernel.exe
File created	C:\Program Files (x86)\Lineage\text\option1-k.html	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\npptNT2.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuseec71.rra	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\IScript\iscreca0.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Lineage\text\option1-k.html	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\UI5 로엘서버.ini	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\update.cfg	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\GameMon.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\teas.dll.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctorec33.rra	IKernel.exe
File created	C:\Program Files (x86)\Lineage\UI5 로엘서버.exe	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\UI5 로엘서버.exe	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\tyavn.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\berryz.oh	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\change.oh	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\Tile	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\update.cfg	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\daily.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\UI5 가스트서버.ini	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\teas.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\recovery.oh	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\Tile\uistatus.xml	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\mount.ini	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\UI5 가스트서버.ini	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\Lineage.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\tyav32.dll.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\objectps.dll	IKernel.exe
File opened for modification	C:\Program Files (x86)\Lineage\UI5 로엘서버.ini	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\tyavd.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\Tile\uiextra.xml	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\text\option11-k.html	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\teasbase.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\coreec14.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\Lineage\nprotect	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\Tile\uiextra.xml	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\berryz.oh	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iuser.dll	IKernel.exe
File opened for modification	C:\Program Files (x86)\Lineage\UI5 파인서버.ini	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\Splash.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\UI5 파인서버.exe	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\npgg9x.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\gameguard.oh	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\daily.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\nppt9x.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\gameguard.oh	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\temp.000	Setup.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll	IKernel.exe
File created	C:\Program Files (x86)\Lineage\UI5 커츠서버.ini	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\GameMon.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\lineage_gameguard.exe	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\corecomp.ini	IKernel.exe
File created	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\Splash.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\tyavd.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe	Setup.exe
File created	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\npgg9x.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
File created	C:\Program Files (x86)\Lineage\nprotect\Gameguard\Lineage\RealServer\teas.dll.npz	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IKernel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IKernel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iKernel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lineage_gameguard.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptDriverWrapper.1\ = "InstallShield setup object wrapper"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0BA4BA22-2EF0-11D3-88C8-00C04F72F303}\ = "ISetupSharedFiles"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{EDE94BF2-4FB9-11D5-ABAB-00B0D02332EB}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices\ = "SetupLogServices Class"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91814EC3-B5F0-11D2-80B9-00104B1F6CEA}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}\ = "ISetupLogService"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9E561C6B-425D-4E3D-95CA-A2D289D7C3FB}\ = "ISetupMainWindow4"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BDF8B49D-16D0-49A5-B133-ABE7DCC23DAF}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B1B8830-C559-11D3-B289-00C04F59FBE9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0C8D0880-1AC4-11D3-A8FF-00105A088FAC}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{00345390-4F77-11D3-A908-00105A088FAC}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices\ = "SetupLogServices Class"	iKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	iKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DAB9BF17-267D-11D3-88B6-00C04F72F303}\ = "ISetupTextSubstitution"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{AA7E2067-CB55-11D2-8094-00104B1F9838}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{54DADAB2-28A6-11D3-88BA-00C04F72F303}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B14-E59D-11D2-B40B-00A024B9DDDD}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{80FDE82A-2CAA-11D3-88C3-00C04F72F303}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2064-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D8B6332-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{91814EBF-B5F0-11D2-80B9-00104B1F6CEA}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{94F4A332-A2AE-11D3-8378-00C04F59FBE9}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}\1.0\0	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{DED5FEEC-225A-11D3-88AA-00C04F72F303}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C9CD1A93-D7B4-11D2-80C5-00104B1F6CEA}\VersionIndependentProgID\ = "Setup.User"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2065-CB55-11D2-8094-00104B1F9838}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2062-CB55-11D2-8094-00104B1F9838}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{27D2CF3C-D5B0-11D2-8094-00104B1F9838}\1.0	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{44D61997-B7D4-11D2-80BA-00104B1F6CEA}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6494206F-23EA-11D3-88B0-00C04F72F303}\TypeLib\Version = "1.0"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEBEC920-1849-11D3-A8FE-00105A088FAC}\TypeLib\ = "{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22D84EC7-E201-4432-B3ED-A9DCA3604594}\ProgID	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B15A454-9067-4878-B10E-B9DFFE03049D}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7D795704-435D-11D3-88FF-00C04F72F303}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.LogServices.1\ = "SetupLogServices Class"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AA7E2086-CB55-11D2-8094-00104B1F9838}\InprocServer32\ThreadingModel = "Apartment"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B964AF40-4AB7-11D3-A908-00105A088FAC}\ = "ISetupSDMessage"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2084-CB55-11D2-8094-00104B1F9838}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{251753FA-FB3B-11D2-8842-00C04F72F303}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DE38-1C1D-11D3-889D-00C04F72F303}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Setup.ScriptDriverWrapper.1\CLSID	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4DFB7010-41EB-11D3-BBBA-00105A1F0D68}\ = "ISetupScriptController"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{15F051E6-59A9-11D3-A25D-06D730000000}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B15-E59D-11D2-B40B-00A024B9DDDD}\TypeLib\ = "{91814EB1-B5F0-11D2-80B9-00104B1F6CEA}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib\Version = "1.0"	IKernel.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 2688	1344	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe	31
PID 1344 wrote to memory of 2688	1344	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe	31
PID 1344 wrote to memory of 2688	1344	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe	31
PID 1344 wrote to memory of 2688	1344	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe	31
PID 1344 wrote to memory of 2688	1344	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe	31
PID 1344 wrote to memory of 2688	1344	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe	31
PID 1344 wrote to memory of 2688	1344	a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe	31
PID 2688 wrote to memory of 2316	2688	lineage_gameguard.exe	32
PID 2688 wrote to memory of 2316	2688	lineage_gameguard.exe	32
PID 2688 wrote to memory of 2316	2688	lineage_gameguard.exe	32
PID 2688 wrote to memory of 2316	2688	lineage_gameguard.exe	32
PID 2688 wrote to memory of 2316	2688	lineage_gameguard.exe	32
PID 2688 wrote to memory of 2316	2688	lineage_gameguard.exe	32
PID 2688 wrote to memory of 2316	2688	lineage_gameguard.exe	32
PID 2316 wrote to memory of 2144	2316	Setup.exe	33
PID 2316 wrote to memory of 2144	2316	Setup.exe	33
PID 2316 wrote to memory of 2144	2316	Setup.exe	33
PID 2316 wrote to memory of 2144	2316	Setup.exe	33
PID 2316 wrote to memory of 2144	2316	Setup.exe	33
PID 2316 wrote to memory of 2144	2316	Setup.exe	33
PID 2316 wrote to memory of 2144	2316	Setup.exe	33
PID 836 wrote to memory of 2044	836	IKernel.exe	35
PID 836 wrote to memory of 2044	836	IKernel.exe	35
PID 836 wrote to memory of 2044	836	IKernel.exe	35
PID 836 wrote to memory of 2044	836	IKernel.exe	35
PID 836 wrote to memory of 2044	836	IKernel.exe	35
PID 836 wrote to memory of 2044	836	IKernel.exe	35
PID 836 wrote to memory of 2044	836	IKernel.exe	35

C:\Users\Admin\AppData\Local\Temp\a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a12f2f109381a860bd834f723551d2b8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Program Files (x86)\Lineage\lineage_gameguard.exe
  "C:\Program Files (x86)\Lineage\lineage_gameguard.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Users\Admin\AppData\Local\Temp\pftE793.tmp\Disk1\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\pftE793.tmp\Disk1\Setup.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2316
  - - C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
      "C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2144

C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:836
- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
  "C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\corecomp.ini

Filesize
27KB

MD5
62d5f9827d867eb3e4ab9e6b338348a1

SHA1
828e72f9c845b1c0865badaef40d63fb36447293

SHA256
5214789c08ee573e904990dcd29e9e03aaf5cf12e86fae368005fd8f4e371bd5

SHA512
b38bb74dc2e528c2a58a7d14a07bd1ecaaf55168b53afc8f4718f3bf5d6f8c8b922b98551a355ebb1009f23cff02fd8596413468993a43756c4de7dfed573732

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe

Filesize
600KB

MD5
b3fd01873bd5fd163ab465779271c58f

SHA1
e1ff9981a09ab025d69ac891bfc931a776294d4d

SHA256
985eb55ecb750da812876b8569d5f1999a30a24bcc54f9bab4d3fc44dfedb931

SHA512
6674ab1d65da9892b7dd2fd37f300e087f58239262d44505b53379c676fd16da5443d2292aeaae01d3e6c40960b12f9cac651418c827d2a33c29a6cdf874be43

Download Submit
C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll

Filesize
220KB

MD5
b2f7e6dc7e4aae3147fbfc74a2ddb365

SHA1
716301112706e93f85977d79f0e8f18f17fb32a7

SHA256
4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1

SHA512
e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83

Download Submit
C:\Program Files (x86)\Lineage\UI5 커츠서버.exe

Filesize
1.1MB

MD5
98a17f81f03a1fe48e0eea729c40b930

SHA1
78f283b89854368f3242da74890e136441b8742f

SHA256
0d580c6d60cf900a7763289e3ed33efdf4aa7645093387c951bec88677f8fcee

SHA512
52ebb7290c5b3c72bd867b43cff55810c10bcaf3021cac6170f537fccf202cf7a16bf5c1b079336479efb66e8fd39c951c65f0796950f79714d776335d8b7f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftE793.tmp\Disk1\IKernel.ex_

Filesize
338KB

MD5
93b63f516482715a784bbec3a0bf5f3a

SHA1
2478feca446576c33e96e708256d4c6c33e3fa68

SHA256
fbf95719b956b548b947436e29feb18bb884e01f75ae31b05c030ebd76605249

SHA512
2c8f29dda748e21231ab8c30c7a57735104b786120bb392eb1c20a320f2dddde392d136fd0c70853bb9af851bbe47df2955d8f9d5973b64870ac90bd12d2dd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftE793.tmp\Disk1\data1.cab

Filesize
453KB

MD5
0fe01c2170adc2be5ec06608c9ee298b

SHA1
46d49fb8a0187483e105622cd32ef2492b6831cd

SHA256
32d026c17b1a8165ea0cb6b5a5eb6a74f567924fbdd710dc3bcedfbe33c82f87

SHA512
d3540ac5c52c4943aa529f7f1524e776b93d06cec0087eb85d814f5143e63b2ff12ab8a7aa6d5cbc19789cf6fae2c3fdd0364ed4fd331bfe19ed78bb7ce2eaf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftE793.tmp\Disk1\layout.bin

Filesize
417B

MD5
e2dd315cda9e2607a9a33384cff6d94f

SHA1
e5e0b83878fd6ea291f9c275f734f8869fb55547

SHA256
1ede9a843f334dc331733d8b66f91cd8f50f69e92cb71a5d9529b1d5af8cd731

SHA512
fd3d607fede79059b85f2897a6a5791ee67774c3be14a8e590d21ca56ff40bc3002b8403fc22773bf65d0b3a8d092238bbf647f80eb4de73a595d6442b4cee48

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftE793.tmp\Disk1\setup.ini

Filesize
140B

MD5
ca192f75d33a1434cf2750e44fa3493e

SHA1
27a3885ae07b9407688d99bc2be85bfd6e8ded10

SHA256
989867477d28e9854ab50ee6c4c0e39bf1fd83043f9306ee92ef891de987d337

SHA512
dafcbee0eea378fd32f6866e61207a0d80a166278a05b05f2d35f1dced81c4f99266fbdcd3b2df97dcf70a2debfd281830615c4ff15cff0be4c5ab2d228bc4fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftE793.tmp\Disk1\setup.inx

Filesize
132KB

MD5
bd2e199765c4c1c4a5281f86b609d208

SHA1
9a29063fbf4460b05c60daa70e85b31a45b9af40

SHA256
64bca4ca85af8f868f1a6187aca97f5b462c3815f84d0764ca25a8154b4c02fc

SHA512
c142b6e7ddf85f1dce9fa82c4b9e483bd6b75802aaa1585d6fd2774864e58b66926d07a01048afcf882c6ce21fb0ceb864153d7383fe3d0b47ec013a138a9dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftE793.tmp\pftw1.pkg

Filesize
1008KB

MD5
0d4bb019966d91bd70011c9f6fa86410

SHA1
567b7cd319296e7190c4ab9290e470b86f085a5e

SHA256
578f5164e8bd0edcfc749f4bcf59e498b1b349d0c9a770dfb167e0fc06311596

SHA512
936103cf5329c8655b19613d4f1aca3d5c9cdf0ce55185e0a2106c1cae18e0688985ef0087402bdb7a24200417488b4bb29dad7d6b709097a6de9a63316cddd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\plfE772.tmp

Filesize
4KB

MD5
859c28d6d1c611164c06de940bb48feb

SHA1
2022c18825a6f618e40e263ad2162f064bc79e32

SHA256
a58265bdfd38bee93a000f5a7650b646bcd74a2e3269bc51edd0ebd2382eed1d

SHA512
07c94b027027fbc5855623268c3b1f3654c0fb8401c25f75554c10bc0559e80b8f744a7dc6c4c45ca7b91b994a47e9f1b3f92c804edf590e40e6e54a79939699

Download Submit
\??\c:\users\admin\appdata\local\temp\pfte793.tmp\disk1\data1.hdr

Filesize
11KB

MD5
83205cf1d3bcfabebfd299e111f080d1

SHA1
2e218aa4fc8738d081f6aa19fbf80be382e24d97

SHA256
cff64013ffbef8b5ad1ea51405fd0ac3b9ab4cd048c3f8f54c8ac2b1590b2234

SHA512
8bf4c74cd3392627fcba093ee5fbc27de5c73c3835bc2d98b33e98832a0ea20a62a6285303a9f7b43db8287ccfa95332c157ae2336b580247814a3eae42f632e

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll

Filesize
76KB

MD5
003a6c011aac993bcde8c860988ce49b

SHA1
6d39d650dfa5ded45c4e0cb17b986893061104a7

SHA256
590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a

SHA512
032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll

Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll

Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
\Program Files (x86)\Lineage\lineage_gameguard.exe

Filesize
1.3MB

MD5
b2a556c5c2c58788b348166b938695df

SHA1
22f30b5081e07893fe26b4d8b078a955c8f79c7d

SHA256
949ace88e5ff082986c4a99bddead461685aab5a9c1d9293682bfc4b2cf4e368

SHA512
a9cbe276eed4b9a0d2960116dee5fa6ce4fab775fdcc294d9744c30547e46488bd4ba062b2c0ba7bafd950f07534ad67933e9e3869b32df0a0a4073d388e8520

Download Submit
\Users\Admin\AppData\Local\Temp\pftE793.tmp\Disk1\Setup.exe

Filesize
164KB

MD5
fb6674a519505cc93e28cf600bbc23a3

SHA1
d5dbd3dabc4872710d5bdabfb3829f976efe92c6

SHA256
fe95a9fc8b2cdb5add76fbd326b1a11801eaa43c7d908f20cbdf413fd4d8dfde

SHA512
fd4e93d545a704bbc197bcbfd1731c24fffff7aa05db11ed4ad9bcac458253b8fb368d13e48df3d3d322044f4d4cc9e134c24cc7bee4079110f591623e988912

Download Submit
\Users\Admin\AppData\Local\Temp\{B75328CF-2F22-4E25-97D3-58E327761E41}\_IsRes.dll

Filesize
232KB

MD5
8e52ecbeb2b3979b2f1a83e4f4b685de

SHA1
55c586ae4fe712592707295cfe3aa14bc5ddb17e

SHA256
37e6d4e558b6ba0be41cfd9d4014f768b66ab45d94adf1991f8c51d8d5425e1d

SHA512
ac19bba38746e95b7b37e2c0666100d21b3313e3132a181b0ad4f22cb5c403505a41a265024f3c7204294ea6596e2d19f0f620d915122ba9410b7b7dd770690d

Download Submit
\Users\Admin\AppData\Local\Temp\{B75328CF-2F22-4E25-97D3-58E327761E41}\isrt.dll

Filesize
324KB

MD5
61c056d2df7ab769d6fd801869b828a9

SHA1
4213d0395692fa4181483ffb04eef4bda22cceee

SHA256
148d8f53bba9a8d5558b192fb4919a5b0d9cb7fd9f8e481660f8667de4e89b66

SHA512
a2da2558c44e80973badc2e5f283cec254a12dfbcc66c352c8f394e03b1e50f98551303eab6f7995ac4afd5a503bd29b690d778b0526233efc781695ed9e9172

Download Submit
memory/836-242-0x0000000000B80000-0x0000000000B93000-memory.dmp

Filesize
76KB

Download
memory/836-245-0x00000000034C0000-0x00000000034F8000-memory.dmp

Filesize
224KB

Download
memory/836-250-0x0000000003850000-0x00000000038A3000-memory.dmp

Filesize
332KB

Download
memory/836-254-0x0000000003450000-0x000000000347C000-memory.dmp

Filesize
176KB

Download
memory/1344-0-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1344-1-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download
memory/1344-260-0x0000000000400000-0x0000000000421000-memory.dmp

Filesize
132KB

Download