218f6f03046a19ccbdc91f45959eb43def38bf11fe296c5ca57192ab5454d5b9

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
20/08/2024, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Size

1.3MB
MD5

ad68925c8de4f346723ddc172b416e4d
SHA1

80553a650296fe664ea25ca567ae85353517f1a2
SHA256

218f6f03046a19ccbdc91f45959eb43def38bf11fe296c5ca57192ab5454d5b9
SHA512

a464c8026407c0d1d8912e14022109d1a72d445f4d1cc9ab0878f19d21f332baa8a2e500a81790f08862b9e1bd5f7984a0387ea1a6bdc0200ae182c65156d2c4
SSDEEP

24576:dy/PLameAu9Spf5Gb7PLg79JLR8rdegEjrObHXa1Kkdi6CZQroBUc:d+LarAu9qRGbo9H8rGUHXs/fCoW

Score

8^/10

adware discovery evasion persistence privilege_escalation stealer upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2132	netsh.exe
2736	netsh.exe
2676	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
3028	EhStorShell32.exe
2684	chtbrkr32.exe
2060	EhStorShell32.exe
1712	lsass.exe

Loads dropped DLL 10 IoCs

pid	Process
2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
2684	chtbrkr32.exe
2684	chtbrkr32.exe
2684	chtbrkr32.exe
2060	EhStorShell32.exe
3028	EhStorShell32.exe
3028	EhStorShell32.exe
1712	lsass.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2468-6-0x0000000010000000-0x0000000010088000-memory.dmp	upx
behavioral1/memory/2468-9-0x0000000010000000-0x0000000010088000-memory.dmp	upx
behavioral1/memory/2468-86-0x0000000010000000-0x0000000010088000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SysWin\\lsass.exe"	EhStorShell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SysWin\\lsass.exe"	lsass.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D90B357-76A9-4712-8296-6B0E76DC7E98}	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\72d486621324C.manifest	chtbrkr32.exe
File opened for modification	C:\Windows\SysWOW64\72d486621324O.manifest	chtbrkr32.exe
File opened for modification	C:\Windows\SysWOW64\72d486621324S.manifest	chtbrkr32.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	chtbrkr32.exe
File created	C:\Windows\SysWOW64\EhStorShell32.exe	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\chtbrkr32.exe	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\142250261	chtbrkr32.exe
File opened for modification	C:\Windows\SysWOW64\72d486621324P.manifest	chtbrkr32.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\142250261	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\chtbrkr32.exe	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3000	2468	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chtbrkr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EhStorShell32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EhStorShell32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 57b3900da976124782966b0e76dc7e98	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	chtbrkr32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3798A8AE-FB76-474B-AE20-C92EF03B2E06}\WpadDecisionTime = b09786dea1f2da01	chtbrkr32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3798A8AE-FB76-474B-AE20-C92EF03B2E06}\WpadNetworkName = "Network 3"	chtbrkr32.exe
Key created	\REGISTRY\USER\.DEFAULT	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	chtbrkr32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	chtbrkr32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	chtbrkr32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3798A8AE-FB76-474B-AE20-C92EF03B2E06}\52-48-2f-57-c8-e9	chtbrkr32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-48-2f-57-c8-e9\WpadDecisionReason = "1"	chtbrkr32.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Rgkihjjewq	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 57b3900da976124782966b0e76dc7e98	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	chtbrkr32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	chtbrkr32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	chtbrkr32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-48-2f-57-c8-e9\WpadDecisionTime = b09786dea1f2da01	chtbrkr32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0097000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	chtbrkr32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\72d48662 = " "	chtbrkr32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3798A8AE-FB76-474B-AE20-C92EF03B2E06}\WpadDecisionTime = 70bd622ba2f2da01	chtbrkr32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-48-2f-57-c8-e9\WpadDetectedUrl	chtbrkr32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	chtbrkr32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	chtbrkr32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3798A8AE-FB76-474B-AE20-C92EF03B2E06}\WpadDecision = "0"	chtbrkr32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-48-2f-57-c8-e9	chtbrkr32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-48-2f-57-c8-e9\WpadDecisionTime = 70bd622ba2f2da01	chtbrkr32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Rgkihjjewq\CLSID	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Rgkihjjewq	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	chtbrkr32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\52-48-2f-57-c8-e9\WpadDecision = "0"	chtbrkr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Rgkihjjewq\CLSID\ = "{7bb748c5-fea2-46ca-930e-475059598fae}"	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 57b3900da976124782966b0e76dc7e98	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	chtbrkr32.exe
Key created	\REGISTRY\USER\S-1-5-19	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Rgkihjjewq\CLSID\ = "{7bb748c5-fea2-46ca-930e-475059598fae}"	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	chtbrkr32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3798A8AE-FB76-474B-AE20-C92EF03B2E06}\WpadDecisionReason = "1"	chtbrkr32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Rgkihjjewq\CLSID	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Rgkihjjewq	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Rgkihjjewq\CLSID\ = "{7bb748c5-fea2-46ca-930e-475059598fae}"	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0097000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	chtbrkr32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{3798A8AE-FB76-474B-AE20-C92EF03B2E06}	chtbrkr32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Rgkihjjewq\CLSID	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Rgkihjjewq\CLSID	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	chtbrkr32.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7bb748c5-fea2-46ca-930e-475059598fae}	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Software	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rgkihjjewq\CLSID	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler\ = "{1a8e967a-9f11-4194-bbcc-58df4af9fdc4}"	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D90B357-76A9-4712-8296-6B0E76DC7E98}\InprocServer32	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D90B357-76A9-4712-8296-6B0E76DC7E98}\InprocServer32\ThreadingModel = "Both"	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Rgkihjjewq\CLSID\ = "{7bb748c5-fea2-46ca-930e-475059598fae}"	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Software\Rgkihjjewq	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Software\Rgkihjjewq\CLSID	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_CLASSES\Software\Rgkihjjewq\CLSID\ = "{7bb748c5-fea2-46ca-930e-475059598fae}"	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rgkihjjewq	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3450744190-3404161390-554719085-1000_Classes\Software\Rgkihjjewq\CLSID	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D90B357-76A9-4712-8296-6B0E76DC7E98}	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0D90B357-76A9-4712-8296-6B0E76DC7E98}\InprocServer32\ = "C:\\Windows\\SysWow64\\api-ms-win-core-localization-l1-2-032.dll"	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 3028	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	31
PID 2468 wrote to memory of 3028	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	31
PID 2468 wrote to memory of 3028	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	31
PID 2468 wrote to memory of 3028	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2132	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	32
PID 2468 wrote to memory of 2132	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	32
PID 2468 wrote to memory of 2132	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	32
PID 2468 wrote to memory of 2132	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	32
PID 2468 wrote to memory of 2736	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	34
PID 2468 wrote to memory of 2736	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	34
PID 2468 wrote to memory of 2736	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	34
PID 2468 wrote to memory of 2736	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	34
PID 2468 wrote to memory of 2676	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	36
PID 2468 wrote to memory of 2676	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	36
PID 2468 wrote to memory of 2676	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	36
PID 2468 wrote to memory of 2676	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	36
PID 2468 wrote to memory of 3000	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	39
PID 2468 wrote to memory of 3000	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	39
PID 2468 wrote to memory of 3000	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	39
PID 2468 wrote to memory of 3000	2468	ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe	39
PID 2684 wrote to memory of 2060	2684	chtbrkr32.exe	40
PID 2684 wrote to memory of 2060	2684	chtbrkr32.exe	40
PID 2684 wrote to memory of 2060	2684	chtbrkr32.exe	40
PID 2684 wrote to memory of 2060	2684	chtbrkr32.exe	40
PID 3028 wrote to memory of 1712	3028	EhStorShell32.exe	41
PID 3028 wrote to memory of 1712	3028	EhStorShell32.exe	41
PID 3028 wrote to memory of 1712	3028	EhStorShell32.exe	41
PID 3028 wrote to memory of 1712	3028	EhStorShell32.exe	41

C:\Users\Admin\AppData\Local\Temp\ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ad68925c8de4f346723ddc172b416e4d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\SysWOW64\EhStorShell32.exe
  "C:\Windows\system32\EhStorShell32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe
    "C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:1712
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\chtbrkr32.exe" enable=yes profile=domain
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2132
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\chtbrkr32.exe" enable=yes profile=private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2736
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\chtbrkr32.exe" enable=yes profile=public
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2676
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2468 -s 420
  2⤵
  - Program crash
  PID:3000

C:\Windows\SysWOW64\chtbrkr32.exe
C:\Windows\SysWOW64\chtbrkr32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2684
- C:\ProgramData\EhStorShell32.exe
  schutz
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\142250261

Filesize
30B

MD5
c2389ed519f1079d9b472acd9b8d2b5d

SHA1
e678f8dd6c817841178a44be438c0d60ea93edf0

SHA256
1c0e6439f8fd7634fc0e0eec37b471945f97b736054d117902589723dcc621a9

SHA512
2c26cf40619593fe4d365f14a3e56ffbb3c889d1f9fd7e925e63a84ca31c4f0101b76515becbc831eee20c02ed413b2f921729bef8ebbffbd73d2cf3a67ea786

Download Submit
C:\Windows\SysWOW64\142250261

Filesize
118B

MD5
95e03b888e2a8e4bd54813052d14add6

SHA1
25a1f3c013df44792dc18ee6762155c5b9f5a1cb

SHA256
db20a5eb7f17ea7917fdd49ac8c5a257a0403441ef3a632e1f2a1ed991421630

SHA512
c2873a365e00f9eed6d849729f4f1cdd8a73dc19ed1e53202faf3e4e763f9366d6632601cc2edde68fabe825e594797fe4ed3a75839fa285a957ad2c9ecd25c5

Download Submit
C:\Windows\SysWOW64\chtbrkr32.exe

Filesize
1.3MB

MD5
ad68925c8de4f346723ddc172b416e4d

SHA1
80553a650296fe664ea25ca567ae85353517f1a2

SHA256
218f6f03046a19ccbdc91f45959eb43def38bf11fe296c5ca57192ab5454d5b9

SHA512
a464c8026407c0d1d8912e14022109d1a72d445f4d1cc9ab0878f19d21f332baa8a2e500a81790f08862b9e1bd5f7984a0387ea1a6bdc0200ae182c65156d2c4

Download Submit
\ProgramData\api-ms-win-core-localization-l1-2-032.dll

Filesize
237KB

MD5
89bb9ca773905940857029d2ebbaf05c

SHA1
7e54d91335ccfc6a71133b009ff967b260e27a07

SHA256
49ef211378801ab5697f63be3724f7be9b1059ca9ac3fd2ac70f803240c81dc6

SHA512
939c11450a3c2277be8ce1ce8ece1963ce8585d8ac2f94bb568b96c9ef769e11944e7e9a8d4f829b59262f519357eda142a4bdcb0ca454fd60f6df153c360737

Download Submit
\Windows\SysWOW64\EhStorShell32.exe

Filesize
201KB

MD5
2f7a846ff1e1107d0e4294aa1d258422

SHA1
c3e23bb7cacae31ac6dd462345a40dca2489f512

SHA256
d4dd7b5a74766aae1b4821dcd2afddaabb3e25ba109d3ba74ac3989458928d37

SHA512
f8e31fa3f8327dcb2453531bd4a8e3940418944881088fcce240d8a8e8bbeb593b6ebe6dc69057dc3b95f5bda8cfdc2ea2d0e6869f6e0d646010393033da48c9

Download Submit
\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll

Filesize
404KB

MD5
259772a6ea6441040e71b60077021e0f

SHA1
16221b086215c9bbbfddaeafa4cfb0c5a520cdc5

SHA256
dc47c9ab64dab7f3cf2c46bb63cc36c3e508a770d303d07a40cacb06dc9183a4

SHA512
89f3d69525a57e4f6571fe9e5064b1426a7f40087b14bc36213b93c9aea02de40d4ce2323c82ca929bf8aebc0249e5072eae36411ee4a95eab4a51fd1214651e

Download Submit
memory/1712-92-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1712-82-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/2060-91-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2468-6-0x0000000010000000-0x0000000010088000-memory.dmp

Filesize
544KB

Download
memory/2468-86-0x0000000010000000-0x0000000010088000-memory.dmp

Filesize
544KB

Download
memory/2468-5-0x0000000000330000-0x0000000000379000-memory.dmp

Filesize
292KB

Download
memory/2468-0-0x0000000000560000-0x0000000000657000-memory.dmp

Filesize
988KB

Download
memory/2468-9-0x0000000010000000-0x0000000010088000-memory.dmp

Filesize
544KB

Download
memory/2468-8-0x000000001005B000-0x0000000010086000-memory.dmp

Filesize
172KB

Download
memory/2468-87-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2468-1-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2468-84-0x0000000000560000-0x0000000000657000-memory.dmp

Filesize
988KB

Download
memory/2468-85-0x000000001005B000-0x0000000010086000-memory.dmp

Filesize
172KB

Download
memory/2684-88-0x0000000000400000-0x000000000055B000-memory.dmp

Filesize
1.4MB

Download
memory/2684-89-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/2684-41-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/2684-95-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/2684-110-0x0000000010000000-0x0000000010040000-memory.dmp

Filesize
256KB

Download
memory/3028-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3028-77-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/3028-32-0x00000000002C0000-0x00000000002EC000-memory.dmp

Filesize
176KB

Download