1de40371fceb758580032cebfd76f0ed550723d8e9d920ca817cf898fd2c7087

Analysis

max time kernel
150s
max time network
133s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
Size

7.4MB
MD5

bfb294177b4bc808140b52f0731189f0
SHA1

0cd47380795fde1c6fd6b878e70f97503887f49b
SHA256

1de40371fceb758580032cebfd76f0ed550723d8e9d920ca817cf898fd2c7087
SHA512

c1da21a31dbf7b93a56bc78f08caf262bd49f99c9852ca20c112c8306ebb29f89031d37d2e885977680efaf4061917541c4853efe114b983741e75909dbdd398
SSDEEP

196608:GGY/dTX+XkwhZqz2NSWgxOfTm6Y4RAu8VAGnD/8PrvL:GGMVXlOZqaNSdOLmUC6UWv

Score

8^/10

bootkit discovery evasion execution persistence upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\DriverCode_X64.sys	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\DriverCode_X64.sys	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\HomePageLockerUpdate\Parameters\ServiceDLL = "C:\\Program Files (x86)\\WinHomeLite\\HomeLockerUpdateServices.dll"	regsvr32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\HomePageLockerUpdate\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k HomePageLockerUpdate"	regsvr32.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0008000000016c03-223.dat	acprotect
behavioral1/files/0x0007000000016ca5-322.dat	acprotect

Executes dropped EXE 4 IoCs

pid	Process
276	HomePageLocker.exe
1468	HomePageLocker.exe
1672	locker32.exe
2208	Locker64.exe

Loads dropped DLL 16 IoCs

pid	Process
2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
2468	regsvr32.exe
1904	svchost.exe
2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
1904	svchost.exe
1468	HomePageLocker.exe
1468	HomePageLocker.exe
1468	HomePageLocker.exe
1672	locker32.exe
1672	locker32.exe
1672	locker32.exe
1672	locker32.exe
2208	Locker64.exe
1228	Process not Found

UPX packed file 32 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2972-0-0x0000000000400000-0x000000000068D000-memory.dmp	upx
behavioral1/files/0x0007000000016c7c-221.dat	upx
behavioral1/files/0x0008000000016c03-223.dat	upx
behavioral1/memory/2972-228-0x0000000000400000-0x000000000068D000-memory.dmp	upx
behavioral1/memory/2468-227-0x00000000001E0000-0x000000000021D000-memory.dmp	upx
behavioral1/memory/1904-230-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/files/0x0008000000017355-295.dat	upx
behavioral1/memory/2972-308-0x0000000000400000-0x000000000068D000-memory.dmp	upx
behavioral1/memory/1904-314-0x00000000028B0000-0x0000000003139000-memory.dmp	upx
behavioral1/memory/1468-315-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/276-316-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/files/0x000a000000016cbc-321.dat	upx
behavioral1/files/0x0007000000016ca5-322.dat	upx
behavioral1/memory/1672-328-0x00000000008B0000-0x0000000000B64000-memory.dmp	upx
behavioral1/memory/1672-326-0x0000000000400000-0x00000000006AF000-memory.dmp	upx
behavioral1/memory/1468-324-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/1904-329-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/files/0x0009000000016cc4-335.dat	upx
behavioral1/files/0x0007000000016cb2-339.dat	upx
behavioral1/memory/2208-342-0x0000000000830000-0x0000000000C67000-memory.dmp	upx
behavioral1/memory/2208-341-0x0000000000400000-0x0000000000823000-memory.dmp	upx
behavioral1/memory/276-346-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral1/memory/1672-348-0x0000000000400000-0x00000000006AF000-memory.dmp	upx
behavioral1/memory/1904-350-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1672-351-0x00000000008B0000-0x0000000000B64000-memory.dmp	upx
behavioral1/memory/2208-355-0x0000000000400000-0x0000000000823000-memory.dmp	upx
behavioral1/memory/2208-357-0x0000000000830000-0x0000000000C67000-memory.dmp	upx
behavioral1/memory/1904-358-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1672-359-0x0000000000400000-0x00000000006AF000-memory.dmp	upx
behavioral1/memory/1904-363-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral1/memory/1672-364-0x0000000000400000-0x00000000006AF000-memory.dmp	upx
behavioral1/memory/1904-368-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	locker32.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WinHomeLite\locker64.exe	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\uninstall.exe	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\netError.log	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\HomePageLocker.exe	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\HPHelper32.dll	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinHomeLite\HPHelper32.dll	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinHomeLite\HPHelper64.dll	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinHomeLite\locker32.exe	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\locker64.exe	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinHomeLite\DriverCode_X86.sys	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinHomeLite\HomeLockerUpdateServices.dll	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\HPHelper64.dll	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\locker32.exe	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinHomeLite\uninstall.exe	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinHomeLite\DriverCode_X64.sys	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\HomeLockerUpdateServices.dll	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinHomeLite\HomePageLocker.exe	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\DriverCode_X64.sys	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\DriverCode_X86.sys	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\files.log	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2400	sc.exe
2872	sc.exe
1696	sc.exe
2904	sc.exe
1484	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HomePageLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HomePageLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locker32.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
1904	svchost.exe
276	HomePageLocker.exe
276	HomePageLocker.exe
1672	locker32.exe
1672	locker32.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe
1904	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	276	HomePageLocker.exe
Token: SeCreateGlobalPrivilege	1468	HomePageLocker.exe
Token: SeCreateGlobalPrivilege	1672	locker32.exe
Token: SeCreateGlobalPrivilege	1672	locker32.exe
Token: SeCreateGlobalPrivilege	2208	Locker64.exe
Token: SeCreateGlobalPrivilege	2208	Locker64.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1672	locker32.exe
1672	locker32.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
2208	Locker64.exe
1672	locker32.exe
2208	Locker64.exe
2208	Locker64.exe
1672	locker32.exe
2208	Locker64.exe
2208	Locker64.exe
1672	locker32.exe
2208	Locker64.exe
2208	Locker64.exe
1672	locker32.exe
2208	Locker64.exe
2208	Locker64.exe
1672	locker32.exe
2208	Locker64.exe
2208	Locker64.exe
1672	locker32.exe
2208	Locker64.exe
2208	Locker64.exe
1672	locker32.exe
2208	Locker64.exe
2208	Locker64.exe
1672	locker32.exe
2208	Locker64.exe
2208	Locker64.exe
1672	locker32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1672	locker32.exe
1672	locker32.exe
2208	Locker64.exe
2208	Locker64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 2752	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2752	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2752	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2752	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	31
PID 2972 wrote to memory of 2904	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	33
PID 2972 wrote to memory of 2904	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	33
PID 2972 wrote to memory of 2904	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	33
PID 2972 wrote to memory of 2904	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	33
PID 2752 wrote to memory of 1600	2752	net.exe	35
PID 2752 wrote to memory of 1600	2752	net.exe	35
PID 2752 wrote to memory of 1600	2752	net.exe	35
PID 2752 wrote to memory of 1600	2752	net.exe	35
PID 2972 wrote to memory of 1976	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	37
PID 2972 wrote to memory of 1976	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	37
PID 2972 wrote to memory of 1976	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	37
PID 2972 wrote to memory of 1976	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	37
PID 2972 wrote to memory of 1484	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	38
PID 2972 wrote to memory of 1484	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	38
PID 2972 wrote to memory of 1484	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	38
PID 2972 wrote to memory of 1484	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	38
PID 1976 wrote to memory of 1340	1976	net.exe	41
PID 1976 wrote to memory of 1340	1976	net.exe	41
PID 1976 wrote to memory of 1340	1976	net.exe	41
PID 1976 wrote to memory of 1340	1976	net.exe	41
PID 2972 wrote to memory of 1676	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	42
PID 2972 wrote to memory of 1676	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	42
PID 2972 wrote to memory of 1676	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	42
PID 2972 wrote to memory of 1676	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	42
PID 2972 wrote to memory of 2400	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	43
PID 2972 wrote to memory of 2400	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	43
PID 2972 wrote to memory of 2400	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	43
PID 2972 wrote to memory of 2400	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	43
PID 1676 wrote to memory of 2420	1676	net.exe	46
PID 1676 wrote to memory of 2420	1676	net.exe	46
PID 1676 wrote to memory of 2420	1676	net.exe	46
PID 1676 wrote to memory of 2420	1676	net.exe	46
PID 2972 wrote to memory of 3068	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	47
PID 2972 wrote to memory of 3068	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	47
PID 2972 wrote to memory of 3068	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	47
PID 2972 wrote to memory of 3068	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	47
PID 2972 wrote to memory of 2872	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	48
PID 2972 wrote to memory of 2872	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	48
PID 2972 wrote to memory of 2872	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	48
PID 2972 wrote to memory of 2872	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	48
PID 3068 wrote to memory of 1608	3068	net.exe	51
PID 3068 wrote to memory of 1608	3068	net.exe	51
PID 3068 wrote to memory of 1608	3068	net.exe	51
PID 3068 wrote to memory of 1608	3068	net.exe	51
PID 2972 wrote to memory of 2512	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	52
PID 2972 wrote to memory of 2512	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	52
PID 2972 wrote to memory of 2512	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	52
PID 2972 wrote to memory of 2512	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	52
PID 2972 wrote to memory of 1696	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	54
PID 2972 wrote to memory of 1696	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	54
PID 2972 wrote to memory of 1696	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	54
PID 2972 wrote to memory of 1696	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	54
PID 2512 wrote to memory of 1980	2512	net.exe	56
PID 2512 wrote to memory of 1980	2512	net.exe	56
PID 2512 wrote to memory of 1980	2512	net.exe	56
PID 2512 wrote to memory of 1980	2512	net.exe	56
PID 2972 wrote to memory of 2468	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	57
PID 2972 wrote to memory of 2468	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	57
PID 2972 wrote to memory of 2468	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	57
PID 2972 wrote to memory of 2468	2972	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	57

C:\Users\Admin\AppData\Local\Temp\bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop HomePageLockerUpdate
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop HomePageLockerUpdate
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1600
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" delete HomePageLockerUpdate
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2904
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop HomePageLockerUpdate
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1976
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop HomePageLockerUpdate
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1340
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" delete HomePageLockerUpdate
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1484
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop HomePageLockerUpdate
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop HomePageLockerUpdate
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2420
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" delete HomePageLockerUpdate
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2400
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop HomePageLockerUpdate
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop HomePageLockerUpdate
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1608
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" delete HomePageLockerUpdate
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2872
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop HomePageLockerUpdate
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2512
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop HomePageLockerUpdate
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1980
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" delete HomePageLockerUpdate
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:1696
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\WinHomeLite\HomeLockerUpdateServices.dll"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Sets service image path in registry
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2468

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k HomePageLockerUpdate
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1904
- \??\c:\program files (x86)\winhomelite\HomePageLocker.exe
  "c:\program files (x86)\winhomelite\HomePageLocker.exe" /update
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:276
- \??\c:\program files (x86)\winhomelite\HomePageLocker.exe
  "c:\program files (x86)\winhomelite\HomePageLocker.exe" /ii:63003a005c00700072006f006700720061006d002000660069006c00650073002000280078003800360029005c00770069006e0068006f006d0065006c006900740065005c006c006f0063006b0065007200330032002e00650078006500 /cc:220063003a005c00700072006f006700720061006d002000660069006c00650073002000280078003800360029005c00770069006e0068006f006d0065006c006900740065005c006c006f0063006b0065007200330032002e006500780065002200
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1468
- - \??\c:\program files (x86)\winhomelite\locker32.exe
    "c:\program files (x86)\winhomelite\locker32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1672
  - - \??\c:\program files (x86)\winhomelite\Locker64.exe
      "c:\program files (x86)\winhomelite\Locker64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:2208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinHomeLite\DriverCode_X64.sys

Filesize
90KB

MD5
3b16e45e48d8cbcbd18c6f1fe551d058

SHA1
5aef17d1d44d60a8011da30d505a1f0c949ca34e

SHA256
b992343d675459048122e84620c0fb04a8a79cbe01be78427cd104e620c4f05e

SHA512
5ec06f43b285d116e2bf0dd75cef32e386f4147dc02b7e4f16f8b9f37c3dcf707d11eb28484614e395ce3ff18b062ce6abb1fc4dc73ceb6ae1d7b886f8c0ca56

Download Submit
C:\Program Files (x86)\WinHomeLite\HomeLockerUpdateServices.dll

Filesize
71KB

MD5
3d5b36708d0d34914df72d1f6f4b7e29

SHA1
c89c346edf19a715c47113d9f45b97ec22bbdf44

SHA256
fe814ef776493a26d9bd7f3e4a90beae4c2548a4ab1ef3d9103cd2cc4fea8519

SHA512
79f2cf1674f1fe83088b31fc37a3d2b1da8b879a0b07471ea4ade3184a07edb8ff8c2526f1385bfddd795530d268303fd42a6c5ae93d7c3c3a3168f73fd1286a

Download Submit
C:\Program Files (x86)\WinHomeLite\locker32.exe

Filesize
805KB

MD5
7aed7d1f8caa79926eb0d2b2580e5ca9

SHA1
5379c909be25fd256de43e18a5cd675fb95c02e0

SHA256
8487bf18b9a8d2a6aa00d370aa51f99aeb6229f5f0379d4c2b11989c29cee020

SHA512
fc2c171af028b2e08c5d16a90af34fb770f0fa1e92a87b9a9d2cda192a2fa2ddb053799f5d5259bdca7339eaa67d074d25cb783e92506c438d84f5e619aa1c40

Download Submit
C:\Program Files (x86)\WinHomeLite\uninstall.exe

Filesize
1.6MB

MD5
58b7e0b462d0e9ebf480567fdf58312c

SHA1
dde2ad5799cd142d2349d9ef482cc4a8c3fae2b2

SHA256
6ca24050fa8c872d77f9fa627c56e214c8024387c6f2032d6a252c14ee3d52a7

SHA512
8c1976ad933b4b44ecfa31807c301f2e5bf4d7159637fa5144f63918f65a2703e6aa16579cff1f186ef5a0e6273068fce82dee9a227cd91085939219054bdec9

Download Submit
C:\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
\??\c:\program files (x86)\winhomelite\HPHelper32.dll

Filesize
711KB

MD5
e71bff2c69d10d14d94f01aa4c10af0a

SHA1
4592f0ce959f2e9ae06051a670d2bf65325174d0

SHA256
b8d69d9c9bdd7c751bde574a105de88aefbd984748a83bfa31ca71d98dc69bed

SHA512
52bc3b754c2ca9cc8e293ffcac705894cf2024335d540ccea227e2c025a4273805a453786083894ba43b89178d46bcca7408699dde6a30842e4124e88d3b47ae

Download Submit
\??\c:\program files (x86)\winhomelite\netError.log

Filesize
838B

MD5
fac26a0476bf37674dcb12f5ee4d7edf

SHA1
16bb5fc38f6ad0b519f4dce940cee9e747a074e6

SHA256
b0786b0e347bc9f641d93e3c4a133f458ccfc2d313037489be286438799fe312

SHA512
984a5cb2ae1a8449dd1ad4dd01e3229cea999cbac33f8cb6c54b6d06917356a8df6beff663db486bcf3d9c206a32c36e12aa6b383d96040910a9c67c60819e64

Download Submit
\Program Files (x86)\WinHomeLite\HPHelper64.dll

Filesize
975KB

MD5
3a2aeb2f479fe32445fd0d0c2ca53130

SHA1
71ff4799c359c8d8e2c34ca3b238573f33f324c4

SHA256
8ed17be3721a0d33f4a2c42452aa3d41e1f4b7f70e232c8620d92c4b266bed75

SHA512
93f516c0d018fe790cb3683dd569a969558ff2a5b1a0df7e27c0bf2a9226a35b3abe99180bf4412a138e2d1d0daed131b42f188712bbd5666057ec8d123b8930

Download Submit
\Program Files (x86)\WinHomeLite\HomePageLocker.exe

Filesize
2.1MB

MD5
36414e180604cf592db3da4949eda839

SHA1
1391e5fdf0041d6c3de6e11d16369ab4c5ee0c13

SHA256
4d3f7133cf81028c6d6a766a5beb7258219ece1faa2b769ef9993528421a6d88

SHA512
8f40143e7926388c7c4ae1bd737c1169e86f35bad6fb53a9e952f5266cbe32f6515d2fb8232899e79fcf8bf9084f5cad3592edfdd7950a1c33d61f395dd310d3

Download Submit
\Program Files (x86)\WinHomeLite\locker64.exe

Filesize
1.0MB

MD5
8d07d1fccb9ae2ed8eee436cd71c83ff

SHA1
e1c2d567bd8f4168e0b79644c4c34bcbbea10f09

SHA256
82e39e493f33347830ed27057353e0bbd23fbdbea8317c1221895fd7ddd21fa2

SHA512
91be9628217ed9b0a9af4f35d72e7ce9b39a50976b22f68252b8fc39c44f2b9d9ab91c7150651ab466fc996ca967335337a68a8e5e6fddf198caba29263ab118

Download Submit
memory/276-346-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/276-316-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/1468-324-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/1468-315-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/1468-325-0x0000000003CD0000-0x0000000003F7F000-memory.dmp

Filesize
2.7MB

Download
memory/1468-349-0x0000000003CD0000-0x0000000003F7F000-memory.dmp

Filesize
2.7MB

Download
memory/1672-348-0x0000000000400000-0x00000000006AF000-memory.dmp

Filesize
2.7MB

Download
memory/1672-334-0x0000000003C40000-0x00000000044C9000-memory.dmp

Filesize
8.5MB

Download
memory/1672-364-0x0000000000400000-0x00000000006AF000-memory.dmp

Filesize
2.7MB

Download
memory/1672-359-0x0000000000400000-0x00000000006AF000-memory.dmp

Filesize
2.7MB

Download
memory/1672-352-0x00000000045D0000-0x00000000049F3000-memory.dmp

Filesize
4.1MB

Download
memory/1672-328-0x00000000008B0000-0x0000000000B64000-memory.dmp

Filesize
2.7MB

Download
memory/1672-326-0x0000000000400000-0x00000000006AF000-memory.dmp

Filesize
2.7MB

Download
memory/1672-351-0x00000000008B0000-0x0000000000B64000-memory.dmp

Filesize
2.7MB

Download
memory/1672-340-0x00000000045D0000-0x00000000049F3000-memory.dmp

Filesize
4.1MB

Download
memory/1672-332-0x0000000003C40000-0x00000000044C9000-memory.dmp

Filesize
8.5MB

Download
memory/1904-230-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1904-347-0x00000000028B0000-0x0000000003139000-memory.dmp

Filesize
8.5MB

Download
memory/1904-329-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1904-368-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1904-363-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1904-314-0x00000000028B0000-0x0000000003139000-memory.dmp

Filesize
8.5MB

Download
memory/1904-358-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1904-350-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2208-357-0x0000000000830000-0x0000000000C67000-memory.dmp

Filesize
4.2MB

Download
memory/2208-355-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2208-342-0x0000000000830000-0x0000000000C67000-memory.dmp

Filesize
4.2MB

Download
memory/2208-341-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/2468-227-0x00000000001E0000-0x000000000021D000-memory.dmp

Filesize
244KB

Download
memory/2972-1-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2972-299-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2972-304-0x0000000000850000-0x0000000000860000-memory.dmp

Filesize
64KB

Download
memory/2972-224-0x0000000003E00000-0x0000000004689000-memory.dmp

Filesize
8.5MB

Download
memory/2972-226-0x0000000003E00000-0x0000000004689000-memory.dmp

Filesize
8.5MB

Download
memory/2972-0-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2972-298-0x0000000000850000-0x0000000000860000-memory.dmp

Filesize
64KB

Download
memory/2972-228-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/2972-308-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download