1de40371fceb758580032cebfd76f0ed550723d8e9d920ca817cf898fd2c7087

Analysis

max time kernel
150s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
Size

7.4MB
MD5

bfb294177b4bc808140b52f0731189f0
SHA1

0cd47380795fde1c6fd6b878e70f97503887f49b
SHA256

1de40371fceb758580032cebfd76f0ed550723d8e9d920ca817cf898fd2c7087
SHA512

c1da21a31dbf7b93a56bc78f08caf262bd49f99c9852ca20c112c8306ebb29f89031d37d2e885977680efaf4061917541c4853efe114b983741e75909dbdd398
SSDEEP

196608:GGY/dTX+XkwhZqz2NSWgxOfTm6Y4RAu8VAGnD/8PrvL:GGMVXlOZqaNSdOLmUC6UWv

Score

8^/10

bootkit discovery evasion execution persistence upx

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\DriverCode_X64.sys	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Windows\system32\drivers\DriverCode_X64.sys	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\HomePageLockerUpdate\Parameters\ServiceDLL = "C:\\Program Files (x86)\\WinHomeLite\\HomeLockerUpdateServices.dll"	regsvr32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\HomePageLockerUpdate\ImagePath = "%SystemRoot%\\System32\\svchost.exe -k HomePageLockerUpdate"	regsvr32.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x000a0000000233da-222.dat	acprotect
behavioral2/files/0x000d0000000233dd-311.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe

Executes dropped EXE 4 IoCs

pid	Process
4800	HomePageLocker.exe
3944	HomePageLocker.exe
5080	locker32.exe
1644	Locker64.exe

Loads dropped DLL 8 IoCs

pid	Process
676	regsvr32.exe
4284	svchost.exe
5080	locker32.exe
5080	locker32.exe
1644	Locker64.exe
1644	Locker64.exe
3380	Process not Found
3380	Process not Found

UPX packed file 29 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3156-0-0x0000000000400000-0x000000000068D000-memory.dmp	upx
behavioral2/files/0x00090000000233dc-220.dat	upx
behavioral2/files/0x000a0000000233da-222.dat	upx
behavioral2/memory/676-224-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/files/0x0007000000023639-290.dat	upx
behavioral2/memory/3156-298-0x0000000000400000-0x000000000068D000-memory.dmp	upx
behavioral2/memory/4800-304-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral2/memory/3944-306-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral2/files/0x000b0000000233e5-307.dat	upx
behavioral2/files/0x000d0000000233dd-311.dat	upx
behavioral2/memory/5080-314-0x0000000000AB0000-0x0000000000D64000-memory.dmp	upx
behavioral2/memory/5080-313-0x0000000000400000-0x00000000006AF000-memory.dmp	upx
behavioral2/memory/3944-312-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral2/files/0x0008000000023635-317.dat	upx
behavioral2/memory/1644-321-0x0000000000400000-0x0000000000823000-memory.dmp	upx
behavioral2/files/0x00090000000233e0-320.dat	upx
behavioral2/memory/4284-323-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/1644-324-0x0000000000B60000-0x0000000000F97000-memory.dmp	upx
behavioral2/memory/1644-322-0x0000000000B60000-0x0000000000F97000-memory.dmp	upx
behavioral2/memory/4800-328-0x0000000000400000-0x0000000000C89000-memory.dmp	upx
behavioral2/memory/4284-329-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/5080-330-0x0000000000400000-0x00000000006AF000-memory.dmp	upx
behavioral2/memory/5080-331-0x0000000000AB0000-0x0000000000D64000-memory.dmp	upx
behavioral2/memory/1644-334-0x0000000000400000-0x0000000000823000-memory.dmp	upx
behavioral2/memory/1644-335-0x0000000000B60000-0x0000000000F97000-memory.dmp	upx
behavioral2/memory/4284-338-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/5080-339-0x0000000000400000-0x00000000006AF000-memory.dmp	upx
behavioral2/memory/4284-343-0x0000000000400000-0x000000000043D000-memory.dmp	upx
behavioral2/memory/4284-348-0x0000000000400000-0x000000000043D000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	\??\PhysicalDrive0	locker32.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WinHomeLite\HPHelper32.dll	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\HPHelper64.dll	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinHomeLite\locker64.exe	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\uninstall.exe	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinHomeLite\DriverCode_X64.sys	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\HomePageLocker.exe	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\HPHelper32.dll	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinHomeLite\HPHelper64.dll	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\netError.log	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\DriverCode_X86.sys	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\HomeLockerUpdateServices.dll	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinHomeLite\HomeLockerUpdateServices.dll	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinHomeLite\locker32.exe	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\locker64.exe	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\DriverCode_X64.sys	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinHomeLite\HomePageLocker.exe	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\locker32.exe	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinHomeLite\uninstall.exe	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\WinHomeLite\DriverCode_X86.sys	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
File created	C:\Program Files (x86)\WinHomeLite\files.log	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4204	sc.exe
3408	sc.exe
3944	sc.exe
2984	sc.exe
4352	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HomePageLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HomePageLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	locker32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
4284	svchost.exe
4800	HomePageLocker.exe
4800	HomePageLocker.exe
5080	locker32.exe
5080	locker32.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe
4284	svchost.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeCreateGlobalPrivilege	3944	HomePageLocker.exe
Token: SeCreateGlobalPrivilege	4800	HomePageLocker.exe
Token: SeCreateGlobalPrivilege	5080	locker32.exe
Token: SeCreateGlobalPrivilege	5080	locker32.exe
Token: SeCreateGlobalPrivilege	1644	Locker64.exe
Token: SeCreateGlobalPrivilege	1644	Locker64.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5080	locker32.exe
5080	locker32.exe
1644	Locker64.exe
1644	Locker64.exe
1644	Locker64.exe
1644	Locker64.exe
1644	Locker64.exe
1644	Locker64.exe
1644	Locker64.exe
1644	Locker64.exe
1644	Locker64.exe
5080	locker32.exe
1644	Locker64.exe
5080	locker32.exe
1644	Locker64.exe
5080	locker32.exe
1644	Locker64.exe
5080	locker32.exe
1644	Locker64.exe
5080	locker32.exe
1644	Locker64.exe
5080	locker32.exe
1644	Locker64.exe
1644	Locker64.exe
5080	locker32.exe
5080	locker32.exe
1644	Locker64.exe
1644	Locker64.exe
5080	locker32.exe
5080	locker32.exe
1644	Locker64.exe
1644	Locker64.exe
5080	locker32.exe
5080	locker32.exe
1644	Locker64.exe
1644	Locker64.exe
5080	locker32.exe
5080	locker32.exe
1644	Locker64.exe
1644	Locker64.exe
5080	locker32.exe
1644	Locker64.exe
5080	locker32.exe
1644	Locker64.exe
5080	locker32.exe
5080	locker32.exe
1644	Locker64.exe
1644	Locker64.exe
5080	locker32.exe
5080	locker32.exe
1644	Locker64.exe
1644	Locker64.exe
5080	locker32.exe
5080	locker32.exe
1644	Locker64.exe
1644	Locker64.exe
5080	locker32.exe
5080	locker32.exe
1644	Locker64.exe
1644	Locker64.exe
5080	locker32.exe
5080	locker32.exe
1644	Locker64.exe
1644	Locker64.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5080	locker32.exe
5080	locker32.exe
1644	Locker64.exe
1644	Locker64.exe

Suspicious use of WriteProcessMemory 59 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 1376	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	92
PID 3156 wrote to memory of 1376	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	92
PID 3156 wrote to memory of 1376	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	92
PID 3156 wrote to memory of 4352	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	94
PID 3156 wrote to memory of 4352	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	94
PID 3156 wrote to memory of 4352	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	94
PID 1376 wrote to memory of 1436	1376	net.exe	96
PID 1376 wrote to memory of 1436	1376	net.exe	96
PID 1376 wrote to memory of 1436	1376	net.exe	96
PID 3156 wrote to memory of 3484	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	100
PID 3156 wrote to memory of 3484	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	100
PID 3156 wrote to memory of 3484	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	100
PID 3156 wrote to memory of 4204	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	102
PID 3156 wrote to memory of 4204	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	102
PID 3156 wrote to memory of 4204	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	102
PID 3484 wrote to memory of 3480	3484	net.exe	104
PID 3484 wrote to memory of 3480	3484	net.exe	104
PID 3484 wrote to memory of 3480	3484	net.exe	104
PID 3156 wrote to memory of 2276	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	107
PID 3156 wrote to memory of 2276	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	107
PID 3156 wrote to memory of 2276	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	107
PID 3156 wrote to memory of 3408	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	109
PID 3156 wrote to memory of 3408	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	109
PID 3156 wrote to memory of 3408	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	109
PID 2276 wrote to memory of 2476	2276	net.exe	111
PID 2276 wrote to memory of 2476	2276	net.exe	111
PID 2276 wrote to memory of 2476	2276	net.exe	111
PID 3156 wrote to memory of 4524	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	114
PID 3156 wrote to memory of 4524	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	114
PID 3156 wrote to memory of 4524	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	114
PID 3156 wrote to memory of 3944	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	116
PID 3156 wrote to memory of 3944	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	116
PID 3156 wrote to memory of 3944	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	116
PID 4524 wrote to memory of 2340	4524	net.exe	118
PID 4524 wrote to memory of 2340	4524	net.exe	118
PID 4524 wrote to memory of 2340	4524	net.exe	118
PID 3156 wrote to memory of 4332	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	119
PID 3156 wrote to memory of 4332	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	119
PID 3156 wrote to memory of 4332	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	119
PID 3156 wrote to memory of 2984	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	121
PID 3156 wrote to memory of 2984	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	121
PID 3156 wrote to memory of 2984	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	121
PID 4332 wrote to memory of 4816	4332	net.exe	123
PID 4332 wrote to memory of 4816	4332	net.exe	123
PID 4332 wrote to memory of 4816	4332	net.exe	123
PID 3156 wrote to memory of 676	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	125
PID 3156 wrote to memory of 676	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	125
PID 3156 wrote to memory of 676	3156	bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe	125
PID 4284 wrote to memory of 4800	4284	svchost.exe	128
PID 4284 wrote to memory of 4800	4284	svchost.exe	128
PID 4284 wrote to memory of 4800	4284	svchost.exe	128
PID 4284 wrote to memory of 3944	4284	svchost.exe	129
PID 4284 wrote to memory of 3944	4284	svchost.exe	129
PID 4284 wrote to memory of 3944	4284	svchost.exe	129
PID 3944 wrote to memory of 5080	3944	HomePageLocker.exe	130
PID 3944 wrote to memory of 5080	3944	HomePageLocker.exe	130
PID 3944 wrote to memory of 5080	3944	HomePageLocker.exe	130
PID 5080 wrote to memory of 1644	5080	locker32.exe	132
PID 5080 wrote to memory of 1644	5080	locker32.exe	132

C:\Users\Admin\AppData\Local\Temp\bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bfb294177b4bc808140b52f0731189f0_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Checks computer location settings
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop HomePageLockerUpdate
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop HomePageLockerUpdate
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1436
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" delete HomePageLockerUpdate
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4352
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop HomePageLockerUpdate
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3484
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop HomePageLockerUpdate
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3480
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" delete HomePageLockerUpdate
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:4204
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop HomePageLockerUpdate
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop HomePageLockerUpdate
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2476
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" delete HomePageLockerUpdate
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3408
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop HomePageLockerUpdate
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop HomePageLockerUpdate
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" delete HomePageLockerUpdate
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:3944
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop HomePageLockerUpdate
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop HomePageLockerUpdate
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4816
- C:\Windows\SysWOW64\sc.exe
  "C:\Windows\System32\sc.exe" delete HomePageLockerUpdate
  2⤵
  - Launches sc.exe
  - System Location Discovery: System Language Discovery
  PID:2984
- C:\Windows\SysWOW64\regsvr32.exe
  C:\Windows\system32\regsvr32.exe /s "C:\Program Files (x86)\WinHomeLite\HomeLockerUpdateServices.dll"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Sets service image path in registry
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4396,i,6510295916244954942,10164894160290787457,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:8
1⤵
PID:4220

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k HomePageLockerUpdate -s HomePageLockerUpdate
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4284
- \??\c:\program files (x86)\winhomelite\HomePageLocker.exe
  "c:\program files (x86)\winhomelite\HomePageLocker.exe" /update
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4800
- \??\c:\program files (x86)\winhomelite\HomePageLocker.exe
  "c:\program files (x86)\winhomelite\HomePageLocker.exe" /ii:63003a005c00700072006f006700720061006d002000660069006c00650073002000280078003800360029005c00770069006e0068006f006d0065006c006900740065005c006c006f0063006b0065007200330032002e00650078006500 /cc:220063003a005c00700072006f006700720061006d002000660069006c00650073002000280078003800360029005c00770069006e0068006f006d0065006c006900740065005c006c006f0063006b0065007200330032002e006500780065002200
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3944
- - \??\c:\program files (x86)\winhomelite\locker32.exe
    "c:\program files (x86)\winhomelite\locker32.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - \??\c:\program files (x86)\winhomelite\Locker64.exe
      "c:\program files (x86)\winhomelite\Locker64.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WinHomeLite\DriverCode_X64.sys

Filesize
90KB

MD5
3b16e45e48d8cbcbd18c6f1fe551d058

SHA1
5aef17d1d44d60a8011da30d505a1f0c949ca34e

SHA256
b992343d675459048122e84620c0fb04a8a79cbe01be78427cd104e620c4f05e

SHA512
5ec06f43b285d116e2bf0dd75cef32e386f4147dc02b7e4f16f8b9f37c3dcf707d11eb28484614e395ce3ff18b062ce6abb1fc4dc73ceb6ae1d7b886f8c0ca56

Download Submit
C:\Program Files (x86)\WinHomeLite\HPHelper32.dll

Filesize
711KB

MD5
e71bff2c69d10d14d94f01aa4c10af0a

SHA1
4592f0ce959f2e9ae06051a670d2bf65325174d0

SHA256
b8d69d9c9bdd7c751bde574a105de88aefbd984748a83bfa31ca71d98dc69bed

SHA512
52bc3b754c2ca9cc8e293ffcac705894cf2024335d540ccea227e2c025a4273805a453786083894ba43b89178d46bcca7408699dde6a30842e4124e88d3b47ae

Download Submit
C:\Program Files (x86)\WinHomeLite\HPHelper64.dll

Filesize
975KB

MD5
3a2aeb2f479fe32445fd0d0c2ca53130

SHA1
71ff4799c359c8d8e2c34ca3b238573f33f324c4

SHA256
8ed17be3721a0d33f4a2c42452aa3d41e1f4b7f70e232c8620d92c4b266bed75

SHA512
93f516c0d018fe790cb3683dd569a969558ff2a5b1a0df7e27c0bf2a9226a35b3abe99180bf4412a138e2d1d0daed131b42f188712bbd5666057ec8d123b8930

Download Submit
C:\Program Files (x86)\WinHomeLite\HomeLockerUpdateServices.dll

Filesize
71KB

MD5
3d5b36708d0d34914df72d1f6f4b7e29

SHA1
c89c346edf19a715c47113d9f45b97ec22bbdf44

SHA256
fe814ef776493a26d9bd7f3e4a90beae4c2548a4ab1ef3d9103cd2cc4fea8519

SHA512
79f2cf1674f1fe83088b31fc37a3d2b1da8b879a0b07471ea4ade3184a07edb8ff8c2526f1385bfddd795530d268303fd42a6c5ae93d7c3c3a3168f73fd1286a

Download Submit
C:\Program Files (x86)\WinHomeLite\HomePageLocker.exe

Filesize
2.1MB

MD5
36414e180604cf592db3da4949eda839

SHA1
1391e5fdf0041d6c3de6e11d16369ab4c5ee0c13

SHA256
4d3f7133cf81028c6d6a766a5beb7258219ece1faa2b769ef9993528421a6d88

SHA512
8f40143e7926388c7c4ae1bd737c1169e86f35bad6fb53a9e952f5266cbe32f6515d2fb8232899e79fcf8bf9084f5cad3592edfdd7950a1c33d61f395dd310d3

Download Submit
C:\Program Files (x86)\WinHomeLite\locker64.exe

Filesize
1.0MB

MD5
8d07d1fccb9ae2ed8eee436cd71c83ff

SHA1
e1c2d567bd8f4168e0b79644c4c34bcbbea10f09

SHA256
82e39e493f33347830ed27057353e0bbd23fbdbea8317c1221895fd7ddd21fa2

SHA512
91be9628217ed9b0a9af4f35d72e7ce9b39a50976b22f68252b8fc39c44f2b9d9ab91c7150651ab466fc996ca967335337a68a8e5e6fddf198caba29263ab118

Download Submit
C:\Program Files (x86)\WinHomeLite\uninstall.exe

Filesize
1.6MB

MD5
58b7e0b462d0e9ebf480567fdf58312c

SHA1
dde2ad5799cd142d2349d9ef482cc4a8c3fae2b2

SHA256
6ca24050fa8c872d77f9fa627c56e214c8024387c6f2032d6a252c14ee3d52a7

SHA512
8c1976ad933b4b44ecfa31807c301f2e5bf4d7159637fa5144f63918f65a2703e6aa16579cff1f186ef5a0e6273068fce82dee9a227cd91085939219054bdec9

Download Submit
C:\Users\Admin\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
\??\c:\program files (x86)\winhomelite\locker32.exe

Filesize
805KB

MD5
7aed7d1f8caa79926eb0d2b2580e5ca9

SHA1
5379c909be25fd256de43e18a5cd675fb95c02e0

SHA256
8487bf18b9a8d2a6aa00d370aa51f99aeb6229f5f0379d4c2b11989c29cee020

SHA512
fc2c171af028b2e08c5d16a90af34fb770f0fa1e92a87b9a9d2cda192a2fa2ddb053799f5d5259bdca7339eaa67d074d25cb783e92506c438d84f5e619aa1c40

Download Submit
\??\c:\program files (x86)\winhomelite\netError.log

Filesize
820B

MD5
b27921e3e9fbe4ddfcda5f0c6e008af7

SHA1
34c3ab3a138a0a208bf354add976c9095559a976

SHA256
d930b87274b52442c188ffb1e627cff99a8ef9e055f4bdc6de46ae4868e84dd4

SHA512
8bd7e1cef6516bc40c5adf464bb0b2e1e5d6df3ed6ab2bed2c2347f3e35df51ae644d742ff4b1126e4ae05d1ab5f45c6316ec7506774b3e6eabde1be88e3253e

Download Submit
memory/676-224-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1644-334-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/1644-322-0x0000000000B60000-0x0000000000F97000-memory.dmp

Filesize
4.2MB

Download
memory/1644-324-0x0000000000B60000-0x0000000000F97000-memory.dmp

Filesize
4.2MB

Download
memory/1644-335-0x0000000000B60000-0x0000000000F97000-memory.dmp

Filesize
4.2MB

Download
memory/1644-321-0x0000000000400000-0x0000000000823000-memory.dmp

Filesize
4.1MB

Download
memory/3156-298-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/3156-1-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/3156-0-0x0000000000400000-0x000000000068D000-memory.dmp

Filesize
2.6MB

Download
memory/3944-306-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/3944-312-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/4284-338-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4284-329-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4284-323-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4284-343-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4284-348-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4800-304-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/4800-328-0x0000000000400000-0x0000000000C89000-memory.dmp

Filesize
8.5MB

Download
memory/5080-330-0x0000000000400000-0x00000000006AF000-memory.dmp

Filesize
2.7MB

Download
memory/5080-331-0x0000000000AB0000-0x0000000000D64000-memory.dmp

Filesize
2.7MB

Download
memory/5080-314-0x0000000000AB0000-0x0000000000D64000-memory.dmp

Filesize
2.7MB

Download
memory/5080-313-0x0000000000400000-0x00000000006AF000-memory.dmp

Filesize
2.7MB

Download
memory/5080-339-0x0000000000400000-0x00000000006AF000-memory.dmp

Filesize
2.7MB

Download