Analysis

max time kernel: 150s
max time network: 139s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 19/09/2024, 15:51
Static task
static1
Behavioral task
behavioral1
Sample
ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Resource
win10v2004-20240802-en
General

Target: ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Size: 1.4MB
MD5: ebabe4333bcf6cdab448796ec139a390
SHA1: 5ff12123a229fc1a5061fdbf881e3d27bf0cc9f5
SHA256: 42b2d4146000d38b02bce260335bef61d3ce919910605b3994ae8720b381ea9b
SHA512: 5786c643f656a1565fe8895ebd8e3f976c23e01092f5bbc2b874bacda1d452d85ee97b87295f44d999a0c49ebe091298e4ea625efe48aa59a8a03de9253a9c3a
SSDEEP: 24576:6X6Dqx0fxofckRCeTRkL7yL7IIOPfMQACGb/LoYGHo+ALgt9:fFf6fckQo80IIOPBACQ/MYGHo+Aq9
Malware Config
Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

Modifies Windows Firewall 2 TTPs 3 IoCs
pid | Process
2920 | netsh.exe
2876 | netsh.exe
2868 | netsh.exe

Executes dropped EXE 4 IoCs
pid | Process
2316 | EhStorShell32.exe
2928 | iassvcs32.exe
1712 | EhStorShell32.exe
1200 | lsass.exe

Loads dropped DLL 10 IoCs
pid | Process
264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
2928 | iassvcs32.exe
2928 | iassvcs32.exe
2928 | iassvcs32.exe
1712 | EhStorShell32.exe
2316 | EhStorShell32.exe
2316 | EhStorShell32.exe
1200 | lsass.exe

Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SysWin\\lsass.exe" | EhStorShell32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SysWin\\lsass.exe" | lsass.exe
Installs/modifies Browser Helper Object 2 TTPs 2 IoCs
BHOs are DLL modules which act as plugins for Internet Explorer.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0E86C7AE-846E-4D78-AA9A-3F1B6EC0EBCf} | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Drops file in System32 directory 11 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\iassvcs32.exe | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\1605435253 | iassvcs32.exe
File opened for modification | C:\Windows\SysWOW64\251ee8021306C.manifest | iassvcs32.exe
File opened for modification | C:\Windows\SysWOW64\251ee8021306O.manifest | iassvcs32.exe
File opened for modification | C:\Windows\SysWOW64\251ee8021306S.manifest | iassvcs32.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | iassvcs32.exe
File opened for modification | C:\Windows\SysWOW64\1605435253 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\EhStorShell32.exe | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\iassvcs32.exe | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\251ee8021306P.manifest | iassvcs32.exe
File created | C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
2392 | 264 | WerFault.exe | 30
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | EhStorShell32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iassvcs32.exe

Modifies Internet Explorer settings 1 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = aec7860e6e84784daa9a3f1b6ec0ebcf | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Modifies data under HKEY_USERS 47 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DC355833-D7C6-480F-B4DC-9B45211214A9}\WpadNetworkName = "Network 3" | iassvcs32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | iassvcs32.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Uuchxetazu\CLSID | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-19\Software | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-19\Software\Uuchxetazu\CLSID\ = "{e536629b-851e-49ab-8299-64ffd4382c00}" | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Uuchxetazu | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | iassvcs32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | iassvcs32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | iassvcs32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-ee-eb-14-41-9b\WpadDetectedUrl | iassvcs32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Uuchxetazu\CLSID | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-20\Software\Uuchxetazu\CLSID\ = "{e536629b-851e-49ab-8299-64ffd4382c00}" | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Set value (data) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = aec7860e6e84784daa9a3f1b6ec0ebcf | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Set value (data) | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = aec7860e6e84784daa9a3f1b6ec0ebcf | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-ee-eb-14-41-9b\WpadDecisionTime = 8095db2aac0adb01 | iassvcs32.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Uuchxetazu | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DC355833-D7C6-480F-B4DC-9B45211214A9}\WpadDecisionTime = c06fffddab0adb01 | iassvcs32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | iassvcs32.exe
Key created | \REGISTRY\USER\S-1-5-20\Software\Uuchxetazu\CLSID | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-20\Software | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-ee-eb-14-41-9b\WpadDecisionReason = "1" | iassvcs32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Uuchxetazu\CLSID | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-19\Software\Uuchxetazu | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DC355833-D7C6-480F-B4DC-9B45211214A9}\WpadDecision = "0" | iassvcs32.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-ee-eb-14-41-9b | iassvcs32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-ee-eb-14-41-9b\WpadDecisionTime = c06fffddab0adb01 | iassvcs32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\251ee802 = " " | iassvcs32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00b7000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | iassvcs32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | iassvcs32.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DC355833-D7C6-480F-B4DC-9B45211214A9} | iassvcs32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | iassvcs32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | iassvcs32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Uuchxetazu\CLSID\ = "{e536629b-851e-49ab-8299-64ffd4382c00}" | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | iassvcs32.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | iassvcs32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\a2-ee-eb-14-41-9b\WpadDecision = "0" | iassvcs32.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | iassvcs32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DC355833-D7C6-480F-B4DC-9B45211214A9}\WpadDecisionReason = "1" | iassvcs32.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DC355833-D7C6-480F-B4DC-9B45211214A9}\a2-ee-eb-14-41-9b | iassvcs32.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | iassvcs32.exe
Key created | \REGISTRY\USER\.DEFAULT | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-19 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-20 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | iassvcs32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | iassvcs32.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{DC355833-D7C6-480F-B4DC-9B45211214A9}\WpadDecisionTime = 8095db2aac0adb01 | iassvcs32.exe
Modifies registry class 16 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Uuchxetazu | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Software\Uuchxetazu\CLSID | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Software\Uuchxetazu\CLSID\ = "{e536629b-851e-49ab-8299-64ffd4382c00}" | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E86C7AE-846E-4D78-AA9A-3F1B6EC0EBCf} | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E86C7AE-846E-4D78-AA9A-3F1B6EC0EBCf}\InprocServer32\ = "C:\\Windows\\SysWow64\\api-ms-win-core-localization-l1-2-032.dll" | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Software\Uuchxetazu | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler\ = "{cac90fb3-9c94-4f23-b202-6cb13f5c1e6e}" | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E86C7AE-846E-4D78-AA9A-3F1B6EC0EBCf}\InprocServer32 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E86C7AE-846E-4D78-AA9A-3F1B6EC0EBCf}\InprocServer32\ThreadingModel = "Both" | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Software\Uuchxetazu\CLSID | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Uuchxetazu\CLSID | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Uuchxetazu\CLSID\ = "{e536629b-851e-49ab-8299-64ffd4382c00}" | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e536629b-851e-49ab-8299-64ffd4382c00} | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Software | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid | Process
264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 264 wrote to memory of 2316 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 31
PID 264 wrote to memory of 2316 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 31
PID 264 wrote to memory of 2316 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 31
PID 264 wrote to memory of 2316 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 31
PID 264 wrote to memory of 2868 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 32
PID 264 wrote to memory of 2868 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 32
PID 264 wrote to memory of 2868 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 32
PID 264 wrote to memory of 2868 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 32
PID 264 wrote to memory of 2920 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 33
PID 264 wrote to memory of 2920 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 33
PID 264 wrote to memory of 2920 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 33
PID 264 wrote to memory of 2920 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 33
PID 264 wrote to memory of 2876 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 36
PID 264 wrote to memory of 2876 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 36
PID 264 wrote to memory of 2876 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 36
PID 264 wrote to memory of 2876 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 36
PID 264 wrote to memory of 2392 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 39
PID 264 wrote to memory of 2392 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 39
PID 264 wrote to memory of 2392 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 39
PID 264 wrote to memory of 2392 | 264 | ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe | 39
PID 2928 wrote to memory of 1712 | 2928 | iassvcs32.exe | 40
PID 2928 wrote to memory of 1712 | 2928 | iassvcs32.exe | 40
PID 2928 wrote to memory of 1712 | 2928 | iassvcs32.exe | 40
PID 2928 wrote to memory of 1712 | 2928 | iassvcs32.exe | 40
PID 2316 wrote to memory of 1200 | 2316 | EhStorShell32.exe | 41
PID 2316 wrote to memory of 1200 | 2316 | EhStorShell32.exe | 41
PID 2316 wrote to memory of 1200 | 2316 | EhStorShell32.exe | 41
PID 2316 wrote to memory of 1200 | 2316 | EhStorShell32.exe | 41
Processes

C:\Users\Admin\AppData\Local\Temp\ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ebabe4333bcf6cdab448796ec139a390_JaffaCakes118.exe"
    PID: 264
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\EhStorShell32.exe
        Command line: "C:\Windows\system32\EhStorShell32.exe"
        PID: 2316
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe
            Command line: "C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe"
            PID: 1200
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application

    C:\Windows\SysWOW64\netsh.exe
        Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\iassvcs32.exe" enable=yes profile=domain
        PID: 2868
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
        Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\iassvcs32.exe" enable=yes profile=private
        PID: 2920
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\netsh.exe
        Command line: "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\iassvcs32.exe" enable=yes profile=public
        PID: 2876
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 572
        PID: 2392
        - Program crash

C:\Windows\SysWOW64\iassvcs32.exe
    Command line: C:\Windows\SysWOW64\iassvcs32.exe
    PID: 2928
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\EhStorShell32.exe
        Command line: schutz
        PID: 1712
        - Executes dropped EXE
        - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15

Persistence
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
        Browser Extensions (1)
    Create or Modify System Process (1)
        Windows Service (1)
    Event Triggered Execution (2)
        AppInit DLLs (1)
        Netsh Helper DLL (1)

Privilege Escalation
    Boot or Logon Autostart Execution (1)
        Registry Run Keys / Startup Folder (1)
    Create or Modify System Process (1)
        Windows Service (1)
    Event Triggered Execution (2)
        AppInit DLLs (1)
        Netsh Helper DLL (1)

Defense Evasion
    Impair Defenses (1)
        Disable or Modify System Firewall (1)
    Modify Registry (3)
Downloads

Filesize: 41B
MD5: 7361e0c1b9bd14993c4873941090e766
SHA1: 7aaaa81f9408629f41d343fc6643f0cac7a0ceea
SHA256: 0abcdb85523e544de8fad2e6d337cb16ae3bba6fa45bfe7ada8ac9c8f6a63cbd
SHA512: 022376a1f142d8a09867b81423386dda27ae4f52702f79a270b8ae6d69a6f1919c7dac6d9d2f59623b8fc2c9d2fd6041dbf8c698757fb2bc4c1c5af70b2b7331

Filesize: 129B
MD5: 5b4f97b55f8613f6b82c17794ac61445
SHA1: 84247c69edd486070042c223cac27dd5fb4b5297
SHA256: a7a6906a823f044860fed9e6df78b8d8b15bc095ea08f2570049244584b4f4a5
SHA512: c508bc6b5402bae7d2c1b20b11acbdca9925643720eca73c9899e7a139c64c678a359ce0730da6d46a482cde8c7f03723fe58a22e4fd8ac6047209734c8ad8e3

Filesize: 1.4MB
MD5: ebabe4333bcf6cdab448796ec139a390
SHA1: 5ff12123a229fc1a5061fdbf881e3d27bf0cc9f5
SHA256: 42b2d4146000d38b02bce260335bef61d3ce919910605b3994ae8720b381ea9b
SHA512: 5786c643f656a1565fe8895ebd8e3f976c23e01092f5bbc2b874bacda1d452d85ee97b87295f44d999a0c49ebe091298e4ea625efe48aa59a8a03de9253a9c3a

Filesize: 247KB
MD5: a3742330894728d2ff5177a32b04b166
SHA1: c462b3821672c610e2b9262445cad369ee274da5
SHA256: 64abda05fe3866f57e658c3742167f79a25d252a5235778db868a70b55280b3d
SHA512: 464ff71a1adf2e80d3768e448e7970966ad0f892315f2c059b0df55809b14eb3ae5cff638ec597dfc714234add8d373485665a75d68218856296e9f1ee277e70

Filesize: 203KB
MD5: 507af5f955490f0a912010466326865b
SHA1: 2af1cf8da7e28ac1a0838d91bf68af6658ac25d0
SHA256: dc42bb982b74b0b63b844e09507e0bdecfadaeb14411137c2f12e5ea9efab721
SHA512: 41ea11d54fa08013985445cc6f77ca3c67beba0b9eec5515f906ef653809f8fb3773cb9379ed7e252e4ccaea31f0c6edd85bb97b146e0ce27aed3403859fe0b5

Filesize: 435KB
MD5: 67bb1544028be7c717089cc0ccccaf82
SHA1: dac9dcab26818f6f796f8b3800076fdc58879c05
SHA256: d978c1f6ec71ebb7d0f49a9ed230d1c0de2581af555c4513734e86b2fb83b73c
SHA512: bb8fd00802e269ad90ebfb72908c77a30e003f221c5cc45242242cae6f1cbe02d63971ed273d74aa641cbfb2cc45d468329992680c051cef698e2b75b33dbdf7