1600776eae25799fcf9dc16ff40b318268c8e047cc54b8d722feffdd715878ad

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
27/09/2024, 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Size

1.3MB
MD5

f980c50adc2991c839cc5503312c5c20
SHA1

c099a733b74856cd4b7d58e47e8dc9c9c6cc9bf8
SHA256

1600776eae25799fcf9dc16ff40b318268c8e047cc54b8d722feffdd715878ad
SHA512

4e5efff397b35d492ef3edf0f402665710eab6f01643ba896741d11b7165f22eef70b357a265686099bd7d2f6a6d9e4bc5180477d59af7e523b3adb046cff7c0
SSDEEP

24576:P0kV0aqnhMH1NyxOA+obMOf15BIt+/YqYFKqNTZrim7buQnqQM3:PZSaqhMyFlNf1LItzFKarlWQ

Score

8^/10

adware discovery evasion persistence privilege_escalation stealer upx

Malware Config

Signatures

Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2804	netsh.exe
2792	netsh.exe
2720	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
2740	EhStorShell32.exe
2860	wiashext32.exe
404	EhStorShell32.exe
2292	lsass.exe

Loads dropped DLL 11 IoCs

pid	Process
376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
2860	wiashext32.exe
2908	WerFault.exe
2860	wiashext32.exe
2860	wiashext32.exe
404	EhStorShell32.exe
2740	EhStorShell32.exe
2740	EhStorShell32.exe
2292	lsass.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SysWin\\lsass.exe"	EhStorShell32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RTHDBPL = "C:\\Users\\Admin\\AppData\\Roaming\\SysWin\\lsass.exe"	lsass.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{15E3CF67-42E6-4032-8025-D324C757BAE1}	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	wiashext32.exe
File created	C:\Windows\SysWOW64\wiashext32.exe	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\c09e0bbd1175P.manifest	wiashext32.exe
File opened for modification	C:\Windows\SysWOW64\c09e0bbd1175S.manifest	wiashext32.exe
File opened for modification	C:\Windows\SysWOW64\wiashext32.exe	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\976231626	wiashext32.exe
File opened for modification	C:\Windows\SysWOW64\c09e0bbd1175C.manifest	wiashext32.exe
File opened for modification	C:\Windows\SysWOW64\c09e0bbd1175O.manifest	wiashext32.exe
File created	C:\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\EhStorShell32.exe	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\976231626	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/376-5-0x0000000010000000-0x0000000010086000-memory.dmp	upx
behavioral1/memory/376-9-0x0000000010000000-0x0000000010086000-memory.dmp	upx
behavioral1/memory/376-7-0x0000000000290000-0x00000000002D0000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2908	376	WerFault.exe	29

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EhStorShell32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wiashext32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EhStorShell32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lsass.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 67cfe315e64232408025d324c757bae1	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe

Modifies data under HKEY_USERS 47 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Rzoebzdhbr\CLSID	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AAAECE4-3713-4134-BA06-B16C938DA184}\32-c7-8c-a5-5f-45	wiashext32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-c7-8c-a5-5f-45\WpadDecision = "0"	wiashext32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Rzoebzdhbr\CLSID	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Rzoebzdhbr\CLSID\ = "{c5a36201-8605-482f-a758-779010d8ba5a}"	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 67cfe315e64232408025d324c757bae1	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	wiashext32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0117000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wiashext32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	wiashext32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	wiashext32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Rzoebzdhbr\CLSID	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-19	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AAAECE4-3713-4134-BA06-B16C938DA184}	wiashext32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	wiashext32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Rzoebzdhbr\CLSID\ = "{c5a36201-8605-482f-a758-779010d8ba5a}"	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	wiashext32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad	wiashext32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AAAECE4-3713-4134-BA06-B16C938DA184}\WpadNetworkName = "Network 3"	wiashext32.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Rzoebzdhbr\CLSID\ = "{c5a36201-8605-482f-a758-779010d8ba5a}"	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wiashext32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	wiashext32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	wiashext32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	wiashext32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AAAECE4-3713-4134-BA06-B16C938DA184}\WpadDecisionReason = "1"	wiashext32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AAAECE4-3713-4134-BA06-B16C938DA184}\WpadDecisionTime = b09debc68010db01	wiashext32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-c7-8c-a5-5f-45	wiashext32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Rzoebzdhbr	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Rzoebzdhbr	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-c7-8c-a5-5f-45\WpadDetectedUrl	wiashext32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wiashext32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	wiashext32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AAAECE4-3713-4134-BA06-B16C938DA184}\WpadDecision = "0"	wiashext32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0117000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	wiashext32.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\c09e0bbd = " "	wiashext32.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Internet Explorer\Main\XMLHTTP_UUID_Default = 67cfe315e64232408025d324c757bae1	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-c7-8c-a5-5f-45\WpadDecisionReason = "1"	wiashext32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-c7-8c-a5-5f-45\WpadDecisionTime = b09debc68010db01	wiashext32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{8AAAECE4-3713-4134-BA06-B16C938DA184}\WpadDecisionTime = 106dd8138110db01	wiashext32.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-c7-8c-a5-5f-45\WpadDecisionTime = 106dd8138110db01	wiashext32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Rzoebzdhbr	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	wiashext32.exe
Key created	\REGISTRY\USER\.DEFAULT	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Rzoebzdhbr\CLSID	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15E3CF67-42E6-4032-8025-D324C757BAE1}\InprocServer32\ThreadingModel = "Both"	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Rzoebzdhbr\CLSID\ = "{c5a36201-8605-482f-a758-779010d8ba5a}"	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rzoebzdhbr	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software\Rzoebzdhbr\CLSID\ = "{c5a36201-8605-482f-a758-779010d8ba5a}"	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj\PersistentHandler\ = "{e1ec8bb7-02c3-4bc7-9421-5722924802ca}"	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15E3CF67-42E6-4032-8025-D324C757BAE1}\InprocServer32\ = "C:\\Windows\\SysWow64\\api-ms-win-core-localization-l1-2-032.dll"	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Rzoebzdhbr\CLSID	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.fsharproj	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{c5a36201-8605-482f-a758-779010d8ba5a}	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software\Rzoebzdhbr	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_CLASSES\Software\Rzoebzdhbr\CLSID	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15E3CF67-42E6-4032-8025-D324C757BAE1}	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{15E3CF67-42E6-4032-8025-D324C757BAE1}\InprocServer32	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000_Classes\Software\Rzoebzdhbr\CLSID	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 376 wrote to memory of 2740	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	30
PID 376 wrote to memory of 2740	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	30
PID 376 wrote to memory of 2740	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	30
PID 376 wrote to memory of 2740	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	30
PID 376 wrote to memory of 2804	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	31
PID 376 wrote to memory of 2804	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	31
PID 376 wrote to memory of 2804	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	31
PID 376 wrote to memory of 2804	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	31
PID 376 wrote to memory of 2792	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	33
PID 376 wrote to memory of 2792	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	33
PID 376 wrote to memory of 2792	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	33
PID 376 wrote to memory of 2792	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	33
PID 376 wrote to memory of 2720	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	35
PID 376 wrote to memory of 2720	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	35
PID 376 wrote to memory of 2720	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	35
PID 376 wrote to memory of 2720	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	35
PID 376 wrote to memory of 2908	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	38
PID 376 wrote to memory of 2908	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	38
PID 376 wrote to memory of 2908	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	38
PID 376 wrote to memory of 2908	376	f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe	38
PID 2860 wrote to memory of 404	2860	wiashext32.exe	39
PID 2860 wrote to memory of 404	2860	wiashext32.exe	39
PID 2860 wrote to memory of 404	2860	wiashext32.exe	39
PID 2860 wrote to memory of 404	2860	wiashext32.exe	39
PID 2740 wrote to memory of 2292	2740	EhStorShell32.exe	40
PID 2740 wrote to memory of 2292	2740	EhStorShell32.exe	40
PID 2740 wrote to memory of 2292	2740	EhStorShell32.exe	40
PID 2740 wrote to memory of 2292	2740	EhStorShell32.exe	40

C:\Users\Admin\AppData\Local\Temp\f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f980c50adc2991c839cc5503312c5c20_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:376
- C:\Windows\SysWOW64\EhStorShell32.exe
  "C:\Windows\system32\EhStorShell32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe
    "C:\Users\Admin\AppData\Roaming\SysWin\lsass.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:2292
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\wiashext32.exe" enable=yes profile=domain
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2804
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\wiashext32.exe" enable=yes profile=private
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2792
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="Windows Update Service" dir=in action=allow program="c:\windows\syswow64\wiashext32.exe" enable=yes profile=public
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:2720
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 376 -s 540
  2⤵
  - Loads dropped DLL
  - Program crash
  PID:2908

C:\Windows\SysWOW64\wiashext32.exe
C:\Windows\SysWOW64\wiashext32.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2860
- C:\ProgramData\EhStorShell32.exe
  schutz
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\976231626

Filesize
21B

MD5
bda894aeb8fcfaf7614313411a4e9a26

SHA1
1ff2ba0170d834fbc9f0f57ecd74e4b36187a83d

SHA256
3b37cde388622d2a1cbce34d9e680d37bafb06c22305ad67d263bbe497ea0e87

SHA512
c04776a757a3653fbc9e3b18177601c6456efb7b96351b938f45ab822b8e7f048900379419f9a79222021705773d34b7ae0e602282d2c36a1739161ca512067f

Download Submit
C:\Windows\SysWOW64\976231626

Filesize
109B

MD5
82fffc0eb616444d4333e880b75f12b8

SHA1
c7106599c888b5836f2658713ab2e3e34b778284

SHA256
6fe69570382668019899fada17255c550b79081fb9c987eef981f9f02465d994

SHA512
ed7387aeefe00d5819a8c18db97fe5fa1be9fa4ab04ded28fd48cdec959e71f53e52e08eed74ec9f86a0aa18e370e0c507ad93d84908068864f08b20f74bf896

Download Submit
C:\Windows\SysWOW64\wiashext32.exe

Filesize
1.3MB

MD5
f980c50adc2991c839cc5503312c5c20

SHA1
c099a733b74856cd4b7d58e47e8dc9c9c6cc9bf8

SHA256
1600776eae25799fcf9dc16ff40b318268c8e047cc54b8d722feffdd715878ad

SHA512
4e5efff397b35d492ef3edf0f402665710eab6f01643ba896741d11b7165f22eef70b357a265686099bd7d2f6a6d9e4bc5180477d59af7e523b3adb046cff7c0

Download Submit
\ProgramData\api-ms-win-core-localization-l1-2-032.dll

Filesize
239KB

MD5
af936fcf251ca2a2597a7cf62f703ef0

SHA1
a0f274563ef9544d35db91a0bc55d36a6e0ba780

SHA256
fcf2d77d7f1f407d97cb1ac018aec550c305b737c47c2c43e5c62eee15e186ba

SHA512
54c5d45f65fa75053bdd88c22206bccfb6fa93e0b6031310e5f3de18059ed5ed529c9a3bac92ca868df6214870117ca77574d9899c393c81695b5f749408e83e

Download Submit
\Windows\SysWOW64\EhStorShell32.exe

Filesize
168KB

MD5
6dc6679778c62af0bec85a4e1c80c207

SHA1
a540090ddcf9ca23774b24e040ef11d526693c47

SHA256
52896e02f8966ce7cdd7cae6097584c5988fe47c30cadfe355fe555709bbadff

SHA512
ef11d29c47fb51cf29dd382ecdf1f0e946b9c88d614d813342c08fc73a2fab01668882c90d72d9c87c80c2832af42f5b7412036ae9c5e3d24ece3464dd544b98

Download Submit
\Windows\SysWOW64\api-ms-win-core-localization-l1-2-032.dll

Filesize
392KB

MD5
19fe1beec2b852c3077d5df36ee6d499

SHA1
464b3620b179d2501011527d4f9759c94bb876e9

SHA256
7a874fa1037f56d78d60f86e499844220cc857a90416cb2c906248266a0a64e4

SHA512
3d346b537c3870e58c301f87e58bf6693340093e8f7e0e0879bf09cab35768d27d9946f1359eda54569ca4a5524a41215f95ebbe8d661081f996c419d937e3b1

Download Submit
memory/376-1-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/376-79-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/376-78-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/376-0-0x0000000000550000-0x000000000063F000-memory.dmp

Filesize
956KB

Download
memory/376-7-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/376-8-0x000000001005A000-0x0000000010085000-memory.dmp

Filesize
172KB

Download
memory/376-77-0x0000000000550000-0x000000000063F000-memory.dmp

Filesize
956KB

Download
memory/376-9-0x0000000010000000-0x0000000010086000-memory.dmp

Filesize
536KB

Download
memory/376-5-0x0000000010000000-0x0000000010086000-memory.dmp

Filesize
536KB

Download
memory/404-83-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2292-75-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2292-84-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2740-70-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2740-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2740-24-0x0000000000220000-0x000000000024C000-memory.dmp

Filesize
176KB

Download
memory/2860-33-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2860-81-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2860-80-0x0000000000400000-0x0000000000549000-memory.dmp

Filesize
1.3MB

Download
memory/2860-87-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download
memory/2860-102-0x0000000010000000-0x0000000010041000-memory.dmp

Filesize
260KB

Download