Analysis
- max time kernel: 147s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
- submitted: 04/10/2024, 18:41

Static task: static1
Behavioral task: behavioral1
  Sample: 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
- Target: 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
- Size: 2.3MB
- MD5: 148327a59b3f1020a2f2cccc47d19dfb
- SHA1: 4bf8542cf745ab80bb8e08ad7c9effd8a918b59f
- SHA256: 9c2c0be7f6fc2a252852d108251c01f65ccc53ad81e75235608a33db5d44a677
- SHA512: b6a097a5b5971cc7fedac0d9104e3a359652766bdf8df9d7d772c480cb9a595d78e0003bcca357696cf97e714056c36782e4319d859b3628ce22982aca320af0
- SSDEEP: 49152:Y8ev4j/fTa2Nj0YRJ+tqb+U/f6pN4yhW8Chlsu4I:Bev4jX7IYRJ+C+UfShWdh/j
Malware Config
Signatures
Checks for common network interception software 1 TTPs
Looks in the registry for tools like Wireshark or Fiddler commonly used to analyze network activity.

Enumerates VirtualBox registry keys 2 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VBoxGuest | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe

Drops file in Drivers directory 4 IoCs
description | ioc | Process
File created | C:\Windows\system32\drivers\etc\host_new | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File created | C:\Windows\System32\drivers\etc\hosts | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened for modification | C:\Windows\System32\drivers\etc\hosts | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TrustWarrior.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pdfndr.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPro_2010.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pav.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pc.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SoftSafeness.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntiVirus_Pro.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Security Center.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\securitysoldier.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Secure Veteran.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\init32.exe \Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smart.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows Police Pro.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dop.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smartprotector.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cl.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveArmor.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\antivirusxppro2009.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\frmwrk32.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rwg.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Save.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusXP | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SaveKeep.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\~2.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PerAvir.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsGui.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gav.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe\Debugger = "svchost.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PC Security Guardian = "\"C:\\ProgramData\\7f7d6\\708.exe\" /s " | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Eset\Nod\ | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\R: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\V: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\J: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\Y: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\U: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\W: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\Z: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\E: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\L: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\N: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\O: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\S: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\Q: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\T: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\X: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\G: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\H: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\I: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\K: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
File opened (read-only) | \??\M: | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2772 set thread context of 4808 | 2772 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 82

resource | yara_rule
behavioral2/memory/4808-0-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/4808-3-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/4808-4-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/4808-5-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/4808-269-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/4808-270-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/4808-284-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/4808-277-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/4808-272-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/4808-267-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/4808-266-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/4808-285-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/4808-286-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/4808-296-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/4808-300-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/4808-306-0x0000000013140000-0x000000001372D000-memory.dmp | upx
behavioral2/memory/4808-307-0x0000000013140000-0x000000001372D000-memory.dmp | upx
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe

Modifies Internet Explorer settings
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\IIL = "0" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\ltHI = "0" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\ltTST = "1741" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe

Modifies registry class 10 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.DocHostUIHandler\ = "Implements DocHostUIHandler" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.DocHostUIHandler" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF} | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.DocHostUIHandler | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe" | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.DocHostUIHandler\Clsid | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4808 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe (this identical row is repeated 64 times in the report)

Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
4808 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 5 IoCs
description | pid | Process | procid_target
PID 2772 wrote to memory of 4808 | 2772 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 82
PID 2772 wrote to memory of 4808 | 2772 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 82
PID 2772 wrote to memory of 4808 | 2772 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 82
PID 2772 wrote to memory of 4808 | 2772 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 82
PID 2772 wrote to memory of 4808 | 2772 | 148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe | 82
Processes
- C:\Users\Admin\AppData\Local\Temp\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe"
  PID: 2772
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe (child of PID 2772)
    Command line: "C:\Users\Admin\AppData\Local\Temp\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Temp\148327a59b3f1020a2f2cccc47d19dfb_JaffaCakes118.exe"
    PID: 4808
    - Enumerates VirtualBox registry keys
    - Drops file in Drivers directory
    - Event Triggered Execution: Image File Execution Options Injection
    - Adds Run key to start application
    - Checks for any installed AV software in registry
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Modify Registry (2)
- Pre-OS Boot (1)
  - Bootkit (1)
- Virtualization/Sandbox Evasion (1)
Downloads