a6a289746093f6fdf796182730aad23191710fdd456db16149ec5d2bb7e35878

Analysis

max time kernel
15s
max time network
18s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
08/10/2024, 21:26

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

25afa22d22a1aba6b3bc1fc2515b0ea3_JaffaCakes118.exe
Size

244KB
MD5

25afa22d22a1aba6b3bc1fc2515b0ea3
SHA1

d5b87eb29ee867ae173cc8a5872208d3e55ba2ca
SHA256

a6a289746093f6fdf796182730aad23191710fdd456db16149ec5d2bb7e35878
SHA512

0dbcf12f0babc966b61d24db9a404dd0c54a14a9590dd0dadd28818b419f3343c8838b6cb23a0a7e353aa6345ebdff5a7ff28dd193719f7f081c746af1b6e6f9
SSDEEP

3072:cwJIp7cy+4+eW3s0cD6TtNpgSE0fn3Qx0hEqcmhBVjqeGoEqc9im/6TePHPmrCdX:cLJcyvEX7TtNSSE0fgxNW5ki89uCHB

Score

8^/10

adware defense_evasion discovery persistence stealer

Malware Config

Signatures

Server Software Component: Terminal Services DLL 1 TTPs 2 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Iprip\Parameters\ServiceDll = "C:\\WINDOWS\\SYSTEM32\\liprip.dll"	zgn.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Iprip\Parameters\ServiceDll = "C:\\Windows\\system32\\liprip.dll"	svchost.exe

Executes dropped EXE 1 IoCs

pid	Process
2900	zgn.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Iprip\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Iprip\ = "Service"	svchost.exe

Loads dropped DLL 4 IoCs

pid	Process
2684	25afa22d22a1aba6b3bc1fc2515b0ea3_JaffaCakes118.exe
2684	25afa22d22a1aba6b3bc1fc2515b0ea3_JaffaCakes118.exe
2748	svchost.exe
2748	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\repst = "C:\\Windows\\system32\\iprep.exe"	svchost.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fsutk.dll	25afa22d22a1aba6b3bc1fc2515b0ea3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\liprip.dll	zgn.exe
File opened for modification	C:\Windows\SysWOW64\fsutk.dll	svchost.exe
File created	C:\Windows\SysWOW64\iprep.exe	svchost.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	25afa22d22a1aba6b3bc1fc2515b0ea3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zgn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies data under HKEY_USERS 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-18	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.1	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Autodesk	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Autodesk\AutoCAD	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.2	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R18.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.1	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Flags = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Autodesk\AutoCAD\R16.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R17.0	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Version = "*"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Autodesk\AutoCAD\R16.2	svchost.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0E5CBF21-D15F-11d0-8301-00AA005B4383}\InProcServer32\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ProgID\ = "IEHlprObj.IEHlprObj.1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\CurVer\ = "IEHlprObj.IEHlprObj.1"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\ = "QuickFlash"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\	zgn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\ = "QuickFlash"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\CLSID\ = "{BF50AC63-19DA-487E-AD4A-0B452D823B59}"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AF604EFE-8897-11D1-B944-00A0C90312E1}\InProcServer32\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\Programmable\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj\ = "QuickFlash"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ = "C:\\Windows\\SysWow64\\fsutk.dll"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\InprocServer32\ThreadingModel = "Apartment"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BF50AC63-19DA-487E-AD4A-0B452D823B59}\VersionIndependentProgID\ = "IEHlprObj.IEHlprObj"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IEHlprObj.IEHlprObj.1\	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2748	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2684	25afa22d22a1aba6b3bc1fc2515b0ea3_JaffaCakes118.exe
2900	zgn.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 2900	2684	25afa22d22a1aba6b3bc1fc2515b0ea3_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2900	2684	25afa22d22a1aba6b3bc1fc2515b0ea3_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2900	2684	25afa22d22a1aba6b3bc1fc2515b0ea3_JaffaCakes118.exe	30
PID 2684 wrote to memory of 2900	2684	25afa22d22a1aba6b3bc1fc2515b0ea3_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\25afa22d22a1aba6b3bc1fc2515b0ea3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\25afa22d22a1aba6b3bc1fc2515b0ea3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\zgn.exe
  "C:\Users\Admin\AppData\Local\Temp\zgn.exe"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:2900

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Server Software Component: Terminal Services DLL
- Impair Defenses: Safe Mode Boot
- Loads dropped DLL
- Adds Run key to start application
- Installs/modifies Browser Helper Object
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:1900

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zgn.exe

Filesize
20KB

MD5
9d9f21bae7abe44941a5244856046370

SHA1
9ccdb559287f48fb17baffb910c62cbb64607209

SHA256
5e7aa65bbd61071a101b3f2930f700eb1158dfe280843de559a5ca83269869ce

SHA512
61daf2adafad09493a174c8a36dfeccfc21411cbaa2bcbdda7dfab6ffac5dab187a944ae3a5474bd3671345d1630cdc679ffd8b3907e10ee688108f3d04164e8

Download Submit
C:\Windows\SysWOW64\fsutk.dll

Filesize
116KB

MD5
4ace9cc414efaf0b623d6a3ec0b9a4ea

SHA1
dd90c3faeee868bfa14830c754fba57fbb57365b

SHA256
5e821d9479aae637e50fe69df852dbd7290ba7c1e23a673681afdd9cce752702

SHA512
49b28e907ccc774d453985e1825d7da6ec7c9618cea52f068407e5b96be0dd7691cea8366be2b373ece2988d4a55a8b6666fc59dfc677455e700ebd91755c074

Download Submit
\??\c:\$Recycle.bin\int.dat

Filesize
220KB

MD5
eb2d760a608a00335de9e7d11a228870

SHA1
63b0d15450c79b2cad22ddb82b917dc5b979c57f

SHA256
990a0b7b2fa2e7b2b798629b539c96fe85dd03da336c31ab59f4f31c9b71aa05

SHA512
0e4ce27c32010194cc694706f3fa44cd4ee9d55cbf33cda567ad8ad7f2c5ebdcd2bfb13d9bffb7d6033e70bae985749225380176ed46429028c4edb9860e75e4

Download Submit
\??\c:\windows\SysWOW64\liprip.dll

Filesize
84KB

MD5
4c08a606a6c58c54f1d6b446513be973

SHA1
b5b5b6e2f32d87df9706e23bda35b055042bacc1

SHA256
c4a6ab71557d1964b9ab577fa80c46495266fa5aa5c37c03bbdc89f495a4e88c

SHA512
5280326b2610007dea42f8c69d43638c6bb54a5e062d0109e7c135334b20b78ec69429130b41ffc8b7751e4fa4882302259708b72cd7408b3835a8daa3de27d7

Download Submit
memory/1900-89-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/2228-152-0x0000000002AB0000-0x0000000002AB1000-memory.dmp

Filesize
4KB

Download
memory/2748-18-0x0000000000210000-0x0000000000230000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads