Analysis

max time kernel: 119s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 13/10/2024, 19:39
Behavioral task: behavioral1
Sample: 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe
Resource: win7-20240903-en
General

Target: 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe
Size: 72KB
MD5: 41b592897f3b0e8009169493579e9b85
SHA1: 6737f0aea591c4f7f6f1fed17c0513f08956492a
SHA256: c06c873c3c1c3eeb329021fa62c104ccba41e436b6f634f8b6664bffe42685b2
SHA512: 0db8f1d7f426a547924baee4ac55f0f5d37909974ce98f2cbb4a70f2dc4389599603f1b0a6510d1f3f4ea12af728b23d360ef777d5dee812db1d99a515e4b889
SSDEEP: 1536:LiAVSrFh3crg7PzfxrQ7BmQJa0aLZ96qo73KS6pUA6+pCSC:WAVSRh3GgTzprbQZ0Zuzd
Malware Config
Signatures

Modifies visibility of file extensions in Explorer (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | ddsxso.exe

Modifies visibility of hidden/system files in Explorer (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | ddsxso.exe
Blocklisted process makes network request (1 IoCs)
  flow | pid | Process
  5 | 2564 | rundll32.exe

Deletes itself (1 IoCs)
  pid | Process
  2848 | cmd.exe

Executes dropped EXE (1 IoCs)
  pid | Process
  752 | ddsxso.exe

Loads dropped DLL (8 IoCs)
  pid | Process
  2916 | regsvr32.exe
  2564 | rundll32.exe
  2564 | rundll32.exe
  2564 | rundll32.exe
  2564 | rundll32.exe
  1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe
  1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe
  2604 | regsvr32.exe
Enumerates connected drives (3 TTPs, 8 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\E: | ddsxso.exe
  File opened (read-only) | \??\G: | ddsxso.exe
  File opened (read-only) | \??\H: | ddsxso.exe
  File opened (read-only) | \??\I: | ddsxso.exe
  File opened (read-only) | \??\J: | ddsxso.exe
  File opened (read-only) | \??\K: | ddsxso.exe
  File opened (read-only) | \??\L: | ddsxso.exe
  File opened (read-only) | \??\M: | ddsxso.exe
Installs/modifies Browser Helper Object (2 TTPs, 1 IoCs)
BHOs are DLL modules which act as plugins for Internet Explorer.
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6E28339B-7A2A-47B6-AEB2-46BA53782379} | regsvr32.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description | ioc | Process
  File opened for modification | \??\PhysicalDrive0 | rundll32.exe
Drops file in System32 directory (5 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\ioxk5.dll | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\dllcache\ioxk5.dll | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\ioxkn.dll | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\ddsxso.exe | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe
  File created | C:\Windows\SysWOW64\ggsss7.dll | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe

  resource | yara_rule
  behavioral1/memory/1700-0-0x0000000000400000-0x000000000045D000-memory.dmp | upx
  behavioral1/memory/1700-10-0x0000000000400000-0x000000000045D000-memory.dmp | upx
  behavioral1/memory/1700-32-0x0000000000400000-0x000000000045D000-memory.dmp | upx
System Location Discovery: System Language Discovery (1 TTPs, 6 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ddsxso.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | regsvr32.exe
Modifies registry class (64 IoCs)
Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid | Process
  1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe
  1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe
  2564 | rundll32.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
  pid | Process
  1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe
  752 | ddsxso.exe
Suspicious use of WriteProcessMemory (29 IoCs)
  description | pid | Process | procid_target
  PID 1700 wrote to memory of 2916 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 28
  PID 1700 wrote to memory of 2916 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 28
  PID 1700 wrote to memory of 2916 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 28
  PID 1700 wrote to memory of 2916 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 28
  PID 1700 wrote to memory of 2916 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 28
  PID 1700 wrote to memory of 2916 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 28
  PID 1700 wrote to memory of 2916 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 28
  PID 1700 wrote to memory of 2564 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 29
  PID 1700 wrote to memory of 2564 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 29
  PID 1700 wrote to memory of 2564 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 29
  PID 1700 wrote to memory of 2564 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 29
  PID 1700 wrote to memory of 2564 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 29
  PID 1700 wrote to memory of 2564 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 29
  PID 1700 wrote to memory of 2564 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 29
  PID 1700 wrote to memory of 752 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 32
  PID 1700 wrote to memory of 752 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 32
  PID 1700 wrote to memory of 752 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 32
  PID 1700 wrote to memory of 752 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 32
  PID 1700 wrote to memory of 2604 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 34
  PID 1700 wrote to memory of 2604 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 34
  PID 1700 wrote to memory of 2604 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 34
  PID 1700 wrote to memory of 2604 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 34
  PID 1700 wrote to memory of 2604 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 34
  PID 1700 wrote to memory of 2604 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 34
  PID 1700 wrote to memory of 2604 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 34
  PID 1700 wrote to memory of 2848 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 35
  PID 1700 wrote to memory of 2848 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 35
  PID 1700 wrote to memory of 2848 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 35
  PID 1700 wrote to memory of 2848 | 1700 | 41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe | 35
Processes

C:\Users\Admin\AppData\Local\Temp\41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\41b592897f3b0e8009169493579e9b85_JaffaCakes118.exe"
  PID: 1700
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32 /s C:\Windows\System32\ioxkn.dll
    PID: 2916
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class

  C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32 ioxk5.dll , InstallMyDll
    PID: 2564
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses

  C:\Windows\SysWOW64\ddsxso.exe
    Command line: C:\Windows\system32\ddsxso.exe
    PID: 752
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx

  C:\Windows\SysWOW64\regsvr32.exe
    Command line: regsvr32 /s C:\Windows\System32\ggsss7.dll
    PID: 2604
    - Loads dropped DLL
    - Installs/modifies Browser Helper Object
    - System Location Discovery: System Language Discovery
    - Modifies registry class

  C:\Windows\SysWOW64\cmd.exe
    Command line: cmd /c 375O540.bat
    PID: 2848
    - Deletes itself
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (3)
  Pre-OS Boot (1)
    Bootkit (1)
Downloads