3645a9b383056a21637a86503a40b362985af838dbfa55cd2864e208d290a0df

Analysis

max time kernel
131s
max time network
134s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe
Size

936KB
MD5

b181ed4af9951aeb4db2f7df8c23ecf8
SHA1

bc61c0ed5954507d1148a6ed46a4229bb76ff530
SHA256

3645a9b383056a21637a86503a40b362985af838dbfa55cd2864e208d290a0df
SHA512

98a5ece85448b6b8882efa530e40c1e04d79ebb406bd128dc05e289639b87c8b912cee10c7d08a42ded710fe6695eb7c66587e978bc888d68c0949388fedc7c0
SSDEEP

24576:zeqdnkC37wocoXQTV/wOguzyQVek5X6T6Z0INbHL/L:qikC7w5Lh/LjymN6TW0erLj

Score

7^/10

bootkit discovery persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
behavioral1/files/0x0008000000016cf5-44.dat	acprotect
behavioral1/files/0x00050000000186e7-68.dat	acprotect
behavioral1/files/0x0005000000018686-72.dat	acprotect

Executes dropped EXE 2 IoCs

Processes:

sycyt1n.exesmss.exe

pid	Process
1712	sycyt1n.exe
1264	smss.exe

Loads dropped DLL 14 IoCs

Processes:

b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exesycyt1n.exesmss.exeregsvr32.exewmplayer.exe

pid	Process
1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe
1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe
1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe
1712	sycyt1n.exe
1712	sycyt1n.exe
1712	sycyt1n.exe
1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe
1264	smss.exe
1264	smss.exe
1264	smss.exe
2952	regsvr32.exe
2848	wmplayer.exe
2848	wmplayer.exe
2848	wmplayer.exe

Drops desktop.ini file(s) 7 IoCs

Processes:

wmplayer.exe

description	ioc	Process
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

wmplayer.exe

description	ioc	Process
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

wmplayer.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	wmplayer.exe

Drops file in System32 directory 4 IoCs

Processes:

sycyt1n.exewmplayer.exe

description	ioc	Process
File created	C:\Windows\SysWOW64\sycytj0n.dll	sycyt1n.exe
File created	C:\Windows\SysWOW64\fixmfs.dll	wmplayer.exe
File created	C:\Windows\SysWOW64\adsimg01.dll	wmplayer.exe
File opened for modification	C:\Windows\SysWOW64\sycytj0n.dll	sycyt1n.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1980-0-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/memory/1264-37-0x0000000000020000-0x000000000002C000-memory.dmp	upx
behavioral1/memory/1980-30-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral1/files/0x00050000000186e7-68.dat	upx
behavioral1/memory/2848-70-0x0000000005D20000-0x0000000005ED5000-memory.dmp	upx
behavioral1/memory/2848-117-0x0000000005D20000-0x0000000005ED5000-memory.dmp	upx
behavioral1/memory/2848-116-0x0000000005D20000-0x0000000005ED5000-memory.dmp	upx
behavioral1/memory/2848-120-0x0000000005D20000-0x0000000005ED5000-memory.dmp	upx
behavioral1/memory/2848-140-0x0000000005D20000-0x0000000005ED5000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

Processes:

smss.exe

description	ioc	Process
File opened for modification	C:\Program Files\Internet Explorer\IEXPLORE.EXE	smss.exe
File created	C:\Program Files\Internet Explorer\icwres.def	smss.exe
File opened for modification	C:\Program Files\Internet Explorer\icwres.def	smss.exe
File opened for modification	C:\program files\Internet Explorer\icwres.def	smss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1656	2848	WerFault.exe	33

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

regsvr32.exewmplayer.exeIEXPLORE.EXEb181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exesycyt1n.exesmss.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sycyt1n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

IEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PhishingFilter	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 605d83f76142db01	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439048513"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{35108901-AE55-11EF-AF8F-6EC443A7582C} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE

Modifies registry class 20 IoCs

Processes:

regsvr32.exewmplayer.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5531FD0A-6293-46B2-9075-C6845576F522}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5592D97A-B649-4606-B7DC-470BFE2A3036}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5592D97A-B649-4606-B7DC-470BFE2A3036}\InprocServer32\ = "C:\\Windows\\SysWOW64\\sycytj0n.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5531FD0A-6293-46B2-9075-C6845576F522}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5531FD0A-6293-46B2-9075-C6845576F522}\FilterData = 020000000000200002000000000000003070693300000000000000000a00000000000000000000003074793300000000f0000000f0000000317479330000000000010000f0000000327479330000000000010000100100003374793300000000000100002001000034747933000000000001000030010000357479330000000000010000400100003674793300000000000100005001000037747933000000000001000060010000387479330000000000010000700100003974793300000000000100008001000031706933080000000000000001000000000000000000000030747933000000000001000090010000000000000000000000000000000000007669647300001000800000aa00389b715955593200001000800000aa00389b715956313200001000800000aa00389b714934323000001000800000aa00389b714959555600001000800000aa00389b717eeb36e44f52ce119f530020af0ba7707beb36e44f52ce119f530020af0ba7707ceb36e44f52ce119f530020af0ba7707deb36e44f52ce119f530020af0ba7708eeb36e44f52ce119f530020af0ba770	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5592D97A-B649-4606-B7DC-470BFE2A3036}\FilterData = 020000000200800002000000000000003070693300000000000000000a00000000000000000000003074793300000000f0000000f0000000317479330000000000010000f0000000327479330000000000010000100100003374793300000000000100002001000034747933000000000001000030010000357479330000000000010000400100003674793300000000000100005001000037747933000000000001000060010000387479330000000000010000700100003974793300000000000100008001000031706933080000000000000001000000000000000000000030747933000000000001000090010000000000000000000000000000000000007669647300001000800000aa00389b715955593200001000800000aa00389b715956313200001000800000aa00389b714934323000001000800000aa00389b714959555600001000800000aa00389b717eeb36e44f52ce119f530020af0ba7707beb36e44f52ce119f530020af0ba7707ceb36e44f52ce119f530020af0ba7707deb36e44f52ce119f530020af0ba7708eeb36e44f52ce119f530020af0ba770	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5531FD0A-6293-46B2-9075-C6845576F522}\InprocServer32\ = "C:\\Windows\\SysWOW64\\sycytj0n.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5592D97A-B649-4606-B7DC-470BFE2A3036}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5531FD0A-6293-46B2-9075-C6845576F522}\CLSID = "{5531FD0A-6293-46B2-9075-C6845576F522}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5592D97A-B649-4606-B7DC-470BFE2A3036}\CLSID = "{5592D97A-B649-4606-B7DC-470BFE2A3036}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5531FD0A-6293-46B2-9075-C6845576F522}\ = "Video Optimize"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5531FD0A-6293-46B2-9075-C6845576F522}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5531FD0A-6293-46B2-9075-C6845576F522}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5592D97A-B649-4606-B7DC-470BFE2A3036}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5531FD0A-6293-46B2-9075-C6845576F522}\FriendlyName = "Video Optimize"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5592D97A-B649-4606-B7DC-470BFE2A3036}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5592D97A-B649-4606-B7DC-470BFE2A3036}\ = "Video Optimize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5592D97A-B649-4606-B7DC-470BFE2A3036}\FriendlyName = "Video Optimize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-wmplayer\CLSID = "{cd3afa96-b84f-48f0-9393-7edc34128127}"	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe

description	pid	Process
Token: SeRestorePrivilege	1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe
Token: SeBackupPrivilege	1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

wmplayer.exeIEXPLORE.EXE

pid	Process
2848	wmplayer.exe
2848	wmplayer.exe
2848	wmplayer.exe
2848	wmplayer.exe
2848	wmplayer.exe
2848	wmplayer.exe
2848	wmplayer.exe
2352	IEXPLORE.EXE

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

wmplayer.exe

pid	Process
2848	wmplayer.exe
2848	wmplayer.exe
2848	wmplayer.exe
2848	wmplayer.exe
2848	wmplayer.exe
2848	wmplayer.exe
2848	wmplayer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

smss.exewmplayer.exeIEXPLORE.EXEIEXPLORE.EXE

pid	Process
1264	smss.exe
2848	wmplayer.exe
2848	wmplayer.exe
2352	IEXPLORE.EXE
2352	IEXPLORE.EXE
1672	IEXPLORE.EXE
1672	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exesycyt1n.exesmss.exewmplayer.exeIEXPLORE.EXE

description	pid	Process	procid_target
PID 1980 wrote to memory of 1712	1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	30
PID 1980 wrote to memory of 1712	1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	30
PID 1980 wrote to memory of 1712	1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	30
PID 1980 wrote to memory of 1712	1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	30
PID 1980 wrote to memory of 1712	1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	30
PID 1980 wrote to memory of 1712	1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	30
PID 1980 wrote to memory of 1712	1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	30
PID 1980 wrote to memory of 1264	1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	31
PID 1980 wrote to memory of 1264	1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	31
PID 1980 wrote to memory of 1264	1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	31
PID 1980 wrote to memory of 1264	1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	31
PID 1980 wrote to memory of 1264	1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	31
PID 1980 wrote to memory of 1264	1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	31
PID 1980 wrote to memory of 1264	1980	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	31
PID 1712 wrote to memory of 2952	1712	sycyt1n.exe	32
PID 1712 wrote to memory of 2952	1712	sycyt1n.exe	32
PID 1712 wrote to memory of 2952	1712	sycyt1n.exe	32
PID 1712 wrote to memory of 2952	1712	sycyt1n.exe	32
PID 1712 wrote to memory of 2952	1712	sycyt1n.exe	32
PID 1712 wrote to memory of 2952	1712	sycyt1n.exe	32
PID 1712 wrote to memory of 2952	1712	sycyt1n.exe	32
PID 1264 wrote to memory of 2848	1264	smss.exe	33
PID 1264 wrote to memory of 2848	1264	smss.exe	33
PID 1264 wrote to memory of 2848	1264	smss.exe	33
PID 1264 wrote to memory of 2848	1264	smss.exe	33
PID 1264 wrote to memory of 2848	1264	smss.exe	33
PID 1264 wrote to memory of 2848	1264	smss.exe	33
PID 1264 wrote to memory of 2848	1264	smss.exe	33
PID 1264 wrote to memory of 2352	1264	smss.exe	36
PID 1264 wrote to memory of 2352	1264	smss.exe	36
PID 1264 wrote to memory of 2352	1264	smss.exe	36
PID 1264 wrote to memory of 2352	1264	smss.exe	36
PID 2848 wrote to memory of 1656	2848	wmplayer.exe	37
PID 2848 wrote to memory of 1656	2848	wmplayer.exe	37
PID 2848 wrote to memory of 1656	2848	wmplayer.exe	37
PID 2848 wrote to memory of 1656	2848	wmplayer.exe	37
PID 2848 wrote to memory of 1656	2848	wmplayer.exe	37
PID 2848 wrote to memory of 1656	2848	wmplayer.exe	37
PID 2848 wrote to memory of 1656	2848	wmplayer.exe	37
PID 2352 wrote to memory of 1672	2352	IEXPLORE.EXE	38
PID 2352 wrote to memory of 1672	2352	IEXPLORE.EXE	38
PID 2352 wrote to memory of 1672	2352	IEXPLORE.EXE	38
PID 2352 wrote to memory of 1672	2352	IEXPLORE.EXE	38
PID 2352 wrote to memory of 1672	2352	IEXPLORE.EXE	38
PID 2352 wrote to memory of 1672	2352	IEXPLORE.EXE	38
PID 2352 wrote to memory of 1672	2352	IEXPLORE.EXE	38

C:\Users\Admin\AppData\Local\Temp\b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\temp\abc\sycyt1n.exe
  "C:\Windows\temp\abc\sycyt1n.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\regsvr32.exe
    "regsvr32.exe" sycytj0n.dll /s
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2952
- C:\Windows\temp\abc\smss.exe
  "C:\Windows\temp\abc\smss.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Windows\temp\abc\clock.avi"
    3⤵
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2848
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2848 -s 296
      4⤵
      Program crash
      PID:1656
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows\temp\abc\smss.exe
    3⤵
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2352 CREDAT:275457 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76d8520709ca88365cf0a3d8b91fb50f

SHA1
fb96bcfcc0af7e6c5fbf1be6add03f8c43b15359

SHA256
f4c9dfbc48ad0a36301eeb1e0effff7ce8388ed3dfe75f3dbac60665e521eb14

SHA512
c8e0891eb98d1abe1d3f6f96f8e543f76836cab3dcdfcc6d450d52e979897cc79be4b4197911198c3855009bca6405da54d2829fde3794e329e3c538bab1ec95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4092c87ffafb197125578ee6f206e394

SHA1
a50e9fcdc65035e11dc2787aaa0d87afb5917d08

SHA256
af94d1b8a0e80a4f5886cffb156ed95ca04b4799afab593124108470b2f9f1e6

SHA512
2384f9d51a3ae10090490777e4cb3030e6594f076aafffaf5f30919e77377b623914967d9a35c69c9d21d7ed7d44b199e7998efcbb004cada89aae59c4c38d49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0a5059d1960c8baf7506d76d62b2fc7

SHA1
8c740409446fbaaede19b70491d5411fe2033c8e

SHA256
3a1e3ad51e4d196a23e7c0c940bf7a25c6905e4ac47a7f8acd6e306f8373e878

SHA512
6c3304693e13c872911427f791e524abef82a9c8f9834ac1b456934fac0dfb16ed72897fa6f18270abae3458c046a57bb7b573ff3360714a2755a7646f90c181

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b882ac0250bdc5985d82c4cd90b1d2b7

SHA1
3478554475480d4df711f54b0f64c00328f6dfe1

SHA256
7b0c05587c0bb93a6f1b4bd854dfbe212606b1b67623a4bf5c06ab4a22c3d413

SHA512
6296fbeaabcf56ee17b6eefcf64d694f5de5db7f89fe7766d4e71fb74d03ec45eff23a996e047da7953922d462f8694dc2c7d899ce234f2b076f66ad5f7287ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41c29e3d4254f5bdd0697270758ca8b8

SHA1
4c1bba981b141aa620207c9d7bdbaaa0a3a95dfd

SHA256
23583f1c33de05ecc9f5156190febfcf15947a3ab6770145bac860eb42b60e8d

SHA512
0b44d4763a38e6e1cd2ca19df00e630dc06c4996c36762ae22a953aee5206ff9f7bf123cb68bd8eee0de51e8ae42e1df972af6b72f2aa8e21ba253606c0c897b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8eeb782df0622ab07592dac6559cb36c

SHA1
b936882611b25dfd82ccc1f2feb586a9ee5de92e

SHA256
6888230be37fd09d4f4626d94604245b4c5e415e0ee2dcc9e34aac6217f9c4bd

SHA512
87c5d7f1c55f31d0228bfabe90bb2f4ffafb1695b1fa6ea5e9dc77915e2593764c77a207efd52a1736a4d60387f6bfb98f019c0536be7d441f0673b979b4948a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d9878bf27f287b7a00e413391e7f006

SHA1
175a3437412fec2fb8f4c10b97d7727b744fab44

SHA256
e51796e76b57740d6748ba4c2d54a40124d0ae4e29258e7ea6a5f986848d20ff

SHA512
a26b40d963d4f8b6964815375164c4fcd9fcb8cf18fa6e0ad846d0eaaf5ea587ebba4cc15bf4113530c7f80db3dce75814a4be5472428b26bb03b6d67fc66c23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3fa1640025d2ca9397beb41c05423f9

SHA1
00b2a8b11f7a866e1def59c398707b282c3df713

SHA256
b9a56c2b5bc93fe27752cd6739c2bbfb57e1f4d7a3d2de98dd56226050e88209

SHA512
163a9dfd0c1fb0d7a57b6de985b35706f9b3e68a013efa328a66f7000630845f03da008cb442a5aadf60d0df2db986c953613920a312c0458e94f4964bacc9ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93c42bc77354d04f1b0c3ec71d22e530

SHA1
e3ee8dc7523a12eae12572df9d80e42538bfa099

SHA256
cd181c3a25364dae47eb55b03a04f78cf214864250b794fd6e642881483fff12

SHA512
91c61d63f32a69aa2f401b683536acccf84345d8ac9be8505be186baedf578c171013ce7d5e3ba01ee10c9e460f037725f7be8ff21f4977a5fbfb08fabb00942

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB1A3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB254.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\SysWOW64\sycytj0n.dll

Filesize
865KB

MD5
c87600c9819289f144f73f3013f9679d

SHA1
755a9b426b18f2108ab89f778c1f409867218d74

SHA256
df580f72c0d5bfd4aab0d6e92dd25899fc02752f31972a2933abfe60e322afd6

SHA512
4b2bf3fa99735dc3507e588f804b761c0c25f392868672564009bb38823ba1854aba545a925973d33055d94df6c669f0631b55bb21db8d72401a1bfabd3469a6

Download Submit
C:\Windows\Temp\abc\sycyt1n.exe

Filesize
877KB

MD5
72de4c54c03e63c233278b6a260b6b32

SHA1
455b1b6bf5db8a2358c98624abcbaba2a231f730

SHA256
ab0fc7168d5a76d20bad54025127fb07023f17ff9a71be5a49b3ac00d991532b

SHA512
6f4553448f84d420e0a156ee2c31669cc231d409974ae3f5faf9eea3916c7e3f313fc6de1075bbc26dec794ffa796cca3d9c63c0007ab03de94c83aba5709a21

Download Submit
C:\Windows\temp\abc\clock.avi

Filesize
18KB

MD5
e9445af1e1b67fc32a3c87d9ce0c33b8

SHA1
4678180934c6cd61876071842db8e78da724a04a

SHA256
b475c20b53529299d0b9d49d43e25291d50dbcb7212f8377ddb27ff2e1dec83b

SHA512
2ec9c0d5377f019539c7e1fe6dc6edb2a28e3afbca9dbfb5513f78e56d350fd721698909d8b0be7ab79cefb783997ca481bce5209d9f6a592e0631f1dc6bb9f7

Download Submit
\Windows\SysWOW64\adsimg01.dll

Filesize
575KB

MD5
11e0b743578db0a51a64bd35ce96e93a

SHA1
facac9377fd187f04fb563598cd411e3e35f4029

SHA256
e44baca05dfaf83f52bf01fbcb32f23bb1381c01b0469b0986da5eb19f3e750e

SHA512
b284308b2ebac57568b142c62bbc6256dbfe46f7da861565dbe2aeb579cc897a96e384e93f7d9df152b032509537ca0d1846395ca86f8022c6e7b718efc15708

Download Submit
\Windows\SysWOW64\fixmfs.dll

Filesize
11KB

MD5
5564a1377b767ecbad35fdc2a45534a7

SHA1
226b1df70634eab078282e299dbf78100037439a

SHA256
03976707f64367d2894a43f725810ea5e9492d2101f2ad59a2a601bc5d9ebfce

SHA512
d06f857196bcec44d36245cfa550e4c16f6fb103e23664341284424628fa9fb7c8a9e9ad1dba9e8e0167177d2d0275b738d88db5df7f8f4d7dae1973ba8987eb

Download Submit
\Windows\Temp\abc\smss.exe

Filesize
14KB

MD5
6979d5f94b45f05707e6d89003a8fe0b

SHA1
7a3b8cf3d1bad14cd928ce6dec94563eddc655d8

SHA256
7037829253fcf679328f678ef9f1b1f14fc5db1e0a58d1b479ff05ce2a3ddf5d

SHA512
df75f3927cffbc2eb62a3a898557aa561572596093c4da4e58f414d5dca6d8e1dc0a125b1b36aacf250be1d5c19eb1031a6db3c6dd738dbc14634da785bc7de6

Download Submit
memory/1264-36-0x0000000000020000-0x000000000002C000-memory.dmp

Filesize
48KB

Download
memory/1264-42-0x0000000003120000-0x0000000003BDA000-memory.dmp

Filesize
10.7MB

Download
memory/1264-35-0x0000000000020000-0x000000000002C000-memory.dmp

Filesize
48KB

Download
memory/1264-37-0x0000000000020000-0x000000000002C000-memory.dmp

Filesize
48KB

Download
memory/1264-38-0x000000000040B000-0x000000000040C000-memory.dmp

Filesize
4KB

Download
memory/1264-60-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1264-59-0x000000000040B000-0x000000000040C000-memory.dmp

Filesize
4KB

Download
memory/1264-39-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1264-137-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1980-30-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1980-1-0x00000000002E0000-0x0000000000306000-memory.dmp

Filesize
152KB

Download
memory/1980-2-0x00000000002E0000-0x0000000000306000-memory.dmp

Filesize
152KB

Download
memory/1980-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/2848-120-0x0000000005D20000-0x0000000005ED5000-memory.dmp

Filesize
1.7MB

Download
memory/2848-74-0x0000000004920000-0x000000000492D000-memory.dmp

Filesize
52KB

Download
memory/2848-75-0x00000000047C0000-0x00000000047CA000-memory.dmp

Filesize
40KB

Download
memory/2848-76-0x00000000047C0000-0x00000000047CA000-memory.dmp

Filesize
40KB

Download
memory/2848-77-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/2848-78-0x0000000004800000-0x000000000480A000-memory.dmp

Filesize
40KB

Download
memory/2848-117-0x0000000005D20000-0x0000000005ED5000-memory.dmp

Filesize
1.7MB

Download
memory/2848-116-0x0000000005D20000-0x0000000005ED5000-memory.dmp

Filesize
1.7MB

Download
memory/2848-71-0x00000000047C0000-0x00000000047CA000-memory.dmp

Filesize
40KB

Download
memory/2848-70-0x0000000005D20000-0x0000000005ED5000-memory.dmp

Filesize
1.7MB

Download
memory/2848-140-0x0000000005D20000-0x0000000005ED5000-memory.dmp

Filesize
1.7MB

Download
memory/2848-142-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/2848-143-0x0000000004920000-0x000000000492D000-memory.dmp

Filesize
52KB

Download
memory/2848-65-0x0000000000420000-0x000000000042A000-memory.dmp

Filesize
40KB

Download
memory/2848-64-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/2848-61-0x0000000004800000-0x000000000480A000-memory.dmp

Filesize
40KB

Download
memory/2848-62-0x0000000004800000-0x000000000480A000-memory.dmp

Filesize
40KB

Download
memory/2848-54-0x00000000047C0000-0x00000000047CA000-memory.dmp

Filesize
40KB

Download
memory/2848-56-0x00000000047C0000-0x00000000047CA000-memory.dmp

Filesize
40KB

Download
memory/2848-57-0x00000000047C0000-0x00000000047CA000-memory.dmp

Filesize
40KB

Download
memory/2848-58-0x00000000047C0000-0x00000000047CA000-memory.dmp

Filesize
40KB

Download
memory/2848-55-0x00000000047C0000-0x00000000047CA000-memory.dmp

Filesize
40KB

Download
memory/2952-48-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/2952-46-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download