3645a9b383056a21637a86503a40b362985af838dbfa55cd2864e208d290a0df

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 13:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe
Size

936KB
MD5

b181ed4af9951aeb4db2f7df8c23ecf8
SHA1

bc61c0ed5954507d1148a6ed46a4229bb76ff530
SHA256

3645a9b383056a21637a86503a40b362985af838dbfa55cd2864e208d290a0df
SHA512

98a5ece85448b6b8882efa530e40c1e04d79ebb406bd128dc05e289639b87c8b912cee10c7d08a42ded710fe6695eb7c66587e978bc888d68c0949388fedc7c0
SSDEEP

24576:zeqdnkC37wocoXQTV/wOguzyQVek5X6T6Z0INbHL/L:qikC7w5Lh/LjymN6TW0erLj

Score

7^/10

bootkit discovery persistence upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 3 IoCs

Detects file using ACProtect software.

Processes:

resource	yara_rule
behavioral2/files/0x000b000000023b79-28.dat	acprotect
behavioral2/files/0x000b000000023b8c-83.dat	acprotect
behavioral2/files/0x000c000000023b8b-90.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exesmss.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 2 IoCs

Processes:

sycyt1n.exesmss.exe

pid	Process
468	sycyt1n.exe
4140	smss.exe

Loads dropped DLL 6 IoCs

Processes:

regsvr32.exewmplayer.exe

pid	Process
764	regsvr32.exe
3004	wmplayer.exe
3004	wmplayer.exe
3004	wmplayer.exe
3004	wmplayer.exe
3004	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exewmplayer.exe

description	ioc	Process
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

wmplayer.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	wmplayer.exe

Drops file in System32 directory 4 IoCs

Processes:

sycyt1n.exewmplayer.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\sycytj0n.dll	sycyt1n.exe
File created	C:\Windows\SysWOW64\sycytj0n.dll	sycyt1n.exe
File created	C:\Windows\SysWOW64\fixmfs.dll	wmplayer.exe
File created	C:\Windows\SysWOW64\adsimg01.dll	wmplayer.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1948-0-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/memory/1948-24-0x0000000000400000-0x0000000000426000-memory.dmp	upx
behavioral2/files/0x000b000000023b8c-83.dat	upx
behavioral2/memory/3004-88-0x00000000091C0000-0x0000000009375000-memory.dmp	upx
behavioral2/memory/3004-87-0x00000000091C0000-0x0000000009375000-memory.dmp	upx
behavioral2/memory/3004-96-0x00000000091C0000-0x0000000009375000-memory.dmp	upx
behavioral2/memory/3004-98-0x00000000091C0000-0x0000000009375000-memory.dmp	upx
behavioral2/memory/3004-119-0x00000000091C0000-0x0000000009375000-memory.dmp	upx

Drops file in Program Files directory 4 IoCs

Processes:

smss.exe

description	ioc	Process
File opened for modification	C:\program files\Internet Explorer\icwres.def	smss.exe
File opened for modification	C:\Program Files\Internet Explorer\IEXPLORE.EXE	smss.exe
File created	C:\Program Files\Internet Explorer\icwres.def	smss.exe
File opened for modification	C:\Program Files\Internet Explorer\icwres.def	smss.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exe

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
2200	764	WerFault.exe	84
1936	3004	WerFault.exe	85

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exesycyt1n.exesmss.exeregsvr32.exewmplayer.exeunregmp2.exeIEXPLORE.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sycyt1n.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	smss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

IEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\PhishingFilter	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 9c5ac702d418db01	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEIEXPLORE.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "177986946"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c00000000000000010000000083ffff0083ffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31146594"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "178612282"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31146594"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "178143004"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31146594"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439651622"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "178612282"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{362664B6-AE55-11EF-ADF2-E26222BAF6A3} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\MINIE	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31146594"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE

Modifies registry class 19 IoCs

Processes:

regsvr32.exewmplayer.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5592D97A-B649-4606-B7DC-470BFE2A3036}\InprocServer32\ = "C:\\Windows\\SysWow64\\sycytj0n.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5531FD0A-6293-46B2-9075-C6845576F522}\CLSID = "{5531FD0A-6293-46B2-9075-C6845576F522}"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5531FD0A-6293-46B2-9075-C6845576F522}\FilterData = 020000000000200002000000000000003070693300000000000000000a00000000000000000000003074793300000000f0000000f0000000317479330000000000010000f0000000327479330000000000010000100100003374793300000000000100002001000034747933000000000001000030010000357479330000000000010000400100003674793300000000000100005001000037747933000000000001000060010000387479330000000000010000700100003974793300000000000100008001000031706933080000000000000001000000000000000000000030747933000000000001000090010000000000000000000000000000000000007669647300001000800000aa00389b715955593200001000800000aa00389b715956313200001000800000aa00389b714934323000001000800000aa00389b714959555600001000800000aa00389b717eeb36e44f52ce119f530020af0ba7707beb36e44f52ce119f530020af0ba7707ceb36e44f52ce119f530020af0ba7707deb36e44f52ce119f530020af0ba7708eeb36e44f52ce119f530020af0ba770	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5592D97A-B649-4606-B7DC-470BFE2A3036}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5592D97A-B649-4606-B7DC-470BFE2A3036}\FriendlyName = "Video Optimize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5592D97A-B649-4606-B7DC-470BFE2A3036}\CLSID = "{5592D97A-B649-4606-B7DC-470BFE2A3036}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5531FD0A-6293-46B2-9075-C6845576F522}\InprocServer32\ = "C:\\Windows\\SysWow64\\sycytj0n.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5531FD0A-6293-46B2-9075-C6845576F522}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5592D97A-B649-4606-B7DC-470BFE2A3036}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5531FD0A-6293-46B2-9075-C6845576F522}\FriendlyName = "Video Optimize"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5592D97A-B649-4606-B7DC-470BFE2A3036}\FilterData = 020000000200800002000000000000003070693300000000000000000a00000000000000000000003074793300000000f0000000f0000000317479330000000000010000f0000000327479330000000000010000100100003374793300000000000100002001000034747933000000000001000030010000357479330000000000010000400100003674793300000000000100005001000037747933000000000001000060010000387479330000000000010000700100003974793300000000000100008001000031706933080000000000000001000000000000000000000030747933000000000001000090010000000000000000000000000000000000007669647300001000800000aa00389b715955593200001000800000aa00389b715956313200001000800000aa00389b714934323000001000800000aa00389b714959555600001000800000aa00389b717eeb36e44f52ce119f530020af0ba7707beb36e44f52ce119f530020af0ba7707ceb36e44f52ce119f530020af0ba7707deb36e44f52ce119f530020af0ba7708eeb36e44f52ce119f530020af0ba770	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5531FD0A-6293-46B2-9075-C6845576F522}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5531FD0A-6293-46B2-9075-C6845576F522}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5592D97A-B649-4606-B7DC-470BFE2A3036}\ = "Video Optimize"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5592D97A-B649-4606-B7DC-470BFE2A3036}\InprocServer32\ThreadingModel = "Both"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{5531FD0A-6293-46B2-9075-C6845576F522}	regsvr32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4089630652-1596403869-279772308-1000\{49D047D7-CEED-4A61-AE59-E4D70A171C3B}	wmplayer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5531FD0A-6293-46B2-9075-C6845576F522}\ = "Video Optimize"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5592D97A-B649-4606-B7DC-470BFE2A3036}	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

wmplayer.exeunregmp2.exe

description	pid	Process
Token: SeShutdownPrivilege	3004	wmplayer.exe
Token: SeCreatePagefilePrivilege	3004	wmplayer.exe
Token: SeShutdownPrivilege	4928	unregmp2.exe
Token: SeCreatePagefilePrivilege	4928	unregmp2.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

wmplayer.exeIEXPLORE.EXE

pid	Process
3004	wmplayer.exe
3004	wmplayer.exe
3004	wmplayer.exe
3004	wmplayer.exe
3004	wmplayer.exe
3004	wmplayer.exe
3004	wmplayer.exe
3572	IEXPLORE.EXE

Suspicious use of SendNotifyMessage 7 IoCs

Processes:

wmplayer.exe

pid	Process
3004	wmplayer.exe
3004	wmplayer.exe
3004	wmplayer.exe
3004	wmplayer.exe
3004	wmplayer.exe
3004	wmplayer.exe
3004	wmplayer.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

smss.exewmplayer.exeIEXPLORE.EXEIEXPLORE.EXE

pid	Process
4140	smss.exe
3004	wmplayer.exe
3004	wmplayer.exe
3572	IEXPLORE.EXE
3572	IEXPLORE.EXE
628	IEXPLORE.EXE
628	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exesycyt1n.exesmss.exewmplayer.exeunregmp2.exeIEXPLORE.EXE

description	pid	Process	procid_target
PID 1948 wrote to memory of 468	1948	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	82
PID 1948 wrote to memory of 468	1948	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	82
PID 1948 wrote to memory of 468	1948	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	82
PID 1948 wrote to memory of 4140	1948	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	83
PID 1948 wrote to memory of 4140	1948	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	83
PID 1948 wrote to memory of 4140	1948	b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe	83
PID 468 wrote to memory of 764	468	sycyt1n.exe	84
PID 468 wrote to memory of 764	468	sycyt1n.exe	84
PID 468 wrote to memory of 764	468	sycyt1n.exe	84
PID 4140 wrote to memory of 3004	4140	smss.exe	85
PID 4140 wrote to memory of 3004	4140	smss.exe	85
PID 4140 wrote to memory of 3004	4140	smss.exe	85
PID 3004 wrote to memory of 4948	3004	wmplayer.exe	88
PID 3004 wrote to memory of 4948	3004	wmplayer.exe	88
PID 3004 wrote to memory of 4948	3004	wmplayer.exe	88
PID 4948 wrote to memory of 4928	4948	unregmp2.exe	89
PID 4948 wrote to memory of 4928	4948	unregmp2.exe	89
PID 4140 wrote to memory of 3572	4140	smss.exe	103
PID 4140 wrote to memory of 3572	4140	smss.exe	103
PID 3572 wrote to memory of 628	3572	IEXPLORE.EXE	104
PID 3572 wrote to memory of 628	3572	IEXPLORE.EXE	104
PID 3572 wrote to memory of 628	3572	IEXPLORE.EXE	104

C:\Users\Admin\AppData\Local\Temp\b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b181ed4af9951aeb4db2f7df8c23ecf8_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Windows\temp\abc\sycyt1n.exe
  "C:\Windows\temp\abc\sycyt1n.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\SysWOW64\regsvr32.exe
    "regsvr32.exe" sycytj0n.dll /s
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:764
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 800
      4⤵
      Program crash
      PID:2200
- C:\Windows\temp\abc\smss.exe
  "C:\Windows\temp\abc\smss.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" "C:\Windows\temp\abc\clock.avi"
    3⤵
    - Loads dropped DLL
    - Enumerates connected drives
    - Writes to the Master Boot Record (MBR)
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4948
    - - C:\Windows\system32\unregmp2.exe
        
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        5⤵
        Enumerates connected drives
        Suspicious use of AdjustPrivilegeToken
        
        PID:4928
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3004 -s 616
      4⤵
      Program crash
      PID:1936
- - C:\Program Files\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files\Internet Explorer\IEXPLORE.EXE" C:\Windows\temp\abc\smss.exe
    3⤵
    - Modifies Internet Explorer Phishing Filter
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3572
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3572 CREDAT:17410 /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:628

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 764 -ip 764
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:2080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3004 -ip 3004
1⤵
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
549aeb864011f0c57644853ec90cbab9

SHA1
fd63ad25ed0824b3aa6c9bce49f55d85d0a88e3e

SHA256
8c2c91480d44c8881a3cde343916de69bcddf67dff17588e9640c4d7b01437ea

SHA512
6d6cacc4c938ff1cc53d4504fc8faa8ca2c4ddab8c0edfddfaee6039a12b9f845dca85b0ef06cad8b6a2a7f02c0b6cb47cf6ea0dda333ae21bb59d222247be7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
d85ae0ec270f84993d6af0abdf9f1887

SHA1
3a2b2c5ea0ee897846d563b1bd9d06daf0e35e84

SHA256
41b66cc9147ccd7c47ec0bb91ea5f9cc90c47bee239db7a3c64b3c0e61389810

SHA512
29988809a9d734080b4cad23d3c0436f5ccdd740a697bbeb4ab4cbd3a321eec516ff0656de6e7f7138f52c5225096229ffea3d47090feb70a4a844a014cd2878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE635.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
256KB

MD5
abfc05c67f334befe09d4e5894cf779e

SHA1
7e11d3005a6a0a93a7b80082ac2245a421af24b5

SHA256
ffd0e68ad30fd435100ff3bdc52bb2be192de6fd59a49c3e5270e75c872f36ee

SHA512
87b65503568d2b1e2846c83e6cc958f67459664b1ca5c77d0ddd8a0fd3fa316c621e72d63ae118eb121779294a6abbf0bef65411159069e7da9595b45d4abcc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
5cabc31291f64775bfce94e1becadcd9

SHA1
37f3700749ec8ce030b1c29e53ed522b2552f2dd

SHA256
8d5f70b9b7ba3f0a5fdf035f571a71b84b30f19ae55501b22c421bc0b7b6aa79

SHA512
a702e33b3f669fa92e93e53828a737100fb386d928813ed2395a9fe7ccb95610db008f8b6128de43ee56a33438a2c0cbb4859d3c9e355c1b234f0c39125f33c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PGH3GSHW\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
e69a1c6d19ab03f7e3b4882d2abd47f3

SHA1
70b6046ef26c309f28e1ba746f8ee3042a65918d

SHA256
4d48575d126d70e5061e10de9ec2e593e60ca431da00eeb314e9a6db7090142a

SHA512
04ca7507b9704ea37b8001635f406c175bfda8f2528d35e3b26064a9c06ea272fd8b5571bb2d38076e32de4216602ea26873010fecc7992c7c74ce00e0a5e1ec

Download Submit
C:\Windows\SysWOW64\adsimg01.dll

Filesize
575KB

MD5
11e0b743578db0a51a64bd35ce96e93a

SHA1
facac9377fd187f04fb563598cd411e3e35f4029

SHA256
e44baca05dfaf83f52bf01fbcb32f23bb1381c01b0469b0986da5eb19f3e750e

SHA512
b284308b2ebac57568b142c62bbc6256dbfe46f7da861565dbe2aeb579cc897a96e384e93f7d9df152b032509537ca0d1846395ca86f8022c6e7b718efc15708

Download Submit
C:\Windows\SysWOW64\fixmfs.dll

Filesize
11KB

MD5
5564a1377b767ecbad35fdc2a45534a7

SHA1
226b1df70634eab078282e299dbf78100037439a

SHA256
03976707f64367d2894a43f725810ea5e9492d2101f2ad59a2a601bc5d9ebfce

SHA512
d06f857196bcec44d36245cfa550e4c16f6fb103e23664341284424628fa9fb7c8a9e9ad1dba9e8e0167177d2d0275b738d88db5df7f8f4d7dae1973ba8987eb

Download Submit
C:\Windows\SysWOW64\sycytj0n.dll

Filesize
865KB

MD5
c87600c9819289f144f73f3013f9679d

SHA1
755a9b426b18f2108ab89f778c1f409867218d74

SHA256
df580f72c0d5bfd4aab0d6e92dd25899fc02752f31972a2933abfe60e322afd6

SHA512
4b2bf3fa99735dc3507e588f804b761c0c25f392868672564009bb38823ba1854aba545a925973d33055d94df6c669f0631b55bb21db8d72401a1bfabd3469a6

Download Submit
C:\Windows\Temp\abc\smss.exe

Filesize
14KB

MD5
6979d5f94b45f05707e6d89003a8fe0b

SHA1
7a3b8cf3d1bad14cd928ce6dec94563eddc655d8

SHA256
7037829253fcf679328f678ef9f1b1f14fc5db1e0a58d1b479ff05ce2a3ddf5d

SHA512
df75f3927cffbc2eb62a3a898557aa561572596093c4da4e58f414d5dca6d8e1dc0a125b1b36aacf250be1d5c19eb1031a6db3c6dd738dbc14634da785bc7de6

Download Submit
C:\Windows\Temp\abc\sycyt1n.exe

Filesize
877KB

MD5
72de4c54c03e63c233278b6a260b6b32

SHA1
455b1b6bf5db8a2358c98624abcbaba2a231f730

SHA256
ab0fc7168d5a76d20bad54025127fb07023f17ff9a71be5a49b3ac00d991532b

SHA512
6f4553448f84d420e0a156ee2c31669cc231d409974ae3f5faf9eea3916c7e3f313fc6de1075bbc26dec794ffa796cca3d9c63c0007ab03de94c83aba5709a21

Download Submit
C:\Windows\temp\abc\clock.avi

Filesize
18KB

MD5
e9445af1e1b67fc32a3c87d9ce0c33b8

SHA1
4678180934c6cd61876071842db8e78da724a04a

SHA256
b475c20b53529299d0b9d49d43e25291d50dbcb7212f8377ddb27ff2e1dec83b

SHA512
2ec9c0d5377f019539c7e1fe6dc6edb2a28e3afbca9dbfb5513f78e56d350fd721698909d8b0be7ab79cefb783997ca481bce5209d9f6a592e0631f1dc6bb9f7

Download Submit
memory/764-61-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/764-30-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/1948-0-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/1948-24-0x0000000000400000-0x0000000000426000-memory.dmp

Filesize
152KB

Download
memory/3004-74-0x0000000006610000-0x0000000006620000-memory.dmp

Filesize
64KB

Download
memory/3004-66-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3004-73-0x0000000006610000-0x0000000006620000-memory.dmp

Filesize
64KB

Download
memory/3004-75-0x0000000006610000-0x0000000006620000-memory.dmp

Filesize
64KB

Download
memory/3004-72-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3004-78-0x0000000006610000-0x0000000006620000-memory.dmp

Filesize
64KB

Download
memory/3004-77-0x0000000006610000-0x0000000006620000-memory.dmp

Filesize
64KB

Download
memory/3004-76-0x0000000006610000-0x0000000006620000-memory.dmp

Filesize
64KB

Download
memory/3004-81-0x0000000006610000-0x0000000006620000-memory.dmp

Filesize
64KB

Download
memory/3004-82-0x0000000006610000-0x0000000006620000-memory.dmp

Filesize
64KB

Download
memory/3004-70-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/3004-88-0x00000000091C0000-0x0000000009375000-memory.dmp

Filesize
1.7MB

Download
memory/3004-87-0x00000000091C0000-0x0000000009375000-memory.dmp

Filesize
1.7MB

Download
memory/3004-71-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3004-67-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3004-94-0x00000000099F0000-0x00000000099FD000-memory.dmp

Filesize
52KB

Download
memory/3004-95-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/3004-96-0x00000000091C0000-0x0000000009375000-memory.dmp

Filesize
1.7MB

Download
memory/3004-65-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/3004-98-0x00000000091C0000-0x0000000009375000-memory.dmp

Filesize
1.7MB

Download
memory/3004-119-0x00000000091C0000-0x0000000009375000-memory.dmp

Filesize
1.7MB

Download
memory/3004-120-0x0000000010000000-0x00000000101AC000-memory.dmp

Filesize
1.7MB

Download
memory/3004-118-0x00000000099F0000-0x00000000099FD000-memory.dmp

Filesize
52KB

Download
memory/3004-68-0x0000000004460000-0x0000000004470000-memory.dmp

Filesize
64KB

Download
memory/4140-127-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4140-97-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4140-22-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/4140-21-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download