c56db4bb0499c957719c72f76f4b3541a10bfa0c567afbed37597669ebeb7c31

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
28/04/2024, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Size

150KB
MD5

05da866cdc40e2426903e2c3ba8bbcb6
SHA1

c8df5f665324305d51851c1f6decbf612b4be8ab
SHA256

c56db4bb0499c957719c72f76f4b3541a10bfa0c567afbed37597669ebeb7c31
SHA512

a47c949be8c5ecc6ef583587efc9939b1738fc25de2ba11d5d77c7294fcaa09271d54965fe58fb50f05f7cccaa282641c68c4819e6ad59be255221b3e1bb8818
SSDEEP

1536:cWwa6OYkIgzwOYFu/vWInvqTgiV6ZokAMOwklOcjUpkWb2TTghpwuh:lz6ODIn3u//vS4oEOXOcjWJuuth

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe \"C:\\Windows\\system32\\IExplorer.exe\""	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IExplorer.exe"	4k51k4.exe

Modifies visibility of file extensions in Explorer 2 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	SMSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	CSRSS.EXE

Modifies visiblity of hidden/system files in Explorer 2 TTPs 7 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SERVICES.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	SMSS.EXE

Disables RegEdit via registry modification 14 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Executes dropped EXE 64 IoCs

pid	Process
2372	4k51k4.exe
2472	IExplorer.exe
1468	Shell.exe
1576	Shell.exe
328	Shell.exe
1944	4k51k4.exe
608	IExplorer.exe
1408	WINLOGON.EXE
396	CSRSS.EXE
1896	SERVICES.EXE
2332	LSASS.EXE
852	SMSS.EXE
284	Shell.exe
3012	Shell.exe
2280	4k51k4.exe
1984	4k51k4.exe
1536	IExplorer.exe
1524	IExplorer.exe
2600	4k51k4.exe
2532	WINLOGON.EXE
2980	WINLOGON.EXE
2512	4k51k4.exe
2692	IExplorer.exe
2260	CSRSS.EXE
2148	CSRSS.EXE
2440	IExplorer.exe
2448	WINLOGON.EXE
2436	SERVICES.EXE
2856	CSRSS.EXE
2964	WINLOGON.EXE
1516	SERVICES.EXE
2860	LSASS.EXE
776	SERVICES.EXE
2432	CSRSS.EXE
2640	LSASS.EXE
2820	SMSS.EXE
376	4k51k4.exe
1580	LSASS.EXE
1356	IExplorer.exe
1164	SERVICES.EXE
1728	SMSS.EXE
2884	SMSS.EXE
3060	LSASS.EXE
2252	Shell.exe
2196	WINLOGON.EXE
2480	Shell.exe
2024	CSRSS.EXE
2328	SMSS.EXE
600	Shell.exe
1400	Shell.exe
1564	SERVICES.EXE
2348	Shell.exe
1592	Shell.exe
1156	LSASS.EXE
380	Shell.exe
1868	SMSS.EXE
2312	Shell.exe
944	Shell.exe
1716	Shell.exe
1232	4k51k4.exe
2120	IExplorer.exe
1892	WINLOGON.EXE
2684	CSRSS.EXE
2572	SERVICES.EXE

Loads dropped DLL 64 IoCs

pid	Process
2340	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
2340	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
1220	WerFault.exe
1220	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
1748	WerFault.exe
2372	4k51k4.exe
2372	4k51k4.exe
2372	4k51k4.exe
2372	4k51k4.exe
2372	4k51k4.exe
2372	4k51k4.exe
2372	4k51k4.exe
2372	4k51k4.exe
2372	4k51k4.exe
2372	4k51k4.exe
2372	4k51k4.exe
2372	4k51k4.exe
1904	WerFault.exe
1904	WerFault.exe
1904	WerFault.exe
1904	WerFault.exe
1408	WINLOGON.EXE
1408	WINLOGON.EXE
396	CSRSS.EXE
396	CSRSS.EXE
396	CSRSS.EXE
396	CSRSS.EXE
1408	WINLOGON.EXE
1896	SERVICES.EXE
1896	SERVICES.EXE
396	CSRSS.EXE
2332	LSASS.EXE
1408	WINLOGON.EXE
1896	SERVICES.EXE
2332	LSASS.EXE
1408	WINLOGON.EXE
1896	SERVICES.EXE
396	CSRSS.EXE
396	CSRSS.EXE
1896	SERVICES.EXE
1896	SERVICES.EXE
2332	LSASS.EXE
2332	LSASS.EXE
396	CSRSS.EXE
396	CSRSS.EXE
1408	WINLOGON.EXE
1408	WINLOGON.EXE
2332	LSASS.EXE
2332	LSASS.EXE
1896	SERVICES.EXE
1408	WINLOGON.EXE
1408	WINLOGON.EXE
396	CSRSS.EXE
396	CSRSS.EXE
1896	SERVICES.EXE
1896	SERVICES.EXE

Modifies system executable filetype association 2 TTPs 24 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\4k51k4 = "C:\\Windows\\4k51k4.exe"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LogonAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\CSRSS.EXE"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System Monitoring = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\LSASS.EXE"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSMSGS = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\WINLOGON.EXE"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\ServiceAdmin = "C:\\Users\\Admin\\Local Settings\\Application Data\\WINDOWS\\SERVICES.EXE"	4k51k4.exe

Drops desktop.ini file(s) 10 IoCs

description	ioc	Process
File opened for modification	C:\desktop.ini	SMSS.EXE
File opened for modification	C:\desktop.ini	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File created	C:\desktop.ini	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened for modification	F:\desktop.ini	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened for modification	C:\desktop.ini	WINLOGON.EXE
File opened for modification	C:\desktop.ini	CSRSS.EXE
File opened for modification	C:\desktop.ini	SERVICES.EXE
File opened for modification	C:\desktop.ini	LSASS.EXE
File created	F:\desktop.ini	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened for modification	C:\desktop.ini	4k51k4.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	4k51k4.exe
File opened (read-only)	\??\W:	4k51k4.exe
File opened (read-only)	\??\E:	SMSS.EXE
File opened (read-only)	\??\M:	SMSS.EXE
File opened (read-only)	\??\S:	4k51k4.exe
File opened (read-only)	\??\Q:	LSASS.EXE
File opened (read-only)	\??\V:	CSRSS.EXE
File opened (read-only)	\??\J:	WINLOGON.EXE
File opened (read-only)	\??\G:	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened (read-only)	\??\I:	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened (read-only)	\??\N:	CSRSS.EXE
File opened (read-only)	\??\O:	CSRSS.EXE
File opened (read-only)	\??\I:	WINLOGON.EXE
File opened (read-only)	\??\V:	WINLOGON.EXE
File opened (read-only)	\??\L:	LSASS.EXE
File opened (read-only)	\??\X:	LSASS.EXE
File opened (read-only)	\??\O:	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened (read-only)	\??\R:	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened (read-only)	\??\Z:	SMSS.EXE
File opened (read-only)	\??\X:	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened (read-only)	\??\Z:	SERVICES.EXE
File opened (read-only)	\??\Y:	LSASS.EXE
File opened (read-only)	\??\K:	SMSS.EXE
File opened (read-only)	\??\Y:	4k51k4.exe
File opened (read-only)	\??\E:	LSASS.EXE
File opened (read-only)	\??\P:	SMSS.EXE
File opened (read-only)	\??\N:	4k51k4.exe
File opened (read-only)	\??\B:	SERVICES.EXE
File opened (read-only)	\??\K:	SERVICES.EXE
File opened (read-only)	\??\R:	SERVICES.EXE
File opened (read-only)	\??\V:	SERVICES.EXE
File opened (read-only)	\??\N:	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened (read-only)	\??\U:	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened (read-only)	\??\M:	4k51k4.exe
File opened (read-only)	\??\X:	CSRSS.EXE
File opened (read-only)	\??\X:	WINLOGON.EXE
File opened (read-only)	\??\T:	LSASS.EXE
File opened (read-only)	\??\T:	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened (read-only)	\??\U:	4k51k4.exe
File opened (read-only)	\??\R:	CSRSS.EXE
File opened (read-only)	\??\B:	WINLOGON.EXE
File opened (read-only)	\??\G:	SERVICES.EXE
File opened (read-only)	\??\O:	LSASS.EXE
File opened (read-only)	\??\X:	SMSS.EXE
File opened (read-only)	\??\E:	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened (read-only)	\??\J:	CSRSS.EXE
File opened (read-only)	\??\P:	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened (read-only)	\??\I:	CSRSS.EXE
File opened (read-only)	\??\Y:	CSRSS.EXE
File opened (read-only)	\??\G:	WINLOGON.EXE
File opened (read-only)	\??\L:	SERVICES.EXE
File opened (read-only)	\??\P:	SERVICES.EXE
File opened (read-only)	\??\X:	SERVICES.EXE
File opened (read-only)	\??\G:	LSASS.EXE
File opened (read-only)	\??\H:	LSASS.EXE
File opened (read-only)	\??\N:	LSASS.EXE
File opened (read-only)	\??\U:	SMSS.EXE
File opened (read-only)	\??\G:	4k51k4.exe
File opened (read-only)	\??\Z:	4k51k4.exe
File opened (read-only)	\??\Y:	WINLOGON.EXE
File opened (read-only)	\??\U:	SERVICES.EXE
File opened (read-only)	\??\Y:	SERVICES.EXE
File opened (read-only)	\??\J:	LSASS.EXE
File opened (read-only)	\??\E:	CSRSS.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\shell.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\shell.exe	LSASS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File created	C:\Windows\SysWOW64\shell.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	CSRSS.EXE
File created	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	LSASS.EXE
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	SMSS.EXE
File created	C:\Windows\SysWOW64\shell.exe	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\shell.exe	SMSS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	WINLOGON.EXE
File created	C:\Windows\SysWOW64\shell.exe	WINLOGON.EXE
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SERVICES.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	CSRSS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	CSRSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\shell.exe	4k51k4.exe
File opened for modification	C:\Windows\SysWOW64\MrHelloween.scr	4k51k4.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	SERVICES.EXE
File created	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\IExplorer.exe	SMSS.EXE
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Shell.exe
File created	C:\Windows\SysWOW64\MrHelloween.scr	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\shell.exe	4k51k4.exe

Drops file in Windows directory 60 IoCs

description	ioc	Process
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\4k51k4.exe	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File created	C:\Windows\4k51k4.exe	4k51k4.exe
File created	C:\Windows\4k51k4.exe	WINLOGON.EXE
File opened for modification	C:\Windows\4k51k4.exe	SMSS.EXE
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\4k51k4.exe	LSASS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\4k51k4.exe	4k51k4.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\4k51k4.exe	SERVICES.EXE
File opened for modification	C:\Windows\4k51k4.exe	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\4k51k4.exe	CSRSS.EXE
File created	C:\Windows\4k51k4.exe	CSRSS.EXE
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\4k51k4.exe	WINLOGON.EXE
File opened for modification	C:\Windows\4k51k4.exe	SERVICES.EXE
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	IExplorer.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\4k51k4.exe	LSASS.EXE
File created	C:\Windows\4k51k4.exe	SMSS.EXE
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	IExplorer.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File created	C:\Windows\msvbvm60.dll	Shell.exe
File opened for modification	C:\Windows\msvbvm60.dll	Shell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 8 IoCs

pid	pid_target	Process	procid_target
1220	2472	WerFault.exe	30
1748	1468	WerFault.exe	32
1904	2372	WerFault.exe	29
1616	396	WerFault.exe	39
1940	1408	WerFault.exe	38
536	1896	WerFault.exe	40
1780	2332	WerFault.exe	41
596	852	WerFault.exe	42

Modifies Control Panel 8 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	4k51k4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	4k51k4.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\Windows\\system32\\MRHELL~1.SCR"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaverIsSecure = "0"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\ScreenSaveTimeOut = "600"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\Desktop\	4k51k4.exe

Modifies registry class 27 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command	4k51k4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\batfile\shell\open\command	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\ = "File Folder"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"C:\\Windows\\system32\\shell.exe\" \"%1\" %*"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shell	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command	4k51k4.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2340	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2340	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
2372	4k51k4.exe
2472	IExplorer.exe
1468	Shell.exe
1576	Shell.exe
328	Shell.exe
1944	4k51k4.exe
608	IExplorer.exe
1408	WINLOGON.EXE
396	CSRSS.EXE
1896	SERVICES.EXE
2332	LSASS.EXE
852	SMSS.EXE
284	Shell.exe
3012	Shell.exe
2280	4k51k4.exe
1984	4k51k4.exe
1524	IExplorer.exe
1536	IExplorer.exe
2600	4k51k4.exe
2532	WINLOGON.EXE
2980	WINLOGON.EXE
2512	4k51k4.exe
2260	CSRSS.EXE
2692	IExplorer.exe
2448	WINLOGON.EXE
2436	SERVICES.EXE
2440	IExplorer.exe
2148	CSRSS.EXE
2964	WINLOGON.EXE
2856	CSRSS.EXE
1516	SERVICES.EXE
2860	LSASS.EXE
776	SERVICES.EXE
2640	LSASS.EXE
2432	CSRSS.EXE
2820	SMSS.EXE
1580	LSASS.EXE
376	4k51k4.exe
1164	SERVICES.EXE
1728	SMSS.EXE
1356	IExplorer.exe
2884	SMSS.EXE
3060	LSASS.EXE
2252	Shell.exe
2196	WINLOGON.EXE
2480	Shell.exe
2328	SMSS.EXE
2024	CSRSS.EXE
1400	Shell.exe
600	Shell.exe
1564	SERVICES.EXE
1592	Shell.exe
2348	Shell.exe
1156	LSASS.EXE
380	Shell.exe
1868	SMSS.EXE
2312	Shell.exe
944	Shell.exe
1716	Shell.exe
1232	4k51k4.exe
2120	IExplorer.exe
1892	WINLOGON.EXE
2684	CSRSS.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2372	2340	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	29
PID 2340 wrote to memory of 2372	2340	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	29
PID 2340 wrote to memory of 2372	2340	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	29
PID 2340 wrote to memory of 2372	2340	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	29
PID 2340 wrote to memory of 2472	2340	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	30
PID 2340 wrote to memory of 2472	2340	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	30
PID 2340 wrote to memory of 2472	2340	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	30
PID 2340 wrote to memory of 2472	2340	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe	30
PID 2472 wrote to memory of 1220	2472	IExplorer.exe	31
PID 2472 wrote to memory of 1220	2472	IExplorer.exe	31
PID 2472 wrote to memory of 1220	2472	IExplorer.exe	31
PID 2472 wrote to memory of 1220	2472	IExplorer.exe	31
PID 1468 wrote to memory of 1748	1468	Shell.exe	33
PID 1468 wrote to memory of 1748	1468	Shell.exe	33
PID 1468 wrote to memory of 1748	1468	Shell.exe	33
PID 1468 wrote to memory of 1748	1468	Shell.exe	33
PID 2372 wrote to memory of 1944	2372	4k51k4.exe	36
PID 2372 wrote to memory of 1944	2372	4k51k4.exe	36
PID 2372 wrote to memory of 1944	2372	4k51k4.exe	36
PID 2372 wrote to memory of 1944	2372	4k51k4.exe	36
PID 2372 wrote to memory of 608	2372	4k51k4.exe	37
PID 2372 wrote to memory of 608	2372	4k51k4.exe	37
PID 2372 wrote to memory of 608	2372	4k51k4.exe	37
PID 2372 wrote to memory of 608	2372	4k51k4.exe	37
PID 2372 wrote to memory of 1408	2372	4k51k4.exe	38
PID 2372 wrote to memory of 1408	2372	4k51k4.exe	38
PID 2372 wrote to memory of 1408	2372	4k51k4.exe	38
PID 2372 wrote to memory of 1408	2372	4k51k4.exe	38
PID 2372 wrote to memory of 396	2372	4k51k4.exe	39
PID 2372 wrote to memory of 396	2372	4k51k4.exe	39
PID 2372 wrote to memory of 396	2372	4k51k4.exe	39
PID 2372 wrote to memory of 396	2372	4k51k4.exe	39
PID 2372 wrote to memory of 1896	2372	4k51k4.exe	40
PID 2372 wrote to memory of 1896	2372	4k51k4.exe	40
PID 2372 wrote to memory of 1896	2372	4k51k4.exe	40
PID 2372 wrote to memory of 1896	2372	4k51k4.exe	40
PID 2372 wrote to memory of 2332	2372	4k51k4.exe	41
PID 2372 wrote to memory of 2332	2372	4k51k4.exe	41
PID 2372 wrote to memory of 2332	2372	4k51k4.exe	41
PID 2372 wrote to memory of 2332	2372	4k51k4.exe	41
PID 2372 wrote to memory of 852	2372	4k51k4.exe	42
PID 2372 wrote to memory of 852	2372	4k51k4.exe	42
PID 2372 wrote to memory of 852	2372	4k51k4.exe	42
PID 2372 wrote to memory of 852	2372	4k51k4.exe	42
PID 2372 wrote to memory of 1904	2372	4k51k4.exe	43
PID 2372 wrote to memory of 1904	2372	4k51k4.exe	43
PID 2372 wrote to memory of 1904	2372	4k51k4.exe	43
PID 2372 wrote to memory of 1904	2372	4k51k4.exe	43
PID 1408 wrote to memory of 2280	1408	WINLOGON.EXE	46
PID 1408 wrote to memory of 2280	1408	WINLOGON.EXE	46
PID 1408 wrote to memory of 2280	1408	WINLOGON.EXE	46
PID 1408 wrote to memory of 2280	1408	WINLOGON.EXE	46
PID 396 wrote to memory of 1984	396	CSRSS.EXE	47
PID 396 wrote to memory of 1984	396	CSRSS.EXE	47
PID 396 wrote to memory of 1984	396	CSRSS.EXE	47
PID 396 wrote to memory of 1984	396	CSRSS.EXE	47
PID 1408 wrote to memory of 1536	1408	WINLOGON.EXE	48
PID 1408 wrote to memory of 1536	1408	WINLOGON.EXE	48
PID 1408 wrote to memory of 1536	1408	WINLOGON.EXE	48
PID 1408 wrote to memory of 1536	1408	WINLOGON.EXE	48
PID 396 wrote to memory of 1524	396	CSRSS.EXE	49
PID 396 wrote to memory of 1524	396	CSRSS.EXE	49
PID 396 wrote to memory of 1524	396	CSRSS.EXE	49
PID 396 wrote to memory of 1524	396	CSRSS.EXE	49

System policy modification 1 TTPs 35 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	CSRSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SERVICES.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	WINLOGON.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	WINLOGON.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	CSRSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	SERVICES.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	SMSS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	4k51k4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	LSASS.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	4k51k4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1"	LSASS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SMSS.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	SERVICES.EXE

C:\Users\Admin\AppData\Local\Temp\05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\05da866cdc40e2426903e2c3ba8bbcb6_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- Disables RegEdit via registry modification
- Loads dropped DLL
- Modifies system executable filetype association
- Adds Run key to start application
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies Control Panel
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2340
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2372
- - C:\Windows\4k51k4.exe
    C:\Windows\4k51k4.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1944
- - C:\Windows\SysWOW64\IExplorer.exe
    C:\Windows\system32\IExplorer.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:608
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1408
  - - C:\Windows\4k51k4.exe
      C:\Windows\4k51k4.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2280
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1536
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2980
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2148
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1516
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2640
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1728
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1408 -s 376
      4⤵
      Program crash
      PID:1940
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2480
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1592
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:396
  - - C:\Windows\4k51k4.exe
      C:\Windows\4k51k4.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1984
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1524
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2532
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2260
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2436
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2860
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2820
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 396 -s 372
      4⤵
      Program crash
      PID:1616
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2252
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1400
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:1896
  - - C:\Windows\4k51k4.exe
      C:\Windows\4k51k4.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2600
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2692
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2448
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2856
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:776
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1580
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2884
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1896 -s 344
      4⤵
      Program crash
      PID:536
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:600
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:380
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2332
  - - C:\Windows\4k51k4.exe
      C:\Windows\4k51k4.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2512
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2440
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2964
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2432
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1164
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3060
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2328
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 360
      4⤵
      Program crash
      PID:1780
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2348
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2312
- - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
    "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:852
  - - C:\Windows\4k51k4.exe
      C:\Windows\4k51k4.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:376
  - - C:\Windows\SysWOW64\IExplorer.exe
      C:\Windows\system32\IExplorer.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1356
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2196
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2024
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1564
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1156
  - - C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
      "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:1868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 364
      4⤵
      Program crash
      PID:596
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:944
    - - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1716
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 368
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1904
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:284
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3012
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 216
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:1220
  - - C:\Windows\SysWOW64\Shell.exe
      "C:\Windows\system32\Shell.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1468 -s 240
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1748
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1576
      - C:\Windows\SysWOW64\Shell.exe
        
        "C:\Windows\system32\Shell.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:328
- C:\Windows\4k51k4.exe
  C:\Windows\4k51k4.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1232
- C:\Windows\SysWOW64\IExplorer.exe
  C:\Windows\system32\IExplorer.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2120
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1892
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2684
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  - Executes dropped EXE
  PID:2572
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  PID:3020
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  PID:2984
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE"
  2⤵
  PID:2412
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE"
  2⤵
  PID:2932
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE"
  2⤵
  PID:2532
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.EXE"
  2⤵
  PID:2980
- C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE
  "C:\Users\Admin\Local Settings\Application Data\WINDOWS\SMSS.EXE"
  2⤵
  PID:2416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\4K51K4\Folder.htt

Filesize
640B

MD5
5d142e7978321fde49abd9a068b64d97

SHA1
70020fcf7f3d6dafb6c8cd7a55395196a487bef4

SHA256
fe222b08327bbfb35cbd627c0526ba7b5755b02ce0a95823a4c0bf58e601d061

SHA512
2351284652a9a1b35006baf4727a85199406e464ac33cb4701a6182e1076aaff022c227dbe4ad6e916eba15ebad08b10719a8e86d5a0f89844a163a7d4a7bbf9

Download Submit
C:\4k51k4.exe

Filesize
150KB

MD5
1523e36aeef239101629b4be86d9fa79

SHA1
020d1154946350715b6821a8e9078d8766f16994

SHA256
e458c123ffba1f0747d50f324fc6f16f08525642fb5ae411369cb23ab0abce73

SHA512
9b35b4c686856919f8f3fb8a8b30059bbfd5e8ccee9247d25eab5a18c9a5c3cea654ff93ab6b971e461ac6269a148a677583eef08742e5e5b294e7eb1e0a0567

Download Submit
C:\Puisi.txt

Filesize
442B

MD5
001424d7974b9a3995af292f6fcfe171

SHA1
f8201d49d594d712c8450679c856c2e8307d2337

SHA256
660ecfcd91ba19959d0c348724da95d7fd6dd57359898e6e3bcce600ff3c797d

SHA512
66ec4330b9a9961a2926516ec96d71e3311f67a61e6ac3070303453d26fa4fdc9524296f583c0e2179414f1a0d795cedbd094a83f5ecd3f1faa0cccfe4276657

Download Submit
C:\Users\Admin\AppData\Local\services.exe

Filesize
150KB

MD5
05da866cdc40e2426903e2c3ba8bbcb6

SHA1
c8df5f665324305d51851c1f6decbf612b4be8ab

SHA256
c56db4bb0499c957719c72f76f4b3541a10bfa0c567afbed37597669ebeb7c31

SHA512
a47c949be8c5ecc6ef583587efc9939b1738fc25de2ba11d5d77c7294fcaa09271d54965fe58fb50f05f7cccaa282641c68c4819e6ad59be255221b3e1bb8818

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\CSRSS.EXE

Filesize
150KB

MD5
e68bcf3a137dac9f6864da3952e81223

SHA1
5ac4e01ea418db213788181825d00e45d449811b

SHA256
d48222d56a40cb8605a6318fc3349f603843205d38cc9fc2f20317b2b1261474

SHA512
568561586acde06ef0e133ccfc012ee6b04b7c1a1375a13178ee7a07c2ee1e0a3f19bf6f0d3d0a871d4be6df458bd806190d34517678c85b38a29db518b90a10

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\LSASS.exe

Filesize
150KB

MD5
74e2bb695cdaeae6c2b6eb8fae96c73b

SHA1
9a5c6b8fee8a6808e5d651a5e63e959c09f34b96

SHA256
bcd9d0e910686c462e3e701899b93f7b98053778c198be79a94ff20e54241377

SHA512
21debf2d4dac577b7e110ef9b869b1f98f77170ec250a9130295a6ba25db99e4751fa8e36d797ad4390f91e1dbc883560efa61b38554d11e4da29a0d18c87b9d

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\SERVICES.EXE

Filesize
150KB

MD5
e6a07d6b3d08834e770cb0e779ad5070

SHA1
675b4ac3cfe12977a485935f16b08fedb8f9b61a

SHA256
1a4c84c0be1abac86e08aa4431ffe25b51ffeaa53ce39550c49cfd8ac1e8f121

SHA512
f59bcf41279ea0cae062607928fc44650189d540b746dede44943ca38f5715e2213051b0baab3a3a5f0f6c89a1e7d9497ffb1c2bdd073652a1fa56126077ae91

Download Submit
C:\Users\Admin\Local Settings\Application Data\WINDOWS\WINLOGON.EXE

Filesize
150KB

MD5
f2663a4524a5c50b342e4bd95f40f419

SHA1
a3c4b2327836a7ebc92ff741fc829e5efbaf5fb2

SHA256
22e006c601710cca7cbe6f3bae88a9300db9036d09c5a4efe79d370d284b5ba3

SHA512
222bb1382427fbcbff587687304efd2a73dd9665d86fe26de763e2e1c161bb762b1ba60b2c45e3f7f334fbdc301ed826c88c715bf999387207a35d5dc4d75710

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
150KB

MD5
b9c752975f0fada8fa1d28e0280974b8

SHA1
56888996cc9aba0949e15af10d2b8765c8ecc12e

SHA256
6d068faae63c61d50ef0832f4bedc22cb1fae85add032e63d8e7da2c115d379c

SHA512
ea09138de2e676624605257ba50622da24dd8341d470a11d715e9c72c2635fd73baaf56392c28586d888652eefeb79aaa6bbd1576322603e30ed70fc702b37e1

Download Submit
C:\Users\All Users\Start Menu\Programs\Startup\Empty.pif

Filesize
150KB

MD5
a3a5231d6f12463c8f1ded3eeef85246

SHA1
5c7beeb2406f2c6867b183393360492d292d56ad

SHA256
230760ffe58e4271bb12e948df15416215a9c66f0db1be51554530e50eb6159a

SHA512
f94b8b8d2320d829c627e117f32e21e7bf0d0c587f5952c7b40f005db879e2c78eb10ed2444c67f39fc85397a8cc75272101e82976d136b64e4a015696ae8b74

Download Submit
C:\Windows\4k51k4.exe

Filesize
150KB

MD5
508b43f2f3548bec6c60c94bfde4abc3

SHA1
9da03f7ffb0226ac2f9e365ca568b60bff6dc56f

SHA256
85b3659eb325f5b5530fe1bf0620b6c2b395a0d98ba64c4be97e40a9066bd5df

SHA512
a63a1b86730e1ab797aad34d77f23032002a2f38cf94b6369a555af355b54b23e014965dec31ab61508d53cb168d3ae2900c3c0fd7e3e10992d5922512b1fcb5

Download Submit
C:\Windows\SysWOW64\MrHelloween.scr

Filesize
150KB

MD5
ce8fbe7e9918fa5dba056ea6cdea50af

SHA1
a008ea2f6afeb8e9a56a2bccd830ac8a400cba05

SHA256
0d7496a8ac5ad7ee7850fa3f553dbe369c5b0a9ef062e7ef0676b1c27325258d

SHA512
97898bba94632b2058439544381c8788ef3f8fa84c4b64e2e354c3d264615a03f963bbec563968226127be2bf87034380f05488d5337f357202382143963e95c

Download Submit
C:\Windows\msvbvm60.dll

Filesize
1.3MB

MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\SysWOW64\IExplorer.exe

Filesize
150KB

MD5
4ad22f32782f2e9eb2cb79e7819ce95f

SHA1
36e34a8111f60494adbcfa8619a5ac176e329823

SHA256
35bae5cbeb46bbc42f3e6aafecec844ffb0447c216a38e8dff1132929b0f86fc

SHA512
829d58c6398af06b417b8d3eafbb2b4e4ffb90b8ba92aec4eed635cf4dc25a2779e8c6957b6b2f21c89198171e1c974c53cc61c76750a4ee81b00477ed9b0c97

Download Submit
\Windows\SysWOW64\shell.exe

Filesize
150KB

MD5
3e020aa11416229b464731ad1bf719d6

SHA1
e434d28895b73332e074320881ffcf2e22d0e992

SHA256
4734a0ac53acc70dbd153be3db272146589f24367372e7abc78fbd2ce574672e

SHA512
62ffcc4fcf8b89651919d5f00c5a3aebfefb8e2038508d8b4b7b42e807ab727126ab7925c9d1ec6d90cde8c08906bf6f1e3cb07af38cc046d0a9a99223c53196

Download Submit
memory/376-423-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1408-216-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1468-131-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/1944-203-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/1984-317-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2280-313-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2340-0-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2372-113-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2440-375-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2440-376-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2472-123-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2512-374-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2600-347-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2600-351-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/2600-346-0x0000000000230000-0x0000000000240000-memory.dmp

Filesize
64KB

Download
memory/2964-382-0x0000000000220000-0x0000000000230000-memory.dmp

Filesize
64KB

Download