63142cd4de2391551048db615c78e2360e10f146b610a10caa9c01421c686efe

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\internat = "c:\\windows\\internat.exe"	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\userun32 = "c:\\windows\\userun32.exe"	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\internat\ImagePath = "c:\\windows\\internat.exe"	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\internat = "c:\\windows\\internat.exe"	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\internat = "c:\\windows\\internat.exe"	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass32 = "c:\\windows\\lsass32.exe"	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\z:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\t:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\r:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\o:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\n:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\m:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\y:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\x:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\u:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\p:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\h:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\w:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\q:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\l:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\k:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\g:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\e:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\v:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\s:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\j:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened (read-only)	\??\i:	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\regedit.exe	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\internat.exe	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened for modification	\??\c:\windows\userun32.exe	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File created	\??\c:\windows\calc.exe	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened for modification	\??\c:\windows\calc.exe	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File created	\??\c:\windows\regedit2.exe	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened for modification	\??\c:\windows\mui\modem.sys	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File created	\??\c:\windows\internat.exe	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File created	\??\c:\windows\userun32.exe	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File created	\??\c:\windows\Start Menu\Programs\Startup\msoffice.scr	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened for modification	\??\c:\windows\lsass32.exe	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File opened for modification	\??\c:\windows\regedit2.exe	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File created	\??\c:\windows\lsass32.exe	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
File created	\??\c:\windows\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\msoffice.scr	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6ABE4A8-C73A-305A-BFEF-E4FA2BC9D8A9}	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6ABE4A8-C73A-305A-BFEF-E4FA2BC9D8A9}\ThisEXE = "c:\\users\\admin\\appdata\\local\\temp\\1493f7df02a11e3cd9c85ac2e0650997_jaffacakes118.exe"	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F6ABE4A8-C73A-305A-BFEF-E4FA2BC9D8A9}\VerProg = "113"	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2256	1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1493f7df02a11e3cd9c85ac2e0650997_JaffaCakes118.exe"
1⤵
- Adds policy Run key to start application
- Sets service image path in registry
- Adds Run key to start application
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry