Analysis Overview
SHA256
8b8fbeb1aaef887b118e19dbb247e06fa6dff48bf75ea12ed3c058a8079134ca
Threat Level: Known bad
The file 23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Trickbot x86 loader
Trickbot
Stops running service(s)
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Drops file in System32 directory
Launches sc.exe
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-08 06:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-08 06:41
Reported
2024-05-08 06:43
Platform
win7-20231129-en
Max time kernel
122s
Max time network
123s
Command Line
Signatures
Trickbot
Trickbot x86 loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\EMP.DAT | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 5005e9ea12a1da01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {ACBE96C3-4888-450D-BBEB-8A9F59D7CC75} S-1-5-18:NT AUTHORITY\System:Service:
C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
Network
Files
memory/1720-0-0x0000000000401000-0x0000000000404000-memory.dmp
memory/1720-1-0x0000000000400000-0x0000000000499000-memory.dmp
memory/2940-7-0x000000001B700000-0x000000001B9E2000-memory.dmp
memory/2940-8-0x0000000002220000-0x0000000002228000-memory.dmp
\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
| MD5 | 23a6caad88c0f42f1e73daf13fc3b0df |
| SHA1 | e97fcb7899f4d894c26b63f8af19233bd59cf9a1 |
| SHA256 | 8b8fbeb1aaef887b118e19dbb247e06fa6dff48bf75ea12ed3c058a8079134ca |
| SHA512 | e7ce48800957df81e662de24969206b2386374cfb04457433741db262d0b57dccb4a57d78edff585732483677f6602981e76808abdf1936322594d71d380ca4e |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3627615824-4061627003-3019543961-1000\0f5007522459c86e95ffcc62f32308f1_12cce00e-511f-47e5-8588-7df67886da42
| MD5 | b9c8e4c8897ee40749eb7854e175b3c8 |
| SHA1 | 19a56033a88fe25938ceec45fc0b0d8ff8ae9668 |
| SHA256 | 19431c2a194efe1a19a4804ad044c6873afd040f968324e685420cbef165d91e |
| SHA512 | 35ea2c308f73b2c04f983809e3032f323494ab34d82e63cb65bb010d5dc1a013675bb7d1f3533f840d861a809270b75df1d4801ef3b3c42b172c44deb249bee1 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C3KPEXOAMXMHCFHSO7K3.temp
| MD5 | 57f69aa51b0af03ee95beb2f7bd778bf |
| SHA1 | 6fa33c09fee864a6a1a0b5e9d1a945ef44453700 |
| SHA256 | 8a6694e5e13a50dc3b462addf3214db3f150545004fe223062843b53f3a45c03 |
| SHA512 | e6066f9310fd2615f3df0f8bc9d5146dcfab0de8e9518d406b2ab954c36a58c3d0dfa8543419c08984cf988deb724e6c21c9ab15d3122c91933939ce2d92287c |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2508-25-0x000000001B750000-0x000000001BA32000-memory.dmp
memory/2508-28-0x0000000001E90000-0x0000000001E98000-memory.dmp
memory/2452-30-0x0000000010000000-0x0000000010007000-memory.dmp
memory/2692-34-0x0000000010000000-0x0000000010020000-memory.dmp
memory/1720-38-0x0000000000400000-0x0000000000499000-memory.dmp
memory/2452-39-0x0000000000400000-0x0000000000499000-memory.dmp
memory/2064-44-0x000000001A080000-0x000000001A362000-memory.dmp
memory/2064-45-0x0000000000980000-0x0000000000988000-memory.dmp
memory/860-46-0x0000000010000000-0x0000000010007000-memory.dmp
memory/860-55-0x0000000000400000-0x0000000000499000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-08 06:41
Reported
2024-05-08 06:44
Platform
win10v2004-20240226-en
Max time kernel
144s
Max time network
158s
Command Line
Signatures
Trickbot
Trickbot x86 loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\EMP.DAT | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4092 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 20.231.121.79:80 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.180.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 68.119.85.138:449 | | tcp |
| US | 68.119.85.138:449 | | tcp |
| US | 8.8.8.8:53 | 210.143.182.52.in-addr.arpa | udp |
Files
memory/940-0-0x0000000000401000-0x0000000000404000-memory.dmp
memory/940-1-0x0000000000400000-0x0000000000499000-memory.dmp
memory/940-4-0x0000000000400000-0x0000000000499000-memory.dmp
memory/1220-5-0x00007FF97B673000-0x00007FF97B675000-memory.dmp
memory/1220-6-0x000001E0575F0000-0x000001E057612000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_syu3ne14.mib.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1220-16-0x00007FF97B670000-0x00007FF97C131000-memory.dmp
memory/1220-17-0x00007FF97B670000-0x00007FF97C131000-memory.dmp
memory/1220-18-0x00007FF97B670000-0x00007FF97C131000-memory.dmp
memory/1220-21-0x00007FF97B670000-0x00007FF97C131000-memory.dmp
C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
| MD5 | 23a6caad88c0f42f1e73daf13fc3b0df |
| SHA1 | e97fcb7899f4d894c26b63f8af19233bd59cf9a1 |
| SHA256 | 8b8fbeb1aaef887b118e19dbb247e06fa6dff48bf75ea12ed3c058a8079134ca |
| SHA512 | e7ce48800957df81e662de24969206b2386374cfb04457433741db262d0b57dccb4a57d78edff585732483677f6602981e76808abdf1936322594d71d380ca4e |
memory/4948-26-0x0000000000400000-0x0000000000499000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\0f5007522459c86e95ffcc62f32308f1_2397ee06-28fe-4eaa-8777-f7014368c353
| MD5 | 755d30c8290fba87068fb031351e2656 |
| SHA1 | 6b3754c4e7fe94c49032de6b5f1dee39efcc7a3c |
| SHA256 | 5bd78e8214acd164e36493f048b059772c58c81543b18adc2321539310c01657 |
| SHA512 | 3a46aabeda144370e4bf804e006b0d7f73ad8e22bb17a1e59dd635392e3e24ac63ba4193df4d1c1d656ea8780109e68b47ee312a4ea336a9a123db89066ab16a |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
memory/4376-46-0x0000000010000000-0x0000000010020000-memory.dmp
memory/4948-42-0x0000000010000000-0x0000000010007000-memory.dmp
memory/940-51-0x0000000000400000-0x0000000000499000-memory.dmp
memory/4948-52-0x0000000000400000-0x0000000000499000-memory.dmp
memory/4948-54-0x0000000003780000-0x0000000003A49000-memory.dmp
memory/4948-53-0x00000000036C0000-0x000000000377E000-memory.dmp
memory/1900-76-0x0000024225770000-0x000002422578C000-memory.dmp
memory/1900-77-0x0000024225790000-0x0000024225845000-memory.dmp
memory/1900-78-0x0000024225760000-0x000002422576A000-memory.dmp
memory/1900-79-0x00000242259B0000-0x00000242259CC000-memory.dmp
memory/1900-80-0x0000024225990000-0x000002422599A000-memory.dmp
memory/1900-81-0x00000242259F0000-0x0000024225A0A000-memory.dmp
memory/1900-82-0x00000242259A0000-0x00000242259A8000-memory.dmp
memory/1900-83-0x00000242259D0000-0x00000242259D6000-memory.dmp
memory/1900-84-0x00000242259E0000-0x00000242259EA000-memory.dmp
memory/2724-96-0x0000000000400000-0x0000000000499000-memory.dmp
memory/2724-97-0x0000000002390000-0x000000000244E000-memory.dmp
memory/2724-98-0x0000000002450000-0x0000000002719000-memory.dmp
memory/3720-100-0x0000000010000000-0x0000000010020000-memory.dmp