2528551adf2d1cf79b73e2f35c514d6ec2969f9af1c2d914ccce2ed87efa7441

Windows Service

T1543.003

Disable or Modify Tools

Processes:

winsvcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	winsvcs.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	winsvcs.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

Processes:

winsvcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsvcs.exe

Executes dropped EXE 1 IoCs

Processes:

winsvcs.exe

pid process

3036 winsvcs.exe

pid	process
3036	winsvcs.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

Processes:

winsvcs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AutoUpdateDisableNotify = "1"	winsvcs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winsvcs.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

356e3491786ba260977987d91967dfca_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services Up = "C:\\Windows\\T706580746870\\winsvcs.exe"	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Services Up = "C:\\Windows\\T706580746870\\winsvcs.exe"	356e3491786ba260977987d91967dfca_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

356e3491786ba260977987d91967dfca_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\T706580746870\winsvcs.exe	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
File opened for modification	C:\Windows\T706580746870\winsvcs.exe	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
File opened for modification	C:\Windows\T706580746870	356e3491786ba260977987d91967dfca_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

356e3491786ba260977987d91967dfca_JaffaCakes118.exewinsvcs.exe

pid	process
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe
3036	winsvcs.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

356e3491786ba260977987d91967dfca_JaffaCakes118.exe

description	pid	process	target process
PID 4944 wrote to memory of 3036	4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe	winsvcs.exe
PID 4944 wrote to memory of 3036	4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe	winsvcs.exe
PID 4944 wrote to memory of 3036	4944	356e3491786ba260977987d91967dfca_JaffaCakes118.exe	winsvcs.exe

C:\Users\Admin\AppData\Local\Temp\356e3491786ba260977987d91967dfca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\356e3491786ba260977987d91967dfca_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4944

C:\Windows\T706580746870\winsvcs.exe
C:\Windows\T706580746870\winsvcs.exe
2⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4172,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4420 /prefetch:8
1⤵
PID:4732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

4

Impair Defenses

3

T1562

Disable or Modify Tools

3