darktrack | e5184d8982254662e152b0f61fccf90d1230a6f173118a59bc53bc883992de26

General

Target

4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Size

822KB
MD5

4e7cf999557893b08c6623c31c45b28d
SHA1

9f8a085de74277fe2fcd79d77037a0627b79ebc1
SHA256

e5184d8982254662e152b0f61fccf90d1230a6f173118a59bc53bc883992de26
SHA512

44711a040f3b5329d71b6f0fec1dd21adf16626ffacde92b28603b8358f81f9b8e76f68610629be9a62051273f14396ba7cd24eb87f89a60bca5260f8e337ef8
SSDEEP

24576:jYUneM0AEIl09L8fffGkPt0UBEw8qqauuNWKP1UAp9:jYSKAE1ifffJtaw8qBuucKP+A/

Score

10^/10

darktrack evasion execution persistence rat stealer trojan

Malware Config

Signatures

DarkTrack
DarkTrack is a remote administration tool written in delphi.
rat stealer darktrack

DarkTrack payload 11 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1644-36-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/1644-34-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/1644-32-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/1644-30-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/1644-28-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/1644-26-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/1644-40-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/1644-41-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/1644-39-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/1644-82-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack
behavioral1/memory/1644-81-0x0000000000400000-0x00000000004A8000-memory.dmp	family_darktrack

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe\""	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe = "0"	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe = "0"	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

3024 powershell.exe
2592 powershell.exe
2708 powershell.exe
2588 powershell.exe

pid	process
3024	powershell.exe
2592	powershell.exe
2708	powershell.exe
2588	powershell.exe

Drops startup file 2 IoCs

Processes:

4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

Windows security modification 2 TTPs 9 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe = "0"	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe = "0"	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe"	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe"	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 pastebin.com
4 pastebin.com

flow	ioc
5	pastebin.com
4	pastebin.com

Suspicious use of NtSetInformationThreadHideFromDebugger 11 IoCs

Processes:

4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

pid	process
2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

description pid process target process

PID 2940 set thread context of 1644 2940 4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe aspnet_state.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1856 2940 WerFault.exe 4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3044 timeout.exe

description	pid	process	target process
PID 2940 set thread context of 1644	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	aspnet_state.exe

pid	pid_target	process	target process
1856	2940	WerFault.exe	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

pid	process
3044	timeout.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

pid	process
2592	powershell.exe
2708	powershell.exe
2588	powershell.exe
3024	powershell.exe
2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

aspnet_state.exe

pid process

1644 aspnet_state.exe

pid	process
1644	aspnet_state.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exeaspnet_state.exe

description	pid	process	target process
PID 2940 wrote to memory of 3044	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	timeout.exe
PID 2940 wrote to memory of 3044	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	timeout.exe
PID 2940 wrote to memory of 3044	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	timeout.exe
PID 2940 wrote to memory of 3044	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	timeout.exe
PID 2940 wrote to memory of 3024	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	powershell.exe
PID 2940 wrote to memory of 3024	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	powershell.exe
PID 2940 wrote to memory of 3024	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	powershell.exe
PID 2940 wrote to memory of 3024	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	powershell.exe
PID 2940 wrote to memory of 2592	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	powershell.exe
PID 2940 wrote to memory of 2592	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	powershell.exe
PID 2940 wrote to memory of 2592	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	powershell.exe
PID 2940 wrote to memory of 2592	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	powershell.exe
PID 2940 wrote to memory of 2708	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	powershell.exe
PID 2940 wrote to memory of 2708	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	powershell.exe
PID 2940 wrote to memory of 2708	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	powershell.exe
PID 2940 wrote to memory of 2708	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	powershell.exe
PID 2940 wrote to memory of 2588	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	powershell.exe
PID 2940 wrote to memory of 2588	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	powershell.exe
PID 2940 wrote to memory of 2588	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	powershell.exe
PID 2940 wrote to memory of 2588	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	powershell.exe
PID 2940 wrote to memory of 1644	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	aspnet_state.exe
PID 2940 wrote to memory of 1644	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	aspnet_state.exe
PID 2940 wrote to memory of 1644	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	aspnet_state.exe
PID 2940 wrote to memory of 1644	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	aspnet_state.exe
PID 2940 wrote to memory of 1644	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	aspnet_state.exe
PID 2940 wrote to memory of 1644	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	aspnet_state.exe
PID 2940 wrote to memory of 1644	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	aspnet_state.exe
PID 2940 wrote to memory of 1644	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	aspnet_state.exe
PID 2940 wrote to memory of 1644	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	aspnet_state.exe
PID 2940 wrote to memory of 1644	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	aspnet_state.exe
PID 2940 wrote to memory of 1644	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	aspnet_state.exe
PID 2940 wrote to memory of 1644	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	aspnet_state.exe
PID 2940 wrote to memory of 1644	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	aspnet_state.exe
PID 2940 wrote to memory of 1856	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	WerFault.exe
PID 2940 wrote to memory of 1856	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	WerFault.exe
PID 2940 wrote to memory of 1856	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	WerFault.exe
PID 2940 wrote to memory of 1856	2940	4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe	WerFault.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe
PID 1644 wrote to memory of 1032	1644	aspnet_state.exe	notepad.exe

C:\Users\Admin\AppData\Local\Temp\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Windows\SysWOW64\timeout.exe
  timeout 4
  2⤵
  - Delays execution with timeout.exe
  PID:3044
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3024
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2708
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\4e7cf999557893b08c6623c31c45b28d_JaffaCakes118.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:1032
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 840
  2⤵
  - Program crash
  PID:1856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
10e24b6c2b14411e6b345a0048156e13

SHA1
5e32a57c59710ba5496d420ecfc2e3b13a55842b

SHA256
b602ff5db34e8448af442b3c5046d6ab4f1417003bfb280b6739660e3d124548

SHA512
6a237559b787df49e53d4c66b79fee892350819fd8789688f32693940693bdd1116a9d145dec9642987fe0cc89966b687074d6ad8e4ae5668dd5714183b3b8d8

Download Submit
memory/1032-80-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1032-42-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1644-30-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1644-22-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1644-24-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1644-38-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1644-36-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1644-34-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1644-32-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1644-81-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1644-28-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1644-82-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1644-26-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1644-40-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1644-41-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1644-39-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2940-2-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download
memory/2940-1-0x000000000F4E0000-0x000000000F5B2000-memory.dmp

Filesize
840KB

Download
memory/2940-3-0x00000000007E0000-0x0000000000898000-memory.dmp

Filesize
736KB

Download
memory/2940-0-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/2940-84-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/2940-85-0x00000000749E0000-0x00000000750CE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads