2397ac46ad9b52de1b72d6821ce44f6fd4815ea6abe449d1b731120d1e0c5ce2

Analysis

max time kernel
148s
max time network
121s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
12/06/2024, 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
Size

6.7MB
MD5

a0f26553dde5cc1d8ff54d6c92c86dd4
SHA1

62a8a34ce8a7c7dd4ca42bfdc198adfa0657d4cd
SHA256

2397ac46ad9b52de1b72d6821ce44f6fd4815ea6abe449d1b731120d1e0c5ce2
SHA512

33b49ea87267895ce6c67ae10b6085d6cfdf963f24222c316ac2b96b9592aba0dc8ff0912351d1909fc599d49de9ff0f371eb9ab8a9dbe99d3314d3fb8aa9c6b
SSDEEP

196608:EQU04EBkFK95xMQtICDTh93p4ehtaTfOEnt6DbPwCwHTZ:E7XFaEQjPz3HQTfh6fPwf

Score

10^/10

discovery evasion execution persistence spyware stealer trojan upx

Malware Config

Signatures

Windows security bypass 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0"	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\system32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0"	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0"	2ada4d5185dfaed833051bbd61ac560f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0"	2ada4d5185dfaed833051bbd61ac560f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\uninstaller.dat = "0"	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\program files\eab27f564f6aa95ace08e0b9f5fd608c\ = "0"	2ada4d5185dfaed833051bbd61ac560f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0"	2ada4d5185dfaed833051bbd61ac560f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\program files\eab27f564f6aa95ace08e0b9f5fd608c\ = "0"	2ada4d5185dfaed833051bbd61ac560f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0"	2ada4d5185dfaed833051bbd61ac560f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c = "0"	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ACProtect 1.3x - 1.4x DLL software 4 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x0007000000013216-32.dat	acprotect
behavioral1/memory/2924-297-0x0000000003E90000-0x0000000003E9A000-memory.dmp	acprotect
behavioral1/memory/2924-293-0x0000000003E90000-0x0000000003E9A000-memory.dmp	acprotect
behavioral1/memory/2924-368-0x0000000003010000-0x000000000301A000-memory.dmp	acprotect

Executes dropped EXE 4 IoCs

pid	Process
1820	2ada4d5185dfaed833051bbd61ac560f.exe
1464	2ada4d5185dfaed833051bbd61ac560f.exe
1520	2ada4d5185dfaed833051bbd61ac560f.exe
3044	2ada4d5185dfaed833051bbd61ac560f.exe

Loads dropped DLL 64 IoCs

pid	Process
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2424	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2424	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2424	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2424	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2424	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2424	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2424	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2424	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2424	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000013216-32.dat	upx
behavioral1/memory/2924-297-0x0000000003E90000-0x0000000003E9A000-memory.dmp	upx
behavioral1/memory/2924-293-0x0000000003E90000-0x0000000003E9A000-memory.dmp	upx
behavioral1/memory/2924-368-0x0000000003010000-0x000000000301A000-memory.dmp	upx

Windows security modification 2 TTPs 10 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\uninstaller.dat = "0"	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\program files\eab27f564f6aa95ace08e0b9f5fd608c\ = "0"	2ada4d5185dfaed833051bbd61ac560f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0"	2ada4d5185dfaed833051bbd61ac560f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0"	2ada4d5185dfaed833051bbd61ac560f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0"	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\system32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0"	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c = "0"	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\da32af249fcc8bb76881919b2c13248d.exe = "0"	2ada4d5185dfaed833051bbd61ac560f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\program files\eab27f564f6aa95ace08e0b9f5fd608c\ = "0"	2ada4d5185dfaed833051bbd61ac560f.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys = "0"	2ada4d5185dfaed833051bbd61ac560f.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SSL\cert.db	2ada4d5185dfaed833051bbd61ac560f.exe
File created	C:\Windows\SysWOW64\SSL\cert.db	2ada4d5185dfaed833051bbd61ac560f.exe
File opened for modification	C:\Windows\SysWOW64\SSL\cert.db	2ada4d5185dfaed833051bbd61ac560f.exe
File opened for modification	C:\Windows\SysWOW64\SSL\eec823a821e7f337 2.cer	2ada4d5185dfaed833051bbd61ac560f.exe
File opened for modification	C:\Windows\SysWOW64\SSL\x.db	2ada4d5185dfaed833051bbd61ac560f.exe
File opened for modification	C:\Windows\SysWOW64\SSL\xtls.db	2ada4d5185dfaed833051bbd61ac560f.exe
File opened for modification	C:\Windows\SysWOW64\SSL\xv.db	2ada4d5185dfaed833051bbd61ac560f.exe
File opened for modification	C:\Windows\SysWOW64\SSL\eec823a821e7f337 2.cer	2ada4d5185dfaed833051bbd61ac560f.exe
File opened for modification	C:\Windows\SysWOW64\SSL\x.db	2ada4d5185dfaed833051bbd61ac560f.exe
File opened for modification	C:\Windows\SysWOW64\SSL\xtls.db	2ada4d5185dfaed833051bbd61ac560f.exe
File opened for modification	C:\Windows\SysWOW64\SSL\xv.db	2ada4d5185dfaed833051bbd61ac560f.exe

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\78aeb84ef7f864a3cbdc2d754802eb81.ico	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\nss3.dll	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\nspr4.dll	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\plc4.dll	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\mozcrt19.dll	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File opened for modification	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\service.dat	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\da32af249fcc8bb76881919b2c13248d.exe	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\WBE_uninstall.dat	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\service_64.dat	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\3220fb1268d362d4fef9905ab424b39c.exe	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\plds4.dll	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\softokn3.dll	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File opened for modification	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\service_64.dat	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File opened for modification	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\3220fb1268d362d4fef9905ab424b39c.exe	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\service.dat	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\0ee18cd84a6ff5795bf5c5821ca016e3	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File opened for modification	C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\kiebqmtyeydresvp.kiebq	2ada4d5185dfaed833051bbd61ac560f.exe
File created	C:\Windows\da32af249fcc8bb76881919b2c13248d.exe	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
File created	C:\Windows\uninstaller.dat	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe

Launches sc.exe 9 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2432	sc.exe
2708	sc.exe
1780	sc.exe
2072	sc.exe
2348	sc.exe
2640	sc.exe
1148	sc.exe
624	sc.exe
2580	sc.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	2ada4d5185dfaed833051bbd61ac560f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	2ada4d5185dfaed833051bbd61ac560f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	2ada4d5185dfaed833051bbd61ac560f.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	2ada4d5185dfaed833051bbd61ac560f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	2ada4d5185dfaed833051bbd61ac560f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	2ada4d5185dfaed833051bbd61ac560f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	2ada4d5185dfaed833051bbd61ac560f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	2ada4d5185dfaed833051bbd61ac560f.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	wscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows Script Host	wscript.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9	2ada4d5185dfaed833051bbd61ac560f.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\56BF5154-0B48-4ADB-902A-6C8B12E270D9\LocalService = "eab27f564f6aa95ace08e0b9f5fd608c"	2ada4d5185dfaed833051bbd61ac560f.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C60FABAA1B65E2E42DCE7D0A4C6CED70EA52C06A\Blob = 030000000100000014000000c60fabaa1b65e2e42dce7d0a4c6ced70ea52c06a20000000010000000803000030820304308201eca003020102021100fbec9938a373483790d5af0274c84987300d06092a864886f70d01010b0500302a310b300906035504061302454e311b301906035504030c126565633832336138323165376633333720323020170d3034303631373134313131325a180f32303634303630323134313131325a302a310b300906035504061302454e311b301906035504030c1265656338323361383231653766333337203230820122300d06092a864886f70d01010105000382010f003082010a0282010100d102fac59471f2454e80b9ee0861ed6bc62c3adfc79948a74cab6431221d7b71df61aa005a245e6c3327cda20d5c08adb0d221feb6341439cede4d10d764e688b7eabc1894335631312cf2bb7018c589ba265131a95e54f5632f511c7f64f87025a21b0f37aaf37258301de0e6985740c2bc17b760f47b6ce2abce7c04bff132729f8d8813a4a627589f2add6ff03882c301b842988c8437cf996bac4b8052ba490037f68e5c534c9ede75ed439b281ad72ce839e02e73464b10929aa8d1b67302beb4e67d5bb38bfca987818ffe16130e77dc73b89a042671727239f9c7b1dad7e1b249c30f51a713dd9dd7f7eba4617c90ae2c806af2cec304d8759e219fe10203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b0500038201010051f8045d76714e11193ac045932526ec16a4562e79f8cef75078f4caa3312cfb4e9958b8c345035f38a0b060a88d552107b6cd4af5c6c7c379770450a2d58a142f46d978b7582b9cd7215c50f005366e6572bde12992e155b5ad2706d7681d3bf32235c603d3badc688e602e005362287051cee679b07dc7e50a681b6270a36d84e2af94cb52c3cb30945b8bf25ed3a9b553ad655b31b389694c30998a7d5e4cd2ece4c920679d6a483850a13dd0c4c424c304dc6cd84d594c5dd6d3dc77e95e2b2a6913103021dd6158cb4266e0e571da4cfb25e849b93ed85191753a8d66cbd18fccc3bd0a09e26c68d621232311eb47ec87c0f61a86cdf65ff98da6b3d3ff	2ada4d5185dfaed833051bbd61ac560f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C60FABAA1B65E2E42DCE7D0A4C6CED70EA52C06A	2ada4d5185dfaed833051bbd61ac560f.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C60FABAA1B65E2E42DCE7D0A4C6CED70EA52C06A\Blob = 030000000100000014000000c60fabaa1b65e2e42dce7d0a4c6ced70ea52c06a20000000010000000803000030820304308201eca003020102021100fbec9938a373483790d5af0274c84987300d06092a864886f70d01010b0500302a310b300906035504061302454e311b301906035504030c126565633832336138323165376633333720323020170d3034303631373134313131325a180f32303634303630323134313131325a302a310b300906035504061302454e311b301906035504030c1265656338323361383231653766333337203230820122300d06092a864886f70d01010105000382010f003082010a0282010100d102fac59471f2454e80b9ee0861ed6bc62c3adfc79948a74cab6431221d7b71df61aa005a245e6c3327cda20d5c08adb0d221feb6341439cede4d10d764e688b7eabc1894335631312cf2bb7018c589ba265131a95e54f5632f511c7f64f87025a21b0f37aaf37258301de0e6985740c2bc17b760f47b6ce2abce7c04bff132729f8d8813a4a627589f2add6ff03882c301b842988c8437cf996bac4b8052ba490037f68e5c534c9ede75ed439b281ad72ce839e02e73464b10929aa8d1b67302beb4e67d5bb38bfca987818ffe16130e77dc73b89a042671727239f9c7b1dad7e1b249c30f51a713dd9dd7f7eba4617c90ae2c806af2cec304d8759e219fe10203010001a3233021300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106300d06092a864886f70d01010b0500038201010051f8045d76714e11193ac045932526ec16a4562e79f8cef75078f4caa3312cfb4e9958b8c345035f38a0b060a88d552107b6cd4af5c6c7c379770450a2d58a142f46d978b7582b9cd7215c50f005366e6572bde12992e155b5ad2706d7681d3bf32235c603d3badc688e602e005362287051cee679b07dc7e50a681b6270a36d84e2af94cb52c3cb30945b8bf25ed3a9b553ad655b31b389694c30998a7d5e4cd2ece4c920679d6a483850a13dd0c4c424c304dc6cd84d594c5dd6d3dc77e95e2b2a6913103021dd6158cb4266e0e571da4cfb25e849b93ed85191753a8d66cbd18fccc3bd0a09e26c68d621232311eb47ec87c0f61a86cdf65ff98da6b3d3ff	2ada4d5185dfaed833051bbd61ac560f.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C60FABAA1B65E2E42DCE7D0A4C6CED70EA52C06A	2ada4d5185dfaed833051bbd61ac560f.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\C60FABAA1B65E2E42DCE7D0A4C6CED70EA52C06A	2ada4d5185dfaed833051bbd61ac560f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1520	2ada4d5185dfaed833051bbd61ac560f.exe
1520	2ada4d5185dfaed833051bbd61ac560f.exe
1520	2ada4d5185dfaed833051bbd61ac560f.exe
3044	2ada4d5185dfaed833051bbd61ac560f.exe
3044	2ada4d5185dfaed833051bbd61ac560f.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 4 IoCs

pid	Process
484	Process not Found
484	Process not Found
484	Process not Found
484	Process not Found

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2424	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
Token: SeRestorePrivilege	2424	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
Token: SeBackupPrivilege	1520	2ada4d5185dfaed833051bbd61ac560f.exe
Token: SeSecurityPrivilege	1520	2ada4d5185dfaed833051bbd61ac560f.exe
Token: SeSecurityPrivilege	1520	2ada4d5185dfaed833051bbd61ac560f.exe
Token: SeSecurityPrivilege	1520	2ada4d5185dfaed833051bbd61ac560f.exe
Token: SeSecurityPrivilege	1520	2ada4d5185dfaed833051bbd61ac560f.exe
Token: SeSecurityPrivilege	1520	2ada4d5185dfaed833051bbd61ac560f.exe
Token: SeDebugPrivilege	1520	2ada4d5185dfaed833051bbd61ac560f.exe
Token: SeBackupPrivilege	3044	2ada4d5185dfaed833051bbd61ac560f.exe
Token: SeSecurityPrivilege	3044	2ada4d5185dfaed833051bbd61ac560f.exe
Token: SeSecurityPrivilege	3044	2ada4d5185dfaed833051bbd61ac560f.exe
Token: SeSecurityPrivilege	3044	2ada4d5185dfaed833051bbd61ac560f.exe
Token: SeSecurityPrivilege	3044	2ada4d5185dfaed833051bbd61ac560f.exe
Token: SeSecurityPrivilege	3044	2ada4d5185dfaed833051bbd61ac560f.exe
Token: SeDebugPrivilege	3044	2ada4d5185dfaed833051bbd61ac560f.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 3024	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	28
PID 2924 wrote to memory of 3024	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	28
PID 2924 wrote to memory of 3024	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	28
PID 2924 wrote to memory of 3024	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	28
PID 2924 wrote to memory of 2640	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	29
PID 2924 wrote to memory of 2640	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	29
PID 2924 wrote to memory of 2640	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	29
PID 2924 wrote to memory of 2640	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	29
PID 2924 wrote to memory of 2356	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2356	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2356	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	31
PID 2924 wrote to memory of 2356	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	31
PID 2356 wrote to memory of 2408	2356	net.exe	33
PID 2356 wrote to memory of 2408	2356	net.exe	33
PID 2356 wrote to memory of 2408	2356	net.exe	33
PID 2356 wrote to memory of 2408	2356	net.exe	33
PID 2424 wrote to memory of 752	2424	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	35
PID 2424 wrote to memory of 752	2424	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	35
PID 2424 wrote to memory of 752	2424	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	35
PID 2424 wrote to memory of 752	2424	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	35
PID 2924 wrote to memory of 1148	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	36
PID 2924 wrote to memory of 1148	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	36
PID 2924 wrote to memory of 1148	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	36
PID 2924 wrote to memory of 1148	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	36
PID 2924 wrote to memory of 2108	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	38
PID 2924 wrote to memory of 2108	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	38
PID 2924 wrote to memory of 2108	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	38
PID 2924 wrote to memory of 2108	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	38
PID 2924 wrote to memory of 1144	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	40
PID 2924 wrote to memory of 1144	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	40
PID 2924 wrote to memory of 1144	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	40
PID 2924 wrote to memory of 1144	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	40
PID 2924 wrote to memory of 2868	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	42
PID 2924 wrote to memory of 2868	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	42
PID 2924 wrote to memory of 2868	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	42
PID 2924 wrote to memory of 2868	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	42
PID 2924 wrote to memory of 2752	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	44
PID 2924 wrote to memory of 2752	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	44
PID 2924 wrote to memory of 2752	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	44
PID 2924 wrote to memory of 2752	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	44
PID 2924 wrote to memory of 2000	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	46
PID 2924 wrote to memory of 2000	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	46
PID 2924 wrote to memory of 2000	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	46
PID 2924 wrote to memory of 2000	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	46
PID 2924 wrote to memory of 2392	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	48
PID 2924 wrote to memory of 2392	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	48
PID 2924 wrote to memory of 2392	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	48
PID 2924 wrote to memory of 2392	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	48
PID 2924 wrote to memory of 1820	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	51
PID 2924 wrote to memory of 1820	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	51
PID 2924 wrote to memory of 1820	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	51
PID 2924 wrote to memory of 1820	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	51
PID 1820 wrote to memory of 624	1820	2ada4d5185dfaed833051bbd61ac560f.exe	52
PID 1820 wrote to memory of 624	1820	2ada4d5185dfaed833051bbd61ac560f.exe	52
PID 1820 wrote to memory of 624	1820	2ada4d5185dfaed833051bbd61ac560f.exe	52
PID 1820 wrote to memory of 624	1820	2ada4d5185dfaed833051bbd61ac560f.exe	52
PID 1820 wrote to memory of 2432	1820	2ada4d5185dfaed833051bbd61ac560f.exe	54
PID 1820 wrote to memory of 2432	1820	2ada4d5185dfaed833051bbd61ac560f.exe	54
PID 1820 wrote to memory of 2432	1820	2ada4d5185dfaed833051bbd61ac560f.exe	54
PID 1820 wrote to memory of 2432	1820	2ada4d5185dfaed833051bbd61ac560f.exe	54
PID 2924 wrote to memory of 1464	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	56
PID 2924 wrote to memory of 1464	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	56
PID 2924 wrote to memory of 1464	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	56
PID 2924 wrote to memory of 1464	2924	a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe	56

C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Windows\SysWOW64\wscript.exe
  wscript.exe "C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js" "C:\Users\Admin\AppData\Local\Temp\nsiFE8B.tmp" "C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js"
  2⤵
  PID:3024
- C:\Windows\SysWOW64\sc.exe
  sc create -- binPath= ""C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe" /wl 1"
  2⤵
  - Launches sc.exe
  PID:2640
- C:\Windows\SysWOW64\net.exe
  net start --
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 start --
    3⤵
    PID:2408
- C:\Windows\SysWOW64\sc.exe
  sc delete --
  2⤵
  - Launches sc.exe
  PID:1148
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f
  2⤵
  PID:2108
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:32
  2⤵
  PID:1144
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontReportInfectionInformation /t REG_DWORD /d 1 /f /reg:64
  2⤵
  PID:2868
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
  2⤵
  PID:2752
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:32
  2⤵
  PID:2000
- C:\Windows\SysWOW64\reg.exe
  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f /reg:64
  2⤵
  PID:2392
- C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
  "C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe" --install_updater 0
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1820
- - C:\Windows\SysWOW64\sc.exe
    sc create ae17162624d60054bd221228f70d7531 binPath= "rundll32.exe C:\Windows\kiebqmtyeydresvp.kiebq EXMe" start= auto
    3⤵
    - Launches sc.exe
    PID:624
- - C:\Windows\SysWOW64\sc.exe
    sc failure ae17162624d60054bd221228f70d7531 reset= 30 actions= restart/5000
    3⤵
    - Launches sc.exe
    PID:2432
- C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
  "C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe" --install
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1464
- - C:\Windows\SysWOW64\sc.exe
    sc create d435e23f50e54d4bad7887b91b33f8b5 binpath= system32\drivers\d435e23f50e54d4bad7887b91b33f8b5.sys DisplayName= d435e23f50e54d4bad7887b91b33f8b5 type= kernel start= system group= PNP_TDI
    3⤵
    - Launches sc.exe
    PID:2580
- - C:\Windows\SysWOW64\sc.exe
    sc start d435e23f50e54d4bad7887b91b33f8b5
    3⤵
    - Launches sc.exe
    PID:2708
- - C:\Windows\SysWOW64\sc.exe
    sc create eab27f564f6aa95ace08e0b9f5fd608c displayname= eab27f564f6aa95ace08e0b9f5fd608c binPath= "C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe" start= auto depend= RPCSS
    3⤵
    - Launches sc.exe
    PID:1780
- - C:\Windows\SysWOW64\sc.exe
    sc start ae17162624d60054bd221228f70d7531
    3⤵
    - Launches sc.exe
    PID:2072
- C:\Windows\SysWOW64\sc.exe
  sc failure eab27f564f6aa95ace08e0b9f5fd608c reset= 60 actions= restart/5000/restart/5000/restart/5000
  2⤵
  - Launches sc.exe
  PID:2348

C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\a0f26553dde5cc1d8ff54d6c92c86dd4_JaffaCakes118.exe /wl 1
1⤵
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\wscript.exe
  wscript.exe "C:\Windows\TEMP\auBVPavMwbA.js" "C:\Windows\TEMP\nso38B.tmp" "C:\Windows\TEMP\auBVPavMwbA.js"
  2⤵
  - Modifies data under HKEY_USERS
  PID:752

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Windows\kiebqmtyeydresvp.kiebq EXMe
1⤵
PID:2260
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Windows\kiebqmtyeydresvp.kiebq EXMe
  2⤵
  PID:1364
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32 C:\Windows\kiebqmtyeydresvp.kiebq EXMe perform_update
    3⤵
    PID:1980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net start d435e23f50e54d4bad7887b91b33f8b5
      4⤵
      PID:2184
    - - C:\Windows\system32\net.exe
        
        net start d435e23f50e54d4bad7887b91b33f8b5
        5⤵
        
        PID:2272
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start d435e23f50e54d4bad7887b91b33f8b5
        6⤵
        
        PID:2192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c net start eab27f564f6aa95ace08e0b9f5fd608c
      4⤵
      PID:1680
    - - C:\Windows\system32\net.exe
        
        net start eab27f564f6aa95ace08e0b9f5fd608c
        5⤵
        
        PID:2320
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start eab27f564f6aa95ace08e0b9f5fd608c
        6⤵
        
        PID:404

C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
"C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe"
1⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe
"C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe"
1⤵
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\service.dat

Filesize
2.3MB

MD5
433956e0a3deb552c229d63e68240d33

SHA1
c615ed52c77ca5f78dd668877f608e0ce6c637a5

SHA256
7a93d6b1c331e4ac8c0c8ae19f8fdf5fb9ed3ec3fa29e29dc113978f575d4227

SHA512
0fe1c8a4af7e48ae1a43cffc136b730a46f57f1c44fc9b52e71675af25bc111ed551b35432c2a133f9edf5eb5039b84b8d962df1bc220e4a723851f6b78c1a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\auBVPavMwbA.js

Filesize
356B

MD5
a35b87106725234045494a6404a003f9

SHA1
f4d1a2529a271946382c17132a5ebea6449a753f

SHA256
17aa4126885d2299ada9a5e3fa5c21dc52e133bfed72a25a96e0152044ea2cd4

SHA512
7924482b9e20801dd8d7abacd6fc4d2a1f182e4f663b0a519518e33c04b482d35d17d277af1e9555f9e8a3a92e67935dabbc5302507b2924ac4cc9b34546dd17

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd12D.tmp\brh.dat

Filesize
752KB

MD5
99569bc87c4b4ccfde67559bba19aab1

SHA1
65d86fc43b1341cf6a77eb8b9a0d7abd2b93ca20

SHA256
24872a9d09ad34ebe40ee9a7887e1b97ba90e802de36051c2faf2acaaf7fa401

SHA512
05400259837be68853062dd7ee8c38754891c1e51871052ba8fc6a84a4461a8e4dd9c41ba230dcb04cfd8ef69e91468e979e7682b54186e313dd6b8462bed4f4

Download Submit
\Program Files\eab27f564f6aa95ace08e0b9f5fd608c\2ada4d5185dfaed833051bbd61ac560f.exe

Filesize
593KB

MD5
7e6f083c27bc2f551f37119c8833e3bf

SHA1
bc0e3f0ed4c7cafe6ea2f3f5dba37c29ae09001b

SHA256
29a3eb803621d54deaeb8af15735808ae7e3d7204be239111cd9269827e93cee

SHA512
bfca9c08ea1265cf7bf873ae9f26094a28e37ddca58b89c07aedf15266efdc2dcf7e08656d13c9c4a5d3f152f6a4d7a4ddd601a7022a5313444f69836351eb23

Download Submit
\Users\Admin\AppData\Local\Temp\nsd12D.tmp\IpConfig.dll

Filesize
118KB

MD5
a75e3775daac9958610ce1308e0bca3b

SHA1
d83ce354cde527c2e20fb425415f6d4795dd4cd4

SHA256
fe2093ff4bfa1d7259c922aca1e7bb219c4d234e469942446d9e2f8086b7d720

SHA512
48168a91ec90df262b1e158f32b4bc2a6d6ce10022eb96d4a6f3c755b977e5c104558626adaa214bda29d7f1d246f19e2df59b9a338982aa1c623e1bdd5714c6

Download Submit
\Users\Admin\AppData\Local\Temp\nsd12D.tmp\MoreInfo.dll

Filesize
7KB

MD5
bd393029cc49b415b6c9aeb8a4936516

SHA1
c67fd92fffd18941bed41bfd6ac4f3b04fd123df

SHA256
227a4fc9408a44faa5eca608a974bd536814f97b8a4d28b4cac479727167b026

SHA512
3bb8e5cf4bea7e8adaa62196e58fff9031f49fd4efa78e5bd3e4b9c4e9ba1523864567521793053595d90abec719761a5964ff3abe04b93b24d52e5ffa4c1f96

Download Submit
\Users\Admin\AppData\Local\Temp\nsd12D.tmp\NSISList.dll

Filesize
105KB

MD5
4b0617493f32b2b5fe5e838eeb885819

SHA1
336e84380420a9caaa9c12af7c8e530135e63c57

SHA256
df3621f83e9d11be45e0e617b899c4ab0241f60ed56494e892dc449482058402

SHA512
5c50cf97cd9a6c699ec7928a08f77f4eaa68105e87a974432e39b637f926f0df8a95ec19bd63465fc438a4ef6349398938bc8d7651de125d13ccab89d1d49143

Download Submit
\Users\Admin\AppData\Local\Temp\nsd12D.tmp\SimpleSC.dll

Filesize
61KB

MD5
d63975ce28f801f236c4aca5af726961

SHA1
3d93ad9816d3b3dba1e63dfcbfa3bd05f787a8c9

SHA256
e0c580bbe48a483075c21277c6e0f23f3cbd6ce3eb2ccd3bf48cf68f05628f43

SHA512
8357e1955560bf0c42a8f4091550c87c19b4939bf1e6a53a54173d1c163b133b9c517014af6f7614eddc0c9bbf93b3b987c4977b024b10b05b3dc4eb20141810

Download Submit
\Users\Admin\AppData\Local\Temp\nsd12D.tmp\System.dll

Filesize
11KB

MD5
9625d5b1754bc4ff29281d415d27a0fd

SHA1
80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

SHA256
c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

SHA512
dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

Download Submit
\Users\Admin\AppData\Local\Temp\nsd12D.tmp\inetc.dll

Filesize
24KB

MD5
1fc1fbb2c7a14b7901fc9abbd6dbef10

SHA1
4d9ed86f31075a3d3f674ff78f39c190a4098126

SHA256
4f26394c93f1acb315c42c351983dafc7f094b2d05db6d7a1ba7dcb39a3a599e

SHA512
76d8ff7fc301cc5ff966ad8be17f0f3f2d869ef797c5a2c55a062305c02133a842906448741bf9818ec369bbb2932b9a9c2193ebc59835b50e8703db0090fdb2

Download Submit
\Users\Admin\AppData\Local\Temp\nsd12D.tmp\md5dll.dll

Filesize
6KB

MD5
7059f133ea2316b9e7e39094a52a8c34

SHA1
ee9f1487c8152d8c42fecf2efb8ed1db68395802

SHA256
32c3d36f38e7e8a8bafd4a53663203ef24a10431bda16af9e353c7d5d108610f

SHA512
9115986754a74d3084dd18018e757d3b281a2c2fde48c73b71dba882e13bd9b2ded0e6e7f45dc5b019e6d53d086090ccb06e18e6efeec091f655a128510cbe51

Download Submit
\Users\Admin\AppData\Local\Temp\nsd12D.tmp\nsExec.dll

Filesize
6KB

MD5
35200be9cf105f3defe2ae0ee44cea12

SHA1
3f4a09eeb477d3f048cdfb848b95aa39b20d89dc

SHA256
0096ae873c75f4e4d802dc97eec9893acc0749a7346e63f25a8d52ba8e11c527

SHA512
f8f7d8a844d588c6e2d6dc54e0d4bcbb1c4229a6e8f4d110a5e3d47eb0b8b5e0860ff5d31762229a731e08d7b232468b2a78c29778a9f0c62a7381db89175833

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFE8B.tmp\CCGylfvpPId.dll

Filesize
352KB

MD5
41061901c1afc95553800c7203a31cd0

SHA1
38fc9f859502166bf5e356b8820ed6a48b060f6d

SHA256
cc0dc4f6b1bf6627532a8c8ab42ad087f3302000632d22713950f0a8c95e8f05

SHA512
c54f0bf158938fa332d482b1190e66cc7856465080fbddc5f7b95ff1f00491d29fa28c49854e6dda73a8e1e11cf2e845754033eb5cfe77327e1625039946c2eb

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFE8B.tmp\gHbMwlFrsMB.dll

Filesize
493KB

MD5
31eafd1f2c5bceb7761b52ea85cf6c26

SHA1
51045a6eeddc1832a9a71fe95bb746192b1bbb2b

SHA256
27e62f38be7bd86e3144888e68ae6dd3cd9afccce244825929409b4e94623dd6

SHA512
4aa675ad91e655cb36adabab706d9af07b91e1b0d71799f0a4068f02765d6010cdc15ef59eb15758e569cede0161d5e8797f4f39b7dcbfb97b95770acc18e4a8

Download Submit
\Users\Admin\AppData\Local\Temp\nsiFE8B.tmp\lDerpvVTsgA.dll

Filesize
650KB

MD5
e4bdc739307f32b968e32fcebc9c01f6

SHA1
5f3d406f01579e3e8a67c05d2e31ec369e14604c

SHA256
17d489476f1f2fbe95a5ddb2a95a788528db842153c5582457133a79eb0756e0

SHA512
494ab1baf1ba59aa6cb4209dae8d493b784d289c74ba66b34d826aebb4014bb2fdfa3f30680650408048d9197cab5b945936c36cac9529c220048cef4704224e

Download Submit
\Windows\Temp\nsd571.tmp\brh.dll

Filesize
446KB

MD5
915ad39a9a5cac612cee374d81ff8af0

SHA1
d9f20e5174425e063194eefb18ef61ddeed14d4f

SHA256
31de470aadf7ae30d539e8296990b66a83876c9e21460e3b9e4d152e533f9e32

SHA512
24d51ed914796d83e8b73b04fc7db18edde823e57214128106ab250e0798452c6fb2f4ad46acdf26d2d6b5ba4b0820244e97a4b3c9bef826eb6af1efd7475aa5

Download Submit
memory/1364-332-0x0000000000E70000-0x0000000000F2C000-memory.dmp

Filesize
752KB

Download
memory/1520-359-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-357-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-378-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-350-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-354-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-353-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-374-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-370-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-367-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-369-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-352-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-365-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-364-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-349-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-373-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-348-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-363-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-360-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-358-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-355-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-347-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-371-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-376-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-345-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1520-346-0x0000000001B90000-0x00000000020D2000-memory.dmp

Filesize
5.3MB

Download
memory/1820-259-0x0000000003080000-0x00000000035C2000-memory.dmp

Filesize
5.3MB

Download
memory/2424-67-0x0000000000400000-0x00000000015DB000-memory.dmp

Filesize
17.9MB

Download
memory/2424-95-0x0000000002340000-0x000000000234A000-memory.dmp

Filesize
40KB

Download
memory/2424-97-0x0000000002340000-0x000000000234A000-memory.dmp

Filesize
40KB

Download
memory/2424-96-0x0000000002340000-0x000000000234A000-memory.dmp

Filesize
40KB

Download
memory/2424-101-0x00000000032C0000-0x00000000033A8000-memory.dmp

Filesize
928KB

Download
memory/2924-191-0x0000000003E40000-0x0000000003E64000-memory.dmp

Filesize
144KB

Download
memory/2924-389-0x0000000003010000-0x000000000301A000-memory.dmp

Filesize
40KB

Download
memory/2924-327-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-293-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-297-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-298-0x0000000003000000-0x000000000300A000-memory.dmp

Filesize
40KB

Download
memory/2924-287-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-253-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-239-0x0000000003E90000-0x0000000003EA3000-memory.dmp

Filesize
76KB

Download
memory/2924-368-0x0000000003010000-0x000000000301A000-memory.dmp

Filesize
40KB

Download
memory/2924-233-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-234-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-219-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-220-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-167-0x0000000003010000-0x000000000301A000-memory.dmp

Filesize
40KB

Download
memory/2924-150-0x0000000003E10000-0x0000000003E37000-memory.dmp

Filesize
156KB

Download
memory/2924-34-0x0000000003000000-0x000000000300A000-memory.dmp

Filesize
40KB

Download
memory/2924-22-0x0000000000400000-0x00000000015DB000-memory.dmp

Filesize
17.9MB

Download
memory/2924-390-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-339-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-497-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-495-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-496-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-494-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-493-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-481-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-415-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/2924-416-0x0000000003E90000-0x0000000003E9A000-memory.dmp

Filesize
40KB

Download
memory/3044-404-0x0000000001C60000-0x00000000021A2000-memory.dmp

Filesize
5.3MB

Download
memory/3044-420-0x0000000001C60000-0x00000000021A2000-memory.dmp

Filesize
5.3MB

Download
memory/3044-421-0x0000000001C60000-0x00000000021A2000-memory.dmp

Filesize
5.3MB

Download
memory/3044-422-0x0000000001C60000-0x00000000021A2000-memory.dmp

Filesize
5.3MB

Download
memory/3044-423-0x0000000001C60000-0x00000000021A2000-memory.dmp

Filesize
5.3MB

Download
memory/3044-403-0x0000000001C60000-0x00000000021A2000-memory.dmp

Filesize
5.3MB

Download
memory/3044-401-0x0000000001C60000-0x00000000021A2000-memory.dmp

Filesize
5.3MB

Download
memory/3044-402-0x0000000001C60000-0x00000000021A2000-memory.dmp

Filesize
5.3MB

Download
memory/3044-400-0x0000000001C60000-0x00000000021A2000-memory.dmp

Filesize
5.3MB

Download
memory/3044-399-0x0000000001C60000-0x00000000021A2000-memory.dmp

Filesize
5.3MB

Download
memory/3044-394-0x0000000001C60000-0x00000000021A2000-memory.dmp

Filesize
5.3MB

Download
memory/3044-392-0x0000000001C60000-0x00000000021A2000-memory.dmp

Filesize
5.3MB

Download