Analysis
  max time kernel: 122s
  max time network: 133s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 17-06-2024 23:48
  Static task: static1
  Behavioral task: behavioral1
  Sample: ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
  Resource: win7-20240508-en

General
  Target: ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
  Size: 1.0MB
  MD5: ba2bbf9c7809297a2ee1baba58c55e81
  SHA1: b62317610a8d1f33cb566f40efbf0fd35954d5c8
  SHA256: 55819061820b24c4e0f6845d20e02d872993bc88821be47fd5d1543297266a07
  SHA512: 87dcf3494c094bcb2d527dd0d4fd170dd580f9ba36fbb7196deaab7629faf2c646aa69ad8278758d9d291528d468e2287f4f1ba1a86ec1d43f83bc17eb8fe54e
  SSDEEP: 12288:MUDNipGWJMHT/90G1m3AALuRuoBOE9g7MHEI:n/9Z1YLucmOmgAN

Malware Config
Extracted
  Family: sality
  URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
  - http://www.klkjwre9fqwieluoi.info/
  - http://kukutrustnet777888.info/

Signatures

Modifies firewall policy service (2 TTPs, 6 IoCs)
Processes: svchost.exe, ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | svchost.exe

UAC bypass (2 IoCs)
Processes: ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe, svchost.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe

Windows security bypass (18 IoCs)
Processes: ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe, svchost.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" | svchost.exe

Executes dropped EXE (3 IoCs)
Processes: svchost.exe, svchost.exe, svchost.exe
pid | process
- 1116 | svchost.exe
- 2348 | svchost.exe
- 4784 | svchost.exe

YARA rule match: upx (41 IoCs)
resource | yara_rule
- behavioral2/memory/4000-N-0x0000000002290000-0x000000000331E000-memory.dmp, for dump numbers N = 1, 4, 6, 7, 8, 13, 15, 16, 17, 31, 32, 33, 34, 35, 37, 38, 39, 41, 43, 44, 45, 48, 51, 53, 54, 56, 58, 64, 66, 67, 71, 72, 73, 76, 78, 80, 81, 83, 86 (39 dumps of pid 4000, all the same memory region) | upx
- behavioral2/memory/1116-N-0x0000000001240000-0x00000000022CE000-memory.dmp, for dump numbers N = 18, 30 (2 dumps of pid 1116, the same memory region) | upx

Windows security modification (20 IoCs)
Processes: svchost.exe, ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | svchost.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe

Checks whether UAC is enabled (2 IoCs)
Processes: svchost.exe, ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
description | ioc | process
- File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (one event per drive letter, 21 in total) | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe

Drops autorun.inf file (1 TTP, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
description | ioc | process
- File opened for modification | C:\autorun.inf | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- File opened for modification | F:\autorun.inf | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe

Drops file in Program Files directory (12 IoCs)
Processes: ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
description | ioc | process
- File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe

Drops file in Windows directory (3 IoCs)
Processes: ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
description | ioc | process
- File created | C:\Windows\svchost.exe | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- File opened for modification | C:\Windows\svchost.exe | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- File opened for modification | C:\Windows\SYSTEM.INI | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe

Modifies data under HKEY_USERS (11 IoCs)
Processes: svchost.exe
description | ioc | process
- Key created | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425 | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software | svchost.exe
- Key created | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\1414748499 = "124" | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-1465470298 = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-1516192097 = "397" | svchost.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\… (value name and data not recovered) | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-50721799 = "0" | svchost.exe
- Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\1364026700 = "35" | svchost.exe
- Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\1313304901 = "06A8BB1AD2BF41C19C957B4CFBEDFF1EF2E3DBE4DA4CD047EAD75E66990059CCABC859A6F25DCE12C46ACFD1231BE43A44AD47CB2CB3B9B6631773B6B0B554211CAC18062A3268B25D9944460116DE02E91BDD350C12D825D2A50CC8D8C43714ED90C6C665B92D768DAC66752F17E51E8C3DDE8BAFA8C6BE3B1DD99913135E28" | svchost.exe

Suspicious behavior: EnumeratesProcesses (24 IoCs)
Processes: ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
pid | process
- 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe (24 identical events)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
description | pid | process
- Token: SeDebugPrivilege | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe (64 identical events)

Suspicious use of WriteProcessMemory (64 IoCs; repeated rows collapsed, each pair below occurs more than once)
Processes: ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe, svchost.exe
description | pid | process | target process
- PID 4000 wrote to memory of 788 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | fontdrvhost.exe
- PID 4000 wrote to memory of 796 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | fontdrvhost.exe
- PID 4000 wrote to memory of 316 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | dwm.exe
- PID 4000 wrote to memory of 2568 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | svchost.exe
- PID 4000 wrote to memory of 2580 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | sihost.exe
- PID 4000 wrote to memory of 2804 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | taskhostw.exe
- PID 4000 wrote to memory of 3388 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | Explorer.EXE
- PID 4000 wrote to memory of 3596 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | svchost.exe
- PID 4000 wrote to memory of 3780 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | DllHost.exe
- PID 4000 wrote to memory of 3868 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | StartMenuExperienceHost.exe
- PID 4000 wrote to memory of 3936 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | RuntimeBroker.exe
- PID 4000 wrote to memory of 4016 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | SearchApp.exe
- PID 4000 wrote to memory of 3408 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | RuntimeBroker.exe
- PID 4000 wrote to memory of 3624 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | TextInputHost.exe
- PID 4000 wrote to memory of 3116 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | RuntimeBroker.exe
- PID 4000 wrote to memory of 836 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | backgroundTaskHost.exe
- PID 4000 wrote to memory of 2740 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | RuntimeBroker.exe
- PID 4000 wrote to memory of 4380 | 4000 | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | RuntimeBroker.exe
- PID 1116 wrote to memory of 2348 | 1116 | svchost.exe | svchost.exe
- PID 1116 wrote to memory of 4784 | 1116 | svchost.exe | svchost.exe

System policy modification (1 TTP, 2 IoCs)
Processes: ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe, svchost.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Processes (depth: path | command line)
1: C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
1: C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
1: C:\Windows\system32\dwm.exe | "dwm.exe"
1: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1: C:\Windows\system32\sihost.exe | sihost.exe
1: C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1: C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  2: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
1: C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1: C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1: C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
1: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1: C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
1: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1: C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
1: C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1: C:\Windows\svchost.exe | C:\Windows\svchost.exe
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    - System policy modification
  2: C:\Windows\svchost.exe | C:\Windows\svchost.exe Win7
    - Executes dropped EXE
  2: C:\Windows\svchost.exe | C:\Windows\svchost.exe Win7
    - Executes dropped EXE
1: C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
1: C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
Defense Evasion
- Modify Registry (5)
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
Downloads
- C:\Windows\SYSTEM.INI
  Filesize: 257B
  MD5: d2842e2cd63fed7f4ce7746f8f911e86
  SHA1: 734487ca11e2012a1b4e964537c7567a7fd3729e
  SHA256: a45985257d7f56da67f876889a9d0b7ccae82eedb19883e5c93f122a125a43f5
  SHA512: e78e1ec78abf54dbd142e2e635d6b9558eee7a737f822d71ef7bbe34a1d405ed6a41ee8078a7394fd96322fd6b389e96eaabdbefbd4e0a3dff7abf0753ad1bf9
- C:\Windows\svchost.exe
  Filesize: 1.0MB
  MD5: ba2bbf9c7809297a2ee1baba58c55e81
  SHA1: b62317610a8d1f33cb566f40efbf0fd35954d5c8
  SHA256: 55819061820b24c4e0f6845d20e02d872993bc88821be47fd5d1543297266a07
  SHA512: 87dcf3494c094bcb2d527dd0d4fd170dd580f9ba36fbb7196deaab7629faf2c646aa69ad8278758d9d291528d468e2287f4f1ba1a86ec1d43f83bc17eb8fe54e
- C:\kflf.exe
  Filesize: 100KB
  MD5: 8ec844d8d81d0352a14fe342d8a0e98b
  SHA1: f2496c48cf97649a982234a88e1698212fd14c0a
  SHA256: dd229dc2331198ede4d171435e32b61a819f197c7af5a2ffa349eef818e0ff83
  SHA512: 900be890489bdec5c1ae1f67a8e8ce215aaff15507e1c21feae309a74f624434cf38973d8b593914eb45b89a4369670ba503036b643733bf7d271f5f44293b2e