Analysis Overview
SHA256
341cd2edfdbdb9e2526c46bc6f2646d425253c814081146636d540456fdf752e
Threat Level: Known bad
The file 0708a569819216400284adc26919eb4b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
ModiLoader, DBatLoader
Modifies visibility of hidden/system files in Explorer
ModiLoader Second Stage
Loads dropped DLL
Executes dropped EXE
UPX packed file
Deletes itself
Checks computer location settings
Drops desktop.ini file(s)
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Enumerates processes with tasklist
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 14:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 14:56
Reported
2024-06-20 14:58
Platform
win7-20240508-en
Max time kernel
150s
Max time network
123s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\ruiewof.exe | N/A |
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
| N/A | N/A | C:\Users\Admin\ruiewof.exe | N/A |
| N/A | N/A | C:\Users\Admin\ayhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\ayhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bahost.exe | N/A |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\djhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\ekhost.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /q" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /g" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /O" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /L" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /I" | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /P" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /T" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /w" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /e" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /u" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /J" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /W" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /s" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /N" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /D" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /v" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /U" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /M" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /E" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /X" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /C" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /A" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /y" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /B" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /h" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /n" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /F" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /K" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /a" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /f" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /o" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /Z" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /Q" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /V" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /H" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /b" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /l" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /d" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /t" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /I" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /p" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /i" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /m" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /R" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /G" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /z" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /r" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /k" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /S" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /c" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /Y" | C:\Users\Admin\ruiewof.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\ruiewof = "C:\\Users\\Admin\\ruiewof.exe /j" | C:\Users\Admin\ruiewof.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | \systemroot\assembly\GAC_64\Desktop.ini | C:\Windows\system32\csrss.exe | N/A |
| File created | \systemroot\assembly\GAC_32\Desktop.ini | C:\Windows\system32\csrss.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2520 set thread context of 2512 | N/A | C:\Users\Admin\ayhost.exe | C:\Users\Admin\ayhost.exe |
| PID 2292 set thread context of 2572 | N/A | C:\Users\Admin\bahost.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\bahost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\bahost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0708a569819216400284adc26919eb4b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
| N/A | N/A | C:\Users\Admin\ruiewof.exe | N/A |
| N/A | N/A | C:\Users\Admin\djhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\ekhost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\0708a569819216400284adc26919eb4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0708a569819216400284adc26919eb4b_JaffaCakes118.exe"
C:\Users\Admin\d3s3Jf2gX6.exe
C:\Users\Admin\d3s3Jf2gX6.exe
C:\Users\Admin\ruiewof.exe
"C:\Users\Admin\ruiewof.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del d3s3Jf2gX6.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\ayhost.exe
C:\Users\Admin\ayhost.exe
C:\Users\Admin\ayhost.exe
ayhost.exe
C:\Users\Admin\bahost.exe
C:\Users\Admin\bahost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\djhost.exe
C:\Users\Admin\djhost.exe
C:\Users\Admin\ekhost.exe
C:\Users\Admin\ekhost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 0708a569819216400284adc26919eb4b_JaffaCakes118.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
Network
Files
\Users\Admin\d3s3Jf2gX6.exe
\Users\Admin\ruiewof.exe
\Users\Admin\ayhost.exe
\Users\Admin\bahost.exe
C:\Windows\system32\consrv.dll
\Users\Admin\djhost.exe
\Users\Admin\ekhost.exe
\Windows\assembly\GAC_32\Desktop.ini
\Windows\assembly\GAC_64\Desktop.ini
\??\globalroot\systemroot\assembly\temp\@
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 14:56
Reported
2024-06-20 14:58
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
53s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\noevi.exe | N/A |
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\0708a569819216400284adc26919eb4b_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\ekhost.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
| N/A | N/A | C:\Users\Admin\ayhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\noevi.exe | N/A |
| N/A | N/A | C:\Users\Admin\ayhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bahost.exe | N/A |
| N/A | N/A | C:\Users\Admin\djhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\ekhost.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /h" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /k" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /N" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /Z" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /b" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /r" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /C" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /U" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /A" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /p" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /D" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /v" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /H" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /X" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /x" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /G" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /m" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /i" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /J" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /s" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /R" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /e" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /o" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /l" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /B" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /W" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /c" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /E" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /V" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /S" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /K" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /a" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /Y" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /I" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /O" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /n" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /M" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /X" | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /P" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /j" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /f" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /u" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /y" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /d" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /q" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /Q" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /z" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /t" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /g" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /w" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /T" | C:\Users\Admin\noevi.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\noevi = "C:\\Users\\Admin\\noevi.exe /L" | C:\Users\Admin\noevi.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 5004 set thread context of 436 | N/A | C:\Users\Admin\ayhost.exe | C:\Users\Admin\ayhost.exe |
| PID 3196 set thread context of 2116 | N/A | C:\Users\Admin\bahost.exe | C:\Windows\SysWOW64\cmd.exe |
Enumerates physical storage devices
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\bahost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0708a569819216400284adc26919eb4b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\d3s3Jf2gX6.exe | N/A |
| N/A | N/A | C:\Users\Admin\noevi.exe | N/A |
| N/A | N/A | C:\Users\Admin\djhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\ekhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0708a569819216400284adc26919eb4b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0708a569819216400284adc26919eb4b_JaffaCakes118.exe"
C:\Users\Admin\d3s3Jf2gX6.exe
C:\Users\Admin\d3s3Jf2gX6.exe
C:\Users\Admin\ayhost.exe
C:\Users\Admin\ayhost.exe
C:\Users\Admin\noevi.exe
"C:\Users\Admin\noevi.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del d3s3Jf2gX6.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\ayhost.exe
ayhost.exe
C:\Users\Admin\bahost.exe
C:\Users\Admin\bahost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\djhost.exe
C:\Users\Admin\djhost.exe
C:\Users\Admin\ekhost.exe
C:\Users\Admin\ekhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del 0708a569819216400284adc26919eb4b_JaffaCakes118.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del ekhost.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| N/A | 127.0.0.1:80 | N/A | tcp |
| US | 8.8.8.8:53 | elegantweddingdecor.com | udp |
Files
C:\Users\Admin\d3s3Jf2gX6.exe
| MD5 | b3c7427a9509d61a373b377e668c8ddd |
| SHA1 | 80b7a9d3fea90879ac10e4cbbd70968aaf8f46d3 |
| SHA256 | b24dacfe819e4b8e04e3d1ae5a82ffda05ce5c870c0ce530f723c29c76fe5a28 |
| SHA512 | 616411ce4b75b80bba9bb901848f9814624deb89a941d4f13b2bc66b63a2eab230354f320a61610bb9166d368a77a3036068f3a7c76d0d0078e71b653e10c7fe |
C:\Users\Admin\noevi.exe
| MD5 | 424f1258c32183b976c1981d0260775b |
| SHA1 | 50eafc7edcf52689cf7827207e591995cf6138d8 |
| SHA256 | bcd0303f8c9da4a88448442bba8d97fd74ca476b5f224e9ee1feb5e1953eece3 |
| SHA512 | 1fd240725e7e47e22a3bb7ab49e40b549df3c10fd1c78353a123a6073b8be63dfe39967718adad35631ee01d21592f2b4d03fb21b432c6560ce1d738c4e77d02 |
C:\Users\Admin\ayhost.exe
| MD5 | 8ccbe4f27f9710f3e7f75e1d1de57e49 |
| SHA1 | 272e95e476477cd4a1715ee0bcf32318e0351718 |
| SHA256 | 3d36ee15c25b2308f8552e121d885c26b46b4e7fc6dbb41a684bec53e0ae3b5d |
| SHA512 | 334f56b5158839f521513aff9de334536c86da633bf1a3b78592529275457973ed67fd55a54bef8f88ce918c2863c365cababfbd0ef888a27272906e281105d0 |
memory/436-46-0x0000000000400000-0x000000000040E000-memory.dmp
memory/436-53-0x0000000000400000-0x000000000040E000-memory.dmp
memory/436-52-0x0000000000400000-0x000000000040E000-memory.dmp
memory/5004-51-0x0000000000400000-0x0000000000417000-memory.dmp
memory/436-50-0x0000000000400000-0x000000000040E000-memory.dmp
memory/436-45-0x0000000000400000-0x000000000040E000-memory.dmp
C:\Users\Admin\bahost.exe
| MD5 | 57d06744cbe8d579531f5704827605c1 |
| SHA1 | 222404c29087c7481127d5616e209e8a8946b110 |
| SHA256 | 42c00828ea0ca557e2f50c49ebc24d3e2ffbd207ad6128e002ee9487be0e7f1a |
| SHA512 | 1d22108dbca3e6566a14e687077cfca481adf2eb4d6a214e49c2242f4aa3701f1a31037993f3ba78c41f9242666b2b0b1424f983ee660eae2e89b3c492d93093 |
memory/3196-57-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Users\Admin\djhost.exe
| MD5 | af152804736fe7af65e4b49633a2d185 |
| SHA1 | 3c2ecabfbdca7b4bfed2fbaae7cfeabe9d439d35 |
| SHA256 | 45b8430d8053f791bfcd0033ae2cdfed2b253a0f6835395055345058ab18c40e |
| SHA512 | 749461feaacada8ddec990df90ae5f580fb9b6b0bad680015a7067d66ecd785822bb50223dc734d29016cb29dfa98c9efa08d53b99dc0e0fe26193ff12742cd6 |
C:\Users\Admin\ekhost.exe
| MD5 | 046275674448c41615014cf770ee4f53 |
| SHA1 | 4f51eb674e199d6b901aaffb55c4aeafb94acfb3 |
| SHA256 | 3c561abc78eb200f46286b30765a2f6bf6b6bc9c6f433b327955d2e0ef6aaa6f |
| SHA512 | db35c805e516209d0ee02e182711360ea2a49f7de5c79a01fe448beb673abe83ac638cf1c0b04c4e45f608fad490cdd5f8d2bd99aa0c0c679fb3fc9a77bbe0e2 |