Analysis
- max time kernel: 65s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 20/06/2024, 16:58

Static task: static1
Behavioral task: behavioral1
- Sample: 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe
- Size: 827KB
- MD5: 07ff01a5981a62f881098f91c9d8dc2a
- SHA1: 05fcc7a610350324c40c9038db895f81efe1eb6f
- SHA256: c8ceb7f27b3cedffabd4abaae3688b9b41d794f583ece6d7cb456a84f920aa8b
- SHA512: 2d70d118aee55051100485483724e194e9949e391d2420829288df9d362a59be1a26880ad419117f7f08d6b46c9754194110a177867976b40b7d1c217d499965
- SSDEEP: 24576:OA/sWp8oMJMCRcxNWdm1D43yT2ZWW4Dt9pYOtRtFtp:OA/+o85RcXWdmZdT294tXp
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service 3 TTPs 21 IoCs
All 21 rows are "Set value (int)" writes under \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile. Together they switch the Standard-profile Windows Firewall off, allow exceptions through it and silence its notifications:
- EnableFirewall = "0": explorer.exe (5), svchost.exe (1), 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe (1)
- DoNotAllowExceptions = "0": explorer.exe (5), svchost.exe (1), 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe (1)
- DisableNotifications = "1": explorer.exe (5), svchost.exe (1), 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe (1)
The explorer.exe in the Process column throughout this report is the dropped copy listed under "Executes dropped EXE", not the Windows shell.

[signature heading missing on the page] 7 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0": explorer.exe (5), svchost.exe (1), 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe (1)
EnableLUA = 0 turns User Account Control off system-wide; the change takes effect at the next reboot.

[signature heading missing on the page] 42 IoCs
All 42 rows are "Set value (int)" writes under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center, and each of the six values below is written by explorer.exe (5), svchost.exe (1) and 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe (1). The *Override values stop Security Center flagging the antivirus and firewall state; the *DisableNotify values suppress its warnings, so the user is not told that the firewall, antivirus, updates or UAC are off:
- AntiVirusOverride = "1"
- FirewallOverride = "1"
- AntiVirusDisableNotify = "1"
- FirewallDisableNotify = "1"
- UacDisableNotify = "1"
- UpdatesDisableNotify = "1"
Boot or Logon Autostart Execution: Active Setup 2 TTPs 14 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
All 14 rows target \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}. The StubPath command runs for each user at logon until a matching component entry exists under that user's HKCU hive, which is what makes Active Setup useful for persistence:
- Key created: explorer.exe (5), 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe (1), svchost.exe (1)
- Set value (str) StubPath = "C:\\Windows\\windows\\explorer.exe restart": 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe (1), svchost.exe (1)
- Set value (str) StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\explorer.exe restart": explorer.exe (5)
Both StubPath targets are the dropped copy named explorer.exe. The genuine shell is C:\Windows\explorer.exe, so an explorer.exe one directory deeper, or under AppData\Roaming, is the indicator to hunt for.
Deletes itself 1 IoCs
- pid 2412 explorer.exe (a dropped copy; see "Executes dropped EXE")

Executes dropped EXE 31 IoCs
- 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe: pids 2156, 2528
- explorer.exe: pids 1220, 2412, 2848, 712, 1772, 1928, 1936, 1952, 2064, 2288, 2548, 2460, 2676, 2704, 1676, 2216, 336, 1828, 600, 3060, 2000, 2372, 1600, 2552, 2512, 1988, 2400, 2224, 1160

Loads dropped DLL 12 IoCs
- 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe: pids 2736, 2156
- svchost.exe: pid 2332 (10 loads)
[signature heading missing on the page] yara rule "upx", 48 memory-dump matches in behavioral1
- pid 2736 (07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe): 0x0000000000400000-0x00000000005AA000 in dumps 33, 35, 37, 43, 44, 45, 46, 47, 98; 0x0000000002980000-0x0000000003A0E000 in dumps 48, 50, 51, 52, 55, 56, 72, 73, 74, 75, 76, 82
- pid 2156 (07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe): 0x0000000001D40000-0x0000000001E5E000 in dump 100
- pid 2528 (07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe): 0x0000000010000000-0x000000001031C000 in dumps 102, 104, 106, 112
- pid 2332 (svchost.exe): 0x0000000002C00000-0x0000000002D1E000 in dumps 666, 762
- 0x0000000000400000-0x00000000005AA000 in the dropped explorer.exe processes: 2412 (dumps 139, 222), 712 (191, 200), 1952 (299), 2460 (381), 2216 (470), 2000 (546, 554), 3060 (576), 2512 (651), 1160 (697, 726)
- 0x0000000000400000-0x00000000005AA000 in pids not listed elsewhere on the page: 1136 (781, 812), 2292 (877, 913), 2752 (901, 907), 1780 (956)
[signature heading missing on the page] 42 IoCs
All rows are under \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center; each of the seven row types appears 6 times, written by explorer.exe (5) and 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe (1):
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc
- Set value (int) AntiVirusOverride = "1"
- Set value (int) FirewallOverride = "1"
- Set value (int) AntiVirusDisableNotify = "1"
- Set value (int) FirewallDisableNotify = "1"
- Set value (int) UacDisableNotify = "1"
- Set value (int) UpdatesDisableNotify = "1"
Adds Run key to start application 2 TTPs 20 IoCs
All 20 rows are "Set value (str)" writes; the Run value names are literally "HKLM" and "HKCU":
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\explorer.exe": explorer.exe (5)
- \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HKLM = "C:\\Windows\\windows\\explorer.exe": 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe (1), svchost.exe (1)
- \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\explorer.exe": explorer.exe (5)
- \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\windows\\explorer.exe": explorer.exe (5), svchost.exe (1), 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe (1)
- \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Users\\Admin\\AppData\\Local\\Temp\\07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe": 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe (1)
The original sample registers itself from %TEMP% once; every other write points at one of the two dropped explorer.exe copies, so a Run value whose data is an explorer.exe outside C:\Windows is the durable indicator.

[signature heading missing on the page] 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0": explorer.exe (5), 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe (1)
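An added example, not part of the sandbox report: a Python triage of registry rows in the flattened "description ioc Process" format used by the firewall-policy, EnableLUA, Security Center, Active Setup and Run-key tables above. It parses each row, labels writes that weaken host defences (the firewall, UAC and Security Center values listed above), flags the two persistence locations, and checks whether a persisted image is a Windows binary name launched from a directory other than its home. The seven rows are constructed by copying entries from this report; the home directories assumed for explorer.exe and svchost.exe are the example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class RegEvent:
    op: str              # "Set value (int)", "Set value (str)" or "Key created"
    key: str             # key path as the sandbox prints it
    value: str           # value name ("" for Key created rows)
    data: Optional[str]  # value data without the surrounding quotes
    process: str         # image name of the writing process


@dataclass
class Finding:
    category: str        # "defense-evasion", "persistence" or "masquerading"
    detail: str
    process: str


def parse_row(row: str) -> RegEvent:
    """Parse one row in the report's flattened 'description ioc Process' format."""
    if row.startswith("Set value ("):
        cut = row.index(") ") + 1
        op, rest = row[:cut], row[cut + 1:]
    elif row.startswith("Key created "):
        op, rest = "Key created", row[len("Key created "):]
    else:
        raise ValueError(f"unrecognised row: {row}")
    rest, process = rest.rsplit(" ", 1)        # the process image is the last token
    if ' = "' in rest:
        path, data = rest.split(' = "', 1)
        data = data[:-1] if data.endswith('"') else data
    else:
        path, data = rest, None
    if op == "Key created":
        return RegEvent(op, path, "", None, process)
    key, _, value = path.rpartition("\\")
    return RegEvent(op, key, value, data, process)


# (key-path suffix, value name, data) -> effect, for the Windows Firewall, UAC and
# Security Center values the report shows being written.
TAMPER_RULES = {
    ("FirewallPolicy\\StandardProfile", "EnableFirewall", "0"): "firewall off",
    ("FirewallPolicy\\StandardProfile", "DoNotAllowExceptions", "0"): "firewall exceptions allowed",
    ("FirewallPolicy\\StandardProfile", "DisableNotifications", "1"): "firewall notifications off",
    ("Policies\\System", "EnableLUA", "0"): "UAC off",
    ("Security Center", "AntiVirusOverride", "1"): "Security Center ignores AV state",
    ("Security Center", "FirewallOverride", "1"): "Security Center ignores firewall state",
    ("Security Center", "AntiVirusDisableNotify", "1"): "AV warnings off",
    ("Security Center", "FirewallDisableNotify", "1"): "firewall warnings off",
    ("Security Center", "UacDisableNotify", "1"): "UAC warnings off",
    ("Security Center", "UpdatesDisableNotify", "1"): "update warnings off",
}

# Assumption of this example: where the genuine binaries of these names live.
SYSTEM_BINARY_HOME = {"explorer.exe": r"c:\windows", "svchost.exe": r"c:\windows\system32"}


def image_of(data: str) -> str:
    """Executable path from value data: undo the sandbox's doubled backslashes and
    drop arguments such as the 'restart' after the StubPath image."""
    cmd = data.replace("\\\\", "\\").strip('"')
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def masquerade(image: str) -> Optional[str]:
    """Flag a system-binary name launched from a directory other than its home (T1036)."""
    directory, _, name = image.rpartition("\\")
    home = SYSTEM_BINARY_HOME.get(name.lower())
    if home and directory.lower() != home:
        return f"{name} from {directory} instead of {home}"
    return None


def classify(ev: RegEvent) -> List[Finding]:
    out = []
    for (suffix, name, bad), effect in TAMPER_RULES.items():
        if ev.value == name and ev.data == bad and ev.key.endswith(suffix):
            out.append(Finding("defense-evasion", effect, ev.process))
    image = None
    if ev.data and ev.key.endswith("\\CurrentVersion\\Run"):
        out.append(Finding("persistence", f"Run value {ev.value} -> {ev.data}", ev.process))
        image = image_of(ev.data)
    elif ev.data and ev.value == "StubPath" and "\\Active Setup\\Installed Components\\" in ev.key:
        out.append(Finding("persistence", f"Active Setup StubPath -> {ev.data}", ev.process))
        image = image_of(ev.data)
    if image and (why := masquerade(image)):
        out.append(Finding("masquerading", why, ev.process))
    return out


def triage(rows: List[str]) -> List[Finding]:
    return [f for row in rows for f in classify(parse_row(row))]


def summarize(findings: List[Finding]) -> Counter:
    return Counter(f.category for f in findings)


# Constructed input: seven rows copied from the tables in this report.
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" explorer.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{5460C4DF-B266-909E-CB58-E32B79832EB2}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\windows\\explorer.exe restart" explorer.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\windows\\explorer.exe" svchost.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc explorer.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" explorer.exe',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_ROWS):
        print(f"{f.category:16} {f.process:45} {f.detail}")
    print(dict(summarize(triage(SAMPLE_ROWS))))
```

The "Key created ...\Security Center\Svc" row produces no finding on its own; it is the value writes that carry the signal. A row whose persisted image is a correctly located system binary would still be reported as persistence but not as masquerading.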
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K: by svchost.exe (one row per drive letter)
Maps connected drives based on registry 3 TTPs 16 IoCs
Disk information is often read in order to detect sandboxing environments.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum: explorer.exe (7), 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe (1)
- Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0: explorer.exe (7), 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe (1)
Writes to the Master Boot Record (MBR) 1 TTPs 10 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification \??\PhysicalDrive0: explorer.exe (9), 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe (1)
The report records only that the raw disk device was opened with write access; what was written to sector 0 is not shown, so the MBR of an infected host should be compared against a known-good copy rather than assumed intact.
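An added example, not part of the report: a Python MBR check a responder can run against a disk image (or, with administrator rights on Windows, the live \\.\PhysicalDrive0 the rows above show being opened). It parses sector 0 and diffs its regions against a known-good copy so that a change to the 440-byte bootstrap code, which is what a bootkit rewrites, is reported separately from a partition-table change. The baseline and tampered sectors are constructed in the code; read_mbr() is the assumed way to pull the live sector, and nothing here reproduces what this sample actually wrote, which the report does not show.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a physical disk (Windows device path; needs administrator rights)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Split a classic MBR: 440 bytes bootstrap code, 4-byte disk signature,
    2 reserved bytes, four 16-byte partition entries, 0x55AA at offset 510."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:                       # type 0 marks an unused entry
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sector_count})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def mbr_diff(baseline: bytes, current: bytes) -> list:
    """Name the MBR regions that differ from a known-good copy. Bootstrap-code changes
    are the bootkit case; the partition table normally changes only on repartitioning."""
    findings = []
    if baseline[:440] != current[:440]:
        findings.append("bootstrap code modified")
    if baseline[440:446] != current[440:446]:
        findings.append("disk signature modified")
    if baseline[446:510] != current[446:510]:
        findings.append("partition table modified")
    if current[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature missing")
    return findings


def make_mbr(bootcode: bytes, partitions, disk_signature: int = 0xDEADBEEF) -> bytes:
    """Build a synthetic MBR (constructed test data, not taken from the sample)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode
    struct.pack_into("<I", sector, 440, disk_signature)
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        off = 446 + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Known-good sector: a stub of real-mode setup code (cli; xor ax,ax; mov ss,ax;
# mov sp,0x7c00; sti) padded with NOPs, and one bootable NTFS (0x07) partition.
BASELINE_MBR = make_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 7,
                        [(True, 0x07, 2048, 204800)])
# The same disk after the first bytes of the bootstrap code were replaced by a jump.
TAMPERED_MBR = b"\xeb\x3e" + BASELINE_MBR[2:]

if __name__ == "__main__":
    print(parse_mbr(BASELINE_MBR))
    print("baseline vs itself:", mbr_diff(BASELINE_MBR, BASELINE_MBR))
    print("baseline vs tampered:", mbr_diff(BASELINE_MBR, TAMPERED_MBR))
```

In practice the baseline comes from the same host's golden image or from a clean machine with the same boot loader, and the bootcode_sha256 value is what gets recorded so later checks need not keep the whole sector.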
Suspicious use of SetThreadContext 23 IoCs
Each row is "PID <parent> set thread context of <child>", the step process hollowing relies on: a child is started suspended, its image is replaced, and its main thread's context is pointed at the new code. Written as parent -> child chains, with procid_target in brackets:
- 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe: 2940 -> 2736 [28] -> 2156 [29] -> 2528 [30]
- explorer.exe: 1220 -> 2412 [33] -> 1772 [36] -> 1928 [37]
- explorer.exe: 2848 -> 712 [35]
- explorer.exe: 1936 -> 1952 [39] -> 2064 [40] -> 2288 [41]
- explorer.exe: 2548 -> 2460 [43] -> 2676 [44] -> 2704 [45]
- explorer.exe: 1676 -> 2216 [47] -> 336 [48]
- explorer.exe: 600 -> 3060 [51] -> 2372 [53] -> 1600 [54]
- explorer.exe: 1828 -> 2000 [52]
- explorer.exe: 2552 -> 2512 [58] -> 1988 [59] -> 2400 [60]
- explorer.exe: 2224 -> 1160 [62]
The sample hollows fresh copies of itself three generations deep (2940 -> 2736 -> 2156 -> 2528), and the explorer.exe pid 2412 that "Deletes itself" is the hollowed child of 1220.
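An added example, not part of the report: Python that rebuilds the SetThreadContext rows above into parent -> child chains, so the depth of each hollowing lineage and the injector behind any given pid can be read off directly. The 23 rows are copied from this report as constructed input; treating a pid that never appears as a target as the root of a chain is the example's own assumption.

```python
import re
from typing import Dict, Optional, Tuple

# Rows as printed in the report's "Suspicious use of SetThreadContext" table:
#   PID <parent> set thread context of <child> <parent> <parent image> <procid_target>
SET_CONTEXT_ROWS = """
PID 2940 set thread context of 2736 2940 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe 28
PID 2736 set thread context of 2156 2736 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe 29
PID 2156 set thread context of 2528 2156 07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe 30
PID 1220 set thread context of 2412 1220 explorer.exe 33
PID 2848 set thread context of 712 2848 explorer.exe 35
PID 2412 set thread context of 1772 2412 explorer.exe 36
PID 1772 set thread context of 1928 1772 explorer.exe 37
PID 1936 set thread context of 1952 1936 explorer.exe 39
PID 1952 set thread context of 2064 1952 explorer.exe 40
PID 2064 set thread context of 2288 2064 explorer.exe 41
PID 2548 set thread context of 2460 2548 explorer.exe 43
PID 2460 set thread context of 2676 2460 explorer.exe 44
PID 2676 set thread context of 2704 2676 explorer.exe 45
PID 1676 set thread context of 2216 1676 explorer.exe 47
PID 2216 set thread context of 336 2216 explorer.exe 48
PID 600 set thread context of 3060 600 explorer.exe 51
PID 1828 set thread context of 2000 1828 explorer.exe 52
PID 3060 set thread context of 2372 3060 explorer.exe 53
PID 2372 set thread context of 1600 2372 explorer.exe 54
PID 2552 set thread context of 2512 2552 explorer.exe 58
PID 2512 set thread context of 1988 2512 explorer.exe 59
PID 1988 set thread context of 2400 1988 explorer.exe 60
PID 2224 set thread context of 1160 2224 explorer.exe 62
"""

# The back-reference \1 insists the repeated parent pid matches the first one.
ROW_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) (\d+)$")


def parse_set_context(text: str) -> Dict[int, Tuple[int, str]]:
    """Map each injecting parent pid to (hollowed child pid, parent image)."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unexpected row: {line}")
        parent, child, image, _target = m.groups()
        edges[int(parent)] = (int(child), image)
    return edges


def hollowing_chains(edges: Dict[int, Tuple[int, str]]) -> Dict[int, list]:
    """Follow parent -> child links from every pid that was never itself a target.
    Each chain is one lineage; its length minus one is the number of generations."""
    targets = {child for child, _ in edges.values()}
    chains = {}
    for root in edges:
        if root in targets:
            continue
        chain, pid = [root], root
        while pid in edges:
            pid = edges[pid][0]
            chain.append(pid)
        chains[root] = chain
    return chains


def hollowed_by(edges: Dict[int, Tuple[int, str]], pid: int) -> Optional[int]:
    """Return the pid that set this process's thread context, or None if it was not a target."""
    for parent, (child, _) in edges.items():
        if child == pid:
            return parent
    return None


if __name__ == "__main__":
    edges = parse_set_context(SET_CONTEXT_ROWS)
    for root, chain in hollowing_chains(edges).items():
        print(edges[root][1], " -> ".join(map(str, chain)))
    print("2412 was hollowed by", hollowed_by(edges, 2412))
```

Ten roots cover all 23 rows, so no row is orphaned and there are no cycles; the longest lineages are four processes long, which is the count to carry into a detection threshold if SetThreadContext chains of that depth are being alerted on.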
Drops file in Windows directory 8 IoCs
description  ioc  Process
File created  C:\Windows\windows\explorer.exe  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe
File opened for modification  C:\Windows\windows\explorer.exe  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe
File created  C:\Windows\windows\explorer.exe  explorer.exe
File created  C:\Windows\windows\explorer.exe  explorer.exe
File created  C:\Windows\windows\explorer.exe  explorer.exe
File created  C:\Windows\windows\explorer.exe  explorer.exe
File created  C:\Windows\windows\explorer.exe  explorer.exe
File opened for modification  C:\Windows\SYSTEM.INI  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe
Modifies registry class 30 IoCs
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  explorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  explorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  explorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  explorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  explorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  explorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  explorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  explorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  explorer.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\.key  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\  explorer.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile"  explorer.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid  Process
2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe
2156  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe
2412  explorer.exe
1772  explorer.exe
1952  explorer.exe
2064  explorer.exe
2460  explorer.exe
2676  explorer.exe
2216  explorer.exe
3060  explorer.exe
2372  explorer.exe
2332  svchost.exe
1988  explorer.exe
2332  svchost.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeDebugPrivilege  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  (20 identical entries)
Token: SeDebugPrivilege  2412  explorer.exe  (20 identical entries)
Token: SeDebugPrivilege  1952  explorer.exe  (20 identical entries)
Token: SeDebugPrivilege  2460  explorer.exe  (4 identical entries)
Suspicious use of SetWindowsHookEx 16 IoCs
pid  Process
2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe
2528  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe
2412  explorer.exe
712  explorer.exe
1928  explorer.exe
1952  explorer.exe
2288  explorer.exe
2460  explorer.exe
2704  explorer.exe
2216  explorer.exe
3060  explorer.exe
2000  explorer.exe
1600  explorer.exe
2512  explorer.exe
2400  explorer.exe
1160  explorer.exe
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 2940 wrote to memory of 2736  2940  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  28
PID 2940 wrote to memory of 2736  2940  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  28
PID 2940 wrote to memory of 2736  2940  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  28
PID 2940 wrote to memory of 2736  2940  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  28
PID 2940 wrote to memory of 2736  2940  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  28
PID 2940 wrote to memory of 2736  2940  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  28
PID 2940 wrote to memory of 2736  2940  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  28
PID 2940 wrote to memory of 2736  2940  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  28
PID 2736 wrote to memory of 1124  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  19
PID 2736 wrote to memory of 1184  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  20
PID 2736 wrote to memory of 1224  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  21
PID 2736 wrote to memory of 632  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  23
PID 2736 wrote to memory of 2156  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  29
PID 2736 wrote to memory of 2156  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  29
PID 2736 wrote to memory of 2156  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  29
PID 2736 wrote to memory of 2156  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  29
PID 2736 wrote to memory of 2156  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  29
PID 2736 wrote to memory of 2156  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  29
PID 2736 wrote to memory of 2156  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  29
PID 2736 wrote to memory of 2156  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  29
PID 2736 wrote to memory of 2156  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  29
PID 2736 wrote to memory of 2156  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  29
PID 2736 wrote to memory of 2156  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  29
PID 2736 wrote to memory of 2156  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  29
PID 2736 wrote to memory of 2156  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  29
PID 2736 wrote to memory of 2156  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  29
PID 2736 wrote to memory of 2156  2736  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  29
PID 2156 wrote to memory of 2528  2156  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  30
PID 2156 wrote to memory of 2528  2156  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  30
PID 2156 wrote to memory of 2528  2156  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  30
PID 2156 wrote to memory of 2528  2156  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  30
PID 2156 wrote to memory of 2528  2156  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  30
PID 2156 wrote to memory of 2528  2156  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  30
PID 2156 wrote to memory of 2528  2156  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  30
PID 2156 wrote to memory of 2528  2156  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  30
PID 2528 wrote to memory of 2332  2528  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  31
PID 2528 wrote to memory of 2332  2528  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  31
PID 2528 wrote to memory of 2332  2528  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  31
PID 2528 wrote to memory of 2332  2528  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  31
PID 2528 wrote to memory of 2332  2528  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  31
PID 2332 wrote to memory of 1220  2332  svchost.exe  32
PID 2332 wrote to memory of 1220  2332  svchost.exe  32
PID 2332 wrote to memory of 1220  2332  svchost.exe  32
PID 2332 wrote to memory of 1220  2332  svchost.exe  32
PID 1220 wrote to memory of 2412  1220  explorer.exe  33
PID 1220 wrote to memory of 2412  1220  explorer.exe  33
PID 1220 wrote to memory of 2412  1220  explorer.exe  33
PID 1220 wrote to memory of 2412  1220  explorer.exe  33
PID 1220 wrote to memory of 2412  1220  explorer.exe  33
PID 1220 wrote to memory of 2412  1220  explorer.exe  33
PID 1220 wrote to memory of 2412  1220  explorer.exe  33
PID 1220 wrote to memory of 2412  1220  explorer.exe  33
PID 1220 wrote to memory of 2412  1220  explorer.exe  33
PID 2332 wrote to memory of 2848  2332  svchost.exe  34
PID 2332 wrote to memory of 2848  2332  svchost.exe  34
PID 2332 wrote to memory of 2848  2332  svchost.exe  34
PID 2332 wrote to memory of 2848  2332  svchost.exe  34
PID 2412 wrote to memory of 1124  2412  explorer.exe  19
PID 2412 wrote to memory of 1184  2412  explorer.exe  20
PID 2412 wrote to memory of 1224  2412  explorer.exe  21
PID 2412 wrote to memory of 2332  2412  explorer.exe  31
PID 2412 wrote to memory of 2332  2412  explorer.exe  31
PID 2848 wrote to memory of 712  2848  explorer.exe  35
PID 2848 wrote to memory of 712  2848  explorer.exe  35
PID 2848 wrote to memory of 712  2848  explorer.exe  35
System policy modification 1 TTPs 6 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  explorer.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  explorer.exe
Processes
(indentation shows the process tree depth; each entry is image path, command line, PID)
C:\Windows\system32\taskhost.exe  "taskhost.exe"  PID:1124
C:\Windows\system32\Dwm.exe  "C:\Windows\system32\Dwm.exe"  PID:1184
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:1224
  C:\Users\Admin\AppData\Local\Temp\07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe"  PID:2940
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe"  PID:2736
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Loads dropped DLL
      - Windows security modification
      - Checks whether UAC is enabled
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Users\Admin\AppData\Local\Temp\07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe"  PID:2156
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  C:\Users\Admin\AppData\Local\Temp\07ff01a5981a62f881098f91c9d8dc2a_JaffaCakes118.exe  PID:2528
          - Boot or Logon Autostart Execution: Active Setup
          - Executes dropped EXE
          - Adds Run key to start application
          - Drops file in Windows directory
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Windows\SysWOW64\svchost.exe  svchost.exe  PID:2332
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Boot or Logon Autostart Execution: Active Setup
            - Loads dropped DLL
            - Adds Run key to start application
            - Enumerates connected drives
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1220
              - Executes dropped EXE
              - Writes to the Master Boot Record (MBR)
              - Suspicious use of SetThreadContext
              - Modifies registry class
              - Suspicious use of WriteProcessMemory
              C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2412
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Deletes itself
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Maps connected drives based on registry
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - Suspicious use of WriteProcessMemory
                - System policy modification
                C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1772
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: EnumeratesProcesses
                  C:\Windows\windows\explorer.exe  C:\Windows\windows\explorer.exe  PID:1928
                    - Boot or Logon Autostart Execution: Active Setup
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Drops file in Windows directory
                    - Suspicious use of SetWindowsHookEx
            C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2848
              - Executes dropped EXE
              - Writes to the Master Boot Record (MBR)
              - Suspicious use of SetThreadContext
              - Modifies registry class
              - Suspicious use of WriteProcessMemory
              C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:712
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx
            C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1936
              - Executes dropped EXE
              - Writes to the Master Boot Record (MBR)
              - Suspicious use of SetThreadContext
              - Modifies registry class
              C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1952
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Maps connected drives based on registry
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - System policy modification
                C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2064
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: EnumeratesProcesses
                  C:\Windows\windows\explorer.exe  C:\Windows\windows\explorer.exe  PID:2288
                    - Boot or Logon Autostart Execution: Active Setup
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Drops file in Windows directory
                    - Suspicious use of SetWindowsHookEx
            C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2548
              - Executes dropped EXE
              - Writes to the Master Boot Record (MBR)
              - Suspicious use of SetThreadContext
              - Modifies registry class
              C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2460
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Maps connected drives based on registry
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of SetWindowsHookEx
                - System policy modification
                C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2676
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: EnumeratesProcesses
                  C:\Windows\windows\explorer.exe  C:\Windows\windows\explorer.exe  PID:2704
                    - Boot or Logon Autostart Execution: Active Setup
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Drops file in Windows directory
                    - Suspicious use of SetWindowsHookEx
            C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1676
              - Executes dropped EXE
              - Writes to the Master Boot Record (MBR)
              - Suspicious use of SetThreadContext
              - Modifies registry class
              C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2216
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Maps connected drives based on registry
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx
                - System policy modification
                C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:336
                  - Executes dropped EXE
            C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1828
              - Executes dropped EXE
              - Writes to the Master Boot Record (MBR)
              - Suspicious use of SetThreadContext
              - Modifies registry class
              C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2000
                - Executes dropped EXE
                - Suspicious use of SetWindowsHookEx
            C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:600
              - Executes dropped EXE
              - Writes to the Master Boot Record (MBR)
              - Suspicious use of SetThreadContext
              - Modifies registry class
              C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:3060
                - Modifies firewall policy service
                - UAC bypass
                - Windows security bypass
                - Executes dropped EXE
                - Windows security modification
                - Checks whether UAC is enabled
                - Maps connected drives based on registry
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx
                - System policy modification
                C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2372
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: EnumeratesProcesses
                  C:\Windows\windows\explorer.exe  C:\Windows\windows\explorer.exe  PID:1600
                    - Boot or Logon Autostart Execution: Active Setup
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Drops file in Windows directory
                    - Suspicious use of SetWindowsHookEx
            C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2552
              - Executes dropped EXE
              - Writes to the Master Boot Record (MBR)
              - Suspicious use of SetThreadContext
              - Modifies registry class
              C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2512
                - Executes dropped EXE
                - Maps connected drives based on registry
                - Suspicious use of SetThreadContext
                - Suspicious use of SetWindowsHookEx
                C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1988
                  - Executes dropped EXE
                  - Suspicious use of SetThreadContext
                  - Suspicious behavior: EnumeratesProcesses
                  C:\Windows\windows\explorer.exe  C:\Windows\windows\explorer.exe  PID:2400
                    - Boot or Logon Autostart Execution: Active Setup
                    - Executes dropped EXE
                    - Adds Run key to start application
                    - Drops file in Windows directory
                    - Suspicious use of SetWindowsHookEx
            C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2224
              - Executes dropped EXE
              - Writes to the Master Boot Record (MBR)
              - Suspicious use of SetThreadContext
              - Modifies registry class
              C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1160
                - Executes dropped EXE
                - Maps connected drives based on registry
                - Suspicious use of SetWindowsHookEx
                C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1516
                  C:\Windows\windows\explorer.exe  C:\Windows\windows\explorer.exe  PID:1556
            C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1668
              C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1136
                C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1304
                  C:\Windows\windows\explorer.exe  C:\Windows\windows\explorer.exe  PID:2828
            C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2600
              C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2292
                C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2672
                  C:\Windows\windows\explorer.exe  C:\Windows\windows\explorer.exe  PID:2696
            C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1840
              C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2752
            C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1948
              C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1780
                C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:584
                  C:\Windows\windows\explorer.exe  C:\Windows\windows\explorer.exe  PID:968
            C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1236
              C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1096
                C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2404
                  C:\Windows\windows\explorer.exe  C:\Windows\windows\explorer.exe  PID:2996
            C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1376
              C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1760
            C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1624
              C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:2076
                C:\Windows\windows\explorer.exe  "C:\Windows\windows\explorer.exe"  PID:1012
                  C:\Windows\windows\explorer.exe  C:\Windows\windows\explorer.exe  PID:2712
C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:632
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (7)
  Pre-OS Boot (1)
    Bootkit (1)
Downloads
Filesize  257B
MD5  47ce8973a641ce030a4e451241ca566f
SHA1  1e9a42b046707808703a61929795f16ed5436a4b
SHA256  1a8734f559071d53528d7897542d9c95181abc60aa532a8baf40fb50b58d5ef8
SHA512  ffe2ee886eef3476c09759cd4a5af7fabd164470c046ca37714f8532b7ce18a859d5c9334cd2c66a34b4a5dcbedeccb3011be6b10f246270d8d549ec92d190f0

Filesize  100KB
MD5  3a7dcc7e7ddbcddef0e804d61dbf29d6
SHA1  027bd3b77e3956f1453876757f619c58c7b8b715
SHA256  07cc8cd052d2e9f5882ba48e1512c6c31bc18967191085cfdc2078184c6a98ef
SHA512  51c7954939d9e15cc9bbb2e4de7ee57415966a3d176b4564941577d22925a2387b0820fb8e59e8c403f551e31128cffc8abfb421ec266b32290b3e35421826ae

Filesize  827KB
MD5  07ff01a5981a62f881098f91c9d8dc2a
SHA1  05fcc7a610350324c40c9038db895f81efe1eb6f
SHA256  c8ceb7f27b3cedffabd4abaae3688b9b41d794f583ece6d7cb456a84f920aa8b
SHA512  2d70d118aee55051100485483724e194e9949e391d2420829288df9d362a59be1a26880ad419117f7f08d6b46c9754194110a177867976b40b7d1c217d499965