66981fa3d8142e9618cf04c32046e4b9e97da4afac7806acf0967b969499a96f

Analysis

max time kernel
148s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
03/07/2024, 12:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

225dcbe49a18bd2fe82b643d8587718b_JaffaCakes118.exe
Size

30KB
MD5

225dcbe49a18bd2fe82b643d8587718b
SHA1

2fa7eb0f5fcdd1ca485483ccc73364903f8ae9a2
SHA256

66981fa3d8142e9618cf04c32046e4b9e97da4afac7806acf0967b969499a96f
SHA512

ef21dbedf76ef9e367ee174c64db4a03e52dc410737fc01c0e5f19cf2fd9b44c51d45bf707fd6ac6237cce426d2ec7bd7e9e5cc081fe897d32e38f2d612dc4eb
SSDEEP

384:wv9j/XB736by+T9wQpZTvZoQiHoB6dLmdIum8FqXcfLc5IxmyOJJfzvasZEzlobr:wF5AyS3vZoBHoB6/uml6qLLihJTu7

Score

10^/10

evasion persistence privilege_escalation trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	225dcbe49a18bd2fe82b643d8587718b_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Trojan.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1344	netsh.exe
2540	netsh.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	Trojan.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5cd8f17f4086744065eb0992a09e05a2.exe	wscript.exe

Executes dropped EXE 1 IoCs

pid	Process
2972	Trojan.exe

Loads dropped DLL 4 IoCs

pid	Process
1960	225dcbe49a18bd2fe82b643d8587718b_JaffaCakes118.exe
1960	225dcbe49a18bd2fe82b643d8587718b_JaffaCakes118.exe
2704	wscript.exe
2704	wscript.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	Trojan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\5cd8f17f4086744065eb0992a09e05a2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Trojan.exe\" .."	wscript.exe

Checks whether UAC is enabled 1 TTPs 4 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	225dcbe49a18bd2fe82b643d8587718b_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Trojan.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Trojan.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	225dcbe49a18bd2fe82b643d8587718b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Modifies registry class 61 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\InprocServer32\0.0.0.0\RuntimeVersion = "v2.0.50727"	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Component Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}\0 = ".NET Category"	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ucpjpnayehw.ucpjpnayehw	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\InprocServer32\0.0.0.0\Assembly = "ucpjpnayehw, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\ProgId	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\ProgId	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ucpjpnayehw.ucpjpnayehw\CLSID	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\InprocServer32\0.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\ProgId\ = "ucpjpnayehw.ucpjpnayehw"	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\InprocServer32\0.0.0.0	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\InprocServer32	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\InprocServer32\0.0.0.0	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe"	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\InprocServer32	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\InprocServer32\RuntimeVersion = "v2.0.50727"	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ucpjpnayehw.A	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ucpjpnayehw.A\CLSID	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\InprocServer32\0.0.0.0	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\InprocServer32\0.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Temp/Trojan.exe"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\InprocServer32\Assembly = "ucpjpnayehw, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\Implemented Categories	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\InprocServer32	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ucpjpnayehw.ucpjpnayehw	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\InprocServer32\ = "mscoree.dll"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\InprocServer32\ThreadingModel = "Both"	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ucpjpnayehw.A\ = "ucpjpnayehw.A"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\InprocServer32\ = "mscoree.dll"	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ucpjpnayehw.A\CLSID	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\ProgId	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\Implemented Categories	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\InprocServer32\0.0.0.0\Assembly = "ucpjpnayehw, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\InprocServer32\Class = "ucpjpnayehw.ucpjpnayehw"	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\InprocServer32\ThreadingModel = "Both"	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\InprocServer32\0.0.0.0	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\ProgId	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ucpjpnayehw.ucpjpnayehw\CLSID\ = "{CF1F38C5-12E5-355D-B4FD-C350BEB92026}"	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ucpjpnayehw.ucpjpnayehw\CLSID	Trojan.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\InprocServer32	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ucpjpnayehw.A\CLSID\ = "{800D7B3B-3A7C-3A8E-B240-D3A510F33154}"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\InprocServer32\Assembly = "ucpjpnayehw, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\InprocServer32\0.0.0.0\Class = "ucpjpnayehw.ucpjpnayehw"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\InprocServer32\0.0.0.0\Class = "ucpjpnayehw.A"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\ = "ucpjpnayehw.ucpjpnayehw"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ucpjpnayehw.ucpjpnayehw\ = "ucpjpnayehw.ucpjpnayehw"	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ucpjpnayehw.A	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CF1F38C5-12E5-355D-B4FD-C350BEB92026}\Implemented Categories	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\InprocServer32\Class = "ucpjpnayehw.A"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\ProgId\ = "ucpjpnayehw.A"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\InprocServer32\0.0.0.0\RuntimeVersion = "v2.0.50727"	Trojan.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\Implemented Categories	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\ = "ucpjpnayehw.A"	Trojan.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{800D7B3B-3A7C-3A8E-B240-D3A510F33154}\InprocServer32\RuntimeVersion = "v2.0.50727"	Trojan.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	wscript.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2704	wscript.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2972	1960	225dcbe49a18bd2fe82b643d8587718b_JaffaCakes118.exe	28
PID 1960 wrote to memory of 2972	1960	225dcbe49a18bd2fe82b643d8587718b_JaffaCakes118.exe	28
PID 1960 wrote to memory of 2972	1960	225dcbe49a18bd2fe82b643d8587718b_JaffaCakes118.exe	28
PID 1960 wrote to memory of 2972	1960	225dcbe49a18bd2fe82b643d8587718b_JaffaCakes118.exe	28
PID 2972 wrote to memory of 1344	2972	Trojan.exe	29
PID 2972 wrote to memory of 1344	2972	Trojan.exe	29
PID 2972 wrote to memory of 1344	2972	Trojan.exe	29
PID 2972 wrote to memory of 1344	2972	Trojan.exe	29
PID 2972 wrote to memory of 2540	2972	Trojan.exe	30
PID 2972 wrote to memory of 2540	2972	Trojan.exe	30
PID 2972 wrote to memory of 2540	2972	Trojan.exe	30
PID 2972 wrote to memory of 2540	2972	Trojan.exe	30
PID 2972 wrote to memory of 2704	2972	Trojan.exe	33
PID 2972 wrote to memory of 2704	2972	Trojan.exe	33
PID 2972 wrote to memory of 2704	2972	Trojan.exe	33
PID 2972 wrote to memory of 2704	2972	Trojan.exe	33

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	225dcbe49a18bd2fe82b643d8587718b_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Trojan.exe

C:\Users\Admin\AppData\Local\Temp\225dcbe49a18bd2fe82b643d8587718b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\225dcbe49a18bd2fe82b643d8587718b_JaffaCakes118.exe"
1⤵
- UAC bypass
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1960
- C:\Users\Admin\AppData\Local\Temp\Trojan.exe
  "C:\Users\Admin\AppData\Local\Temp\Trojan.exe"
  2⤵
  - UAC bypass
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2972
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\Trojan.exe" "Trojan.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1344
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall add allowedprogram "C:\Windows\SysWOW64\wscript.exe" "wscript.exe" ENABLE
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2540
- - C:\Windows\SysWOW64\wscript.exe
    "C:\Windows\SysWOW64\wscript.exe" "C:\Users\Admin\AppData\Local\Temp\Trojan.vbe"
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Trojan.vbe

Filesize
54B

MD5
6a2361ccfff9cebc9016ae981cdc23a0

SHA1
b08899dbd2cfa1df8682ccc5723fc51856dc8457

SHA256
955b1f9ed7dfb9394d68118f6ee80beeab7548d09dde64724b146a4c0f9eede6

SHA512
f72070b5c383532112a4381a6819814626e22729eaa75cb5f3ab8887e642a2353da5c6862168543b0dbde3866b72ee73c7550a9b446b70833430b80f6288c6e3

Download Submit
\Users\Admin\AppData\Local\Temp\Trojan.exe

Filesize
30KB

MD5
225dcbe49a18bd2fe82b643d8587718b

SHA1
2fa7eb0f5fcdd1ca485483ccc73364903f8ae9a2

SHA256
66981fa3d8142e9618cf04c32046e4b9e97da4afac7806acf0967b969499a96f

SHA512
ef21dbedf76ef9e367ee174c64db4a03e52dc410737fc01c0e5f19cf2fd9b44c51d45bf707fd6ac6237cce426d2ec7bd7e9e5cc081fe897d32e38f2d612dc4eb

Download Submit
memory/1960-0-0x0000000074D61000-0x0000000074D62000-memory.dmp

Filesize
4KB

Download
memory/1960-1-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-2-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download
memory/1960-14-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-15-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download
memory/2972-20-0x0000000074D60000-0x000000007530B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads