metasploit | 6908443c51099ce928f43971c833de4066a8a4b302ea2af92f690eb68cd6e025

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	unwise_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	unwise_.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	unwise_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	unwise_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	unwise_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	unwise_.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	unwise_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	unwise_.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	unwise_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	unwise_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	unwise_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	unwise_.exe

Modifies Windows Firewall 2 TTPs 7 IoCs

evasion

Windows Service

persistence privilege_escalation

Disable or Modify System Firewall

T1562.004

pid	Process
5072	netsh.exe
4976	netsh.exe
1344	netsh.exe
3012	netsh.exe
2996	netsh.exe
3860	netsh.exe
4248	netsh.exe

Deletes itself 1 IoCs

pid	Process
4052	unwise_.exe

Executes dropped EXE 1 IoCs

pid	Process
4052	unwise_.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	unwise_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	unwise_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	unwise_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	unwise_.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\unwise_.exe	2fecd87948f115c4aad324f544e24d97_JaffaCakes118.exe
File opened for modification	C:\Windows\Fonts\unwise_.exe	2fecd87948f115c4aad324f544e24d97_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	unwise_.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	unwise_.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	unwise_.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings	unwise_.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server = "65534"	unwise_.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer = "65534"	unwise_.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	unwise_.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	unwise_.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: 33	552	2fecd87948f115c4aad324f544e24d97_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	552	2fecd87948f115c4aad324f544e24d97_JaffaCakes118.exe
Token: 33	4052	unwise_.exe
Token: SeIncBasePriorityPrivilege	4052	unwise_.exe
Token: SeBackupPrivilege	4052	unwise_.exe
Token: SeSecurityPrivilege	4052	unwise_.exe
Token: SeSecurityPrivilege	4052	unwise_.exe
Token: SeBackupPrivilege	4052	unwise_.exe
Token: SeSecurityPrivilege	4052	unwise_.exe
Token: SeBackupPrivilege	4052	unwise_.exe
Token: SeSecurityPrivilege	4052	unwise_.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4052 wrote to memory of 3012	4052	unwise_.exe	87
PID 4052 wrote to memory of 3012	4052	unwise_.exe	87
PID 4052 wrote to memory of 3012	4052	unwise_.exe	87
PID 4052 wrote to memory of 2996	4052	unwise_.exe	89
PID 4052 wrote to memory of 2996	4052	unwise_.exe	89
PID 4052 wrote to memory of 2996	4052	unwise_.exe	89
PID 4052 wrote to memory of 3860	4052	unwise_.exe	91
PID 4052 wrote to memory of 3860	4052	unwise_.exe	91
PID 4052 wrote to memory of 3860	4052	unwise_.exe	91
PID 4052 wrote to memory of 4248	4052	unwise_.exe	93
PID 4052 wrote to memory of 4248	4052	unwise_.exe	93
PID 4052 wrote to memory of 4248	4052	unwise_.exe	93
PID 4052 wrote to memory of 5072	4052	unwise_.exe	95
PID 4052 wrote to memory of 5072	4052	unwise_.exe	95
PID 4052 wrote to memory of 5072	4052	unwise_.exe	95
PID 4052 wrote to memory of 4976	4052	unwise_.exe	97
PID 4052 wrote to memory of 4976	4052	unwise_.exe	97
PID 4052 wrote to memory of 4976	4052	unwise_.exe	97
PID 4052 wrote to memory of 1344	4052	unwise_.exe	99
PID 4052 wrote to memory of 1344	4052	unwise_.exe	99
PID 4052 wrote to memory of 1344	4052	unwise_.exe	99

C:\Users\Admin\AppData\Local\Temp\2fecd87948f115c4aad324f544e24d97_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2fecd87948f115c4aad324f544e24d97_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:552

C:\Windows\Fonts\unwise_.exe
"C:\Windows\Fonts\unwise_.exe"
1⤵
- Modifies firewall policy service
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Windows security modification
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4052
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" firewall set portopening TCP 445 NB
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:3012
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" firewall set portopening TCP 139 NB
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2996
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" firewall set portopening TCP 1013 BS
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:3860
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" firewall set portopening TCP 9999 PORT1
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:4248
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" firewall set portopening TCP 9991 PORT2
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:5072
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Windows\Fonts\unwise_.exe" workstation ENABLE ALL
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:4976
- C:\Windows\SysWOW64\netsh.exe
  "C:\Windows\System32\netsh.exe" firewall set allowedprogram "C:\Windows\Fonts\unwise_.exe" workstation ENABLE ALL
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:1344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

4

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

System Information Discovery