Analysis
- max time kernel: 150s
- max time network: 138s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 12-07-2024 12:49
- Static task: static1
- Behavioral task: behavioral1
- Sample: 3d71e631c6d0c0be9b43a58fdd0a0b0f_JaffaCakes118.exe
- Resource: win7-20240704-en
General
- Target: 3d71e631c6d0c0be9b43a58fdd0a0b0f_JaffaCakes118.exe
- Size: 808KB
- MD5: 3d71e631c6d0c0be9b43a58fdd0a0b0f
- SHA1: 84975f32c155ae4f0429732610e79bfa0dfe22b4
- SHA256: 70ef9ecadb6950c33637b0aa98fdac2a9cb700e7a7c103efaddba6d8a96bca36
- SHA512: ff49bd9441b68bfb0d4c76d9dffe46a0ce1b98af133bef34c8dff2358338a0c66b1401cf07d7504d8990f9912cf4829b9c269f8868a387ab29a055da71ff58f0
- SSDEEP: 12288:GcyDz+j8zC/POs/RszSpabbs3JYNpYEzw8kY47hW6DgyPg7VjfAiABU:Gc2+ms5pavs+NpM9nXg79CU
Malware Config
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\32ed4225\\X" by Explorer.EXE
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by x276Ht.exe
- Set value (int): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" by qietaol.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Active Setup\Installed Components by explorer.exe
Disables taskbar notifications via registry modification
Deletes itself (1 IoC)
- PID 2576 cmd.exe
Executes dropped EXE (12 IoCs)
- 2156 x276Ht.exe
- 2772 qietaol.exe
- 2672 2xiv.exe
- 2028 2xiv.exe
- 2604 3xiv.exe
- 2880 4xiv.exe
- 332 csrss.exe
- 932 X
- 1620 3xiv.exe
- 2536 3xiv.exe
- 2512 5xiv.exe
- 112 200E.tmp
Loads dropped DLL (16 IoCs)
- 2080 3d71e631c6d0c0be9b43a58fdd0a0b0f_JaffaCakes118.exe (10 entries)
- 2156 x276Ht.exe (2 entries)
- 2880 4xiv.exe (2 entries)
- 2604 3xiv.exe (2 entries)
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
YARA rule matches (resource: rule)
- behavioral1/memory/2028-41-0x0000000000400000-0x000000000040E000-memory.dmp: upx
- behavioral1/memory/2028-50-0x0000000000400000-0x000000000040E000-memory.dmp: upx
- behavioral1/memory/2028-49-0x0000000000400000-0x000000000040E000-memory.dmp: upx
- behavioral1/memory/2028-48-0x0000000000400000-0x000000000040E000-memory.dmp: upx
- behavioral1/memory/2028-46-0x0000000000400000-0x000000000040E000-memory.dmp: upx
- behavioral1/memory/2028-43-0x0000000000400000-0x000000000040E000-memory.dmp: upx
- behavioral1/memory/2604-116-0x0000000000400000-0x000000000046B000-memory.dmp: upx
- behavioral1/memory/1620-119-0x0000000000400000-0x000000000046B000-memory.dmp: upx
- behavioral1/memory/2536-234-0x0000000000400000-0x000000000046B000-memory.dmp: upx
- behavioral1/memory/2604-394-0x0000000000400000-0x000000000046B000-memory.dmp: upx
- behavioral1/memory/2604-412-0x0000000000400000-0x000000000046B000-memory.dmp: upx
- behavioral1/memory/2604-421-0x0000000000400000-0x000000000046B000-memory.dmp: upx
Unexpected DNS network traffic destination (5 IoCs)
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
- Destination IP 31.193.3.240 (5 entries)
Adds Run key to start application (2 TTPs, 53 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\qietaol = "C:\\Users\\Admin\\qietaol.exe /<switch>" by qietaol.exe; 51 entries, one per switch: /T, /f, /Q, /V, /w, /B, /u, /b, /s, /d, /r, /K, /z, /k, /M, /F, /i, /h, /W, /P, /y, /X, /q, /a, /N, /c, /l, /e, /L, /G, /n, /Y, /v, /j, /R, /E, /m, /C, /A, /p, /J, /S, /Z, /x, /o, /I, /g, /t, /H, /U, /D
- Set value (str): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\qietaol = "C:\\Users\\Admin\\qietaol.exe /n" by x276Ht.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\66C.exe = "C:\\Program Files (x86)\\LP\\023C\\66C.exe" by 3xiv.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (2 IoCs)
- PID 2672 (2xiv.exe) set thread context of 2028, procid_target 33
- PID 2880 (4xiv.exe) set thread context of 1972, procid_target 48
Drops file in Program Files directory (3 IoCs)
- File created: C:\Program Files (x86)\LP\023C\66C.exe by 3xiv.exe
- File opened for modification: C:\Program Files (x86)\LP\023C\200E.tmp by 3xiv.exe
- File opened for modification: C:\Program Files (x86)\LP\023C\66C.exe by 3xiv.exe
Drops file in Windows directory (1 IoC)
- File opened for modification: \??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico by explorer.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Enumerates processes with tasklist (1 TTP, 2 IoCs)
- 2532 tasklist.exe
- 280 tasklist.exe
Modifies registry class (8 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21240613-e5f7-3097-7118-07a5e49ca0cc}\u = "188" by 4xiv.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{21240613-e5f7-3097-7118-07a5e49ca0cc}\cid = "11897384493224558550" by 4xiv.exe
- Key created: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_Classes\Local Settings by explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell by explorer.exe
- Key created: \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU by explorer.exe
- Set value (data): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots by explorer.exe
- Set value (data): \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff by explorer.exe
- Key created: \registry\machine\Software\Classes\Interface\{21240613-e5f7-3097-7118-07a5e49ca0cc} by 4xiv.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- 2156 x276Ht.exe (2 entries)
- 2028 2xiv.exe (26 entries)
- 2772 qietaol.exe (25 entries)
- 2604 3xiv.exe (6 entries)
- 2880 4xiv.exe (4 entries)
- 932 X (1 entry)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- 1120 explorer.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
- Token: SeDebugPrivilege, 2532 tasklist.exe
- Token: SeRestorePrivilege, 2396 msiexec.exe
- Token: SeTakeOwnershipPrivilege, 2396 msiexec.exe
- Token: SeSecurityPrivilege, 2396 msiexec.exe
- Token: SeDebugPrivilege, 2880 4xiv.exe (2 entries)
- Token: SeShutdownPrivilege, 1120 explorer.exe (12 entries)
- Token: 33, 2008 AUDIODG.EXE (2 entries)
- Token: SeIncBasePriorityPrivilege, 2008 AUDIODG.EXE (2 entries)
- Token: SeDebugPrivilege, 280 tasklist.exe
Suspicious use of FindShellTrayWindow (30 IoCs)
- 1204 Explorer.EXE (2 entries)
- 1120 explorer.exe (28 entries)
Suspicious use of SendNotifyMessage (19 IoCs)
- 1204 Explorer.EXE (2 entries)
- 1120 explorer.exe (17 entries)
Suspicious use of SetWindowsHookEx (5 IoCs)
- 2080 3d71e631c6d0c0be9b43a58fdd0a0b0f_JaffaCakes118.exe
- 2156 x276Ht.exe
- 2772 qietaol.exe
- 2672 2xiv.exe
- 2512 5xiv.exe
Suspicious use of UnmapMainImage (1 IoC)
- 332 csrss.exe
Suspicious use of WriteProcessMemory (64 IoCs)
- PID 2080 (3d71e631c6d0c0be9b43a58fdd0a0b0f_JaffaCakes118.exe) wrote to memory of 2156, procid_target 30 (4 entries)
- PID 2156 (x276Ht.exe) wrote to memory of 2772, procid_target 31 (4 entries)
- PID 2080 (3d71e631c6d0c0be9b43a58fdd0a0b0f_JaffaCakes118.exe) wrote to memory of 2672, procid_target 32 (4 entries)
- PID 2672 (2xiv.exe) wrote to memory of 2028, procid_target 33 (8 entries)
- PID 2156 (x276Ht.exe) wrote to memory of 2580, procid_target 34 (4 entries)
- PID 2580 (cmd.exe) wrote to memory of 2532, procid_target 36 (4 entries)
- PID 2080 (3d71e631c6d0c0be9b43a58fdd0a0b0f_JaffaCakes118.exe) wrote to memory of 2604, procid_target 37 (4 entries)
- PID 2772 (qietaol.exe) wrote to memory of 2532, procid_target 36 (2 entries)
- PID 2080 (3d71e631c6d0c0be9b43a58fdd0a0b0f_JaffaCakes118.exe) wrote to memory of 2880, procid_target 40 (4 entries)
- PID 2880 (4xiv.exe) wrote to memory of 1204, procid_target 21 (1 entry)
- PID 2880 (4xiv.exe) wrote to memory of 332, procid_target 2 (1 entry)
- PID 2880 (4xiv.exe) wrote to memory of 932, procid_target 41 (4 entries)
- PID 932 (X) wrote to memory of 1204, procid_target 21 (1 entry)
- PID 2604 (3xiv.exe) wrote to memory of 1620, procid_target 42 (4 entries)
- PID 332 (csrss.exe) wrote to memory of 608, procid_target 43 (1 entry)
- PID 2604 (3xiv.exe) wrote to memory of 2536, procid_target 44 (4 entries)
- PID 332 (csrss.exe) wrote to memory of 1936, procid_target 46 (1 entry)
- PID 2880 (4xiv.exe) wrote to memory of 1972, procid_target 48 (5 entries)
- PID 2080 (3d71e631c6d0c0be9b43a58fdd0a0b0f_JaffaCakes118.exe) wrote to memory of 2512, procid_target 50 (4 entries)
System policy modification (1 TTP, 2 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer by 3xiv.exe
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" by 3xiv.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (child processes are indented under their parent)

C:\Windows\system32\csrss.exe (PID 332)
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  - Executes dropped EXE
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory

C:\Windows\Explorer.EXE (PID 1204)
  Command line: C:\Windows\Explorer.EXE
  - Modifies WinLogon for persistence
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

  C:\Users\Admin\AppData\Local\Temp\3d71e631c6d0c0be9b43a58fdd0a0b0f_JaffaCakes118.exe (PID 2080)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3d71e631c6d0c0be9b43a58fdd0a0b0f_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\x276Ht.exe (PID 2156)
      Command line: C:\Users\Admin\x276Ht.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\qietaol.exe (PID 2772)
        Command line: "C:\Users\Admin\qietaol.exe"
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 2580)
        Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del x276Ht.exe
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\tasklist.exe (PID 2532)
          Command line: tasklist
          - Enumerates processes with tasklist
          - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\2xiv.exe (PID 2672)
      Command line: C:\Users\Admin\2xiv.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\2xiv.exe (PID 2028)
        Command line: "C:\Users\Admin\2xiv.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\3xiv.exe (PID 2604)
      Command line: C:\Users\Admin\3xiv.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification

      C:\Users\Admin\3xiv.exe (PID 1620)
        Command line: C:\Users\Admin\3xiv.exe startC:\Users\Admin\AppData\Roaming\C0198\5B602.exe%C:\Users\Admin\AppData\Roaming\C0198
        - Executes dropped EXE

      C:\Users\Admin\3xiv.exe (PID 2536)
        Command line: C:\Users\Admin\3xiv.exe startC:\Program Files (x86)\98811\lvvm.exe%C:\Program Files (x86)\98811
        - Executes dropped EXE

      C:\Program Files (x86)\LP\023C\200E.tmp (PID 112)
        Command line: "C:\Program Files (x86)\LP\023C\200E.tmp"
        - Executes dropped EXE

    C:\Users\Admin\4xiv.exe (PID 2880)
      Command line: C:\Users\Admin\4xiv.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\32ed4225\X (PID 932)
        Command line: *0*bc*5ae3ffd6*31.193.3.240:53
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\cmd.exe (PID 1972)
        Command line: "C:\Windows\system32\cmd.exe"

    C:\Users\Admin\5xiv.exe (PID 2512)
      Command line: C:\Users\Admin\5xiv.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx

    C:\Windows\SysWOW64\cmd.exe (PID 2576)
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 3d71e631c6d0c0be9b43a58fdd0a0b0f_JaffaCakes118.exe
      - Deletes itself

      C:\Windows\SysWOW64\tasklist.exe (PID 280)
        Command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe (PID 2396)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DllHost.exe (PID 608)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\explorer.exe (PID 1120)
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

C:\Windows\system32\DllHost.exe (PID 1936)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\system32\AUDIODG.EXE (PID 2008)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x5c8
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads