152998d31d6a6fac7ccd42c3774b6b0d91ecd6372e22fafb764141582edb0aec

Analysis

max time kernel
148s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Size

933KB
MD5

4119ff924422b22aa2386ca1fa070398
SHA1

ddebba8d44ee16fcf3c19d71e3e5315dfd4c4bad
SHA256

152998d31d6a6fac7ccd42c3774b6b0d91ecd6372e22fafb764141582edb0aec
SHA512

f3fa0e92908d9c4ec38a5f142339033376f3513dc3865523eefcd39532740aeb9f58735752da560825a47f522404f088cd1c66939045c61836ff1e1b3bc67818
SSDEEP

24576:+X8FJ9gwvKpTbh29cWJU3QNIPGgogK9Ps3RIQ2:MK9vipHh29cWJUg2GgogK9PshI/

Score

10^/10

evasion persistence spyware stealer upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 10 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\winsearch.exe = "C:\\Users\\Admin\\AppData\\Roaming\\winsearch.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\winsearch.exe"	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0B3EBB2-89F2-73A9-FBAD-CE6ABB1DE3FA}	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{F0B3EBB2-89F2-73A9-FBAD-CE6ABB1DE3FA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\winsearch.exe"	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{F0B3EBB2-89F2-73A9-FBAD-CE6ABB1DE3FA}	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{F0B3EBB2-89F2-73A9-FBAD-CE6ABB1DE3FA}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\winsearch.exe"	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	TS_Kilu.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation	winservice.exe

Executes dropped EXE 2 IoCs

pid	Process
2508	TS_Kilu.exe
3396	winservice.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/932-8-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-11-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-14-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-23-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-24-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-39-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-43-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-44-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-48-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-50-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-54-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-58-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-68-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-75-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-78-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-81-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-88-0x0000000000400000-0x000000000045D000-memory.dmp	upx
behavioral2/memory/932-91-0x0000000000400000-0x000000000045D000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\winsearch.exe"	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender = "C:\\Users\\Admin\\AppData\\Roaming\\winsearch.exe"	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winservice.exe = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsService\\winservice.exe\""	WScript.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2424 set thread context of 932	2424	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	87

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\bearshare\shared\	winservice.exe
File created	C:\Program Files (x86)\grokster\my grokster\	winservice.exe
File created	C:\Program Files (x86)\kazaa\my shared folder\	winservice.exe
File created	C:\Program Files (x86)\limewire\shared\	winservice.exe
File created	C:\Program Files (x86)\tesla\files\	winservice.exe
File created	C:\Program Files (x86)\winmx\shared\	winservice.exe
File created	C:\Program Files (x86)\edonkey2000\incoming\	winservice.exe
File created	C:\Program Files (x86)\icq\shared folder\	winservice.exe
File created	C:\Program Files (x86)\morpheus\my shared folder\	winservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000_Classes\Local Settings	winservice.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
4576	reg.exe
2936	reg.exe
4968	reg.exe
1200	reg.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2508	TS_Kilu.exe
2508	TS_Kilu.exe
2508	TS_Kilu.exe
2508	TS_Kilu.exe
3396	winservice.exe
3396	winservice.exe
3396	winservice.exe
3396	winservice.exe
3396	winservice.exe
3396	winservice.exe
3396	winservice.exe
3396	winservice.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

description	pid	Process
Token: 1	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeTcbPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeSecurityPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeSystemtimePrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeBackupPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeRestorePrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeShutdownPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeDebugPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeAuditPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeUndockPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeManageVolumePrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeImpersonatePrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: 31	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: 32	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: 33	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: 34	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: 35	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
Token: SeDebugPrivilege	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 2508	2424	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	86
PID 2424 wrote to memory of 2508	2424	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	86
PID 2424 wrote to memory of 2508	2424	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	86
PID 2424 wrote to memory of 932	2424	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	87
PID 2424 wrote to memory of 932	2424	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	87
PID 2424 wrote to memory of 932	2424	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	87
PID 2424 wrote to memory of 932	2424	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	87
PID 2424 wrote to memory of 932	2424	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	87
PID 2424 wrote to memory of 932	2424	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	87
PID 2424 wrote to memory of 932	2424	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	87
PID 2424 wrote to memory of 4164	2424	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	88
PID 2424 wrote to memory of 4164	2424	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	88
PID 2424 wrote to memory of 4164	2424	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	88
PID 932 wrote to memory of 756	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	90
PID 932 wrote to memory of 756	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	90
PID 932 wrote to memory of 756	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	90
PID 932 wrote to memory of 2740	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	91
PID 932 wrote to memory of 2740	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	91
PID 932 wrote to memory of 2740	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	91
PID 932 wrote to memory of 4772	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	92
PID 932 wrote to memory of 4772	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	92
PID 932 wrote to memory of 4772	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	92
PID 932 wrote to memory of 1484	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	93
PID 932 wrote to memory of 1484	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	93
PID 932 wrote to memory of 1484	932	4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe	93
PID 2508 wrote to memory of 3396	2508	TS_Kilu.exe	98
PID 2508 wrote to memory of 3396	2508	TS_Kilu.exe	98
PID 2508 wrote to memory of 3396	2508	TS_Kilu.exe	98
PID 4772 wrote to memory of 4968	4772	cmd.exe	99
PID 4772 wrote to memory of 4968	4772	cmd.exe	99
PID 4772 wrote to memory of 4968	4772	cmd.exe	99
PID 1484 wrote to memory of 1200	1484	cmd.exe	100
PID 1484 wrote to memory of 1200	1484	cmd.exe	100
PID 1484 wrote to memory of 1200	1484	cmd.exe	100
PID 2740 wrote to memory of 2936	2740	cmd.exe	101
PID 2740 wrote to memory of 2936	2740	cmd.exe	101
PID 2740 wrote to memory of 2936	2740	cmd.exe	101
PID 756 wrote to memory of 4576	756	cmd.exe	102
PID 756 wrote to memory of 4576	756	cmd.exe	102
PID 756 wrote to memory of 4576	756	cmd.exe	102
PID 3396 wrote to memory of 524	3396	winservice.exe	103
PID 3396 wrote to memory of 524	3396	winservice.exe	103
PID 3396 wrote to memory of 524	3396	winservice.exe	103

C:\Users\Admin\AppData\Local\Temp\4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\TS_Kilu.exe
  "C:\Users\Admin\AppData\Local\Temp\TS_Kilu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2508
- - C:\Users\Admin\AppData\Roaming\WindowsService\winservice.exe
    "C:\Users\Admin\AppData\Roaming\WindowsService\winservice.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3396
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Autorun.vbs"
      4⤵
      Adds Run key to start application
      PID:524
- C:\Users\Admin\AppData\Local\Temp\4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe
  2⤵
  - Adds policy Run key to start application
  - Boot or Logon Autostart Execution: Active Setup
  - Adds Run key to start application
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:4576
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\4119ff924422b22aa2386ca1fa070398_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4772
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:4968
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winsearch.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winsearch.exe:*:Enabled:Windows Messanger" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\winsearch.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\winsearch.exe:*:Enabled:Windows Messanger" /f
      4⤵
      Modifies firewall policy service
      Modifies registry key
      PID:1200
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UGIANGKO.BAT" "
  2⤵
  - Enumerates connected drives
  PID:4164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Autorun.vbs

Filesize
260B

MD5
cf1ca1b74460d6bf92e8c682a5025380

SHA1
aff97a56ba33f8bb26f49f3cef68c1736b835db8

SHA256
8e0c527f497a3551eddf69931af4c317ae6e74938792497772bb0092af9d38a8

SHA512
e9205c864ec6ae4050bb9dd26eb287ee6a0e3ddba4d19a9957e02c23a511b9eb33a0170c8ef3f98c765685ffac3a8a1bf4aded2603af55e99c5a835bece49fbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TS_Kilu.exe

Filesize
692KB

MD5
0a2a5fd8c430bce33ba7f856a6829ff5

SHA1
7fc5d3555f1dd12afa88a5d1a2a0b66f0e0b8905

SHA256
e65aad8079b6594e2aa22db56eca8af0542abad6b66b7e1130f517faf04ab569

SHA512
e94ed436d0171cbfea4f6221b3aa7c4bc8b2bd8e187c3edf2c8f4d2eadeb3b80dfe4f8aa1819ef2da2c65605086ec5a461c1ff2dfea3ca760934e93af44288da

Download Submit
C:\Users\Admin\AppData\Local\Temp\UGIANGKO.BAT

Filesize
339B

MD5
30552806e90d94ce4300dfc7d41222c4

SHA1
b9e84f9ed240975cd2a403f96694dbe030de977f

SHA256
ec506e02eaf6fa433c8c7d78c45ac7f7f3837c471bb3af13aaba0802e69bc094

SHA512
8ff399bc17c75bcae6bb56088f6f88fee91311e8f879656eb054cb1f583917e9d8c5f03fdf44b5912dec660d1d1ee04349ccbe612e46b9b65cbeaa755922eaa5

Download Submit
memory/932-43-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-39-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-91-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-75-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-23-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-24-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-11-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-14-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-8-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-68-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-88-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-78-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-44-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-48-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-50-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-81-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-54-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/932-58-0x0000000000400000-0x000000000045D000-memory.dmp

Filesize
372KB

Download
memory/2424-0-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2424-21-0x0000000000400000-0x00000000004EE000-memory.dmp

Filesize
952KB

Download
memory/2508-34-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/2508-19-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3396-67-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3396-61-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3396-53-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/3396-42-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download