sality | f81ff37c86e302b80b85a566a5801a99958acc1fc4ddc08d08c04d3a34b1ca7a

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	BaTurajA v7.0.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	BaTurajA v7.0.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	BaTurajA v7.0.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 1 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BaTurajA v7.0.exe

Windows security bypass 2 TTPs 6 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	BaTurajA v7.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	BaTurajA v7.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	BaTurajA v7.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	BaTurajA v7.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	BaTurajA v7.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	BaTurajA v7.0.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	4314d785cea1470e12518301d08c1d79_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
4624	BaTurajA v7.0.exe

UPX packed file 37 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4624-19-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-27-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-36-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-41-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-30-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-47-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-42-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-28-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-48-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-29-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-62-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-63-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-88-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-94-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-104-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-168-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-171-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-176-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-177-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-196-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-197-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-213-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-216-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-220-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-222-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-223-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-225-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-231-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-232-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-234-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-238-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-239-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-251-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-252-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-254-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-256-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx
behavioral2/memory/4624-259-0x0000000002AC0000-0x0000000003B7A000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	BaTurajA v7.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	BaTurajA v7.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	BaTurajA v7.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	BaTurajA v7.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	BaTurajA v7.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	BaTurajA v7.0.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	BaTurajA v7.0.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

System Information Discovery

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BaTurajA v7.0.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\X:	BaTurajA v7.0.exe
File opened (read-only)	\??\Y:	BaTurajA v7.0.exe
File opened (read-only)	\??\O:	BaTurajA v7.0.exe
File opened (read-only)	\??\P:	BaTurajA v7.0.exe
File opened (read-only)	\??\U:	BaTurajA v7.0.exe
File opened (read-only)	\??\R:	BaTurajA v7.0.exe
File opened (read-only)	\??\M:	BaTurajA v7.0.exe
File opened (read-only)	\??\S:	BaTurajA v7.0.exe
File opened (read-only)	\??\W:	BaTurajA v7.0.exe
File opened (read-only)	\??\I:	BaTurajA v7.0.exe
File opened (read-only)	\??\K:	BaTurajA v7.0.exe
File opened (read-only)	\??\L:	BaTurajA v7.0.exe
File opened (read-only)	\??\J:	BaTurajA v7.0.exe
File opened (read-only)	\??\N:	BaTurajA v7.0.exe
File opened (read-only)	\??\Q:	BaTurajA v7.0.exe
File opened (read-only)	\??\T:	BaTurajA v7.0.exe
File opened (read-only)	\??\V:	BaTurajA v7.0.exe
File opened (read-only)	\??\E:	BaTurajA v7.0.exe
File opened (read-only)	\??\G:	BaTurajA v7.0.exe
File opened (read-only)	\??\H:	BaTurajA v7.0.exe
File opened (read-only)	\??\Z:	BaTurajA v7.0.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	BaTurajA v7.0.exe
File opened for modification	F:\autorun.inf	BaTurajA v7.0.exe

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	BaTurajA v7.0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	BaTurajA v7.0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	BaTurajA v7.0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	BaTurajA v7.0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	BaTurajA v7.0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	BaTurajA v7.0.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	BaTurajA v7.0.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	BaTurajA v7.0.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	BaTurajA v7.0.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	BaTurajA v7.0.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	BaTurajA v7.0.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\e575ed9	BaTurajA v7.0.exe
File opened for modification	C:\Windows\SYSTEM.INI	BaTurajA v7.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4404	msedge.exe
4404	msedge.exe
4076	msedge.exe
4076	msedge.exe
3144	msedge.exe
3144	msedge.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4872	identity_helper.exe
4872	identity_helper.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe
3060	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe
Token: SeDebugPrivilege	4624	BaTurajA v7.0.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe
3144	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4624	BaTurajA v7.0.exe
4624	BaTurajA v7.0.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 4624	628	4314d785cea1470e12518301d08c1d79_JaffaCakes118.exe	86
PID 628 wrote to memory of 4624	628	4314d785cea1470e12518301d08c1d79_JaffaCakes118.exe	86
PID 628 wrote to memory of 4624	628	4314d785cea1470e12518301d08c1d79_JaffaCakes118.exe	86
PID 4624 wrote to memory of 792	4624	BaTurajA v7.0.exe	8
PID 4624 wrote to memory of 800	4624	BaTurajA v7.0.exe	9
PID 4624 wrote to memory of 388	4624	BaTurajA v7.0.exe	13
PID 4624 wrote to memory of 3052	4624	BaTurajA v7.0.exe	51
PID 4624 wrote to memory of 3112	4624	BaTurajA v7.0.exe	52
PID 4624 wrote to memory of 3152	4624	BaTurajA v7.0.exe	53
PID 4624 wrote to memory of 3356	4624	BaTurajA v7.0.exe	55
PID 4624 wrote to memory of 3540	4624	BaTurajA v7.0.exe	57
PID 4624 wrote to memory of 3720	4624	BaTurajA v7.0.exe	58
PID 4624 wrote to memory of 3812	4624	BaTurajA v7.0.exe	59
PID 4624 wrote to memory of 3880	4624	BaTurajA v7.0.exe	60
PID 4624 wrote to memory of 3984	4624	BaTurajA v7.0.exe	61
PID 4624 wrote to memory of 3140	4624	BaTurajA v7.0.exe	62
PID 4624 wrote to memory of 1048	4624	BaTurajA v7.0.exe	74
PID 4624 wrote to memory of 2856	4624	BaTurajA v7.0.exe	76
PID 4624 wrote to memory of 4768	4624	BaTurajA v7.0.exe	80
PID 4624 wrote to memory of 5056	4624	BaTurajA v7.0.exe	81
PID 4624 wrote to memory of 628	4624	BaTurajA v7.0.exe	82
PID 4624 wrote to memory of 628	4624	BaTurajA v7.0.exe	82
PID 4624 wrote to memory of 3576	4624	BaTurajA v7.0.exe	84
PID 4624 wrote to memory of 1032	4624	BaTurajA v7.0.exe	85
PID 4624 wrote to memory of 3144	4624	BaTurajA v7.0.exe	87
PID 4624 wrote to memory of 3144	4624	BaTurajA v7.0.exe	87
PID 3144 wrote to memory of 3024	3144	msedge.exe	88
PID 3144 wrote to memory of 3024	3144	msedge.exe	88
PID 4624 wrote to memory of 3964	4624	BaTurajA v7.0.exe	89
PID 4624 wrote to memory of 3964	4624	BaTurajA v7.0.exe	89
PID 3964 wrote to memory of 2372	3964	msedge.exe	90
PID 3964 wrote to memory of 2372	3964	msedge.exe	90
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91
PID 3144 wrote to memory of 440	3144	msedge.exe	91

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	BaTurajA v7.0.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:800

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:388

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:3052

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3112

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3152

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3356
- C:\Users\Admin\AppData\Local\Temp\4314d785cea1470e12518301d08c1d79_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4314d785cea1470e12518301d08c1d79_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\~sfx0055108380\BaTurajA v7.0.exe
    "C:\Users\Admin\AppData\Local\Temp\~sfx0055108380\BaTurajA v7.0.exe"
    3⤵
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cheaterbaturaja.blogspot.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3144
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb99dc46f8,0x7ffb99dc4708,0x7ffb99dc4718
        5⤵
        
        PID:3024
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,266772498597103973,17445164024792563801,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
        5⤵
        
        PID:440
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,266772498597103973,17445164024792563801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,266772498597103973,17445164024792563801,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
        5⤵
        
        PID:2688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,266772498597103973,17445164024792563801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        5⤵
        
        PID:408
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,266772498597103973,17445164024792563801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
        5⤵
        
        PID:2192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,266772498597103973,17445164024792563801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
        5⤵
        
        PID:1256
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,266772498597103973,17445164024792563801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
        5⤵
        
        PID:3608
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,266772498597103973,17445164024792563801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
        5⤵
        
        PID:3464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,266772498597103973,17445164024792563801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
        5⤵
        
        PID:4436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,266772498597103973,17445164024792563801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
        5⤵
        
        PID:5000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,266772498597103973,17445164024792563801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4872
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,266772498597103973,17445164024792563801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2588 /prefetch:1
        5⤵
        
        PID:3868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,266772498597103973,17445164024792563801,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
        5⤵
        
        PID:4676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,266772498597103973,17445164024792563801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
        5⤵
        
        PID:924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,266772498597103973,17445164024792563801,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
        5⤵
        
        PID:5000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,266772498597103973,17445164024792563801,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5060 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://cheaterbaturaja.blogspot.com/
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3964
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb99dc46f8,0x7ffb99dc4708,0x7ffb99dc4718
        5⤵
        
        PID:2372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,11878185895188537226,3905858646982146807,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
        5⤵
        
        PID:1524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,11878185895188537226,3905858646982146807,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3540

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3720

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3880

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3984

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3140

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1048

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2856

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4768

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:5056

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3576

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:1032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4672

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3012

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery