Analysis
max time kernel: 120s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/07/2024, 23:34
Behavioral task: behavioral1
Sample: 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Resource: win7-20240705-en
General
Target: 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Size: 2.2MB
MD5: 474327fa2851ff7c1abfd4dd70957c52
SHA1: cd98abe27b03e29506c0d9764c12c00d688f9197
SHA256: 46d16e9f32294d01a2aa828ee58c25c1ea433405dca074e54f595eceddf27498
SHA512: 04ac4c61c3d0144f29151592049e11dc41d618c575096213b3b0b817c874aa71e32cd33689ff9dab6d93b22ffd4298b9fcabe98b61003e0b8b715d2386dd7523
SSDEEP: 6144:xYZTNk3D6LyUXwLLk+cR3qh0GQ43VJRD0ewYfPDZyzaIfP/BanNXk4iMz9J:xSNC80I+cR3R03VsevfPDZ1IPJQ0f
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SSVICHOSST.exe" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Disables RegEdit via registry modification 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Disables Task Manager via registry modification
-
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\SSVICHOSST.exe" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Enumerates connected drives 3 TTPs 44 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
AutoIT Executable 4 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral2/memory/2916-32-0x0000000000400000-0x00000000004D4000-memory.dmp | autoit_exe
behavioral2/memory/2916-51-0x0000000000400000-0x00000000004D4000-memory.dmp | autoit_exe
behavioral2/memory/2916-73-0x0000000000400000-0x00000000004D4000-memory.dmp | autoit_exe
behavioral2/memory/2916-85-0x0000000000400000-0x00000000004D4000-memory.dmp | autoit_exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Drops file in System32 directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\SSVICHOSST.exe | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
File opened for modification | C:\Windows\SysWOW64\autorun.ini | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
File created | C:\Windows\SysWOW64\SSVICHOSST.exe | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
File created | C:\Windows\SSVICHOSST.exe | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
File opened for modification | C:\Windows\SSVICHOSST.exe | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Page_URL = "http://rnd009.googlepages.com/google.html" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Default_Search_URL = "http://rnd009.googlepages.com/google.html" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Search Page = "http://rnd009.googlepages.com/google.html" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\Software\Microsoft\Internet Explorer\Main | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Modifies Internet Explorer start page 1 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://rnd009.googlepages.com/google.html" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-464762018-485119342-1613148473-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://rnd009.googlepages.com/google.html" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe
Processes (image | command line | PID; indentation shows the parent/child tree, signatures listed under the process that triggered them)
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:796
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:804
- C:\Windows\system32\dwm.exe | "dwm.exe" | PID:64
- C:\Windows\system32\sihost.exe | sihost.exe | PID:2692
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2760
- C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3000
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3528
  - C:\Users\Admin\AppData\Local\Temp\474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\474327fa2851ff7c1abfd4dd70957c52_JaffaCakes118.exe" | PID:2916
    - Modifies WinLogon for persistence
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C AT /delete /yes | PID:4240
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\at.exe | AT /delete /yes | PID:3060
    - C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\SSVICHOSST.exe | PID:4072
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\at.exe | AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\SSVICHOSST.exe | PID:4960
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3656
- C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3856
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3952
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4020
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:1380
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4156
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4888
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2264
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:32
- C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:4572
- C:\Windows\system32\BackgroundTaskHost.exe | "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider | PID:840
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2296
- C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:5040
Network
MITRE ATT&CK Enterprise v15 (technique, then the number of matching signatures)
Persistence
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1
- Create or Modify System Process 1
  - Windows Service 1
Privilege Escalation
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Boot or Logon Autostart Execution 2
  - Registry Run Keys / Startup Folder 1
  - Winlogon Helper DLL 1
- Create or Modify System Process 1
  - Windows Service 1
Defense Evasion
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Impair Defenses 4
  - Disable or Modify System Firewall 1
  - Disable or Modify Tools 3
- Modify Registry 9
Downloads
-
Filesize 2.2MB
MD5 474327fa2851ff7c1abfd4dd70957c52
SHA1 cd98abe27b03e29506c0d9764c12c00d688f9197
SHA256 46d16e9f32294d01a2aa828ee58c25c1ea433405dca074e54f595eceddf27498
SHA512 04ac4c61c3d0144f29151592049e11dc41d618c575096213b3b0b817c874aa71e32cd33689ff9dab6d93b22ffd4298b9fcabe98b61003e0b8b715d2386dd7523
-
Filesize 109B
MD5 43b9dfd6e61eba0dda808ab0f5f966aa
SHA1 ffdca1842198d91dae7c98e862704ea80235894b
SHA256 de6a46a45c6fb7c6e3ef68bba4d706b2f398dc961fbdbd2b23a5067c5faff406
SHA512 40f1c2597ad182c5e4c2fd6e3bf63e5683f1f9acdd3021eaee5d7c20f39dfc525736bd73ad7955a770b23ce1eb419a3c346095b31573bb9aea9558fd07494981
-
Filesize 100KB
MD5 dcdb92e6497a01bdf9178391a3df30c4
SHA1 891bcfc19b972386bea2414524dbc9aaa47b6873
SHA256 3386c2debd3d85b5ddd30f58fcce8197acdd44ecd72e7ac482d732229ef2d344
SHA512 81043ba47283838dd373c9073c014aaff0c0d12080195b3a72d1e5339b57e75b93b6d97aa378247dfe78c9644425f6bb79bfb5a5991dea671d7fe3f6c5d5b3e6