50bf98c9a85bfa379c856dffef58be08f611629337678e1c7ee5707558d3ba3d

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
16-07-2024 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
Size

1.2MB
MD5

4db04be99e086c9e900408032a8ff320
SHA1

c11fd112f65387ed321995e9dff4be648654d585
SHA256

50bf98c9a85bfa379c856dffef58be08f611629337678e1c7ee5707558d3ba3d
SHA512

20ab6f51030cc0433479c3b9db5df4f94373f80d7db0e1235dbef2e68e69f9fd984573706a2c6ea00d74cc000bcc0f401b85ea2b1c8d8a3652c9af85f07ed166
SSDEEP

24576:9j8+cC/jlWT1qOhNfxBogmGqfc0Fb7qBbzEYAtqI:P7QT13XxBogIckw3E7qI

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Executes dropped EXE 1 IoCs

pid	Process
1984	advanceddefender.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\advanceddefender = "C:\\Program Files (x86)\\Advanced Defender\\advanceddefender.exe"	advanceddefender.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\advanceddefender = "C:\\Program Files (x86)\\Advanced Defender\\advanceddefender.exe"	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 33 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Offline Web Pages\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.19041.1_none_4b0e6b545bf0f4e7\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondocuments_31bf3856ad364e35_10.0.19041.1_none_04c252e5678f305a\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..i-accessibilityuser_31bf3856ad364e35_10.0.19041.1_none_19358785a81a86d6\Desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-accessoriesuser_31bf3856ad364e35_10.0.19041.1_none_d9f53b39b3834744\Desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-maintenanceuser_31bf3856ad364e35_10.0.19041.1_none_bbf8ad8ff53c9b5b\Desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-commonvideos_31bf3856ad364e35_10.0.19041.1_none_923716ddadd939c8\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme2\Desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commondownloads_31bf3856ad364e35_10.0.19041.1_none_a914e3e3f19ceda1\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme2_31bf3856ad364e35_10.0.19041.1_none_8ccaf9c8444b9274\Desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-commonstartmenu_31bf3856ad364e35_10.0.19041.1_none_f6eee8789c1c6fdd\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-programfilesx86_31bf3856ad364e35_10.0.19041.1_none_3870d3554f39ac78\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonpictures_31bf3856ad364e35_10.0.19041.1_none_36436b821c9e7209\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commondesktop_31bf3856ad364e35_10.0.19041.1_none_a81a33274fb1b624\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.423_none_7c917c97525f1487\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..2-kf-commonprograms_31bf3856ad364e35_10.0.19041.1_none_047fa97bc9873117\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..32-kf-commonstartup_31bf3856ad364e35_10.0.19041.1_none_b2014b56ea660ec9\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-programfiles_31bf3856ad364e35_10.0.19041.1_none_cb8c8caad1a2ad44\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-public_31bf3856ad364e35_10.0.19041.1_none_0cf1a65e91dfb2be\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_10.0.19041.1_none_905c6a851ca62951\Desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_10.0.19041.1_none_be359f0533764571\Desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell-wallpaper-theme1_31bf3856ad364e35_10.0.19041.1_none_8ccb1090444b78d3\Desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-fontext_31bf3856ad364e35_10.0.19041.1_none_5476a60692fad199\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.0.19041.1_none_2108f0881e5a7a03\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_10.0.19041.1_none_d69cbb4282e4fe2c\Desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-maintenance_31bf3856ad364e35_10.0.19041.1_none_148b41803c849a3c\Desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..l32-kf-userprofiles_31bf3856ad364e35_10.0.19041.1_none_39d6d106c6f70bec\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-shell32-kf-commonmusic_31bf3856ad364e35_10.0.19041.1_none_2f07a4cad3dec315\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..-kf-publiclibraries_31bf3856ad364e35_10.0.19041.1_none_cbd9ad4986c925d5\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..kf-commonadmintools_31bf3856ad364e35_10.0.19041.1_none_0b090bb5ae01dd1a\desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_10.0.19041.1_none_a208296858c76413\Desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_10.0.19041.1_none_345e4e1d2701732b\Desktop.ini	advanceddefender.exe
File opened for modification	C:\Windows\Web\Wallpaper\Theme1\Desktop.ini	advanceddefender.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-s..ccessagent-binaries_31bf3856ad364e35_10.0.19041.1_none_3802d0d85b60df4c\autorun.inf	advanceddefender.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winscent.exe	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\regedit.exe	advanceddefender.exe
File opened for modification	C:\Windows\SysWOW64\12520437.cpx	advanceddefender.exe
File opened for modification	C:\Windows\SysWOW64\12520850.cpx	advanceddefender.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Advanced Defender\base.wdb	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
File created	C:\Program Files (x86)\Advanced Defender\baseadd.wdb	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
File created	C:\Program Files (x86)\Advanced Defender\conf.wcf	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
File created	C:\Program Files (x86)\Advanced Defender\quarant.wdb	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
File created	C:\Program Files (x86)\Advanced Defender\advanceddefender.exe	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Advanced Defender\advanceddefender.exe	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
File created	C:\Program Files (x86)\Advanced Defender\queue.wdb	advanceddefender.exe
File opened for modification	C:\Program Files (x86)\Advanced Defender\conf.wcf	advanceddefender.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-hbaapi_31bf3856ad364e35_10.0.19041.1_none_ff04ba67127d59fe\hbaapi.mof	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wlangpclient_31bf3856ad364e35_10.0.19041.488_none_96754d2c2f87291c\f\wlgpclnt.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-sxs.resources_31bf3856ad364e35_10.0.19041.1_de-de_fed16582364dbe4b\SxsMigPlugin.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-usermodepowerservice_31bf3856ad364e35_10.0.19041.207_none_3c300852ab214f81\umpo.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_multimedia-voiceactivationmanager_31bf3856ad364e35_10.0.19041.1_none_9721e0df62caa10d\VoiceActivationManager.dll	advanceddefender.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.S0f8e494c#\6d056f3fff70a663755a1120dd61d6e3\Microsoft.Security.ApplicationId.PolicyManagement.PolicyModel.ni.dll.aux	advanceddefender.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\es\System.Data.OracleClient.resources.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-security-passport-adm_31bf3856ad364e35_10.0.19041.1202_none_b31c5934486d66bd\f\Passport.admx	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-wdf-kernellibrary_31bf3856ad364e35_10.0.19041.1151_none_eb232d49d315b9a6\WdfLdr.sys	advanceddefender.exe
File opened for modification	C:\Windows\IME\it-IT\SpTip.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..ionbroker.resources_31bf3856ad364e35_10.0.19041.1_de-de_8ec9765e41f28cc8\ncbservice.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-rasbase-rascustom_31bf3856ad364e35_10.0.19041.1202_none_6dddb24371ed0da6\f\rascustom.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-oleacc_31bf3856ad364e35_10.0.19041.746_none_52d2b2ecb593c243\oleacchooks.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_netmyk64.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_5cfca4d9c9d6cdcb\netmyk64.inf_loc	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_sensorsservicedriver.inf.resources_31bf3856ad364e35_10.0.19041.1_es-es_75234bc42cc6cddf\SensorsServiceDriver.inf_loc	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-w..lient-aux.resources_31bf3856ad364e35_10.0.19041.1266_en-us_2d9ea7f6426cfa21\f\wuapi.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..ado15-rll.resources_31bf3856ad364e35_10.0.19041.1_it-it_9f777a5df319b339\msader15.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..otect-dll.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_815d1715608b02d5\mskeyprotect.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..iprovider.resources_31bf3856ad364e35_10.0.19041.1_it-it_875f4001f3d72962\tsallow.mfl	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-v..ption-adm.resources_31bf3856ad364e35_10.0.19041.1_de-de_1f25759dca92a9e7\VolumeEncryption.adml	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx4-aspnet_webadmin_users_b03f5f7f11d50a3a_4.0.15805.0_none_cd2cf0af757e55d5\addUser.aspx	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-accountscontrol-api_31bf3856ad364e35_10.0.19041.264_none_5a976f2c1dd607f3\f\Windows.AccountsControl.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-l..fessional.resources_31bf3856ad364e35_10.0.19041.1266_en-us_b7f76c18d260859b\license.rtf	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..nifests-onecorebase_31bf3856ad364e35_10.0.19041.1_none_db4b554de350e1e9\CommandPrompt-DL.man	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..d-library.resources_31bf3856ad364e35_10.0.19041.1_es-es_6ae4d7bcf65e6d70\Windows.UI.PicturePassword.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-s..rformance.resources_31bf3856ad364e35_10.0.19041.1_en-us_50fc38b2da301716\SensorPerformanceEvents.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-ui-pcshell_31bf3856ad364e35_10.0.19041.1_none_ca8fc1d1562cc0bb\DefaultLayouts.xml	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-m..nsors-cpl.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_6fbe430910427f9f\SensorsCpl.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..ommunicationsupport_31bf3856ad364e35_10.0.19041.1023_none_8fc3cb26a8d2f9a1\f\bidispl.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_system.web.dynamicdata.design.resources_31bf3856ad364e35_4.0.15805.0_ja-jp_eec39a6a04258800\System.Web.DynamicData.Design.resources.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\msil_microsoft.powershel..admanager.resources_31bf3856ad364e35_10.0.19041.1_it-it_2508733df92d5493\Microsoft.PowerShell.DSC.FileDownloadManager.Resources.dll	advanceddefender.exe
File opened for modification	C:\Windows\assembly\NativeImages_v4.0.30319_32\Microsoft.Sb6a1f1bc#\81091ae499b2593b4e8a4b012e6a7c1b\Microsoft.Security.ApplicationId.PolicyManagement.XmlHelper.ni.dll	advanceddefender.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-e..mogrifier.resources_31bf3856ad364e35_10.0.19041.1_de-de_9cbe9e262a309dda\TransmogProvider.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-video-tvvideocontrol_31bf3856ad364e35_10.0.19041.746_none_cca9952be1e84d95\f\MSVidCtl.dll	advanceddefender.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Policy.1.0.Microsoft.PowerShell.Commands.Management\v4.0_1.0.0.0__31bf3856ad364e35\Policy.1.0.Microsoft.Powershell.Commands.Management.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-e..ent-winrt.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_d0e1c631d2f073f2\Windows.Internal.Management.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-i..er-engine.resources_31bf3856ad364e35_10.0.19041.906_he-il_0be8f8db96d74140\msimsg.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\x86_microsoft-windows-ie-htmleditingsupport_31bf3856ad364e35_11.0.19041.1_none_813173590c008f5d\mshtmler.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-a..es-interface-router_31bf3856ad364e35_10.0.19041.746_none_35ef5174dd58720c\activeds.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_cht4vx64.inf.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_92f51e2d3a1cb43a\cht4vx64.inf_loc	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-d..gement-dmwappushsvc_31bf3856ad364e35_10.0.19041.1_none_05a0fa60217a6408\dmwappushsvc.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-t..erver-adm.resources_31bf3856ad364e35_10.0.19041.1_it-it_b5ed54b0fe7db897\TerminalServer-Server.adml	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_dual_vdrvroot.inf_31bf3856ad364e35_10.0.19041.1_none_71f587fed09ddb69\vdrvroot.inf	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-c...appxmain.resources_31bf3856ad364e35_10.0.19041.1_it-it_a1d08746c3a1aeff\resources.it-IT.pri	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-lpksetup.resources_31bf3856ad364e35_10.0.19041.1_fr-fr_2e67d1b881f71aa7\lpremove.exe.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-sensors-core.resources_31bf3856ad364e35_10.0.19041.1_en-us_5e24f9054e519d93\SensorService.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework.resources\v4.0_4.0.0.0_fr_31bf3856ad364e35\PresentationFramework.resources.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-p..ns-platform-library_31bf3856ad364e35_10.0.19041.844_none_648bdd4ee187c820\f\wpncore.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-t..s-clientactivexcore_31bf3856ad364e35_10.0.19041.153_none_182e20ad58e31e3f\mstscax.dll	advanceddefender.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Data.Entity.Build.Tasks.resources\v4.0_4.0.0.0_es_b03f5f7f11d50a3a\Microsoft.Data.Entity.Build.Tasks.resources.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_wcf-comsvcconfig_b03f5f7f11d50a3a_10.0.19041.1_none_3f67a7384812df13\ComSvcConfig.exe	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-c..-migregdb.resources_31bf3856ad364e35_10.0.19041.1_de-de_d806fe0506954399\MigRegDB.exe.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-c..gureexpandedstorage_31bf3856ad364e35_10.0.19041.746_none_84c290480ca1cf56\f\ConfigureExpandedStorage.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-cmi_31bf3856ad364e35_10.0.19041.1_none_5fbf57cbf9e86514\cmiv2.dll	advanceddefender.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\Help.adml	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-deskmon.resources_31bf3856ad364e35_10.0.19041.1_es-es_cb64e17e9bb320e2\deskmon.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_netfx4-mscordacwks_dll_b03f5f7f11d50a3a_4.0.15805.110_none_ded4e985aec3950d\mscordacwks.dll	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-t..tservices.resources_31bf3856ad364e35_10.0.19041.1_de-de_28b6d49a2d1d5124\TipTsf.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-msmpeg2enc_31bf3856ad364e35_10.0.19041.1_none_bf2ea6e9e55dbc76\MSMPEG2ENC.DLL	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-mtffuzzyds.resources_31bf3856ad364e35_10.0.19041.1_ja-jp_fb5b883689b88538\MTFFuzzyDS.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft-windows-n..meworkapi.resources_31bf3856ad364e35_10.0.19041.1_es-es_06ecbcdf7471666b\ndfapi.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\WinSxS\wow64_microsoft-windows-i..rolviewer.resources_31bf3856ad364e35_11.0.19041.1_it-it_235614bcc5610e0e\occache.dll.mui	advanceddefender.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Presentation.resources\v4.0_4.0.0.0_fr_b77a5c561934e089\System.Windows.Presentation.resources.dll	advanceddefender.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3020	1984	WerFault.exe	87
2444	3604	WerFault.exe	82

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
1984	advanceddefender.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
Token: SeSecurityPrivilege	3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
Token: SeSecurityPrivilege	1984	advanceddefender.exe
Token: SeSecurityPrivilege	1984	advanceddefender.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
1984	advanceddefender.exe
1984	advanceddefender.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
1984	advanceddefender.exe
3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
1984	advanceddefender.exe
1984	advanceddefender.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4576	3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe	86
PID 3604 wrote to memory of 4576	3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe	86
PID 3604 wrote to memory of 4576	3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe	86
PID 3604 wrote to memory of 1984	3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe	87
PID 3604 wrote to memory of 1984	3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe	87
PID 3604 wrote to memory of 1984	3604	4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4db04be99e086c9e900408032a8ff320_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\tempfile2.bat
  2⤵
  PID:4576
- C:\Program Files (x86)\Advanced Defender\advanceddefender.exe
  "C:\Program Files (x86)\Advanced Defender\advanceddefender.exe" /checkoff
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1984
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 688
    3⤵
    - Program crash
    PID:3020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 840
  2⤵
  - Program crash
  PID:2444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1984 -ip 1984
1⤵
PID:1132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3604 -ip 3604
1⤵
PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Advanced Defender\advanceddefender.exe

Filesize
1.2MB

MD5
4db04be99e086c9e900408032a8ff320

SHA1
c11fd112f65387ed321995e9dff4be648654d585

SHA256
50bf98c9a85bfa379c856dffef58be08f611629337678e1c7ee5707558d3ba3d

SHA512
20ab6f51030cc0433479c3b9db5df4f94373f80d7db0e1235dbef2e68e69f9fd984573706a2c6ea00d74cc000bcc0f401b85ea2b1c8d8a3652c9af85f07ed166

Download Submit
C:\Program Files (x86)\Advanced Defender\base.wdb

Filesize
1KB

MD5
59335c59d8fcf6d32141fe2248a0e55c

SHA1
bf76410ad84c45d2862a73c59b84506a86d3a8aa

SHA256
8404905f19f09a31e7b4b6b5beb15806b331628fe7bb2a7c49b84d547d152a2a

SHA512
d356bc3a59b22f7079ce6193f8364c84862a064241b9693067149039d7fdfa584d9cf5ed5d746c5b7dfae0dc47a71b11d1cc3c588545ec4331c828c464b73720

Download Submit
C:\Program Files (x86)\Advanced Defender\baseadd.wdb

Filesize
4KB

MD5
bed2a01a650fe3ae32f50475deeacea0

SHA1
3a375714d7668fd59c0ebc0ae617e92747022d38

SHA256
d524eca33d09d63261bba96a8ea8dc44d51a1050900877570c0d2b6db06982e1

SHA512
3581b56fe2097f1226377e80a93c195da0fb101e1c8a232f82563fea7f3d23bcef8e3a2a4b0e6f253dc6ef3209d04c6bf8c54c9c7e9d331ae996097271d005e2

Download Submit
C:\Program Files (x86)\Advanced Defender\conf.wcf

Filesize
274B

MD5
e3682a2ac8e0fff8de885e8e437ef2d0

SHA1
75272358b8f4e5ffeacc871d755a76e6b9a322f4

SHA256
6ffdfaf3f77a28636baef2249224ebcfb7e7c724f9865e5fbfa21d14d1aa9e1d

SHA512
6944cdbb764ef77c5eaab2a8ce7b521502db2ab734c42ba30352a87dfc6f43c80eaffd58768a073f9afa053ca08a324e1ae2f26ba1eafec403845b70f467584d

Download Submit
C:\ProgramData\Microsoft PData\track.wid

Filesize
5B

MD5
f5dffc111454b227fbcdf36178dfe6ac

SHA1
b27b41feecc0a5a45ad1bfa42765474174d5e09e

SHA256
e162e30a5a4c1e44a7e04fca063c296001f26636ecf384701ae17849a4f83b11

SHA512
274e9140efa22910ddd95d78419ed693c1fd63678829a26553f7047727455b3bbdf9278d2ad3ccdaf5d51413309b0c28a8b66e519c3dec027d9cc9f4370380ff

Download Submit
C:\Windows\certofsystem.exe

Filesize
46KB

MD5
8738bab505367e09789e91a02337986b

SHA1
66e8432e8abc68480eae65a6a64bea6a1476c267

SHA256
d3c805fe5223d9501d95e536bb8749e8516489a0726cd88116d8d8c096595dc2

SHA512
29e384f3f442e9bce5c3d34e15e24323297dd51f08f5788300693220def444772d0fbff67b44fe10375ceca670baa13af59443b761fe750f84ba2580e9f2a8ab

Download Submit
C:\Windows\explorers.exe

Filesize
32KB

MD5
c9a582438d3851a6572cfa75a567e7c8

SHA1
551904c8b909d5339a7d0f6a4f53b3431b3191c4

SHA256
41797d750884ddf699a1ee1c1aa6545e13a1467d10c60463532b51214d2fe871

SHA512
8ad278f7a6303a86a79acb8c62db6e05ec55494504ad121777ffa2a6639922122da9c58bf4f9c3d66b819269a67e656fcae3348e09e9b2b2fed0673d44d0e422

Download Submit
C:\Windows\microsoftdefend.dll

Filesize
18KB

MD5
a8d2dde23081e085216413450ce9ecea

SHA1
7b197e51cd59bb130fdd701516ce3890fb4ab9c8

SHA256
ca8cccee3f4f6cba169bb565da220aac7de6655912079c04152be8f85fe7aae7

SHA512
c8469e1737392f6a2f252f9dd87f18c676b27d813f1934ac42548736bb958f0ac0a5a73c9e995e39e3c30485e0fd51d2048f9a1e97d984cc58f5d359d6a5723c

Download Submit
C:\Windows\regp.exe

Filesize
37KB

MD5
405e6e5c06c3e0be8be6aaab679521ef

SHA1
e0e2073db72f5d383594f17875e9277e09deb1ea

SHA256
8172ad8a3c77b2faedc7bc768ee659f1c08245c654e8b38f5e206853de4926b0

SHA512
972e227dc7b6c3af500dc80dced1e2c75667deb04910a700ae5531d98c6f35859b86d60f55967fef8cbe6317c54d92f67a12f627b01940eb727cc02be463cdfe

Download Submit
C:\Windows\secureit.com

Filesize
27KB

MD5
863ffbc9e055cc974843de1191f42309

SHA1
9219331e2eb3ef20d6bf1f016f46c4519ccb47bf

SHA256
7bda0d24bd7a6f2d867164a8a1cb55f2166e5e4bb45dd91ed2e83edc5c9a05f5

SHA512
113cb64ddd19ad30bd095056d8c136cef87503ebaf25bdb471e77c2dbe6f542781931ca9fc2ab07e0f41623fe3711077a3fc3794c0ba183611779dd30aeeeee5

Download Submit
C:\Windows\spoos.exe

Filesize
49KB

MD5
ebb8481b89265cb919f382583fd42992

SHA1
f68e99afdc465a400d33b9cd173960196d3ce3df

SHA256
9fd1091fd169951603ec82621e248df359943b2a5f9b9f5c0983a6eb559ea065

SHA512
14cf5ef015a77d3c95c2154d96dea764c83732856a4825f99ef14769578eb168114365f8b4aadeaa98f450de758eefb8cfd81b0700a7ee129cbe2bf4839a2209

Download Submit
C:\Windows\tempfile2.bat

Filesize
230B

MD5
6d546c66dc4a9ebbf9ee656ab14b8702

SHA1
69f001790fd92862a363d806e3a64c356b451c7a

SHA256
2a0a09deb7e35ecbfc5dd174009dbf580a150815f8d1e0e31c35a17582cea7f4

SHA512
7ea8427100f68a8aa239cfca50ae529bf99f499f52c4a69fbe2a1b140c2ecad0cbbcd4e4b671e154401c86c1111bd44ab67e87d126ee1c524e04a8f96f3036e5

Download Submit
memory/1984-37-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-54-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-24-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-23-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-70-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-32-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-68-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-36-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-66-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-22-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-21-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-64-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-62-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-60-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-58-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-46-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-47-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-49-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-52-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-25-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/1984-56-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/3604-1-0x000000000075C000-0x0000000000882000-memory.dmp

Filesize
1.1MB

Download
memory/3604-2-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/3604-3-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/3604-4-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/3604-0-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download
memory/3604-34-0x000000000075C000-0x0000000000882000-memory.dmp

Filesize
1.1MB

Download
memory/3604-31-0x0000000000400000-0x000000000088B000-memory.dmp

Filesize
4.5MB

Download