52ee340152fd8b2aed4497ce08434c437d8b1fb455751897f192577f35545353

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	services.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	services.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

Disable or Modify System Firewall

T1562.004

pid	Process
2188	netsh.exe

Executes dropped EXE 1 IoCs

pid	Process
2936	services.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	services.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

persistence privilege_escalation

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\file.bat	658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe
File created	C:\Windows\services.exe	658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe
File opened for modification	C:\Windows\services.exe	658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe
File created	C:\Windows\file.bat	services.exe
File created	C:\Windows\services.exe	services.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Desktop	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Desktop\id = "678526651511"	services.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3294248377-1418901787-4083263181-1000\Software\Microsoft\Internet Explorer\Desktop\host = "66.96.248.21"	services.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2684	2956	658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe	30
PID 2956 wrote to memory of 2684	2956	658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe	30
PID 2956 wrote to memory of 2684	2956	658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe	30
PID 2956 wrote to memory of 2684	2956	658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe	30
PID 2956 wrote to memory of 2936	2956	658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe	32
PID 2956 wrote to memory of 2936	2956	658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe	32
PID 2956 wrote to memory of 2936	2956	658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe	32
PID 2956 wrote to memory of 2936	2956	658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe	32
PID 2936 wrote to memory of 2808	2936	services.exe	33
PID 2936 wrote to memory of 2808	2936	services.exe	33
PID 2936 wrote to memory of 2808	2936	services.exe	33
PID 2936 wrote to memory of 2808	2936	services.exe	33
PID 2936 wrote to memory of 2840	2936	services.exe	35
PID 2936 wrote to memory of 2840	2936	services.exe	35
PID 2936 wrote to memory of 2840	2936	services.exe	35
PID 2936 wrote to memory of 2840	2936	services.exe	35
PID 2840 wrote to memory of 2188	2840	cmd.exe	37
PID 2840 wrote to memory of 2188	2840	cmd.exe	37
PID 2840 wrote to memory of 2188	2840	cmd.exe	37
PID 2840 wrote to memory of 2188	2840	cmd.exe	37

C:\Users\Admin\AppData\Local\Temp\658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\658074f0770a6be10048e0c00d4a56af_JaffaCakes118.exe"
1⤵
- Windows security bypass
- Windows security modification
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Windows\SysWOW64\cmd.exe
  cmd /c "file.bat"
  2⤵
  PID:2684
- C:\Windows\services.exe
  C:\Windows\services.exe
  2⤵
  - Modifies security service
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - Adds Run key to start application
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "file.bat"
    3⤵
    PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "file.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\netsh.exe
      netsh firewall set opmode DISABLE
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

3

T1562

Disable or Modify System Firewall