phorphiex | 654a7085e77f0d09d8670c6c5ead85d9c59f8205f4e2e2cfa2f5002fec62fc52

General

Target

774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe
Size

23.2MB
MD5

774c8da38e2508dd73b56b33c3bea62b
SHA1

4d118194ed4b9ebcad837f9dcbb4c2c6d7d75039
SHA256

654a7085e77f0d09d8670c6c5ead85d9c59f8205f4e2e2cfa2f5002fec62fc52
SHA512

15064d605d7c4e7184aeba2d443f821629a5fa0113dc5e4203ca97864df954d1bcff1992abddba86f517479bfbc4ffa2df7ffa3432b13e7dfa9ba1a8a9c6b0d4
SSDEEP

393216:uqzoRzWy1upx+2foBNNWLlss+UCAMrhU5XCXxv8jydfZxzuZTJKTq57rPGkET1yI:Dmup2LNiy42hSCXxSypZxqfPz3ET1rR

Score

10^/10

phorphiex discovery evasion execution loader persistence trojan worm

Malware Config

Extracted

Family

phorphiex

C2

http://185.215.113.66/

http://77.91.77.92/

http://91.202.233.141/

Wallets

0xCa90599132C4D88907Bd8E046540284aa468a035

TRuGGXNDM1cavQ1AqMQHG8yfxP4QWVSMN6

qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

XryzFMFVpDUvU7famUGf214EXD3xNUSmQf

LLeT2zkStY3cvxMBFhoWXkG5VuZPoezduv

rwc4LVd9ABpULQ1CuCpDkgX2xVB1fUijyb

4AtjkCVKbtEC3UEN77SQHuH9i1XkzNiRi5VCbA2XGsJh46nJSXfGQn4GjLuupCqmC57Lo7LvKmFUyRfhtJSvKvuw3h9ReKK

15TssKwtjMtwy4vDLcLsQUZUD2B9f7eDjw85sBNVC5LRPPnC

17hgMFyLDwMjxWqw5GhijhnPdJDyFDqecY

ltc1qt0n3f0t7vz9k0mvcswk477shrxwjhf9sj5ykrp

3PMiLynrGVZ8oEqvoqC4hXD67B1WoALR4pc

3FerB8kUraAVGCVCNkgv57zTBjUGjAUkU3

DLUzwvyxN1RrwjByUPPzVMdfxNRPGVRMMA

t1J6GCPCiHW1eRdjJgDDu6b1vSVmL5U7Twh

stars125f3mw4xd9htpsq4zj5w5ezm5gags37yxxh6mj

bnb1epx67ne4vckqmaj4gwke8m322f4yjr6eh52wqw

bc1qmpkehfffkr6phuklsksnd7nhgx0369sxu772m3

bitcoincash:qph44jx8r9k5xeq5cuf958krv3ewrnp5vc6hhdjd3r

GBQJMXYXPRIWFMXIFJR35ZB7LRKMB4PHCIUAUFR3TKUL6RDBZVLZEUJ3

Attributes

mutex
x66x54x66x
user_agent
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36

Signatures

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

sysarddrvs.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" sysarddrvs.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4"	sysarddrvs.exe

Phorphiex payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\A47D.exe	family_phorphiex
C:\Users\Admin\AppData\Local\Temp\2104914083.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysarddrvs.exesylsplvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sylsplvc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4024 powershell.exe
Downloads MZ/PE file
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

pid	process
4024	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmpsysarddrvs.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation	sysarddrvs.exe

Executes dropped EXE 9 IoCs

Processes:

A47D.exe774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmpsylsplvc.exeGARunOnce.exe2104914083.exesysarddrvs.exe305267133.exe553921929.exe1744213705.exe

pid	process
2060	A47D.exe
4284	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
4428	sylsplvc.exe
2744	GARunOnce.exe
4644	2104914083.exe
1804	sysarddrvs.exe
2160	305267133.exe
4032	553921929.exe
3252	1744213705.exe

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

sysarddrvs.exesylsplvc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	sysarddrvs.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	sylsplvc.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesOverride = "1"	sylsplvc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

A47D.exe2104914083.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sylsplvc.exe"	A47D.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysarddrvs.exe"	2104914083.exe

Drops file in Windows directory 4 IoCs

Processes:

2104914083.exeA47D.exe

description	ioc	process
File opened for modification	C:\Windows\sysarddrvs.exe	2104914083.exe
File created	C:\Windows\sylsplvc.exe	A47D.exe
File opened for modification	C:\Windows\sylsplvc.exe	A47D.exe
File created	C:\Windows\sysarddrvs.exe	2104914083.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

4200 sc.exe
4072 sc.exe
4424 sc.exe
3772 sc.exe
1292 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4200	sc.exe
4072	sc.exe
4424	sc.exe
3772	sc.exe
1292	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exesc.exesc.exesc.exepowershell.exe305267133.exeA47D.exe2104914083.execmd.exesc.exe553921929.exe1744213705.exe774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmpsylsplvc.exesc.exe774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exeGARunOnce.exesysarddrvs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	305267133.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A47D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2104914083.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	553921929.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1744213705.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sylsplvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GARunOnce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysarddrvs.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4024 powershell.exe
4024 powershell.exe
Suspicious behavior: SetClipboardViewer 1 IoCs

Processes:

sysarddrvs.exe

pid process

1804 sysarddrvs.exe

pid	process
4024	powershell.exe
4024	powershell.exe

pid	process
1804	sysarddrvs.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

GARunOnce.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2744	GARunOnce.exe
Token: SeAuditPrivilege	2744	GARunOnce.exe
Token: SeSecurityPrivilege	2744	GARunOnce.exe
Token: SeTakeOwnershipPrivilege	2744	GARunOnce.exe
Token: SeManageVolumePrivilege	2744	GARunOnce.exe
Token: SeRestorePrivilege	2744	GARunOnce.exe
Token: SeBackupPrivilege	2744	GARunOnce.exe
Token: SeLoadDriverPrivilege	2744	GARunOnce.exe
Token: SeSystemEnvironmentPrivilege	2744	GARunOnce.exe
Token: SeDebugPrivilege	4024	powershell.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exeA47D.exe774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmpsylsplvc.exe2104914083.exesysarddrvs.execmd.execmd.exe

description	pid	process	target process
PID 336 wrote to memory of 2060	336	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	A47D.exe
PID 336 wrote to memory of 2060	336	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	A47D.exe
PID 336 wrote to memory of 2060	336	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	A47D.exe
PID 336 wrote to memory of 4284	336	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
PID 336 wrote to memory of 4284	336	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
PID 336 wrote to memory of 4284	336	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
PID 2060 wrote to memory of 4428	2060	A47D.exe	sylsplvc.exe
PID 2060 wrote to memory of 4428	2060	A47D.exe	sylsplvc.exe
PID 2060 wrote to memory of 4428	2060	A47D.exe	sylsplvc.exe
PID 4284 wrote to memory of 2744	4284	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp	GARunOnce.exe
PID 4284 wrote to memory of 2744	4284	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp	GARunOnce.exe
PID 4284 wrote to memory of 2744	4284	774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp	GARunOnce.exe
PID 4428 wrote to memory of 4644	4428	sylsplvc.exe	2104914083.exe
PID 4428 wrote to memory of 4644	4428	sylsplvc.exe	2104914083.exe
PID 4428 wrote to memory of 4644	4428	sylsplvc.exe	2104914083.exe
PID 4644 wrote to memory of 1804	4644	2104914083.exe	sysarddrvs.exe
PID 4644 wrote to memory of 1804	4644	2104914083.exe	sysarddrvs.exe
PID 4644 wrote to memory of 1804	4644	2104914083.exe	sysarddrvs.exe
PID 1804 wrote to memory of 4828	1804	sysarddrvs.exe	cmd.exe
PID 1804 wrote to memory of 4828	1804	sysarddrvs.exe	cmd.exe
PID 1804 wrote to memory of 4828	1804	sysarddrvs.exe	cmd.exe
PID 1804 wrote to memory of 864	1804	sysarddrvs.exe	cmd.exe
PID 1804 wrote to memory of 864	1804	sysarddrvs.exe	cmd.exe
PID 1804 wrote to memory of 864	1804	sysarddrvs.exe	cmd.exe
PID 4828 wrote to memory of 4024	4828	cmd.exe	powershell.exe
PID 4828 wrote to memory of 4024	4828	cmd.exe	powershell.exe
PID 4828 wrote to memory of 4024	4828	cmd.exe	powershell.exe
PID 864 wrote to memory of 1292	864	cmd.exe	sc.exe
PID 864 wrote to memory of 1292	864	cmd.exe	sc.exe
PID 864 wrote to memory of 1292	864	cmd.exe	sc.exe
PID 864 wrote to memory of 4200	864	cmd.exe	sc.exe
PID 864 wrote to memory of 4200	864	cmd.exe	sc.exe
PID 864 wrote to memory of 4200	864	cmd.exe	sc.exe
PID 864 wrote to memory of 4072	864	cmd.exe	sc.exe
PID 864 wrote to memory of 4072	864	cmd.exe	sc.exe
PID 864 wrote to memory of 4072	864	cmd.exe	sc.exe
PID 864 wrote to memory of 4424	864	cmd.exe	sc.exe
PID 864 wrote to memory of 4424	864	cmd.exe	sc.exe
PID 864 wrote to memory of 4424	864	cmd.exe	sc.exe
PID 864 wrote to memory of 3772	864	cmd.exe	sc.exe
PID 864 wrote to memory of 3772	864	cmd.exe	sc.exe
PID 864 wrote to memory of 3772	864	cmd.exe	sc.exe
PID 4428 wrote to memory of 2160	4428	sylsplvc.exe	305267133.exe
PID 4428 wrote to memory of 2160	4428	sylsplvc.exe	305267133.exe
PID 4428 wrote to memory of 2160	4428	sylsplvc.exe	305267133.exe
PID 1804 wrote to memory of 4032	1804	sysarddrvs.exe	553921929.exe
PID 1804 wrote to memory of 4032	1804	sysarddrvs.exe	553921929.exe
PID 1804 wrote to memory of 4032	1804	sysarddrvs.exe	553921929.exe
PID 1804 wrote to memory of 3252	1804	sysarddrvs.exe	1744213705.exe
PID 1804 wrote to memory of 3252	1804	sysarddrvs.exe	1744213705.exe
PID 1804 wrote to memory of 3252	1804	sysarddrvs.exe	1744213705.exe

C:\Users\Admin\AppData\Local\Temp\774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:336
- C:\Users\Admin\AppData\Local\Temp\A47D.exe
  "C:\Users\Admin\AppData\Local\Temp\A47D.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2060
- - C:\Windows\sylsplvc.exe
    C:\Windows\sylsplvc.exe
    3⤵
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4428
  - - C:\Users\Admin\AppData\Local\Temp\2104914083.exe
      C:\Users\Admin\AppData\Local\Temp\2104914083.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4644
    - - C:\Windows\sysarddrvs.exe
        
        C:\Windows\sysarddrvs.exe
        5⤵
        Modifies security service
        Windows security bypass
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        System Location Discovery: System Language Discovery
        Suspicious behavior: SetClipboardViewer
        Suspicious use of WriteProcessMemory
        
        PID:1804
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4024
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop UsoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1292
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop WaaSMedicSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4200
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop wuauserv
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop DoSvc
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop BITS
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3772
      - C:\Users\Admin\AppData\Local\Temp\553921929.exe
        
        C:\Users\Admin\AppData\Local\Temp\553921929.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4032
      - C:\Users\Admin\AppData\Local\Temp\1744213705.exe
        
        C:\Users\Admin\AppData\Local\Temp\1744213705.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3252
  - - C:\Users\Admin\AppData\Local\Temp\305267133.exe
      C:\Users\Admin\AppData\Local\Temp\305267133.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2160
- C:\Users\Admin\AppData\Local\Temp\is-EL0K0.tmp\774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-EL0K0.tmp\774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp" /SL5="$50116,23808793,140800,C:\Users\Admin\AppData\Local\Temp\774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Users\Admin\AppData\Local\Temp\is-T4MD4.tmp\GARunOnce.exe
    "C:\Users\Admin\AppData\Local\Temp\is-T4MD4.tmp\GARunOnce.exe" RunInstall|1|C:\Users\Admin\AppData\Local\Temp\is-T4MD4.tmp|std|aomei|pa|en
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Create or Modify System Process

2

T1543

Windows Service

2

T1543.003

Defense Evasion

Impair Defenses

3

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2104914083.exe

Filesize
79KB

MD5
a7f8236eb39605d51964bf50fd015332

SHA1
c627b0f52fa94bfefa7a7d17056f82f00737876c

SHA256
1b5b8d4000174658b280d11ce9143d60ac3db44b9885f35545c3b6c9aeb5ac13

SHA512
d4095d868abe76bf9b1f827a7a41ea9b4ea375e21ac68193927c1e82e60a8cdbc4fcd89b66aff883544bb8eec5f6e5542b7f732f605e22ce1822072908145442

Download Submit
C:\Users\Admin\AppData\Local\Temp\305267133.exe

Filesize
11KB

MD5
cafd277c4132f5d0f202e7ea07a27d5c

SHA1
72c8c16a94cce56a3e01d91bc1276dafc65b351d

SHA256
e5162fa594811f0f01fc76f4acbd9fe99b2265df9cfcbc346023f28775c19f1e

SHA512
7c87d1dec61b78e0f223e8f9fec019d96509813fa6d96129289aab00b2d6f05bf91fe1fafd680b7d9e746f4c2c8cbe48a3028bcaad479048d00d79a19f71b196

Download Submit
C:\Users\Admin\AppData\Local\Temp\553921929.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\A47D.exe

Filesize
79KB

MD5
1e8a2ed2e3f35620fb6b8c2a782a57f3

SHA1
e924ce6d147ecc8b30b7c7cad02e5c9ae09a743a

SHA256
3f16f4550826076b2c8cd7b392ee649aeb06740328658a2d30c3d2002c6b7879

SHA512
ce4dc7fdd7f81a7a127d650f9175292b287b4803d815d74b64a4e5125cff66224d75e7ecade1d9c0e42f870bdb49a78e9613b1a49675ab5bc098611b99b49ade

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zjito1dp.wfy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-EL0K0.tmp\774c8da38e2508dd73b56b33c3bea62b_JaffaCakes118.tmp

Filesize
1.4MB

MD5
d50a6bdcf37d093fc472fcbb6489069a

SHA1
d3f5d6892e4ce3018f8cf441021ace1d9a5b8732

SHA256
4252ef0ec82de8b6634f1b873cbd0a73193bd64dd49cf36f598940817835e10e

SHA512
8304e0211c2f6c96c3d5836175146a6f66a4deba32678e4da6df1715086c19ff6906f48621c472be0247ebd7f18851fc63f72d0657c6b686e1ae9d616c088a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T4MD4.tmp\GARunOnce.exe

Filesize
181KB

MD5
89ffb996d7a0bb9301bf4bb5599ec887

SHA1
5253dfdaae7f157a773fa1e445cdf6740a9fc014

SHA256
27aa98f58990d028dd6d3c80065ea387dae3cdff9daee5c703ff347e791ee2e8

SHA512
9acf5d5827a4de324b7a41ab89f608317c3c496ad6f45710dac9611364fbc943612c5ef706ceeab05b6b49cd8e16da89331671ac3525978c4d5dee8cfc550be7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-T4MD4.tmp\PartAssist.exe

Filesize
8.0MB

MD5
f2b1cd6484072ebc2e7e2edb5634e7c5

SHA1
5742c16f3177c88850e0a00186ce2f88875fc827

SHA256
963086b6cf5725d0749edda5d2cae4d29f617b89dc11ba8a8f0c04647fdef046

SHA512
c8192b8863d9d8ddd663a3e613c2fb4c7bf6a0fbdbc3ab3146b4935798b51c6268fb6dddde83c69749d5ea082843d31c4737ce9b0325fcd5a76e0b9d6b41ceb2

Download Submit
memory/336-6-0x0000000000400000-0x000000000042DDA0-memory.dmp

Filesize
183KB

Download
memory/336-9-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/336-43-0x0000000000400000-0x000000000042DDA0-memory.dmp

Filesize
183KB

Download
memory/336-69-0x0000000000400000-0x000000000042DDA0-memory.dmp

Filesize
183KB

Download
memory/4024-89-0x0000000005480000-0x00000000057D4000-memory.dmp

Filesize
3.3MB

Download
memory/4024-110-0x0000000006E20000-0x0000000006E2A000-memory.dmp

Filesize
40KB

Download
memory/4024-77-0x0000000004AB0000-0x0000000004AD2000-memory.dmp

Filesize
136KB

Download
memory/4024-78-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/4024-79-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/4024-72-0x0000000002490000-0x00000000024C6000-memory.dmp

Filesize
216KB

Download
memory/4024-116-0x00000000070D0000-0x00000000070D8000-memory.dmp

Filesize
32KB

Download
memory/4024-90-0x0000000005A80000-0x0000000005A9E000-memory.dmp

Filesize
120KB

Download
memory/4024-91-0x0000000005B10000-0x0000000005B5C000-memory.dmp

Filesize
304KB

Download
memory/4024-92-0x0000000006A00000-0x0000000006A32000-memory.dmp

Filesize
200KB

Download
memory/4024-93-0x000000006FB40000-0x000000006FB8C000-memory.dmp

Filesize
304KB

Download
memory/4024-103-0x0000000006A40000-0x0000000006A5E000-memory.dmp

Filesize
120KB

Download
memory/4024-104-0x0000000006A70000-0x0000000006B13000-memory.dmp

Filesize
652KB

Download
memory/4024-115-0x00000000070F0000-0x000000000710A000-memory.dmp

Filesize
104KB

Download
memory/4024-108-0x0000000007450000-0x0000000007ACA000-memory.dmp

Filesize
6.5MB

Download
memory/4024-109-0x0000000006DD0000-0x0000000006DEA000-memory.dmp

Filesize
104KB

Download
memory/4024-73-0x0000000004C00000-0x0000000005228000-memory.dmp

Filesize
6.2MB

Download
memory/4024-111-0x0000000007030000-0x00000000070C6000-memory.dmp

Filesize
600KB

Download
memory/4024-112-0x0000000006FC0000-0x0000000006FD1000-memory.dmp

Filesize
68KB

Download
memory/4024-113-0x0000000006FF0000-0x0000000006FFE000-memory.dmp

Filesize
56KB

Download
memory/4024-114-0x0000000007000000-0x0000000007014000-memory.dmp

Filesize
80KB

Download
memory/4284-44-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/4284-68-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download
memory/4284-14-0x0000000000400000-0x0000000000579000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads