sality | bff61a91ce28a7dbd727861fa4082fbd41d0d95f886117cc3841e30e9d81e44d

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe"	userinit.exe

Modifies firewall policy service 3 TTPs 27 IoCs

evasion

Modify Registry

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	userinit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	userinit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	userinit.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 9 IoCs

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	userinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe

Windows security bypass 2 TTPs 54 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	userinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	userinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	userinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	userinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	userinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	userinit.exe

Disables RegEdit via registry modification 9 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	system.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	userinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	system.exe

Disables Task Manager via registry modification
evasion

Deletes itself 1 IoCs

pid	Process
2276	userinit.exe

Executes dropped EXE 19 IoCs

pid	Process
2276	userinit.exe
2764	system.exe
1480	system.exe
2004	system.exe
2948	system.exe
1048	system.exe
1188	system.exe
2340	system.exe
2416	system.exe
1104	system.exe
2664	system.exe
780	system.exe
2916	system.exe
2432	system.exe
1504	system.exe
340	system.exe
1700	system.exe
932	system.exe
1680	system.exe

Loads dropped DLL 36 IoCs

pid	Process
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe
2276	userinit.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2384-7-0x0000000000990000-0x0000000001A1E000-memory.dmp	upx
behavioral1/memory/2384-12-0x0000000000990000-0x0000000001A1E000-memory.dmp	upx
behavioral1/memory/2384-3-0x0000000000990000-0x0000000001A1E000-memory.dmp	upx
behavioral1/memory/2384-14-0x0000000000990000-0x0000000001A1E000-memory.dmp	upx
behavioral1/memory/2384-10-0x0000000000990000-0x0000000001A1E000-memory.dmp	upx
behavioral1/memory/2384-5-0x0000000000990000-0x0000000001A1E000-memory.dmp	upx
behavioral1/memory/2384-13-0x0000000000990000-0x0000000001A1E000-memory.dmp	upx
behavioral1/memory/2384-8-0x0000000000990000-0x0000000001A1E000-memory.dmp	upx
behavioral1/memory/2384-50-0x0000000000990000-0x0000000001A1E000-memory.dmp	upx
behavioral1/memory/2384-51-0x0000000000990000-0x0000000001A1E000-memory.dmp	upx
behavioral1/memory/2384-49-0x0000000000990000-0x0000000001A1E000-memory.dmp	upx
behavioral1/memory/2384-6-0x0000000000990000-0x0000000001A1E000-memory.dmp	upx
behavioral1/memory/2764-77-0x0000000000740000-0x00000000017CE000-memory.dmp	upx
behavioral1/memory/2764-81-0x0000000000740000-0x00000000017CE000-memory.dmp	upx
behavioral1/memory/2764-80-0x0000000000740000-0x00000000017CE000-memory.dmp	upx
behavioral1/memory/2764-79-0x0000000000740000-0x00000000017CE000-memory.dmp	upx
behavioral1/memory/2764-83-0x0000000000740000-0x00000000017CE000-memory.dmp	upx
behavioral1/memory/2764-90-0x0000000000740000-0x00000000017CE000-memory.dmp	upx
behavioral1/memory/2764-96-0x0000000000740000-0x00000000017CE000-memory.dmp	upx
behavioral1/memory/2764-85-0x0000000000740000-0x00000000017CE000-memory.dmp	upx
behavioral1/memory/2764-84-0x0000000000740000-0x00000000017CE000-memory.dmp	upx
behavioral1/memory/2764-91-0x0000000000740000-0x00000000017CE000-memory.dmp	upx
behavioral1/memory/2764-86-0x0000000000740000-0x00000000017CE000-memory.dmp	upx
behavioral1/memory/2764-82-0x0000000000740000-0x00000000017CE000-memory.dmp	upx
behavioral1/memory/1480-114-0x00000000006A0000-0x000000000172E000-memory.dmp	upx
behavioral1/memory/1480-140-0x00000000006A0000-0x000000000172E000-memory.dmp	upx

Windows security modification 2 TTPs 63 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	userinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	userinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	userinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	userinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	userinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	system.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	userinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	userinit.exe

Checks whether UAC is enabled 1 TTPs 9 IoCs

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	userinit.exe

Enumerates connected drives 3 TTPs 8 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	userinit.exe
File opened (read-only)	\??\E:	userinit.exe
File opened (read-only)	\??\G:	userinit.exe
File opened (read-only)	\??\H:	userinit.exe
File opened (read-only)	\??\I:	userinit.exe
File opened (read-only)	\??\J:	userinit.exe
File opened (read-only)	\??\K:	userinit.exe
File opened (read-only)	\??\L:	userinit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\system.exe	userinit.exe
File opened for modification	C:\Windows\SysWOW64\system.exe	userinit.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\userinit.exe	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
File created	C:\Windows\kdcoms.dll	userinit.exe
File opened for modification	C:\Windows\SYSTEM.INI	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
File created	C:\Windows\userinit.exe	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	userinit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	system.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
2276	userinit.exe
2276	userinit.exe
2764	system.exe
2764	system.exe
2276	userinit.exe
1480	system.exe
1480	system.exe
2276	userinit.exe
2004	system.exe
2276	userinit.exe
2948	system.exe
2948	system.exe
2276	userinit.exe
1048	system.exe
1048	system.exe
2276	userinit.exe
1188	system.exe
1188	system.exe
2276	userinit.exe
2340	system.exe
2276	userinit.exe
2416	system.exe
2416	system.exe
2276	userinit.exe
2276	userinit.exe
1104	system.exe
2276	userinit.exe
2664	system.exe
2276	userinit.exe
780	system.exe
2276	userinit.exe
2916	system.exe
2276	userinit.exe
2432	system.exe
2276	userinit.exe
1504	system.exe
2276	userinit.exe
340	system.exe
2276	userinit.exe
1700	system.exe
2276	userinit.exe
932	system.exe
2276	userinit.exe
2276	userinit.exe
1680	system.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	1188	system.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe
Token: SeDebugPrivilege	2276	userinit.exe

Suspicious use of SetWindowsHookEx 40 IoCs

pid	Process
2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
2276	userinit.exe
2276	userinit.exe
2764	system.exe
2764	system.exe
1480	system.exe
1480	system.exe
2004	system.exe
2004	system.exe
2948	system.exe
2948	system.exe
1048	system.exe
1048	system.exe
1188	system.exe
1188	system.exe
2340	system.exe
2340	system.exe
2416	system.exe
2416	system.exe
1104	system.exe
1104	system.exe
2664	system.exe
2664	system.exe
780	system.exe
780	system.exe
2916	system.exe
2916	system.exe
2432	system.exe
2432	system.exe
1504	system.exe
1504	system.exe
340	system.exe
340	system.exe
1700	system.exe
1700	system.exe
932	system.exe
932	system.exe
1680	system.exe
1680	system.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2276	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2276	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2276	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2276	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe	30
PID 2384 wrote to memory of 1112	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe	19
PID 2384 wrote to memory of 1164	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe	20
PID 2384 wrote to memory of 1240	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe	21
PID 2384 wrote to memory of 1384	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe	25
PID 2384 wrote to memory of 2276	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe	30
PID 2384 wrote to memory of 2276	2384	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2764	2276	userinit.exe	31
PID 2276 wrote to memory of 2764	2276	userinit.exe	31
PID 2276 wrote to memory of 2764	2276	userinit.exe	31
PID 2276 wrote to memory of 2764	2276	userinit.exe	31
PID 2276 wrote to memory of 1480	2276	userinit.exe	32
PID 2276 wrote to memory of 1480	2276	userinit.exe	32
PID 2276 wrote to memory of 1480	2276	userinit.exe	32
PID 2276 wrote to memory of 1480	2276	userinit.exe	32
PID 2276 wrote to memory of 2004	2276	userinit.exe	33
PID 2276 wrote to memory of 2004	2276	userinit.exe	33
PID 2276 wrote to memory of 2004	2276	userinit.exe	33
PID 2276 wrote to memory of 2004	2276	userinit.exe	33
PID 2276 wrote to memory of 2948	2276	userinit.exe	34
PID 2276 wrote to memory of 2948	2276	userinit.exe	34
PID 2276 wrote to memory of 2948	2276	userinit.exe	34
PID 2276 wrote to memory of 2948	2276	userinit.exe	34
PID 2276 wrote to memory of 1048	2276	userinit.exe	35
PID 2276 wrote to memory of 1048	2276	userinit.exe	35
PID 2276 wrote to memory of 1048	2276	userinit.exe	35
PID 2276 wrote to memory of 1048	2276	userinit.exe	35
PID 2276 wrote to memory of 1188	2276	userinit.exe	36
PID 2276 wrote to memory of 1188	2276	userinit.exe	36
PID 2276 wrote to memory of 1188	2276	userinit.exe	36
PID 2276 wrote to memory of 1188	2276	userinit.exe	36
PID 1188 wrote to memory of 1112	1188	system.exe	19
PID 1188 wrote to memory of 1164	1188	system.exe	20
PID 1188 wrote to memory of 1240	1188	system.exe	21
PID 1188 wrote to memory of 1384	1188	system.exe	25
PID 2276 wrote to memory of 2340	2276	userinit.exe	37
PID 2276 wrote to memory of 2340	2276	userinit.exe	37
PID 2276 wrote to memory of 2340	2276	userinit.exe	37
PID 2276 wrote to memory of 2340	2276	userinit.exe	37
PID 2276 wrote to memory of 2416	2276	userinit.exe	39
PID 2276 wrote to memory of 2416	2276	userinit.exe	39
PID 2276 wrote to memory of 2416	2276	userinit.exe	39
PID 2276 wrote to memory of 2416	2276	userinit.exe	39
PID 2276 wrote to memory of 1104	2276	userinit.exe	40
PID 2276 wrote to memory of 1104	2276	userinit.exe	40
PID 2276 wrote to memory of 1104	2276	userinit.exe	40
PID 2276 wrote to memory of 1104	2276	userinit.exe	40
PID 2276 wrote to memory of 1112	2276	userinit.exe	19
PID 2276 wrote to memory of 1164	2276	userinit.exe	20
PID 2276 wrote to memory of 1240	2276	userinit.exe	21
PID 2276 wrote to memory of 1384	2276	userinit.exe	25
PID 2276 wrote to memory of 2664	2276	userinit.exe	41
PID 2276 wrote to memory of 2664	2276	userinit.exe	41
PID 2276 wrote to memory of 2664	2276	userinit.exe	41
PID 2276 wrote to memory of 2664	2276	userinit.exe	41
PID 2276 wrote to memory of 780	2276	userinit.exe	42
PID 2276 wrote to memory of 780	2276	userinit.exe	42
PID 2276 wrote to memory of 780	2276	userinit.exe	42
PID 2276 wrote to memory of 780	2276	userinit.exe	42
PID 2276 wrote to memory of 2916	2276	userinit.exe	43
PID 2276 wrote to memory of 2916	2276	userinit.exe	43

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	userinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1240
- C:\Users\Admin\AppData\Local\Temp\a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2384
- - C:\Windows\userinit.exe
    C:\Windows\userinit.exe
    3⤵
    - Modifies WinLogon for persistence
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2276
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2764
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1480
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2004
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2948
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:1048
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:1188
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2340
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Disables RegEdit via registry modification
      Executes dropped EXE
      Windows security modification
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      System policy modification
      PID:2416
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1104
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2664
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:780
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2916
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2432
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1504
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:340
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1700
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:932
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1680
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2528
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1788
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2080
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2852
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:580
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2460
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:3020
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1720
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1068
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:540
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2132
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:952
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:956
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1552
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1976
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:888
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2544
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1580
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2328
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2080
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2652
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2840
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2008
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1096
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2504
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2912
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:840
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2924
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2432
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:3024
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:856
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2776
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1900
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:3052
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2084
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1584
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:2796
  - - C:\Windows\SysWOW64\system.exe
      C:\Windows\system32\system.exe
      4⤵
      PID:1968

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

Modify Registry