Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
22s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
17/08/2024, 08:21
Static task
static1
Behavioral task
behavioral1
Sample
a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
Resource
win7-20240708-en
General
-
Target
a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe
-
Size
157KB
-
MD5
a1d15bcb93da89f08fdfaf4485ed5c69
-
SHA1
ae7982fb0b7e2f5c0d8c689430264571a807266f
-
SHA256
bff61a91ce28a7dbd727861fa4082fbd41d0d95f886117cc3841e30e9d81e44d
-
SHA512
19123d180830261f76155494d4266b2c4bb4d70d71c16ea2a17494dcc1fde62f1e33d8b74e2266d4f5a315ff391a869e8a7a4f1eb5f1c25cd2299563027042a4
-
SSDEEP
3072:lWDnaKMq9HV05S1zwLv/dBTtaODXg9vjfE+mzpZ428:2aHq965S1zcTDXg9vjfEVN8
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\userinit.exe" userinit.exe -
Modifies firewall policy service 3 TTPs 27 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" userinit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" userinit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" system.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" userinit.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" userinit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" userinit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" userinit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" userinit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" userinit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" userinit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" userinit.exe -
Disables RegEdit via registry modification 9 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" system.exe Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" system.exe Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" system.exe Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" system.exe Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" system.exe Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" system.exe Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" userinit.exe Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" system.exe -
Disables Task Manager via registry modification
-
Deletes itself 1 IoCs
pid Process 2276 userinit.exe -
Executes dropped EXE 19 IoCs
pid Process 2276 userinit.exe 2764 system.exe 1480 system.exe 2004 system.exe 2948 system.exe 1048 system.exe 1188 system.exe 2340 system.exe 2416 system.exe 1104 system.exe 2664 system.exe 780 system.exe 2916 system.exe 2432 system.exe 1504 system.exe 340 system.exe 1700 system.exe 932 system.exe 1680 system.exe -
Loads dropped DLL 36 IoCs
pid Process 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe 2276 userinit.exe -
resource yara_rule behavioral1/memory/2384-7-0x0000000000990000-0x0000000001A1E000-memory.dmp upx behavioral1/memory/2384-12-0x0000000000990000-0x0000000001A1E000-memory.dmp upx behavioral1/memory/2384-3-0x0000000000990000-0x0000000001A1E000-memory.dmp upx behavioral1/memory/2384-14-0x0000000000990000-0x0000000001A1E000-memory.dmp upx behavioral1/memory/2384-10-0x0000000000990000-0x0000000001A1E000-memory.dmp upx behavioral1/memory/2384-5-0x0000000000990000-0x0000000001A1E000-memory.dmp upx behavioral1/memory/2384-13-0x0000000000990000-0x0000000001A1E000-memory.dmp upx behavioral1/memory/2384-8-0x0000000000990000-0x0000000001A1E000-memory.dmp upx behavioral1/memory/2384-50-0x0000000000990000-0x0000000001A1E000-memory.dmp upx behavioral1/memory/2384-51-0x0000000000990000-0x0000000001A1E000-memory.dmp upx behavioral1/memory/2384-49-0x0000000000990000-0x0000000001A1E000-memory.dmp upx behavioral1/memory/2384-6-0x0000000000990000-0x0000000001A1E000-memory.dmp upx behavioral1/memory/2764-77-0x0000000000740000-0x00000000017CE000-memory.dmp upx behavioral1/memory/2764-81-0x0000000000740000-0x00000000017CE000-memory.dmp upx behavioral1/memory/2764-80-0x0000000000740000-0x00000000017CE000-memory.dmp upx behavioral1/memory/2764-79-0x0000000000740000-0x00000000017CE000-memory.dmp upx behavioral1/memory/2764-83-0x0000000000740000-0x00000000017CE000-memory.dmp upx behavioral1/memory/2764-90-0x0000000000740000-0x00000000017CE000-memory.dmp upx behavioral1/memory/2764-96-0x0000000000740000-0x00000000017CE000-memory.dmp upx behavioral1/memory/2764-85-0x0000000000740000-0x00000000017CE000-memory.dmp upx behavioral1/memory/2764-84-0x0000000000740000-0x00000000017CE000-memory.dmp upx behavioral1/memory/2764-91-0x0000000000740000-0x00000000017CE000-memory.dmp upx behavioral1/memory/2764-86-0x0000000000740000-0x00000000017CE000-memory.dmp upx behavioral1/memory/2764-82-0x0000000000740000-0x00000000017CE000-memory.dmp upx behavioral1/memory/1480-114-0x00000000006A0000-0x000000000172E000-memory.dmp upx behavioral1/memory/1480-140-0x00000000006A0000-0x000000000172E000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" system.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" userinit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" userinit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" userinit.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" system.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" system.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc userinit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" system.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" userinit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" system.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" system.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" system.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc system.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" userinit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" userinit.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" userinit.exe -
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: userinit.exe File opened (read-only) \??\E: userinit.exe File opened (read-only) \??\G: userinit.exe File opened (read-only) \??\H: userinit.exe File opened (read-only) \??\I: userinit.exe File opened (read-only) \??\J: userinit.exe File opened (read-only) \??\K: userinit.exe File opened (read-only) \??\L: userinit.exe -
Drops file in System32 directory 2 IoCs
description ioc Process File created C:\Windows\SysWOW64\system.exe userinit.exe File opened for modification C:\Windows\SysWOW64\system.exe userinit.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\userinit.exe a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe File created C:\Windows\kdcoms.dll userinit.exe File opened for modification C:\Windows\SYSTEM.INI a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe File created C:\Windows\userinit.exe a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe -
System Location Discovery: System Language Discovery 1 TTPs 20 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language userinit.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system.exe -
Suspicious behavior: EnumeratesProcesses 47 IoCs
pid Process 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe 2276 userinit.exe 2276 userinit.exe 2764 system.exe 2764 system.exe 2276 userinit.exe 1480 system.exe 1480 system.exe 2276 userinit.exe 2004 system.exe 2276 userinit.exe 2948 system.exe 2948 system.exe 2276 userinit.exe 1048 system.exe 1048 system.exe 2276 userinit.exe 1188 system.exe 1188 system.exe 2276 userinit.exe 2340 system.exe 2276 userinit.exe 2416 system.exe 2416 system.exe 2276 userinit.exe 2276 userinit.exe 1104 system.exe 2276 userinit.exe 2664 system.exe 2276 userinit.exe 780 system.exe 2276 userinit.exe 2916 system.exe 2276 userinit.exe 2432 system.exe 2276 userinit.exe 1504 system.exe 2276 userinit.exe 340 system.exe 2276 userinit.exe 1700 system.exe 2276 userinit.exe 932 system.exe 2276 userinit.exe 2276 userinit.exe 1680 system.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 1188 system.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe Token: SeDebugPrivilege 2276 userinit.exe -
Suspicious use of SetWindowsHookEx 40 IoCs
pid Process 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe 2276 userinit.exe 2276 userinit.exe 2764 system.exe 2764 system.exe 1480 system.exe 1480 system.exe 2004 system.exe 2004 system.exe 2948 system.exe 2948 system.exe 1048 system.exe 1048 system.exe 1188 system.exe 1188 system.exe 2340 system.exe 2340 system.exe 2416 system.exe 2416 system.exe 1104 system.exe 1104 system.exe 2664 system.exe 2664 system.exe 780 system.exe 780 system.exe 2916 system.exe 2916 system.exe 2432 system.exe 2432 system.exe 1504 system.exe 1504 system.exe 340 system.exe 340 system.exe 1700 system.exe 1700 system.exe 932 system.exe 932 system.exe 1680 system.exe 1680 system.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2384 wrote to memory of 2276 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe 30 PID 2384 wrote to memory of 2276 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe 30 PID 2384 wrote to memory of 2276 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe 30 PID 2384 wrote to memory of 2276 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe 30 PID 2384 wrote to memory of 1112 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe 19 PID 2384 wrote to memory of 1164 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe 20 PID 2384 wrote to memory of 1240 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe 21 PID 2384 wrote to memory of 1384 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe 25 PID 2384 wrote to memory of 2276 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe 30 PID 2384 wrote to memory of 2276 2384 a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe 30 PID 2276 wrote to memory of 2764 2276 userinit.exe 31 PID 2276 wrote to memory of 2764 2276 userinit.exe 31 PID 2276 wrote to memory of 2764 2276 userinit.exe 31 PID 2276 wrote to memory of 2764 2276 userinit.exe 31 PID 2276 wrote to memory of 1480 2276 userinit.exe 32 PID 2276 wrote to memory of 1480 2276 userinit.exe 32 PID 2276 wrote to memory of 1480 2276 userinit.exe 32 PID 2276 wrote to memory of 1480 2276 userinit.exe 32 PID 2276 wrote to memory of 2004 2276 userinit.exe 33 PID 2276 wrote to memory of 2004 2276 userinit.exe 33 PID 2276 wrote to memory of 2004 2276 userinit.exe 33 PID 2276 wrote to memory of 2004 2276 userinit.exe 33 PID 2276 wrote to memory of 2948 2276 userinit.exe 34 PID 2276 wrote to memory of 2948 2276 userinit.exe 34 PID 2276 wrote to memory of 2948 2276 userinit.exe 34 PID 2276 wrote to memory of 2948 2276 userinit.exe 34 PID 2276 wrote to memory of 1048 2276 userinit.exe 35 PID 2276 wrote to memory of 1048 2276 userinit.exe 35 PID 2276 wrote to memory of 1048 2276 userinit.exe 35 PID 2276 wrote to memory of 1048 2276 userinit.exe 35 PID 2276 wrote to memory of 1188 2276 userinit.exe 36 PID 2276 wrote to memory of 1188 2276 userinit.exe 36 PID 2276 wrote to memory of 1188 2276 userinit.exe 36 PID 2276 wrote to memory of 1188 2276 userinit.exe 36 PID 1188 wrote to memory of 1112 1188 system.exe 19 PID 1188 wrote to memory of 1164 1188 system.exe 20 PID 1188 wrote to memory of 1240 1188 system.exe 21 PID 1188 wrote to memory of 1384 1188 system.exe 25 PID 2276 wrote to memory of 2340 2276 userinit.exe 37 PID 2276 wrote to memory of 2340 2276 userinit.exe 37 PID 2276 wrote to memory of 2340 2276 userinit.exe 37 PID 2276 wrote to memory of 2340 2276 userinit.exe 37 PID 2276 wrote to memory of 2416 2276 userinit.exe 39 PID 2276 wrote to memory of 2416 2276 userinit.exe 39 PID 2276 wrote to memory of 2416 2276 userinit.exe 39 PID 2276 wrote to memory of 2416 2276 userinit.exe 39 PID 2276 wrote to memory of 1104 2276 userinit.exe 40 PID 2276 wrote to memory of 1104 2276 userinit.exe 40 PID 2276 wrote to memory of 1104 2276 userinit.exe 40 PID 2276 wrote to memory of 1104 2276 userinit.exe 40 PID 2276 wrote to memory of 1112 2276 userinit.exe 19 PID 2276 wrote to memory of 1164 2276 userinit.exe 20 PID 2276 wrote to memory of 1240 2276 userinit.exe 21 PID 2276 wrote to memory of 1384 2276 userinit.exe 25 PID 2276 wrote to memory of 2664 2276 userinit.exe 41 PID 2276 wrote to memory of 2664 2276 userinit.exe 41 PID 2276 wrote to memory of 2664 2276 userinit.exe 41 PID 2276 wrote to memory of 2664 2276 userinit.exe 41 PID 2276 wrote to memory of 780 2276 userinit.exe 42 PID 2276 wrote to memory of 780 2276 userinit.exe 42 PID 2276 wrote to memory of 780 2276 userinit.exe 42 PID 2276 wrote to memory of 780 2276 userinit.exe 42 PID 2276 wrote to memory of 2916 2276 userinit.exe 43 PID 2276 wrote to memory of 2916 2276 userinit.exe 43 -
System policy modification 1 TTPs 9 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" userinit.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1112
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1164
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1240
-
C:\Users\Admin\AppData\Local\Temp\a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\a1d15bcb93da89f08fdfaf4485ed5c69_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2384 -
C:\Windows\userinit.exeC:\Windows\userinit.exe3⤵
- Modifies WinLogon for persistence
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2276 -
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2764
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1480
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2004
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2948
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:1048
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1188
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2340
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- System policy modification
PID:2416
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1104
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2664
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:780
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2916
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2432
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1504
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:340
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1700
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:932
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1680
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2528
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:1788
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2080
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2852
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:580
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2460
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:3020
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:1720
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:1068
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:540
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2132
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:952
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:956
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:1552
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:1976
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:888
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2544
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:1580
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2328
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2080
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2652
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2840
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2008
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:1096
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2504
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2912
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:840
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2924
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2432
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:3024
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:856
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2776
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:1900
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:3052
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2084
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:1584
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:2796
-
-
C:\Windows\SysWOW64\system.exeC:\Windows\system32\system.exe4⤵PID:1968
-
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1384
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
257B
MD508885de19ee27de771c56946c44f68f3
SHA143077aad66d558d960c72f7d57e929e0b6932622
SHA256aa0904ab46114290c8cb7c311c125b2db192e03c65d41fd77e53bd3be1ea5017
SHA51274749a59d7c56aae1af4d943e159d0883b2a5441ea9ad26c50266745084aad45d02431fd47a5799b6d205dc6046bc7e38aeeb80d0def4311d5619f4054fa0e12
-
Filesize
157KB
MD5a1d15bcb93da89f08fdfaf4485ed5c69
SHA1ae7982fb0b7e2f5c0d8c689430264571a807266f
SHA256bff61a91ce28a7dbd727861fa4082fbd41d0d95f886117cc3841e30e9d81e44d
SHA51219123d180830261f76155494d4266b2c4bb4d70d71c16ea2a17494dcc1fde62f1e33d8b74e2266d4f5a315ff391a869e8a7a4f1eb5f1c25cd2299563027042a4
-
Filesize
100KB
MD5a5ae72dda9570a4dbf8745f18b738ee6
SHA16e7509148bf38cb205c46b47ae246df1fe0d7f4c
SHA2565019692cb038cf195d5ba7fe6259a11aecc6e617f1f82f37517aa16725b8229b
SHA512e4820cc2a31b3fe61eb5143a2b05bd7c5078f36578b2773bfa13ca7185e894573ce021c257e4974c3c0f9c5d1a374778da70195e8e1625ef4883976850bdf6fc