Analysis
max time kernel: 150s
max time network: 148s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 29-08-2024 17:13
Behavioral task: behavioral1
Sample: c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
Resource: win7-20240705-en
Behavioral task: behavioral2
Sample: c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
Resource: win10v2004-20240802-en
General
Target: c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
Size: 292KB
MD5: c941f52156a23b7d68e472985e7a20c8
SHA1: 0abf6219aca6b805778b389a7fd1692a85d00b18
SHA256: 97e9d8fedf5738ce3f5ca2e84d3c250cc7e903ba286510fb4ed3a2f30d47813f
SHA512: fc26638882acdc5646cbefb43972a9db92e06204a6765488066c9c7af1272683e0d0f346a8ae331b5a52e48c90e358124cfd30f9b1e25d68ab342507e6380ee1
SSDEEP: 6144:JYDhB6ActM8FbPt6a15RGkPNJAcb+k2WzoPiML3AYRYAe5mYkl5ehRsGT:S9BvctM85t35JPNJj2WzoRLQYRYzmYO8
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\SysWOW64\\fdisk.com" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\userinit.exe,C:\\Windows\\SysWOW64\\fdisk.com" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\userinit.exe,C:\\Windows\\SysWOW64\\fdisk.com" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\SysWOW64\\fdisk.com" | svchost.com
Modifies visibility of file extensions in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "2" | svchost.com
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "2" | svchost.com
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.com
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | svchost.com
Grants admin privileges (1 TTPs)
Uses net.exe to modify the user's privileges.
Disables RegEdit via registry modification (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | svchost.com
Set value (int) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | svchost.com
Disables Task Manager via registry modification
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 48 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis" | svchost.com
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe | svchost.com
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe | svchost.com
Executes dropped EXE (4 IoCs)
pid | Process
1248 | svchost.com
2832 | cftmon.exe
2240 | cftmon.exe
1756 | svchost.com
Loads dropped DLL (64 IoCs)
pid | Process
2044 | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
2044 | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
2044 | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
2044 | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
1248 | svchost.com
1248 | svchost.com
1248 | svchost.com
1248 | svchost.com
2832 | cftmon.exe
2832 | cftmon.exe
1248 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
1756 | svchost.com
resource | yara_rule
behavioral1/memory/2044-0-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/files/0x000a000000012248-6.dat | upx
behavioral1/memory/2044-20-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1248-21-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2832-54-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-71-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1248-86-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-96-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2240-95-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2832-65-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2240-151-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-152-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1248-150-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-166-0x00000000026C0000-0x0000000002775000-memory.dmp | upx
behavioral1/memory/1756-175-0x00000000026C0000-0x0000000002775000-memory.dmp | upx
behavioral1/memory/1756-173-0x00000000026C0000-0x0000000002775000-memory.dmp | upx
behavioral1/memory/1756-181-0x00000000026C0000-0x0000000002775000-memory.dmp | upx
behavioral1/memory/2240-183-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-184-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-185-0x00000000026C0000-0x0000000002775000-memory.dmp | upx
behavioral1/memory/1756-186-0x00000000026C0000-0x0000000002775000-memory.dmp | upx
behavioral1/memory/1756-187-0x00000000026C0000-0x0000000002775000-memory.dmp | upx
behavioral1/memory/2240-191-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-192-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2240-194-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-195-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2240-197-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-198-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-201-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1248-199-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2240-200-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2240-203-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-204-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2240-206-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-207-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2240-209-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-210-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1248-211-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2240-212-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-213-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-216-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2240-215-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2240-218-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-219-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2240-221-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-222-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/2240-228-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-229-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1248-227-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
behavioral1/memory/1756-234-0x0000000000400000-0x00000000004B5000-memory.dmp | upx
Adds Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Windows\\SysWOW64\\fdisk.com" | svchost.com
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif" | svchost.com
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Windows\\SysWOW64\\fdisk.com" | svchost.com
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif" | svchost.com
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif" | svchost.com
Drops desktop.ini file(s) (5 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini | svchost.com
File opened for modification | C:\Users\Admin\Templates\cache\desktop.ini | svchost.com
File opened for modification | \??\c:\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini | svchost.com
File opened for modification | \??\f:\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini | svchost.com
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\w: | svchost.com
File opened (read-only) | \??\y: | svchost.com
File opened (read-only) | \??\p: | svchost.com
File opened (read-only) | \??\q: | svchost.com
File opened (read-only) | \??\p: | svchost.com
File opened (read-only) | \??\q: | svchost.com
File opened (read-only) | \??\b: | svchost.com
File opened (read-only) | \??\e: | svchost.com
File opened (read-only) | \??\i: | svchost.com
File opened (read-only) | \??\n: | svchost.com
File opened (read-only) | \??\w: | svchost.com
File opened (read-only) | \??\r: | svchost.com
File opened (read-only) | \??\x: | svchost.com
File opened (read-only) | \??\j: | svchost.com
File opened (read-only) | \??\t: | svchost.com
File opened (read-only) | \??\x: | svchost.com
File opened (read-only) | \??\z: | svchost.com
File opened (read-only) | \??\j: | svchost.com
File opened (read-only) | \??\o: | svchost.com
File opened (read-only) | \??\e: | svchost.com
File opened (read-only) | \??\g: | svchost.com
File opened (read-only) | \??\o: | svchost.com
File opened (read-only) | \??\k: | svchost.com
File opened (read-only) | \??\s: | svchost.com
File opened (read-only) | \??\a: | svchost.com
File opened (read-only) | \??\h: | svchost.com
File opened (read-only) | \??\m: | svchost.com
File opened (read-only) | \??\n: | svchost.com
File opened (read-only) | \??\a: | svchost.com
File opened (read-only) | \??\h: | svchost.com
File opened (read-only) | \??\b: | svchost.com
File opened (read-only) | \??\m: | svchost.com
File opened (read-only) | \??\y: | svchost.com
File opened (read-only) | \??\u: | svchost.com
File opened (read-only) | \??\v: | svchost.com
File opened (read-only) | \??\i: | svchost.com
File opened (read-only) | \??\r: | svchost.com
File opened (read-only) | \??\s: | svchost.com
File opened (read-only) | \??\u: | svchost.com
File opened (read-only) | \??\v: | svchost.com
File opened (read-only) | \??\t: | svchost.com
File opened (read-only) | \??\k: | svchost.com
File opened (read-only) | \??\l: | svchost.com
File opened (read-only) | \??\g: | svchost.com
File opened (read-only) | \??\l: | svchost.com
File opened (read-only) | \??\z: | svchost.com
Modifies WinLogon (2 TTPs, 5 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Network_Service = "0" | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\KeepRasConnections = "1" | svchost.com
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList | svchost.com
AutoIT Executable (43 IoCs)
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/memory/2044-20-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2832-54-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1248-86-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-98-0x00000000026C0000-0x0000000002775000-memory.dmp | autoit_exe
behavioral1/memory/1756-97-0x00000000026C0000-0x0000000002775000-memory.dmp | autoit_exe
behavioral1/memory/1756-96-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2240-95-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2832-65-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-105-0x00000000026C0000-0x0000000002775000-memory.dmp | autoit_exe
behavioral1/memory/1756-140-0x00000000026C0000-0x0000000002775000-memory.dmp | autoit_exe
behavioral1/memory/2240-151-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-152-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1248-150-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2240-183-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-184-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2240-191-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-192-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2240-194-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-195-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2240-197-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-198-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-201-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1248-199-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2240-200-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2240-203-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-204-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2240-206-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-207-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2240-209-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-210-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1248-211-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2240-212-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-213-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-216-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2240-215-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2240-218-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-219-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2240-221-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-222-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/2240-228-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-229-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1248-227-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
behavioral1/memory/1756-234-0x0000000000400000-0x00000000004B5000-memory.dmp | autoit_exe
Drops autorun.inf file (1 TTPs, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | \??\c:\autorun.inf | svchost.com
File opened for modification | C:\\autorun.inf | svchost.com
File opened for modification | \??\f:\autorun.inf | svchost.com
File opened for modification | F:\\autorun.inf | svchost.com
Drops file in System32 directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\fdisk.com | svchost.com
File opened for modification | C:\Windows\SysWOW64\fdisk.com | svchost.com
Hide Artifacts: Hidden Users (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Network_Service = "0" | svchost.com
Drops file in Program Files directory (1 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Common Files\System\cftmon.exe | svchost.com
Drops file in Windows directory (1 IoCs)
description | ioc | Process
File created | C:\Windows\Help\cliconf.chm | svchost.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Permission Groups Discovery: Local Groups (1 TTPs)
Attempts to find local system groups and permission settings.
System Location Discovery: System Language Discovery (1 TTPs, 17 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cftmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cftmon.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.com
Modifies registry class (15 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Applications\xnotepad.exe | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Applications\xmspaint.exe | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Applications\xmspaint.exe\shell | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\shellex\SharingHandler\ | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Applications | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Applications\xnotepad.exe\shell\open | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Applications\xmspaint.exe\shell\open | svchost.com
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Applications\xmspaint.exe\shell\open\command\ = "C:\\Program Files (x86)\\Common Files\\System\\cftmon.exe %1" | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Applications\xnotepad.exe\shell\open\command | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Applications\xnotepad.exe\shell | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler | svchost.com
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler\ | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\shellex\SharingHandler | svchost.com
Set value (str) | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Applications\xnotepad.exe\shell\open\command\ = "C:\\Program Files (x86)\\Common Files\\System\\cftmon.exe %1" | svchost.com
Key created | \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000_CLASSES\Applications\xmspaint.exe\shell\open\command | svchost.com
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
2044 | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
1248 | svchost.com
1248 | svchost.com
1248 | svchost.com
1248 | svchost.com
1248 | svchost.com
1248 | svchost.com
1248 | svchost.com
1248 | svchost.com
1248 | svchost.com
1248 | svchost.com
1248 | svchost.com
1248 | svchost.com
1248 | svchost.com
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
1756 | svchost.com
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
2240 | cftmon.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2044 wrote to memory of 1248 | 2044 | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe | 30
PID 2044 wrote to memory of 1248 | 2044 | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe | 30
PID 2044 wrote to memory of 1248 | 2044 | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe | 30
PID 2044 wrote to memory of 1248 | 2044 | c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe | 30
PID 1248 wrote to memory of 2832 | 1248 | svchost.com | 31
PID 1248 wrote to memory of 2832 | 1248 | svchost.com | 31
PID 1248 wrote to memory of 2832 | 1248 | svchost.com | 31
PID 1248 wrote to memory of 2832 | 1248 | svchost.com | 31
PID 2832 wrote to memory of 2240 | 2832 | cftmon.exe | 32
PID 2832 wrote to memory of 2240 | 2832 | cftmon.exe | 32
PID 2832 wrote to memory of 2240 | 2832 | cftmon.exe | 32
PID 2832 wrote to memory of 2240 | 2832 | cftmon.exe | 32
PID 1248 wrote to memory of 1756 | 1248 | svchost.com | 33
PID 1248 wrote to memory of 1756 | 1248 | svchost.com | 33
PID 1248 wrote to memory of 1756 | 1248 | svchost.com | 33
PID 1248 wrote to memory of 1756 | 1248 | svchost.com | 33
PID 1248 wrote to memory of 2968 | 1248 | svchost.com | 37
PID 1248 wrote to memory of 2968 | 1248 | svchost.com | 37
PID 1248 wrote to memory of 2968 | 1248 | svchost.com | 37
PID 1248 wrote to memory of 2968 | 1248 | svchost.com | 37
PID 1248 wrote to memory of 2964 | 1248 | svchost.com | 39
PID 1248 wrote to memory of 2964 | 1248 | svchost.com | 39
PID 1248 wrote to memory of 2964 | 1248 | svchost.com | 39
PID 1248 wrote to memory of 2964 | 1248 | svchost.com | 39
PID 1248 wrote to memory of 2620 | 1248 | svchost.com | 41
PID 1248 wrote to memory of 2620 | 1248 | svchost.com | 41
PID 1248 wrote to memory of 2620 | 1248 | svchost.com | 41
PID 1248 wrote to memory of 2620 | 1248 | svchost.com | 41
PID 2968 wrote to memory of 2312 | 2968 | net.exe | 43
PID 2968 wrote to memory of 2312 | 2968 | net.exe | 43
PID 2968 wrote to memory of 2312 | 2968 | net.exe | 43
PID 2968 wrote to memory of 2312 | 2968 | net.exe | 43
PID 2964 wrote to memory of 1984 | 2964 | net.exe | 44
PID 2964 wrote to memory of 1984 | 2964 | net.exe | 44
PID 2964 wrote to memory of 1984 | 2964 | net.exe | 44
PID 2964 wrote to memory of 1984 | 2964 | net.exe | 44
PID 2620 wrote to memory of 2456 | 2620 | net.exe | 45
PID 2620 wrote to memory of 2456 | 2620 | net.exe | 45
PID 2620 wrote to memory of 2456 | 2620 | net.exe | 45
PID 2620 wrote to memory of 2456 | 2620 | net.exe | 45
PID 1248 wrote to memory of 2612 | 1248 | svchost.com | 46
PID 1248 wrote to memory of 2612 | 1248 | svchost.com | 46
PID 1248 wrote to memory of 2612 | 1248 | svchost.com | 46
PID 1248 wrote to memory of 2612 | 1248 | svchost.com | 46
PID 2612 wrote to memory of 1948 | 2612 | net.exe | 48
PID 2612 wrote to memory of 1948 | 2612 | net.exe | 48
PID 2612 wrote to memory of 1948 | 2612 | net.exe | 48
PID 2612 wrote to memory of 1948 | 2612 | net.exe | 48
PID 1248 wrote to memory of 2496 | 1248 | svchost.com | 49
PID 1248 wrote to memory of 2496 | 1248 | svchost.com | 49
PID 1248 wrote to memory of 2496 | 1248 | svchost.com | 49
PID 1248 wrote to memory of 2496 | 1248 | svchost.com | 49
PID 2496 wrote to memory of 1980 | 2496 | net.exe | 51
PID 2496 wrote to memory of 1980 | 2496 | net.exe | 51
PID 2496 wrote to memory of 1980 | 2496 | net.exe | 51
PID 2496 wrote to memory of 1980 | 2496 | net.exe | 51
PID 1248 wrote to memory of 2436 | 1248 | svchost.com | 52
PID 1248 wrote to memory of 2436 | 1248 | svchost.com | 52
PID 1248 wrote to memory of 2436 | 1248 | svchost.com | 52
PID 1248 wrote to memory of 2436 | 1248 | svchost.com | 52
PID 2436 wrote to memory of 1720 | 2436 | net.exe | 54
PID 2436 wrote to memory of 1720 | 2436 | net.exe | 54
PID 2436 wrote to memory of 1720 | 2436 | net.exe | 54
PID 2436 wrote to memory of 1720 | 2436 | net.exe | 54
System policy modification 1 TTPs 6 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | svchost.com
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1" | svchost.com
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network | svchost.com
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\NoFileSharingControl = "1" | svchost.com
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\NoFileSharing = "0" | svchost.com
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\NoPrintSharing = "0" | svchost.com
Processes

c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe (PID 2044)
  Path: C:\Users\Admin\AppData\Local\Temp\c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c941f52156a23b7d68e472985e7a20c8_JaffaCakes118.exe"
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  svchost.com (PID 1248)
    Path: C:\Users\Admin\AppData\Local\Temp\svchost.com
    Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.com"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Event Triggered Execution: Image File Execution Options Injection
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Hide Artifacts: Hidden Users
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification

    cftmon.exe (PID 2832)
      Path: C:\Program Files (x86)\Common Files\System\cftmon.exe
      Command line: "C:\Program Files (x86)\Common Files\System\cftmon.exe" stay_alive -in
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      cftmon.exe (PID 2240)
        Path: C:\Program Files (x86)\Common Files\System\cftmon.exe
        Command line: "C:\Program Files (x86)\Common Files\System\cftmon.exe" stay_alive -r
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses

    svchost.com (PID 1756)
      Path: C:\Users\Admin\AppData\Local\Temp\svchost.com
      Command line: C:\Users\Admin\AppData\Local\Temp\svchost.com keep_fucking
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - Disables RegEdit via registry modification
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    net.exe (PID 2968)
      Path: C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\System32\net.exe" share SYS_c$=c:\
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      net1.exe (PID 2312)
        Path: C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 share SYS_c$=c:\
        - System Location Discovery: System Language Discovery

    net.exe (PID 2964)
      Path: C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\System32\net.exe" share SYS_f$=f:\
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      net1.exe (PID 1984)
        Path: C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 share SYS_f$=f:\
        - System Location Discovery: System Language Discovery

    net.exe (PID 2620)
      Path: C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\System32\net.exe" user guest guest
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      net1.exe (PID 2456)
        Path: C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 user guest guest
        - System Location Discovery: System Language Discovery

    net.exe (PID 2612)
      Path: C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\System32\net.exe" user /add Network_Service
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      net1.exe (PID 1948)
        Path: C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 user /add Network_Service
        - System Location Discovery: System Language Discovery

    net.exe (PID 2496)
      Path: C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\System32\net.exe" user Network_Service 1016760
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      net1.exe (PID 1980)
        Path: C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 user Network_Service 1016760
        - System Location Discovery: System Language Discovery

    net.exe (PID 2436)
      Path: C:\Windows\SysWOW64\net.exe
      Command line: "C:\Windows\System32\net.exe" localgroup administrators Network_Service /add
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      net1.exe (PID 1720)
        Path: C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 localgroup administrators Network_Service /add
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
  - Account Manipulation (1)
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (2)
  - Event Triggered Execution (1)
    - Image File Execution Options Injection (1)

Privilege Escalation
  - Account Manipulation (1)
  - Boot or Logon Autostart Execution (3)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (2)
  - Event Triggered Execution (1)
    - Image File Execution Options Injection (1)

Defense Evasion
  - Hide Artifacts (3)
    - Hidden Files and Directories (2)
    - Hidden Users (1)
  - Modify Registry (6)
Downloads