b7bceb202f9ed86ebb0516b0f62100f74b531678f24906676c28515fe235ac15

Analysis

max time kernel
147s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Size

740KB
MD5

d648bf95611f90a0a182335b3dbf5808
SHA1

e6dfeab4c8ba31f92517b7c835bf50da337c5be3
SHA256

b7bceb202f9ed86ebb0516b0f62100f74b531678f24906676c28515fe235ac15
SHA512

d96817d5baf75854c99f6caa5d40f26953ba993227e98c21df4a079dea08e0e2b662fa32474b87dde75a847ca77dadba54e0a6cd7b98d93dfd14b4ef9e1082a8
SSDEEP

12288:ou7sOe8PiOmd6bh0aDFD5HME8Rn9PH7hClylCyUCaJbW2iy:TMdSpFctH7hClylCyUCaHiy

Score

8^/10

defense_evasion discovery persistence

Malware Config

Signatures

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	Reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe	Reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\debugger = "IFEOFILE"	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashMaisv.exe	Reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vstskmgr.exe\debugger = "IFEOFILE"	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe\debugger = "IFEOFILE"	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\graph.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe	Reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe\debugger = "IFEOFILE"	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guaid.exe	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfwsvc.exe	Reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knownsvr.exe\debugger = "IFEOFILE"	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	Reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras.exe	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rtvscan.exe	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe	Reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe\debugger = "IFEOFILE"	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVFW.EXE	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras.exe	Reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashMaisv.exe	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guaid.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe	Reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knownsvr.exe	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\naPrdMgr.exe	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ExtExport.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe	Reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGAS.EXE	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\debugger = "IFEOFILE"	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RavmonD.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excelcnv.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenotem.exe	Reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Vstskmgr.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngen.exe	Reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashMaisv.exe\debugger = "IFEOFILE"	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpdaterUI.exe	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\splwow64.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\knownsvr.exe	Reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Mcshield.exe	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe	Reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe\debugger = "IFEOFILE"	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Tbmon.exe	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe	Reg.exe

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\midoll.._sadll;.\Parameters\ServiceDll = "C:\\Windows\\system32\\Clean.dll"	22.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	22.exe

Executes dropped EXE 1 IoCs

pid	Process
2348	22.exe

Loads dropped DLL 3 IoCs

pid	Process
2348	22.exe
1928	svchost.exe
552	rundll32.exe

Indicator Removal: Clear Persistence 1 TTPs 64 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kavstart.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmsk.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32Info.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintIsolationHost.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kmailmon.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PFW.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shstat.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UpLive.EXE	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscntfy.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MRT.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msosync.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ngentask.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GoogleUpdate.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32kui.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rtvscan.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avast.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kav32.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kpfw32.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SymSPort.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Tbmon.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KVFW.EXE	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrServicesUpdater.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AppSvc32.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieUnatt.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rav.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ravmon.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\selfcert.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ielowutil.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guaid.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ieinstal.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\excel.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ras.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RdrCEF.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\orgchart.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\powerpnt.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\RSTray.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wordconv.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msohtmed.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msqry32.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sdxhelper.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashServ.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoasb.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setlang.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvw.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\onenote.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AcroRd32.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Iparmor.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safelive.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wuauclt.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PrintDialog.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msoxmled.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clview.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PresentationHost.exe	Reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashWebSv.exe	Reg.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Clean.dll	22.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	22.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2348	22.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 2348	5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe	86
PID 5076 wrote to memory of 2348	5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe	86
PID 5076 wrote to memory of 2348	5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe	86
PID 5076 wrote to memory of 4708	5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe	87
PID 5076 wrote to memory of 4708	5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe	87
PID 5076 wrote to memory of 4708	5076	d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe	87
PID 1928 wrote to memory of 552	1928	svchost.exe	90
PID 1928 wrote to memory of 552	1928	svchost.exe	90
PID 1928 wrote to memory of 552	1928	svchost.exe	90
PID 2348 wrote to memory of 2404	2348	22.exe	91
PID 2348 wrote to memory of 2404	2348	22.exe	91
PID 2348 wrote to memory of 2404	2348	22.exe	91

C:\Users\Admin\AppData\Local\Temp\d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d648bf95611f90a0a182335b3dbf5808_JaffaCakes118.exe"
1⤵
- Event Triggered Execution: Image File Execution Options Injection
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Temp\22.exe
  "C:\Temp\22.exe"
  2⤵
  - Server Software Component: Terminal Services DLL
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del "C:\Temp\22.exe" > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2404
- C:\Windows\SysWOW64\Reg.exe
  Reg Delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /F
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Indicator Removal: Clear Persistence
  - System Location Discovery: System Language Discovery
  PID:4708

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k "midoll.._sadll;."
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe c:\windows\system32\clean.dll, Launch
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Server Software Component

T1505

Terminal Services DLL

T1505.005

Privilege Escalation

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Indicator Removal

T1070

Clear Persistence

T1070.009

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\22.exe

Filesize
696KB

MD5
5bfaf22b3a306a6aafb4a6927b97d9dd

SHA1
61da887abbcf6afaadbea0f810729dd6ef58cdc7

SHA256
6ffee294875330a89d6df36db796046e45ed87fc93bed253b4fcac8710add5e3

SHA512
dfb966ff29944f681c875c901470bedcc0f65d47b02c8205c69f0eb1e3861640d751807bc06513229fb37e4cb0527b934c5620d084f3c6da0b2b3d71b5c706cc

Download Submit
C:\Windows\SysWOW64\Clean.dll

Filesize
634KB

MD5
b7f913cb568249f2540b3c8cc034f8fd

SHA1
9481f3ac51089ed3f83f4a3c99f30868e93fb4a3

SHA256
089bbbe5cff872668f7f9be20ada5567b82dd53df8f1fcc16d1eddd59e9a5da8

SHA512
5b283d1f74937e01e7830d340366db100e2645902c29dec04b6b87a450b728d68ffc9bf941116dc2f0e32a46dccf9748ec9194d93980becc4b2218311e2438f5

Download Submit
memory/552-21-0x0000000074460000-0x000000007457B000-memory.dmp

Filesize
1.1MB

Download
memory/552-24-0x0000000074460000-0x000000007457B000-memory.dmp

Filesize
1.1MB

Download
memory/1928-19-0x0000000074460000-0x000000007457B000-memory.dmp

Filesize
1.1MB

Download
memory/1928-23-0x0000000074460000-0x000000007457B000-memory.dmp

Filesize
1.1MB

Download
memory/2348-9-0x0000000000400000-0x00000000004AF400-memory.dmp

Filesize
701KB

Download
memory/2348-13-0x0000000074460000-0x000000007457B000-memory.dmp

Filesize
1.1MB

Download
memory/2348-22-0x0000000000400000-0x00000000004AF400-memory.dmp

Filesize
701KB

Download