betabot | 8a5bd38d99ca82232bf4bad6433a6f0358150dfd0c3a8b22c307e39499d4724d

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

Processes:

d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ec79qw93sage7.exe	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ec79qw93sage7.exe\DisableExceptionChainValidation	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "tdcxna.exe"	explorer.exe

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Windows Font Preloader Service = "C:\\ProgramData\\Windows Font Preloader Service\\ec79qw93sage7.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Font Preloader Service = "\"C:\\ProgramData\\Windows Font Preloader Service\\ec79qw93sage7.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

Processes:

d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe

Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

remove IFEO.

defense_evasion

Clear Persistence

T1070.009

Processes:

d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ec79qw93sage7.exe\DisableExceptionChainValidation	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs

Processes:

d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exeexplorer.exe

pid	process
1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

Processes:

explorer.exed805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

Processes:

explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

explorer.exe

pid	process
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exeexplorer.exe

pid	process
1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
2088	explorer.exe
2088	explorer.exe
2088	explorer.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe

pid process

1232 d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

Processes:

d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Token: SeRestorePrivilege	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Token: SeBackupPrivilege	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Token: SeShutdownPrivilege	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Token: SeSecurityPrivilege	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Token: 33	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
Token: SeDebugPrivilege	2088	explorer.exe
Token: SeRestorePrivilege	2088	explorer.exe
Token: SeBackupPrivilege	2088	explorer.exe
Token: SeLoadDriverPrivilege	2088	explorer.exe
Token: SeCreatePagefilePrivilege	2088	explorer.exe
Token: SeShutdownPrivilege	2088	explorer.exe
Token: SeTakeOwnershipPrivilege	2088	explorer.exe
Token: SeChangeNotifyPrivilege	2088	explorer.exe
Token: SeCreateTokenPrivilege	2088	explorer.exe
Token: SeMachineAccountPrivilege	2088	explorer.exe
Token: SeSecurityPrivilege	2088	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	2088	explorer.exe
Token: SeCreateGlobalPrivilege	2088	explorer.exe
Token: 33	2088	explorer.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 1232 wrote to memory of 2088	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe	explorer.exe
PID 1232 wrote to memory of 2088	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe	explorer.exe
PID 1232 wrote to memory of 2088	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe	explorer.exe
PID 1232 wrote to memory of 2088	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe	explorer.exe
PID 1232 wrote to memory of 2088	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe	explorer.exe
PID 1232 wrote to memory of 2088	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe	explorer.exe
PID 1232 wrote to memory of 2088	1232	d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe	explorer.exe
PID 2088 wrote to memory of 1156	2088	explorer.exe	Dwm.exe
PID 2088 wrote to memory of 1156	2088	explorer.exe	Dwm.exe
PID 2088 wrote to memory of 1156	2088	explorer.exe	Dwm.exe
PID 2088 wrote to memory of 1156	2088	explorer.exe	Dwm.exe
PID 2088 wrote to memory of 1156	2088	explorer.exe	Dwm.exe
PID 2088 wrote to memory of 1156	2088	explorer.exe	Dwm.exe
PID 2088 wrote to memory of 1188	2088	explorer.exe	Explorer.EXE
PID 2088 wrote to memory of 1188	2088	explorer.exe	Explorer.EXE
PID 2088 wrote to memory of 1188	2088	explorer.exe	Explorer.EXE
PID 2088 wrote to memory of 1188	2088	explorer.exe	Explorer.EXE
PID 2088 wrote to memory of 1188	2088	explorer.exe	Explorer.EXE
PID 2088 wrote to memory of 1188	2088	explorer.exe	Explorer.EXE
PID 2088 wrote to memory of 1552	2088	explorer.exe	DllHost.exe
PID 2088 wrote to memory of 1552	2088	explorer.exe	DllHost.exe
PID 2088 wrote to memory of 1552	2088	explorer.exe	DllHost.exe
PID 2088 wrote to memory of 1552	2088	explorer.exe	DllHost.exe
PID 2088 wrote to memory of 1552	2088	explorer.exe	DllHost.exe
PID 2088 wrote to memory of 1552	2088	explorer.exe	DllHost.exe

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1156

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1188
- C:\Users\Admin\AppData\Local\Temp\d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks whether UAC is enabled
  - Indicator Removal: Clear Persistence
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: MapViewOfSection
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\SysWOW64\explorer.exe
    3⤵
    - Modifies firewall policy service
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks BIOS information in registry
    - Adds Run key to start application
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies Internet Explorer Protected Mode
    - Modifies Internet Explorer Protected Mode Banner
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2088

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Indicator Removal

T1070

Clear Persistence

Modify Registry

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

System Location Discovery

T1614

System Language Discovery