pony | fd1a09cae9282b6c05cc197be7d9a85f63d284a937ca581a257a4fab12631339

Analysis

max time kernel
145s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16/09/2024, 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe
Size

7.3MB
MD5

e50be41d01aff61dc9d6779e9af971ee
SHA1

37b2431609aa7fd4f5f1411a42d2ad01fee94315
SHA256

fd1a09cae9282b6c05cc197be7d9a85f63d284a937ca581a257a4fab12631339
SHA512

b951bb2a59c8df6bed7c75060c506dcbe7df60127598f8c2bf7ba75cee3919adc68bdaf7c90fdcc71e05bfa580bc776f285a1cb24070d9a502f1e3776ec07ccb
SSDEEP

196608:YLZLgaILbuQPGRCd6y/yg37h25dFzl7LDJ:ELgaUyQOgdv/J37hwdFzl7J

Score

10^/10

pony credential_access defense_evasion discovery evasion persistence rat spyware stealer upx

Malware Config

Signatures

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"	3R2R.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables taskbar notifications via registry modification
evasion

Executes dropped EXE 9 IoCs

pid	Process
2236	Vaya Con Dios - Don't Cry For Louie.exe
2852	ic4.exe
2360	2 Gansta.exe
2860	3R2R.exe
2980	4tbp.exe
336	csrss.exe
980	3R2R.exe
2448	3R2R.exe
1648	5F6F.tmp

Loads dropped DLL 46 IoCs

pid	Process
2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe
2236	Vaya Con Dios - Don't Cry For Louie.exe
2236	Vaya Con Dios - Don't Cry For Louie.exe
2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe
2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe
2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe
2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe
2852	ic4.exe
2852	ic4.exe
2852	ic4.exe
2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe
2360	2 Gansta.exe
2360	2 Gansta.exe
2360	2 Gansta.exe
2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe
2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe
2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe
2860	3R2R.exe
2860	3R2R.exe
2860	3R2R.exe
2980	4tbp.exe
2980	4tbp.exe
2980	4tbp.exe
1544	rundll32.exe
1544	rundll32.exe
1544	rundll32.exe
1544	rundll32.exe
316	Process not Found
1328	DllHost.exe
2860	3R2R.exe
2860	3R2R.exe
980	3R2R.exe
980	3R2R.exe
980	3R2R.exe
2860	3R2R.exe
2448	3R2R.exe
2448	3R2R.exe
2448	3R2R.exe
2152	rundll32.exe
2152	rundll32.exe
2152	rundll32.exe
2152	rundll32.exe
2860	3R2R.exe
2860	3R2R.exe
1648	5F6F.tmp
2152	rundll32.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2360-46-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/files/0x0007000000017403-45.dat	upx
behavioral1/memory/2360-54-0x0000000000020000-0x000000000002A000-memory.dmp	upx
behavioral1/memory/2308-35-0x0000000000870000-0x000000000087A000-memory.dmp	upx
behavioral1/memory/980-131-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2360-165-0x0000000000400000-0x000000000040A000-memory.dmp	upx
behavioral1/memory/2860-167-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2448-239-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2860-241-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2860-318-0x0000000000400000-0x000000000046B000-memory.dmp	upx
behavioral1/memory/2860-325-0x0000000000400000-0x000000000046B000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dmipezoweqoha = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\WeDa012.dll\",Startup"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\B11.exe = "C:\\Program Files (x86)\\LP\\0FDC\\B11.exe"	3R2R.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	\systemroot\assembly\GAC_64\Desktop.ini	csrss.exe
File created	\systemroot\assembly\GAC_32\Desktop.ini	csrss.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2852 set thread context of 1044	2852	ic4.exe	38

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LP\0FDC\B11.exe	3R2R.exe
File opened for modification	C:\Program Files (x86)\LP\0FDC\5F6F.tmp	3R2R.exe
File opened for modification	C:\Program Files (x86)\LP\0FDC\B11.exe	3R2R.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2 Gansta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3R2R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3R2R.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5F6F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4tbp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vaya Con Dios - Don't Cry For Louie.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ic4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3R2R.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	Vaya Con Dios - Don't Cry For Louie.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2860	3R2R.exe
2860	3R2R.exe
2860	3R2R.exe
2860	3R2R.exe
2860	3R2R.exe
2860	3R2R.exe
2852	ic4.exe
2852	ic4.exe
2852	ic4.exe
1544	rundll32.exe
2860	3R2R.exe
2860	3R2R.exe
2860	3R2R.exe
2860	3R2R.exe
2860	3R2R.exe
2860	3R2R.exe
2860	3R2R.exe
2860	3R2R.exe
1544	rundll32.exe
336	csrss.exe
1544	rundll32.exe
1544	rundll32.exe
1544	rundll32.exe
1544	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2852	ic4.exe
Token: SeRestorePrivilege	332	msiexec.exe
Token: SeTakeOwnershipPrivilege	332	msiexec.exe
Token: SeSecurityPrivilege	332	msiexec.exe
Token: SeDebugPrivilege	2852	ic4.exe
Token: SeIncBasePriorityPrivilege	2360	2 Gansta.exe
Token: SeShutdownPrivilege	1860	explorer.exe
Token: SeShutdownPrivilege	1860	explorer.exe
Token: SeShutdownPrivilege	1860	explorer.exe
Token: SeShutdownPrivilege	1860	explorer.exe
Token: SeShutdownPrivilege	1860	explorer.exe
Token: SeShutdownPrivilege	1860	explorer.exe
Token: SeShutdownPrivilege	1860	explorer.exe
Token: SeShutdownPrivilege	1860	explorer.exe
Token: SeShutdownPrivilege	1860	explorer.exe
Token: SeShutdownPrivilege	1860	explorer.exe
Token: SeShutdownPrivilege	1860	explorer.exe
Token: SeShutdownPrivilege	1860	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	840	svchost.exe
Token: SeIncreaseQuotaPrivilege	840	svchost.exe
Token: SeSecurityPrivilege	840	svchost.exe
Token: SeTakeOwnershipPrivilege	840	svchost.exe
Token: SeLoadDriverPrivilege	840	svchost.exe
Token: SeSystemtimePrivilege	840	svchost.exe
Token: SeBackupPrivilege	840	svchost.exe
Token: SeRestorePrivilege	840	svchost.exe
Token: SeShutdownPrivilege	840	svchost.exe
Token: SeSystemEnvironmentPrivilege	840	svchost.exe
Token: SeUndockPrivilege	840	svchost.exe
Token: SeManageVolumePrivilege	840	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	840	svchost.exe
Token: SeIncreaseQuotaPrivilege	840	svchost.exe
Token: SeSecurityPrivilege	840	svchost.exe
Token: SeTakeOwnershipPrivilege	840	svchost.exe
Token: SeLoadDriverPrivilege	840	svchost.exe
Token: SeSystemtimePrivilege	840	svchost.exe
Token: SeBackupPrivilege	840	svchost.exe
Token: SeRestorePrivilege	840	svchost.exe
Token: SeShutdownPrivilege	840	svchost.exe
Token: SeSystemEnvironmentPrivilege	840	svchost.exe
Token: SeUndockPrivilege	840	svchost.exe
Token: SeManageVolumePrivilege	840	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	840	svchost.exe
Token: SeIncreaseQuotaPrivilege	840	svchost.exe
Token: SeSecurityPrivilege	840	svchost.exe
Token: SeTakeOwnershipPrivilege	840	svchost.exe
Token: SeLoadDriverPrivilege	840	svchost.exe
Token: SeSystemtimePrivilege	840	svchost.exe
Token: SeBackupPrivilege	840	svchost.exe
Token: SeRestorePrivilege	840	svchost.exe
Token: SeShutdownPrivilege	840	svchost.exe
Token: SeSystemEnvironmentPrivilege	840	svchost.exe
Token: SeUndockPrivilege	840	svchost.exe
Token: SeManageVolumePrivilege	840	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	840	svchost.exe
Token: SeIncreaseQuotaPrivilege	840	svchost.exe
Token: SeSecurityPrivilege	840	svchost.exe
Token: SeTakeOwnershipPrivilege	840	svchost.exe
Token: SeLoadDriverPrivilege	840	svchost.exe
Token: SeSystemtimePrivilege	840	svchost.exe
Token: SeBackupPrivilege	840	svchost.exe
Token: SeRestorePrivilege	840	svchost.exe
Token: SeShutdownPrivilege	840	svchost.exe
Token: SeSystemEnvironmentPrivilege	840	svchost.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe
1860	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2236	Vaya Con Dios - Don't Cry For Louie.exe
2236	Vaya Con Dios - Don't Cry For Louie.exe
2980	4tbp.exe
1544	rundll32.exe
2152	rundll32.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
336	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2236	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2236	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2236	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2236	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2236	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2236	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2236	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	31
PID 2308 wrote to memory of 2852	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2852	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2852	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2852	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2852	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2852	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2852	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	32
PID 2308 wrote to memory of 2360	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2360	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2360	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2360	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2360	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2360	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2360	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	33
PID 2308 wrote to memory of 2860	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	34
PID 2308 wrote to memory of 2860	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	34
PID 2308 wrote to memory of 2860	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	34
PID 2308 wrote to memory of 2860	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	34
PID 2308 wrote to memory of 2860	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	34
PID 2308 wrote to memory of 2860	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	34
PID 2308 wrote to memory of 2860	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	34
PID 2308 wrote to memory of 2980	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	35
PID 2308 wrote to memory of 2980	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	35
PID 2308 wrote to memory of 2980	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	35
PID 2308 wrote to memory of 2980	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	35
PID 2308 wrote to memory of 2980	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	35
PID 2308 wrote to memory of 2980	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	35
PID 2308 wrote to memory of 2980	2308	e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe	35
PID 2980 wrote to memory of 1544	2980	4tbp.exe	36
PID 2980 wrote to memory of 1544	2980	4tbp.exe	36
PID 2980 wrote to memory of 1544	2980	4tbp.exe	36
PID 2980 wrote to memory of 1544	2980	4tbp.exe	36
PID 2980 wrote to memory of 1544	2980	4tbp.exe	36
PID 2980 wrote to memory of 1544	2980	4tbp.exe	36
PID 2980 wrote to memory of 1544	2980	4tbp.exe	36
PID 2852 wrote to memory of 336	2852	ic4.exe	2
PID 2852 wrote to memory of 1044	2852	ic4.exe	38
PID 2852 wrote to memory of 1044	2852	ic4.exe	38
PID 2852 wrote to memory of 1044	2852	ic4.exe	38
PID 2852 wrote to memory of 1044	2852	ic4.exe	38
PID 2852 wrote to memory of 1044	2852	ic4.exe	38
PID 2852 wrote to memory of 1044	2852	ic4.exe	38
PID 2852 wrote to memory of 1044	2852	ic4.exe	38
PID 2852 wrote to memory of 1044	2852	ic4.exe	38
PID 336 wrote to memory of 1328	336	csrss.exe	40
PID 2860 wrote to memory of 980	2860	3R2R.exe	41
PID 2860 wrote to memory of 980	2860	3R2R.exe	41
PID 2860 wrote to memory of 980	2860	3R2R.exe	41
PID 2860 wrote to memory of 980	2860	3R2R.exe	41
PID 2860 wrote to memory of 980	2860	3R2R.exe	41
PID 2860 wrote to memory of 980	2860	3R2R.exe	41
PID 2860 wrote to memory of 980	2860	3R2R.exe	41
PID 2860 wrote to memory of 2448	2860	3R2R.exe	42
PID 2860 wrote to memory of 2448	2860	3R2R.exe	42
PID 2860 wrote to memory of 2448	2860	3R2R.exe	42
PID 2860 wrote to memory of 2448	2860	3R2R.exe	42
PID 2860 wrote to memory of 2448	2860	3R2R.exe	42

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	3R2R.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"	3R2R.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:840

C:\Users\Admin\AppData\Local\Temp\e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e50be41d01aff61dc9d6779e9af971ee_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\Vaya Con Dios - Don't Cry For Louie.exe
  "C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\Vaya Con Dios - Don't Cry For Louie.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2236
- C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\ic4.exe
  "C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\ic4.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1044
- C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\2 Gansta.exe
  "C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\2 Gansta.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2360
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\2GANST~1.EXE > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1596
- C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\3R2R.exe
  "C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\3R2R.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\3R2R.exe
    C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\3R2R.exe startC:\Users\Admin\AppData\Roaming\CE2CE\BE40F.exe%C:\Users\Admin\AppData\Roaming\CE2CE
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:980
- - C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\3R2R.exe
    C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\3R2R.exe startC:\Program Files (x86)\CEF4F\lvvm.exe%C:\Program Files (x86)\CEF4F
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2448
- - C:\Program Files (x86)\LP\0FDC\5F6F.tmp
    "C:\Program Files (x86)\LP\0FDC\5F6F.tmp"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1648
- C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\4tbp.exe
  "C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\4tbp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\WeDa012.dll",Startup
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1544
  - - C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe "C:\Users\Admin\AppData\Local\WeDa012.dll",iep
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2152

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:332

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
- Loads dropped DLL
PID:1328

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1860

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:2396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\2 Gansta.exe

Filesize
6KB

MD5
bee76c79e2e63e198038e01f0d571038

SHA1
fcffdd6bb030f516a46e9d303ebae2ab33af222e

SHA256
50a3c7134460bfe5f2840bd8dc957edfaa76da5beaaff70f8da5e0fef80ae876

SHA512
dd2e9488ad365c02722e1a2466acffb8beaf4dbb68d7093e01c50cd915418ca0642cb6bdd43f2f2b014455803f3c69dec24ca9dfee11bdf7790379181cd2f6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsyE236.tmp\ic4.exe

Filesize
227KB

MD5
cb6a5d7be9b7848a56c785c4d8902015

SHA1
5c533572e746689887bfd9ea759fdc1fdb4d0a2a

SHA256
29fff191f7ea1fdb656d07544aeffdc0ff7f57c77edeb6b672e2ac040fdc0a5c

SHA512
8235b2e065a01cedc5954e66135061c80e6c96da836626ac5fe71998dba8699674064d9d94e8a87a15c5059892c28dd83a5564902db9debe1faa1125a86db831

Download Submit
C:\Users\Admin\AppData\Roaming\CE2CE\EF4F.E2C

Filesize
600B

MD5
e0f27f0ef5faa68db88fd2d349e18703

SHA1
76810a21d54bd798efa219fbbd49cc9773991ef1

SHA256
e95fdb8201a2e0743d379174cbb4f10c98af90620ceffe4a74f6d247aec165b6

SHA512
db2c39629087a576996653c1571990fabf52558041ad57434bac44d7c2a174a51cb0661c601b12e89f34cec55436d5dae028ae01f19608ccdd40d1e01cfd7a6b

Download Submit
C:\Users\Admin\AppData\Roaming\CE2CE\EF4F.E2C

Filesize
996B

MD5
d3fbcde324cb625d1a02ef6cce3523b8

SHA1
efc9b16efb8a80c6aaf94d37f8a6bd6979eed4df

SHA256
e961b40b3d4504f2afd7a67c9093167867928d80cd4837cc9d4a67734577d12a

SHA512
9480b94df21c4aca8e56b8d5c0b3770f1ff4b5eebc914f1ab664c4d755452081935ac417140f0576f74274898e2349f9ddd4966eeb152a59b8fb8c87ce1e2143

Download Submit
C:\Users\Admin\AppData\Roaming\CE2CE\EF4F.E2C

Filesize
1KB

MD5
55544d77c25e7cb3d142923e7e98526b

SHA1
611fd2f5e835c83686fd1f335b5577dc69a636de

SHA256
177061f632190d07f6d9cbfd1fe2850f0b75fadc14b781d193abd9d7b0f08ea6

SHA512
84e9d81fa5b759855d75209215ba0e16557349c750f6c0236591b94f018c19c7f738cbed9bb2e533259c5919b31ebb4f2c5bad993a22c4cad6a9b87869029549

Download Submit
\??\globalroot\systemroot\assembly\temp\@

Filesize
2KB

MD5
37464da42bf62d70ea76e26766557abf

SHA1
923fca35b5bac60c012b44725d91aaaf0ff00bf7

SHA256
af1ffbdd159598678a2eaf24bc02b22f76649a7d2edf836dd660a9e978a5930f

SHA512
795caba548263543f55716be0c15a63e003e8752f3fd69dcdb629bed65add66d499229d6383f934d8b5d6289970e253876f1693cb1e23c072bbd6a3eb43d3ae3

Download Submit
\Program Files (x86)\LP\0FDC\5F6F.tmp

Filesize
97KB

MD5
78193d48f57272fd9ea2e44ed86d608c

SHA1
1e70368bb5a0932f868fdddb22fd23dd2e7dedeb

SHA256
c09d0876bbf956eb381d92a3e9dd61d49a4d65c1d2b65d3d42cb795256804aae

SHA512
4f55914fe2d3780f174843b9f3666a10f63caae9634af925da3dc6aea5a3f6ab9e6ebf693698b781931ce794919558c59f7bfa22be94dc8b556784d948fa14c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE236.tmp\3R2R.exe

Filesize
278KB

MD5
c0b900a8932663eb7019fadf5bf040eb

SHA1
81ebb2aec972a23406cc3411eec2ba857fcf093b

SHA256
45c2a8a44e726ba63180d1e87e6a16b9846c4d4279f05b2eebebef4c9223e690

SHA512
103b5d0ce61db59159a566dfcb0a38ea10cd95c6e6db8a2c639b713d937d268a7182ce16150bb7eb3cce3b08be895ed220037004de0d5b9661c4150cc03b8832

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE236.tmp\4tbp.exe

Filesize
108KB

MD5
03b927c7c418bb244c2080e40bc7c20e

SHA1
f8abf451378cbc13ec4c336456d0ba096ed64459

SHA256
317d95ad3f8b58b6e7d7623e4ead965aea9eff10934280ca3cfa104f3d176f48

SHA512
329102dee848ed482c07e3d7cd528088a7526179382d72cf9c5a8325519fe40a5adbb1f8bb560ccd4a8e876f4ca3f0e893f8983195ad775249844dcdf4e39747

Download Submit
\Users\Admin\AppData\Local\Temp\nsyE236.tmp\Vaya Con Dios - Don't Cry For Louie.exe

Filesize
7.0MB

MD5
4a34de090e4e37d8d3f0b0ee0bdce371

SHA1
17972ddff6b799f794a7ad91bc84cff0f1d99a96

SHA256
c3b3216b20f88209c71c4a85f81e2b42d2ae9a84af8db9f3cc2f2bdf29d992b9

SHA512
0373baee90a6e7968e3a3f3aed34e32ba4b816af56323155972bdcfe8d6c8bd1026fcad0a130d61448de5db5aa8aa46a53f0bf74e5a12701573a0dc7bf865b32

Download Submit
\Users\Admin\AppData\Local\WeDa012.dll

Filesize
108KB

MD5
7d7679b1493c32da08daae1949e9724c

SHA1
32da402420f912e637f2a54c73d54d31c73d4912

SHA256
5f73756e6fafd121ddff05750d8c21a4d9a29d319b8022591787451af7766aa5

SHA512
6a57805aa0d0df5020b0290d4b0121621a278dc97f31c93dfd64420a597d90212037e7559fe5550d2f68e850714fbfc326a887ec48651e3617725edf5258d15d

Download Submit
\Windows\System32\consrv.dll

Filesize
53KB

MD5
63e99b675a1337db6d8430195ea3efd2

SHA1
1baead2bf8f433dc82f9b2c03fd65ce697a92155

SHA256
6616179477849205eb4075b75a042056d196f45d67f78929dbb3317a35ccbea9

SHA512
f5b986eafa38dbc9ad7759784ac887ecbb9c8d8009a3f33e91b9c9ceeaf043ed3e4ddab8e6b6b77e54aed9fcecab02442c8ff253f2136ea06996d05ddd68199f

Download Submit
\Windows\assembly\GAC_32\Desktop.ini

Filesize
4KB

MD5
758f90d425814ea5a1d2694e44e7e295

SHA1
64d61731255ef2c3060868f92f6b81b4c9b5fe29

SHA256
896221147d8172197cbbf06c45d461141ce6b4af38027c1a22d57c1165026433

SHA512
11858e498309f611ee6241c026a402d6d979bffe28d4cbf7c9d5a89c3f3de25e1d253ab552ef7bc7cc43dd056307bd625e2e4f09beb21f0214c3946113b97ca9

Download Submit
\Windows\assembly\GAC_64\Desktop.ini

Filesize
5KB

MD5
92f9cdae857253a3895faffa85b3d8b9

SHA1
d28352ff5a02eeb98334e3d0f845a259b2aacff3

SHA256
5653db84679ab49eec2e32127271dacd802b8ed53a5199c5fd5fe998be32a36b

SHA512
f23ec0a005b5d84d26527cd6c26d494b9ecff4b099adfd780fe7953f5affb0f295f92dc663d79bcb60d42f82d249b7e61acb39a38bdbd66185da5bf6126737a6

Download Submit
memory/336-334-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/336-108-0x00000000024A0000-0x00000000024B2000-memory.dmp

Filesize
72KB

Download
memory/840-345-0x00000000003F0000-0x00000000003FB000-memory.dmp

Filesize
44KB

Download
memory/840-336-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/840-344-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/840-340-0x00000000003E0000-0x00000000003EB000-memory.dmp

Filesize
44KB

Download
memory/980-131-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/1544-326-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1544-319-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1544-87-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1544-168-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/1648-323-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/2152-327-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2308-25-0x00000000009C0000-0x0000000000A26000-memory.dmp

Filesize
408KB

Download
memory/2308-35-0x0000000000870000-0x000000000087A000-memory.dmp

Filesize
40KB

Download
memory/2308-31-0x00000000009C0000-0x0000000000A26000-memory.dmp

Filesize
408KB

Download
memory/2308-44-0x0000000000870000-0x000000000087A000-memory.dmp

Filesize
40KB

Download
memory/2360-165-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2360-46-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/2360-54-0x0000000000020000-0x000000000002A000-memory.dmp

Filesize
40KB

Download
memory/2448-239-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2852-94-0x0000000000470000-0x00000000004B6000-memory.dmp

Filesize
280KB

Download
memory/2852-100-0x0000000000470000-0x00000000004B6000-memory.dmp

Filesize
280KB

Download
memory/2852-99-0x0000000000470000-0x00000000004B6000-memory.dmp

Filesize
280KB

Download
memory/2852-113-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2852-114-0x00000000002F0000-0x0000000000356000-memory.dmp

Filesize
408KB

Download
memory/2852-98-0x0000000000470000-0x00000000004B6000-memory.dmp

Filesize
280KB

Download
memory/2852-102-0x0000000000470000-0x00000000004B6000-memory.dmp

Filesize
280KB

Download
memory/2852-90-0x0000000000470000-0x00000000004B6000-memory.dmp

Filesize
280KB

Download
memory/2860-167-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2860-241-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2860-325-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2860-318-0x0000000000400000-0x000000000046B000-memory.dmp

Filesize
428KB

Download
memory/2980-79-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download
memory/2980-88-0x0000000010000000-0x000000001001B000-memory.dmp

Filesize
108KB

Download