2d49431463da6ba1b804807898881ad7695ad705d1ae0eb3c340b64420eb26c0

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Size

40KB
MD5

eeb24a1ba8ac5d382158a0cf6818be1d
SHA1

078dd0c061a3afe3171437d504d2562e9ebd3201
SHA256

2d49431463da6ba1b804807898881ad7695ad705d1ae0eb3c340b64420eb26c0
SHA512

af8b8acbaf670a9dd3d76e35e42f082967a2c50fd4439a98a230625fe18ee78dce67cc957c4847e2f79853f3601b256c97600f661ab83d55871f46b6b2781a41
SSDEEP

384:Rczr6iaVwJpxlyLdvjLCCvetrUJWiaV7r:RelxrojOxrUXI

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Yukime.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Michelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Ria.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Yukime.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Michelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Ria.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Yukime.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Michelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Ria.exe

Disables RegEdit via registry modification 5 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Yukime.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Michelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Ria.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\csrss.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\csrss.exe	Ria.exe
File created	C:\Windows\SysWOW64\drivers\csrss.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\drivers\csrss.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\csrss.exe	Yukime.exe
File opened for modification	C:\Windows\SysWOW64\drivers\csrss.exe	Yukime.exe
File opened for modification	C:\Windows\SysWOW64\drivers\csrss.exe	Michelle.exe
File created	C:\Windows\SysWOW64\drivers\csrss.exe	csrss.exe
File created	C:\Windows\SysWOW64\drivers\csrss.exe	Michelle.exe
File created	C:\Windows\SysWOW64\drivers\csrss.exe	Ria.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	Michelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "calc.exe"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	Yukime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	Michelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	Michelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Michelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	Ria.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "calc"	Yukime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	Yukime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "calc.exe"	Yukime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Yukime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	Ria.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "calc"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "calc.exe"	Michelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "calc"	Michelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "calc.exe"	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "calc"	Ria.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "calc"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "calc.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	Yukime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Yukime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	Yukime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	Ria.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	Michelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Michelle.exe

Executes dropped EXE 20 IoCs

pid	Process
2936	csrss.exe
1604	csrss.exe
2356	Yukime.exe
2204	csrss.exe
2596	Yukime.exe
2552	Michelle.exe
2616	csrss.exe
2588	Yukime.exe
3016	Michelle.exe
1408	Ria.exe
1948	csrss.exe
2728	Yukime.exe
3020	Michelle.exe
2212	Ria.exe
2088	Ria.exe
580	Michelle.exe
2032	Ria.exe
644	Yukime.exe
2608	Michelle.exe
1784	Ria.exe

Loads dropped DLL 40 IoCs

pid	Process
2140	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
2140	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
2936	csrss.exe
2936	csrss.exe
2936	csrss.exe
2936	csrss.exe
2356	Yukime.exe
2356	Yukime.exe
2356	Yukime.exe
2356	Yukime.exe
2356	Yukime.exe
2356	Yukime.exe
2552	Michelle.exe
2552	Michelle.exe
2552	Michelle.exe
2552	Michelle.exe
2552	Michelle.exe
2552	Michelle.exe
2552	Michelle.exe
2552	Michelle.exe
1408	Ria.exe
1408	Ria.exe
1408	Ria.exe
1408	Ria.exe
1408	Ria.exe
1408	Ria.exe
1408	Ria.exe
1408	Ria.exe
2356	Yukime.exe
2356	Yukime.exe
2936	csrss.exe
2936	csrss.exe
2936	csrss.exe
2936	csrss.exe
2140	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
2140	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
2140	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
2140	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
2140	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
2140	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Optimize Windows = "C:\\Windows\\System32\\Kuntilanak.exe"	Michelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\W32.Formalin.Beta = "C:\\Windows\\System32\\Pocong.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\System32\\drivers\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\System32\\drivers\\csrss.exe"	Yukime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tweak System = "C:\\Windows\\System32\\Genderowo.exe"	Michelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\W32.Formalin.Beta = "C:\\Windows\\System32\\Pocong.exe"	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Optimize Windows = "C:\\Windows\\System32\\Kuntilanak.exe"	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tweak System = "C:\\Windows\\System32\\Genderowo.exe"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Optimize Windows = "C:\\Windows\\System32\\Kuntilanak.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tweak System = "C:\\Windows\\System32\\Genderowo.exe"	Yukime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Optimize Windows = "C:\\Windows\\System32\\Kuntilanak.exe"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tweak System = "C:\\Windows\\System32\\Genderowo.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\W32.Formalin.Beta = "C:\\Windows\\System32\\Pocong.exe"	Michelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Optimize Windows = "C:\\Windows\\System32\\Kuntilanak.exe"	Yukime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\System32\\drivers\\csrss.exe"	Michelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Tweak System = "C:\\Windows\\System32\\Genderowo.exe"	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\System32\\drivers\\csrss.exe"	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\W32.Formalin.Beta = "C:\\Windows\\System32\\Pocong.exe"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\System32\\drivers\\csrss.exe"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\W32.Formalin.Beta = "C:\\Windows\\System32\\Pocong.exe"	Yukime.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Yukime.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Michelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Ria.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\O:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\K:	Yukime.exe
File opened (read-only)	\??\V:	Ria.exe
File opened (read-only)	\??\B:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\R:	Yukime.exe
File opened (read-only)	\??\T:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\N:	Michelle.exe
File opened (read-only)	\??\M:	Ria.exe
File opened (read-only)	\??\Z:	Ria.exe
File opened (read-only)	\??\H:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\G:	csrss.exe
File opened (read-only)	\??\I:	Yukime.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\A:	Ria.exe
File opened (read-only)	\??\O:	Ria.exe
File opened (read-only)	\??\V:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\E:	Ria.exe
File opened (read-only)	\??\X:	Ria.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\W:	csrss.exe
File opened (read-only)	\??\Q:	Yukime.exe
File opened (read-only)	\??\Q:	Ria.exe
File opened (read-only)	\??\Y:	Ria.exe
File opened (read-only)	\??\S:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\J:	Yukime.exe
File opened (read-only)	\??\A:	Michelle.exe
File opened (read-only)	\??\M:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\P:	Michelle.exe
File opened (read-only)	\??\R:	Michelle.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\Y:	Yukime.exe
File opened (read-only)	\??\Z:	Michelle.exe
File opened (read-only)	\??\G:	Ria.exe
File opened (read-only)	\??\I:	Ria.exe
File opened (read-only)	\??\U:	Ria.exe
File opened (read-only)	\??\P:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\K:	Michelle.exe
File opened (read-only)	\??\M:	Michelle.exe
File opened (read-only)	\??\O:	Michelle.exe
File opened (read-only)	\??\H:	Ria.exe
File opened (read-only)	\??\K:	Ria.exe
File opened (read-only)	\??\X:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\G:	Yukime.exe
File opened (read-only)	\??\M:	Yukime.exe
File opened (read-only)	\??\T:	Yukime.exe
File opened (read-only)	\??\T:	Ria.exe
File opened (read-only)	\??\Z:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\B:	Yukime.exe
File opened (read-only)	\??\N:	Ria.exe
File opened (read-only)	\??\R:	Ria.exe
File opened (read-only)	\??\J:	Michelle.exe
File opened (read-only)	\??\L:	Michelle.exe
File opened (read-only)	\??\N:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\L:	csrss.exe
File opened (read-only)	\??\V:	Michelle.exe
File opened (read-only)	\??\S:	Ria.exe
File opened (read-only)	\??\Q:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\P:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "WARNING"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "WARNING"	Yukime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "WARNING"	Michelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "WARNING"	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "WARNING"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Yukime.exe	csrss.exe
File created	C:\Windows\SysWOW64\Ria.exe	Yukime.exe
File opened for modification	C:\Windows\SysWOW64\Michelle.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Yukime.exe	Yukime.exe
File created	C:\Windows\SysWOW64\Ria.exe	Michelle.exe
File created	C:\Windows\SysWOW64\Yukime.exe	Ria.exe
File opened for modification	C:\Windows\SysWOW64\Ria.exe	Ria.exe
File created	C:\Windows\SysWOW64\Ria.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Ria.exe	csrss.exe
File created	C:\Windows\SysWOW64\Michelle.exe	Michelle.exe
File opened for modification	C:\Windows\SysWOW64\Michelle.exe	Michelle.exe
File created	C:\Windows\SysWOW64\Yukime.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ria.exe	Yukime.exe
File opened for modification	C:\Windows\SysWOW64\Michelle.exe	Yukime.exe
File created	C:\Windows\SysWOW64\Michelle.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Michelle.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\Yukime.exe	Yukime.exe
File created	C:\Windows\SysWOW64\Yukime.exe	Michelle.exe
File created	C:\Windows\SysWOW64\Michelle.exe	Ria.exe
File opened for modification	C:\Windows\SysWOW64\Ria.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Yukime.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ria.exe	csrss.exe
File created	C:\Windows\SysWOW64\Michelle.exe	Yukime.exe
File created	C:\Windows\SysWOW64\Ria.exe	Ria.exe
File opened for modification	C:\Windows\SysWOW64\Michelle.exe	Ria.exe
File opened for modification	C:\Windows\SysWOW64\Michelle.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\Yukime.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\Ria.exe	Michelle.exe
File opened for modification	C:\Windows\SysWOW64\Yukime.exe	Michelle.exe
File opened for modification	C:\Windows\SysWOW64\Yukime.exe	Ria.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	csrss.exe
File opened for modification	C:\Windows\SysWOW64	Yukime.exe
File opened for modification	C:\Windows\SysWOW64	Michelle.exe
File opened for modification	C:\Windows\SysWOW64	Ria.exe
File opened for modification	C:\Windows\SysWOW64	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ria.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ria.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yukime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ria.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yukime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Michelle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yukime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Michelle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Michelle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yukime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Michelle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yukime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Michelle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ria.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ria.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	Michelle.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Your computer has been infected virus Formalin"	Michelle.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Your computer has been infected virus Formalin"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	Ria.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Your computer has been infected virus Formalin"	Ria.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Your computer has been infected virus Formalin"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	Yukime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "Your computer has been infected virus Formalin"	Yukime.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
2140	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
2936	csrss.exe
1604	csrss.exe
2356	Yukime.exe
2204	csrss.exe
2596	Yukime.exe
2552	Michelle.exe
2616	csrss.exe
2588	Yukime.exe
3016	Michelle.exe
1408	Ria.exe
1948	csrss.exe
2728	Yukime.exe
3020	Michelle.exe
2212	Ria.exe
2088	Ria.exe
580	Michelle.exe
2032	Ria.exe
644	Yukime.exe
2608	Michelle.exe
1784	Ria.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 2936	2140	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2936	2140	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2936	2140	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe	30
PID 2140 wrote to memory of 2936	2140	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe	30
PID 2936 wrote to memory of 1604	2936	csrss.exe	31
PID 2936 wrote to memory of 1604	2936	csrss.exe	31
PID 2936 wrote to memory of 1604	2936	csrss.exe	31
PID 2936 wrote to memory of 1604	2936	csrss.exe	31
PID 2936 wrote to memory of 2356	2936	csrss.exe	32
PID 2936 wrote to memory of 2356	2936	csrss.exe	32
PID 2936 wrote to memory of 2356	2936	csrss.exe	32
PID 2936 wrote to memory of 2356	2936	csrss.exe	32
PID 2356 wrote to memory of 2204	2356	Yukime.exe	33
PID 2356 wrote to memory of 2204	2356	Yukime.exe	33
PID 2356 wrote to memory of 2204	2356	Yukime.exe	33
PID 2356 wrote to memory of 2204	2356	Yukime.exe	33
PID 2356 wrote to memory of 2596	2356	Yukime.exe	34
PID 2356 wrote to memory of 2596	2356	Yukime.exe	34
PID 2356 wrote to memory of 2596	2356	Yukime.exe	34
PID 2356 wrote to memory of 2596	2356	Yukime.exe	34
PID 2356 wrote to memory of 2552	2356	Yukime.exe	35
PID 2356 wrote to memory of 2552	2356	Yukime.exe	35
PID 2356 wrote to memory of 2552	2356	Yukime.exe	35
PID 2356 wrote to memory of 2552	2356	Yukime.exe	35
PID 2552 wrote to memory of 2616	2552	Michelle.exe	36
PID 2552 wrote to memory of 2616	2552	Michelle.exe	36
PID 2552 wrote to memory of 2616	2552	Michelle.exe	36
PID 2552 wrote to memory of 2616	2552	Michelle.exe	36
PID 2552 wrote to memory of 2588	2552	Michelle.exe	37
PID 2552 wrote to memory of 2588	2552	Michelle.exe	37
PID 2552 wrote to memory of 2588	2552	Michelle.exe	37
PID 2552 wrote to memory of 2588	2552	Michelle.exe	37
PID 2552 wrote to memory of 3016	2552	Michelle.exe	38
PID 2552 wrote to memory of 3016	2552	Michelle.exe	38
PID 2552 wrote to memory of 3016	2552	Michelle.exe	38
PID 2552 wrote to memory of 3016	2552	Michelle.exe	38
PID 2552 wrote to memory of 1408	2552	Michelle.exe	39
PID 2552 wrote to memory of 1408	2552	Michelle.exe	39
PID 2552 wrote to memory of 1408	2552	Michelle.exe	39
PID 2552 wrote to memory of 1408	2552	Michelle.exe	39
PID 1408 wrote to memory of 1948	1408	Ria.exe	40
PID 1408 wrote to memory of 1948	1408	Ria.exe	40
PID 1408 wrote to memory of 1948	1408	Ria.exe	40
PID 1408 wrote to memory of 1948	1408	Ria.exe	40
PID 1408 wrote to memory of 2728	1408	Ria.exe	41
PID 1408 wrote to memory of 2728	1408	Ria.exe	41
PID 1408 wrote to memory of 2728	1408	Ria.exe	41
PID 1408 wrote to memory of 2728	1408	Ria.exe	41
PID 1408 wrote to memory of 3020	1408	Ria.exe	42
PID 1408 wrote to memory of 3020	1408	Ria.exe	42
PID 1408 wrote to memory of 3020	1408	Ria.exe	42
PID 1408 wrote to memory of 3020	1408	Ria.exe	42
PID 1408 wrote to memory of 2212	1408	Ria.exe	43
PID 1408 wrote to memory of 2212	1408	Ria.exe	43
PID 1408 wrote to memory of 2212	1408	Ria.exe	43
PID 1408 wrote to memory of 2212	1408	Ria.exe	43
PID 2356 wrote to memory of 2088	2356	Yukime.exe	44
PID 2356 wrote to memory of 2088	2356	Yukime.exe	44
PID 2356 wrote to memory of 2088	2356	Yukime.exe	44
PID 2356 wrote to memory of 2088	2356	Yukime.exe	44
PID 2936 wrote to memory of 580	2936	csrss.exe	45
PID 2936 wrote to memory of 580	2936	csrss.exe	45
PID 2936 wrote to memory of 580	2936	csrss.exe	45
PID 2936 wrote to memory of 580	2936	csrss.exe	45

System policy modification 1 TTPs 10 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Yukime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Michelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Michelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Ria.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Ria.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Yukime.exe

C:\Users\Admin\AppData\Local\Temp\eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2140
- C:\Windows\SysWOW64\drivers\csrss.exe
  C:\Windows\System32\drivers\csrss.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2936
- - C:\Windows\SysWOW64\drivers\csrss.exe
    C:\Windows\System32\drivers\csrss.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1604
- - C:\Windows\SysWOW64\Yukime.exe
    C:\Windows\System32\Yukime.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2356
  - - C:\Windows\SysWOW64\drivers\csrss.exe
      C:\Windows\System32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2204
  - - C:\Windows\SysWOW64\Yukime.exe
      C:\Windows\System32\Yukime.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2596
  - - C:\Windows\SysWOW64\Michelle.exe
      C:\Windows\System32\Michelle.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Drops file in Drivers directory
      Event Triggered Execution: Image File Execution Options Injection
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Checks whether UAC is enabled
      Enumerates connected drives
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2552
    - - C:\Windows\SysWOW64\drivers\csrss.exe
        
        C:\Windows\System32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2616
    - - C:\Windows\SysWOW64\Yukime.exe
        
        C:\Windows\System32\Yukime.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2588
    - - C:\Windows\SysWOW64\Michelle.exe
        
        C:\Windows\System32\Michelle.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3016
    - - C:\Windows\SysWOW64\Ria.exe
        
        C:\Windows\System32\Ria.exe
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Checks whether UAC is enabled
        Enumerates connected drives
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1408
      - C:\Windows\SysWOW64\drivers\csrss.exe
        
        C:\Windows\System32\drivers\csrss.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1948
      - C:\Windows\SysWOW64\Yukime.exe
        
        C:\Windows\System32\Yukime.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2728
      - C:\Windows\SysWOW64\Michelle.exe
        
        C:\Windows\System32\Michelle.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:3020
      - C:\Windows\SysWOW64\Ria.exe
        
        C:\Windows\System32\Ria.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2212
  - - C:\Windows\SysWOW64\Ria.exe
      C:\Windows\System32\Ria.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2088
- - C:\Windows\SysWOW64\Michelle.exe
    C:\Windows\System32\Michelle.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:580
- - C:\Windows\SysWOW64\Ria.exe
    C:\Windows\System32\Ria.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2032
- C:\Windows\SysWOW64\Yukime.exe
  C:\Windows\System32\Yukime.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:644
- C:\Windows\SysWOW64\Michelle.exe
  C:\Windows\System32\Michelle.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2608
- C:\Windows\SysWOW64\Ria.exe
  C:\Windows\System32\Ria.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\drivers\csrss.exe

Filesize
40KB

MD5
eeb24a1ba8ac5d382158a0cf6818be1d

SHA1
078dd0c061a3afe3171437d504d2562e9ebd3201

SHA256
2d49431463da6ba1b804807898881ad7695ad705d1ae0eb3c340b64420eb26c0

SHA512
af8b8acbaf670a9dd3d76e35e42f082967a2c50fd4439a98a230625fe18ee78dce67cc957c4847e2f79853f3601b256c97600f661ab83d55871f46b6b2781a41

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads