2d49431463da6ba1b804807898881ad7695ad705d1ae0eb3c340b64420eb26c0

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 00:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Size

40KB
MD5

eeb24a1ba8ac5d382158a0cf6818be1d
SHA1

078dd0c061a3afe3171437d504d2562e9ebd3201
SHA256

2d49431463da6ba1b804807898881ad7695ad705d1ae0eb3c340b64420eb26c0
SHA512

af8b8acbaf670a9dd3d76e35e42f082967a2c50fd4439a98a230625fe18ee78dce67cc957c4847e2f79853f3601b256c97600f661ab83d55871f46b6b2781a41
SSDEEP

384:Rczr6iaVwJpxlyLdvjLCCvetrUJWiaV7r:RelxrojOxrUXI

Score

10^/10

discovery evasion persistence trojan

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Yukime.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Michelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Ria.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 5 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Michelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Ria.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	Yukime.exe

UAC bypass 3 TTPs 5 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Yukime.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Michelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Ria.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe

Disables RegEdit via registry modification 5 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	csrss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Yukime.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Michelle.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Ria.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\drivers\csrss.exe	Yukime.exe
File opened for modification	C:\Windows\SysWOW64\drivers\csrss.exe	Michelle.exe
File opened for modification	C:\Windows\SysWOW64\drivers\csrss.exe	Ria.exe
File opened for modification	C:\Windows\SysWOW64\drivers\csrss.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\csrss.exe	Ria.exe
File opened for modification	C:\Windows\SysWOW64\drivers\csrss.exe	csrss.exe
File created	C:\Windows\SysWOW64\drivers\csrss.exe	Michelle.exe
File created	C:\Windows\SysWOW64\drivers\csrss.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\drivers\csrss.exe	csrss.exe
File created	C:\Windows\SysWOW64\drivers\csrss.exe	Yukime.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 40 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "calc.exe"	Yukime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	Yukime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "calc"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	Michelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "calc.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	Yukime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	Yukime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Yukime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	Michelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "calc"	Ria.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	Michelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Michelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	Michelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "calc"	Michelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	Ria.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "calc.exe"	Ria.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Michelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "calc"	Yukime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "calc.exe"	Michelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del"	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "calc.exe"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "calc"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	Yukime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	Yukime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	Ria.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe

Executes dropped EXE 20 IoCs

pid	Process
2560	csrss.exe
3468	csrss.exe
2772	Yukime.exe
3416	csrss.exe
2652	Yukime.exe
4380	Michelle.exe
2860	csrss.exe
368	Yukime.exe
2848	Michelle.exe
4624	Ria.exe
2548	csrss.exe
2996	Yukime.exe
1572	Michelle.exe
1452	Ria.exe
1400	Ria.exe
5080	Michelle.exe
4360	Ria.exe
1996	Yukime.exe
3184	Michelle.exe
372	Ria.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\System32\\drivers\\csrss.exe"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Optimize Windows = "C:\\Windows\\System32\\Kuntilanak.exe"	Yukime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\System32\\drivers\\csrss.exe"	Yukime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Optimize Windows = "C:\\Windows\\System32\\Kuntilanak.exe"	Michelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Optimize Windows = "C:\\Windows\\System32\\Kuntilanak.exe"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Tweak System = "C:\\Windows\\System32\\Genderowo.exe"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\W32.Formalin.Beta = "C:\\Windows\\System32\\Pocong.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Tweak System = "C:\\Windows\\System32\\Genderowo.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\W32.Formalin.Beta = "C:\\Windows\\System32\\Pocong.exe"	Michelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\System32\\drivers\\csrss.exe"	Michelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Tweak System = "C:\\Windows\\System32\\Genderowo.exe"	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\W32.Formalin.Beta = "C:\\Windows\\System32\\Pocong.exe"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\W32.Formalin.Beta = "C:\\Windows\\System32\\Pocong.exe"	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Optimize Windows = "C:\\Windows\\System32\\Kuntilanak.exe"	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Optimize Windows = "C:\\Windows\\System32\\Kuntilanak.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\W32.Formalin.Beta = "C:\\Windows\\System32\\Pocong.exe"	Yukime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Tweak System = "C:\\Windows\\System32\\Genderowo.exe"	Yukime.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Tweak System = "C:\\Windows\\System32\\Genderowo.exe"	Michelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\System32\\drivers\\csrss.exe"	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Windows\\System32\\drivers\\csrss.exe"	csrss.exe

Checks whether UAC is enabled 1 TTPs 5 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Yukime.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Michelle.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Ria.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Yukime.exe
File opened (read-only)	\??\X:	Yukime.exe
File opened (read-only)	\??\Y:	Yukime.exe
File opened (read-only)	\??\E:	Ria.exe
File opened (read-only)	\??\A:	Michelle.exe
File opened (read-only)	\??\H:	Michelle.exe
File opened (read-only)	\??\B:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\E:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\A:	Yukime.exe
File opened (read-only)	\??\Q:	Michelle.exe
File opened (read-only)	\??\O:	Ria.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\V:	Yukime.exe
File opened (read-only)	\??\M:	Michelle.exe
File opened (read-only)	\??\V:	Ria.exe
File opened (read-only)	\??\S:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\E:	Yukime.exe
File opened (read-only)	\??\W:	Michelle.exe
File opened (read-only)	\??\R:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\A:	csrss.exe
File opened (read-only)	\??\T:	csrss.exe
File opened (read-only)	\??\O:	Yukime.exe
File opened (read-only)	\??\U:	Michelle.exe
File opened (read-only)	\??\B:	Yukime.exe
File opened (read-only)	\??\K:	Yukime.exe
File opened (read-only)	\??\U:	Yukime.exe
File opened (read-only)	\??\P:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\Y:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\B:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\X:	Michelle.exe
File opened (read-only)	\??\H:	Ria.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\Y:	Michelle.exe
File opened (read-only)	\??\S:	csrss.exe
File opened (read-only)	\??\K:	Michelle.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\Z:	Yukime.exe
File opened (read-only)	\??\A:	Ria.exe
File opened (read-only)	\??\T:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\X:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\Q:	csrss.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\R:	Yukime.exe
File opened (read-only)	\??\N:	Michelle.exe
File opened (read-only)	\??\K:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\P:	Yukime.exe
File opened (read-only)	\??\P:	Ria.exe
File opened (read-only)	\??\Q:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\V:	csrss.exe
File opened (read-only)	\??\L:	Michelle.exe
File opened (read-only)	\??\X:	Ria.exe
File opened (read-only)	\??\Q:	Yukime.exe
File opened (read-only)	\??\L:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\U:	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened (read-only)	\??\J:	Yukime.exe
File opened (read-only)	\??\S:	Ria.exe
File opened (read-only)	\??\I:	Ria.exe
File opened (read-only)	\??\K:	Ria.exe
File opened (read-only)	\??\M:	Ria.exe

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "WARNING"	Michelle.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "WARNING"	Ria.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "WARNING"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "WARNING"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption = "WARNING"	Yukime.exe

Drops file in System32 directory 30 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Ria.exe	csrss.exe
File created	C:\Windows\SysWOW64\Michelle.exe	Yukime.exe
File created	C:\Windows\SysWOW64\Ria.exe	Michelle.exe
File opened for modification	C:\Windows\SysWOW64\Ria.exe	Ria.exe
File opened for modification	C:\Windows\SysWOW64\Yukime.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Yukime.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\Ria.exe	Yukime.exe
File opened for modification	C:\Windows\SysWOW64\Ria.exe	Michelle.exe
File opened for modification	C:\Windows\SysWOW64\Michelle.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Yukime.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Yukime.exe	Yukime.exe
File created	C:\Windows\SysWOW64\Yukime.exe	Ria.exe
File created	C:\Windows\SysWOW64\Michelle.exe	Michelle.exe
File created	C:\Windows\SysWOW64\Ria.exe	Ria.exe
File created	C:\Windows\SysWOW64\Michelle.exe	csrss.exe
File created	C:\Windows\SysWOW64\Yukime.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\Michelle.exe	csrss.exe
File created	C:\Windows\SysWOW64\Ria.exe	Yukime.exe
File created	C:\Windows\SysWOW64\Yukime.exe	Yukime.exe
File opened for modification	C:\Windows\SysWOW64\Michelle.exe	Yukime.exe
File opened for modification	C:\Windows\SysWOW64\Ria.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\Ria.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\Michelle.exe	Michelle.exe
File opened for modification	C:\Windows\SysWOW64\Yukime.exe	Michelle.exe
File created	C:\Windows\SysWOW64\Michelle.exe	Ria.exe
File opened for modification	C:\Windows\SysWOW64\Michelle.exe	Ria.exe
File created	C:\Windows\SysWOW64\Ria.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\Yukime.exe	Michelle.exe
File opened for modification	C:\Windows\SysWOW64\Yukime.exe	Ria.exe
File created	C:\Windows\SysWOW64\Michelle.exe	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64	csrss.exe
File opened for modification	C:\Windows\SysWOW64	Yukime.exe
File opened for modification	C:\Windows\SysWOW64	Michelle.exe
File opened for modification	C:\Windows\SysWOW64	Ria.exe

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yukime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ria.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yukime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yukime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Michelle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yukime.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Michelle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ria.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ria.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ria.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ria.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Michelle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Michelle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Michelle.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Yukime.exe

Modifies Internet Explorer settings 1 TTPs 10 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Your computer has been infected virus Formalin"	Yukime.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Your computer has been infected virus Formalin"	Michelle.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	Yukime.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	Ria.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Your computer has been infected virus Formalin"	Ria.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Your computer has been infected virus Formalin"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "Your computer has been infected virus Formalin"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Software\Microsoft\Internet Explorer\Main	Michelle.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
4508	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
2560	csrss.exe
3468	csrss.exe
2772	Yukime.exe
3416	csrss.exe
2652	Yukime.exe
4380	Michelle.exe
2860	csrss.exe
368	Yukime.exe
2848	Michelle.exe
4624	Ria.exe
2548	csrss.exe
2996	Yukime.exe
1572	Michelle.exe
1452	Ria.exe
1400	Ria.exe
5080	Michelle.exe
4360	Ria.exe
1996	Yukime.exe
3184	Michelle.exe
372	Ria.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 2560	4508	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe	82
PID 4508 wrote to memory of 2560	4508	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe	82
PID 4508 wrote to memory of 2560	4508	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe	82
PID 2560 wrote to memory of 3468	2560	csrss.exe	83
PID 2560 wrote to memory of 3468	2560	csrss.exe	83
PID 2560 wrote to memory of 3468	2560	csrss.exe	83
PID 2560 wrote to memory of 2772	2560	csrss.exe	84
PID 2560 wrote to memory of 2772	2560	csrss.exe	84
PID 2560 wrote to memory of 2772	2560	csrss.exe	84
PID 2772 wrote to memory of 3416	2772	Yukime.exe	85
PID 2772 wrote to memory of 3416	2772	Yukime.exe	85
PID 2772 wrote to memory of 3416	2772	Yukime.exe	85
PID 2772 wrote to memory of 2652	2772	Yukime.exe	86
PID 2772 wrote to memory of 2652	2772	Yukime.exe	86
PID 2772 wrote to memory of 2652	2772	Yukime.exe	86
PID 2772 wrote to memory of 4380	2772	Yukime.exe	87
PID 2772 wrote to memory of 4380	2772	Yukime.exe	87
PID 2772 wrote to memory of 4380	2772	Yukime.exe	87
PID 4380 wrote to memory of 2860	4380	Michelle.exe	88
PID 4380 wrote to memory of 2860	4380	Michelle.exe	88
PID 4380 wrote to memory of 2860	4380	Michelle.exe	88
PID 4380 wrote to memory of 368	4380	Michelle.exe	89
PID 4380 wrote to memory of 368	4380	Michelle.exe	89
PID 4380 wrote to memory of 368	4380	Michelle.exe	89
PID 4380 wrote to memory of 2848	4380	Michelle.exe	90
PID 4380 wrote to memory of 2848	4380	Michelle.exe	90
PID 4380 wrote to memory of 2848	4380	Michelle.exe	90
PID 4380 wrote to memory of 4624	4380	Michelle.exe	91
PID 4380 wrote to memory of 4624	4380	Michelle.exe	91
PID 4380 wrote to memory of 4624	4380	Michelle.exe	91
PID 4624 wrote to memory of 2548	4624	Ria.exe	92
PID 4624 wrote to memory of 2548	4624	Ria.exe	92
PID 4624 wrote to memory of 2548	4624	Ria.exe	92
PID 4624 wrote to memory of 2996	4624	Ria.exe	93
PID 4624 wrote to memory of 2996	4624	Ria.exe	93
PID 4624 wrote to memory of 2996	4624	Ria.exe	93
PID 4624 wrote to memory of 1572	4624	Ria.exe	94
PID 4624 wrote to memory of 1572	4624	Ria.exe	94
PID 4624 wrote to memory of 1572	4624	Ria.exe	94
PID 4624 wrote to memory of 1452	4624	Ria.exe	95
PID 4624 wrote to memory of 1452	4624	Ria.exe	95
PID 4624 wrote to memory of 1452	4624	Ria.exe	95
PID 2772 wrote to memory of 1400	2772	Yukime.exe	96
PID 2772 wrote to memory of 1400	2772	Yukime.exe	96
PID 2772 wrote to memory of 1400	2772	Yukime.exe	96
PID 2560 wrote to memory of 5080	2560	csrss.exe	97
PID 2560 wrote to memory of 5080	2560	csrss.exe	97
PID 2560 wrote to memory of 5080	2560	csrss.exe	97
PID 2560 wrote to memory of 4360	2560	csrss.exe	98
PID 2560 wrote to memory of 4360	2560	csrss.exe	98
PID 2560 wrote to memory of 4360	2560	csrss.exe	98
PID 4508 wrote to memory of 1996	4508	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe	99
PID 4508 wrote to memory of 1996	4508	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe	99
PID 4508 wrote to memory of 1996	4508	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe	99
PID 4508 wrote to memory of 3184	4508	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe	100
PID 4508 wrote to memory of 3184	4508	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe	100
PID 4508 wrote to memory of 3184	4508	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe	100
PID 4508 wrote to memory of 372	4508	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe	101
PID 4508 wrote to memory of 372	4508	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe	101
PID 4508 wrote to memory of 372	4508	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe	101

System policy modification 1 TTPs 10 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Yukime.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Michelle.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Ria.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Ria.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Yukime.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Michelle.exe

C:\Users\Admin\AppData\Local\Temp\eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eeb24a1ba8ac5d382158a0cf6818be1d_JaffaCakes118.exe"
1⤵
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Enumerates connected drives
- Modifies WinLogon
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4508
- C:\Windows\SysWOW64\drivers\csrss.exe
  C:\Windows\System32\drivers\csrss.exe
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2560
- - C:\Windows\SysWOW64\drivers\csrss.exe
    C:\Windows\System32\drivers\csrss.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3468
- - C:\Windows\SysWOW64\Yukime.exe
    C:\Windows\System32\Yukime.exe
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Modifies WinLogon
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:2772
  - - C:\Windows\SysWOW64\drivers\csrss.exe
      C:\Windows\System32\drivers\csrss.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3416
  - - C:\Windows\SysWOW64\Yukime.exe
      C:\Windows\System32\Yukime.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2652
  - - C:\Windows\SysWOW64\Michelle.exe
      C:\Windows\System32\Michelle.exe
      4⤵
      Modifies visibility of file extensions in Explorer
      Modifies visiblity of hidden/system files in Explorer
      UAC bypass
      Disables RegEdit via registry modification
      Drops file in Drivers directory
      Event Triggered Execution: Image File Execution Options Injection
      Executes dropped EXE
      Adds Run key to start application
      Checks whether UAC is enabled
      Enumerates connected drives
      Modifies WinLogon
      Drops file in System32 directory
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:4380
    - - C:\Windows\SysWOW64\drivers\csrss.exe
        
        C:\Windows\System32\drivers\csrss.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2860
    - - C:\Windows\SysWOW64\Yukime.exe
        
        C:\Windows\System32\Yukime.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:368
    - - C:\Windows\SysWOW64\Michelle.exe
        
        C:\Windows\System32\Michelle.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2848
    - - C:\Windows\SysWOW64\Ria.exe
        
        C:\Windows\System32\Ria.exe
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies visiblity of hidden/system files in Explorer
        UAC bypass
        Disables RegEdit via registry modification
        Drops file in Drivers directory
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Adds Run key to start application
        Checks whether UAC is enabled
        Enumerates connected drives
        Modifies WinLogon
        Drops file in System32 directory
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:4624
      - C:\Windows\SysWOW64\drivers\csrss.exe
        
        C:\Windows\System32\drivers\csrss.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2548
      - C:\Windows\SysWOW64\Yukime.exe
        
        C:\Windows\System32\Yukime.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2996
      - C:\Windows\SysWOW64\Michelle.exe
        
        C:\Windows\System32\Michelle.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1572
      - C:\Windows\SysWOW64\Ria.exe
        
        C:\Windows\System32\Ria.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1452
  - - C:\Windows\SysWOW64\Ria.exe
      C:\Windows\System32\Ria.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1400
- - C:\Windows\SysWOW64\Michelle.exe
    C:\Windows\System32\Michelle.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5080
- - C:\Windows\SysWOW64\Ria.exe
    C:\Windows\System32\Ria.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4360
- C:\Windows\SysWOW64\Yukime.exe
  C:\Windows\System32\Yukime.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1996
- C:\Windows\SysWOW64\Michelle.exe
  C:\Windows\System32\Michelle.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3184
- C:\Windows\SysWOW64\Ria.exe
  C:\Windows\System32\Ria.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Yukime.exe

Filesize
40KB

MD5
eeb24a1ba8ac5d382158a0cf6818be1d

SHA1
078dd0c061a3afe3171437d504d2562e9ebd3201

SHA256
2d49431463da6ba1b804807898881ad7695ad705d1ae0eb3c340b64420eb26c0

SHA512
af8b8acbaf670a9dd3d76e35e42f082967a2c50fd4439a98a230625fe18ee78dce67cc957c4847e2f79853f3601b256c97600f661ab83d55871f46b6b2781a41

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads