dd673bf12478240e13e74fdb025929d396a306deac934b41dab8eb3cde2a223e

Analysis

max time kernel
150s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 02:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eeeff91c80c874a15cec2c4cc68e5587_JaffaCakes118.exe
Size

636KB
MD5

eeeff91c80c874a15cec2c4cc68e5587
SHA1

321aa0a799136832f23ad43c27cd60db540b2623
SHA256

dd673bf12478240e13e74fdb025929d396a306deac934b41dab8eb3cde2a223e
SHA512

6af340efd4e9bb7ef151016f1905503540f42591e9a5ecf0056f4a45b9199283590f05f7c8f6b860584324ff0d65ad0d038227fa35e662a6b848d3727e2a4e2a
SSDEEP

12288:jLkcoxg7v3qnC11ErwIhh0F4qwUgUnyI8oLqfSJzZ:3fmMv6Ckr7MnyI8o6SJF

Score

10^/10

defense_evasion discovery evasion persistence

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\SysWOW64\\fdisk.com"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\userinit.exe,C:\\Windows\\SysWOW64\\fdisk.com"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\SysWOW64\\userinit.exe,C:\\Windows\\SysWOW64\\fdisk.com"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe C:\\Windows\\SysWOW64\\fdisk.com"	svchost.com

Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "2"	svchost.com
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "2"	svchost.com

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.com
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.com

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Disables RegEdit via registry modification 2 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	svchost.com
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	svchost.com

Disables Task Manager via registry modification
evasion

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 48 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctsgui.exe	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\resmon.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pctstray.exe	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VPTRAY.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\USBGUARD.EXE	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashdisp.exe	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE\debugger = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com Kll_dis"	svchost.com

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	cftmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	eeeff91c80c874a15cec2c4cc68e5587_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	svchost.com

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe	svchost.com
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sndvol32.exe	svchost.com

Executes dropped EXE 4 IoCs

pid	Process
2380	svchost.com
2408	cftmon.exe
3588	svchost.com
4876	cftmon.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif"	svchost.com
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Windows\\SysWOW64\\fdisk.com"	svchost.com
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.com"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif"	svchost.com
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HotKey = "C:\\Users\\Admin\\Templates\\cache\\SFCsrvc.pif"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\User Agent = "C:\\Windows\\SysWOW64\\fdisk.com"	svchost.com

Drops desktop.ini file(s) 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini	eeeff91c80c874a15cec2c4cc68e5587_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\Templates\cache\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini	svchost.com
File opened for modification	C:\Users\Admin\Templates\cache\desktop.ini	svchost.com
File opened for modification	\??\c:\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini	svchost.com
File opened for modification	\??\f:\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\desktop.ini	svchost.com

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\r:	svchost.com
File opened (read-only)	\??\u:	svchost.com
File opened (read-only)	\??\x:	svchost.com
File opened (read-only)	\??\k:	svchost.com
File opened (read-only)	\??\p:	svchost.com
File opened (read-only)	\??\g:	svchost.com
File opened (read-only)	\??\n:	svchost.com
File opened (read-only)	\??\q:	svchost.com
File opened (read-only)	\??\v:	svchost.com
File opened (read-only)	\??\j:	svchost.com
File opened (read-only)	\??\q:	svchost.com
File opened (read-only)	\??\e:	svchost.com
File opened (read-only)	\??\y:	svchost.com
File opened (read-only)	\??\b:	svchost.com
File opened (read-only)	\??\x:	svchost.com
File opened (read-only)	\??\y:	svchost.com
File opened (read-only)	\??\i:	svchost.com
File opened (read-only)	\??\l:	svchost.com
File opened (read-only)	\??\u:	svchost.com
File opened (read-only)	\??\b:	svchost.com
File opened (read-only)	\??\k:	svchost.com
File opened (read-only)	\??\a:	svchost.com
File opened (read-only)	\??\e:	svchost.com
File opened (read-only)	\??\g:	svchost.com
File opened (read-only)	\??\m:	svchost.com
File opened (read-only)	\??\n:	svchost.com
File opened (read-only)	\??\t:	svchost.com
File opened (read-only)	\??\h:	svchost.com
File opened (read-only)	\??\i:	svchost.com
File opened (read-only)	\??\l:	svchost.com
File opened (read-only)	\??\p:	svchost.com
File opened (read-only)	\??\s:	svchost.com
File opened (read-only)	\??\m:	svchost.com
File opened (read-only)	\??\v:	svchost.com
File opened (read-only)	\??\a:	svchost.com
File opened (read-only)	\??\w:	svchost.com
File opened (read-only)	\??\z:	svchost.com
File opened (read-only)	\??\t:	svchost.com
File opened (read-only)	\??\o:	svchost.com
File opened (read-only)	\??\h:	svchost.com
File opened (read-only)	\??\r:	svchost.com
File opened (read-only)	\??\s:	svchost.com
File opened (read-only)	\??\j:	svchost.com
File opened (read-only)	\??\o:	svchost.com
File opened (read-only)	\??\w:	svchost.com
File opened (read-only)	\??\z:	svchost.com

Modifies WinLogon 2 TTPs 5 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	svchost.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Network_Service = "0"	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\KeepRasConnections = "1"	svchost.com
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	svchost.com

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3292-0-0x0000000000400000-0x00000000004B0000-memory.dmp	autoit_exe
behavioral2/files/0x00090000000233d9-7.dat	autoit_exe

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	\??\c:\autorun.inf	svchost.com
File opened for modification	C:\\autorun.inf	svchost.com
File opened for modification	\??\f:\autorun.inf	svchost.com
File opened for modification	F:\\autorun.inf	svchost.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\fdisk.com	svchost.com
File opened for modification	C:\Windows\SysWOW64\fdisk.com	svchost.com

Hide Artifacts: Hidden Users 1 TTPs 1 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Network_Service = "0"	svchost.com

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\cftmon.exe	svchost.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Help\cliconf.chm	svchost.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cftmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eeeff91c80c874a15cec2c4cc68e5587_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cftmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Modifies registry class 15 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\ShellEx\SharingHandler\	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Applications	svchost.com
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Applications\xnotepad.exe\shell\open\command\ = "C:\\Program Files (x86)\\Common Files\\System\\cftmon.exe %1"	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Applications\xmspaint.exe\shell	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Applications\xnotepad.exe\shell\open\command	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Applications\xmspaint.exe\shell\open	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Applications\xnotepad.exe\shell\open	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Applications\xmspaint.exe\shell\open\command	svchost.com
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Network\SharingHandler\	svchost.com
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Applications\xmspaint.exe\shell\open\command\ = "C:\\Program Files (x86)\\Common Files\\System\\cftmon.exe %1"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\shellex\SharingHandler	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Applications\xnotepad.exe	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Applications\xnotepad.exe\shell	svchost.com
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Applications\xmspaint.exe	svchost.com

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3292	eeeff91c80c874a15cec2c4cc68e5587_JaffaCakes118.exe
3292	eeeff91c80c874a15cec2c4cc68e5587_JaffaCakes118.exe
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
2380	svchost.com
3588	svchost.com
3588	svchost.com
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe
4876	cftmon.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 2380	3292	eeeff91c80c874a15cec2c4cc68e5587_JaffaCakes118.exe	82
PID 3292 wrote to memory of 2380	3292	eeeff91c80c874a15cec2c4cc68e5587_JaffaCakes118.exe	82
PID 3292 wrote to memory of 2380	3292	eeeff91c80c874a15cec2c4cc68e5587_JaffaCakes118.exe	82
PID 2380 wrote to memory of 2408	2380	svchost.com	84
PID 2380 wrote to memory of 2408	2380	svchost.com	84
PID 2380 wrote to memory of 2408	2380	svchost.com	84
PID 2380 wrote to memory of 3588	2380	svchost.com	85
PID 2380 wrote to memory of 3588	2380	svchost.com	85
PID 2380 wrote to memory of 3588	2380	svchost.com	85
PID 2408 wrote to memory of 4876	2408	cftmon.exe	86
PID 2408 wrote to memory of 4876	2408	cftmon.exe	86
PID 2408 wrote to memory of 4876	2408	cftmon.exe	86
PID 2380 wrote to memory of 968	2380	svchost.com	96
PID 2380 wrote to memory of 968	2380	svchost.com	96
PID 2380 wrote to memory of 968	2380	svchost.com	96
PID 2380 wrote to memory of 2276	2380	svchost.com	98
PID 2380 wrote to memory of 2276	2380	svchost.com	98
PID 2380 wrote to memory of 2276	2380	svchost.com	98
PID 2380 wrote to memory of 2916	2380	svchost.com	100
PID 2380 wrote to memory of 2916	2380	svchost.com	100
PID 2380 wrote to memory of 2916	2380	svchost.com	100
PID 968 wrote to memory of 4772	968	net.exe	102
PID 968 wrote to memory of 4772	968	net.exe	102
PID 968 wrote to memory of 4772	968	net.exe	102
PID 2276 wrote to memory of 4912	2276	net.exe	103
PID 2276 wrote to memory of 4912	2276	net.exe	103
PID 2276 wrote to memory of 4912	2276	net.exe	103
PID 2916 wrote to memory of 780	2916	net.exe	104
PID 2916 wrote to memory of 780	2916	net.exe	104
PID 2916 wrote to memory of 780	2916	net.exe	104
PID 2380 wrote to memory of 4344	2380	svchost.com	105
PID 2380 wrote to memory of 4344	2380	svchost.com	105
PID 2380 wrote to memory of 4344	2380	svchost.com	105
PID 4344 wrote to memory of 1200	4344	net.exe	107
PID 4344 wrote to memory of 1200	4344	net.exe	107
PID 4344 wrote to memory of 1200	4344	net.exe	107
PID 2380 wrote to memory of 1008	2380	svchost.com	108
PID 2380 wrote to memory of 1008	2380	svchost.com	108
PID 2380 wrote to memory of 1008	2380	svchost.com	108
PID 1008 wrote to memory of 4932	1008	net.exe	110
PID 1008 wrote to memory of 4932	1008	net.exe	110
PID 1008 wrote to memory of 4932	1008	net.exe	110
PID 2380 wrote to memory of 3200	2380	svchost.com	111
PID 2380 wrote to memory of 3200	2380	svchost.com	111
PID 2380 wrote to memory of 3200	2380	svchost.com	111
PID 3200 wrote to memory of 1928	3200	net.exe	113
PID 3200 wrote to memory of 1928	3200	net.exe	113
PID 3200 wrote to memory of 1928	3200	net.exe	113

System policy modification 1 TTPs 6 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	svchost.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoAdminPage = "1"	svchost.com
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network	svchost.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\NoFileSharingControl = "1"	svchost.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\NoFileSharing = "0"	svchost.com
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network\NoPrintSharing = "0"	svchost.com

C:\Users\Admin\AppData\Local\Temp\eeeff91c80c874a15cec2c4cc68e5587_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\eeeff91c80c874a15cec2c4cc68e5587_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Users\Admin\AppData\Local\Temp\svchost.com
  "C:\Users\Admin\AppData\Local\Temp\svchost.com"
  2⤵
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  - Disables RegEdit via registry modification
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Modifies WinLogon
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Hide Artifacts: Hidden Users
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2380
- - C:\Program Files (x86)\Common Files\System\cftmon.exe
    "C:\Program Files (x86)\Common Files\System\cftmon.exe" stay_alive -in
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2408
  - - C:\Program Files (x86)\Common Files\System\cftmon.exe
      "C:\Program Files (x86)\Common Files\System\cftmon.exe" stay_alive -r
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4876
- - C:\Users\Admin\AppData\Local\Temp\svchost.com
    C:\Users\Admin\AppData\Local\Temp\svchost.com keep_fucking
    3⤵
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visiblity of hidden/system files in Explorer
    - Disables RegEdit via registry modification
    - Event Triggered Execution: Image File Execution Options Injection
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3588
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" share SYS_c=c:\
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 share SYS_c=c:\
      4⤵
      System Location Discovery: System Language Discovery
      PID:4772
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" share SYS_f=f:\
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2276
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 share SYS_f=f:\
      4⤵
      System Location Discovery: System Language Discovery
      PID:4912
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" user guest guest
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user guest guest
      4⤵
      System Location Discovery: System Language Discovery
      PID:780
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" user /add Network_Service
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user /add Network_Service
      4⤵
      System Location Discovery: System Language Discovery
      PID:1200
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" user Network_Service 1016760
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Network_Service 1016760
      4⤵
      System Location Discovery: System Language Discovery
      PID:4932
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" localgroup administrators Network_Service /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrators Network_Service /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$RECYCLE.BIN\{5F229C11-5039-40E4-8537-6950BB1C9ECC}\temp.db

Filesize
1KB

MD5
85467c7848acb30cf0b3ccfeded28c17

SHA1
25153f3040106e1ae04cd0be7b7bc439cde281bd

SHA256
103bd9a5853d6400f982041478d41a65ad484f43453d3d5311240a1c44d04f5a

SHA512
91b71f01b14baa37fce63019c6ba0d19267bd5e4c196080660a320b3b02b1172530ee0832d247b6879ec792408b5b4199a46ded45f7a6f5f509692bb987fe064

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.com

Filesize
636KB

MD5
eeeff91c80c874a15cec2c4cc68e5587

SHA1
321aa0a799136832f23ad43c27cd60db540b2623

SHA256
dd673bf12478240e13e74fdb025929d396a306deac934b41dab8eb3cde2a223e

SHA512
6af340efd4e9bb7ef151016f1905503540f42591e9a5ecf0056f4a45b9199283590f05f7c8f6b860584324ff0d65ad0d038227fa35e662a6b848d3727e2a4e2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\cache\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/3292-0-0x0000000000400000-0x00000000004B0000-memory.dmp

Filesize
704KB

Download