Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
15/10/2024, 18:48
Static task
static1
Behavioral task
behavioral1
Sample
496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe
-
Size
658KB
-
MD5
496f1defa92daf684818e5d161c71e8b
-
SHA1
de21e1d8c5645f4550f09d11295b81293164a0f1
-
SHA256
745115e5515092ad108ad14211fc1f03e0dd4730bfeb79b5fadd753a4ba14f36
-
SHA512
805a88a93ddd3b4dc9bafaebf91723a7db70302007b8603a33c6cdea4f769ca15f62c84a689fef131be73fe15984491bc434e6a8a1d51839a441bf9a933a50fc
-
SSDEEP
12288:qa11Gr3+pfNixGTdIkIxJIEo3gMH70mVogKp4tQ3BfS6oN+qESVBx7neivjX/I:qWixGpuIEow7WG4tQxa6ojxvnei7
Malware Config
Signatures
-
Modifies security service 2 TTPs 3 IoCs
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\MpsSvc\Parameters\PortKeywords\DHCP\Collection | Process not Found
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | svchost.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\MpsSvc\Parameters\PortKeywords\DHCP | Process not Found
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Start = 4 is SERVICE_DISABLED, so the Security Center service (wscsvc) will not start again at the next boot, and the four *Override values tell Security Center to stop reporting that antivirus or the firewall is off. All of these writes come from svchost.exe, which in this run is PID 2808, the svchost.exe that the dropped usеrinit.exe wrote into (see the WriteProcessMemory table), so they belong to the sample and not to a Windows service.
-
Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\userinit\ImagePath = "\\\\.\\globalroot\\systemroot\\system32\\usеrinit.exe" | usеrinit.exe
Three details of this write matter for triage. Windows has no built-in service named userinit: the real userinit.exe is started by winlogon through the Winlogon\Userinit value, so a service of that name is not a Windows component. The image path reaches system32 through the \\.\globalroot object-namespace alias instead of a plain C:\Windows\... path, which defeats naive path matching. And the binary name as recorded is not byte-identical to the ASCII string userinit.exe (the character after "us" is a non-ASCII code point), so allow-lists and searches keyed on the legitimate name will not hit it while a human reading the process list sees nothing unusual.
-
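The following Python is added here as an example and is not part of the report; it checks a service ImagePath string, as the sandbox prints it, for the two tricks visible above: a lookalike non-ASCII character in the file name and a device-path alias standing in for a normal drive path. The CONFUSABLES map is a hand-picked subset of Cyrillic lookalikes rather than the full Unicode confusables table, and SYSTEM_BINARIES is a short assumed list, both my own choices for the example.

```python
r"""Checks for a service ImagePath value copied from a sandbox report.

Added example, not part of the original report. It looks for a lookalike
(non-ASCII) character in the binary name and for a device-path alias such as
\\.\globalroot\... used in place of a C:\Windows\... path. CONFUSABLES and
SYSTEM_BINARIES are small assumed lists, not complete tables.
"""
import ntpath
import unicodedata
from typing import Dict, List, Tuple

# Cyrillic code points that render like Latin letters (partial, assumed list).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}
# Object-namespace spellings that resolve to ordinary files on disk.
DEVICE_PREFIXES = ("\\\\.\\globalroot\\", "\\\\?\\globalroot\\", "\\??\\", "\\device\\")
# Names worth protecting against lookalike spoofing (assumed list).
SYSTEM_BINARIES = {"userinit.exe", "winlogon.exe", "svchost.exe", "explorer.exe", "lsass.exe"}

# The value as printed in the report: JSON-escaped backslashes, Cyrillic 'е' after 'us'.
REPORT_VALUE = r'"\\\\.\\globalroot\\systemroot\\system32\\us' + "\u0435" + r'rinit.exe"'


def unescape_report_path(raw: str) -> str:
    """Drop the surrounding quotes and fold each doubled backslash back to one."""
    return raw.strip('"').replace("\\\\", "\\")


def fold_confusables(name: str) -> str:
    """Replace known lookalike code points with their Latin counterparts."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name)


def non_ascii_chars(name: str) -> List[Tuple[str, str]]:
    """List (char, Unicode name) for every non-ASCII code point in a file name."""
    return [(ch, unicodedata.name(ch, "UNKNOWN")) for ch in name if ord(ch) > 0x7F]


def analyze_image_path(raw: str) -> Dict[str, object]:
    """Return the findings a triage analyst wants for one ImagePath string."""
    path = unescape_report_path(raw)
    basename = ntpath.basename(path)
    folded = fold_confusables(basename).lower()
    odd_chars = non_ascii_chars(basename)
    lowered = path.lower()
    result: Dict[str, object] = {
        "path": path,
        "basename": basename,
        "non_ascii": odd_chars,
        "folded_basename": folded,
        "device_alias": any(lowered.startswith(p) for p in DEVICE_PREFIXES),
        # The name only matches a Windows binary once the lookalikes are folded away.
        "spoofs_system_binary": bool(odd_chars) and folded in SYSTEM_BINARIES,
    }
    result["suspicious"] = bool(odd_chars) or bool(result["device_alias"])
    return result


if __name__ == "__main__":
    for key, value in analyze_image_path(REPORT_VALUE).items():
        print(f"{key}: {value}")
```

Folding lookalikes before comparing is the point: a byte comparison against userinit.exe fails, a visual comparison passes, and only the folded name reveals which binary the dropper is imitating.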
Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
-
Deletes itself 1 IoCs
pid Process 2696 cmd.exe -
Executes dropped EXE 1 IoCs
pid Process 2796 usеrinit.exe -
Indicator Removal: Clear Windows Event Logs 1 TTPs 1 IoCs
Clear Windows Event Logs to hide the activity of an intrusion.
description | ioc | Process
File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx | Process not Found
-
Loads dropped DLL 1 IoCs
pid Process 2640 496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" | svchost.exe
Windows ships this default value as "%1" %*. Replacing it means every executable launched through the shell is routed through the substituted command first, which gives the sample both persistence and a way into every newly started program.
-
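To turn the registry writes in this report (the wscsvc Start value, the Security Center override flags and the exefile handler above) into findings, the following Python, added here as an example and not part of the report, parses the sandbox's one-line "Set value" records and applies three rules to them. The SECURITY_SERVICES list is my own assumption for the example; the record lines are copied from this report.

```python
"""Rule-based triage of the report's 'Set value' registry records.

Added example, not part of the original report. parse_set_value() reads the
sandbox form 'Set value (type) <key> = "<data>" <process>' and triage()
applies three rules: a security service set to Start=4 (SERVICE_DISABLED),
a Security Center *Override flag set to 1, and the exefile open handler
changed from its stock value "%1" %*. SECURITY_SERVICES is an assumed list.
"""
import re
from typing import Dict, List, Optional, Tuple

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (.+?) = (".*"|\S+) (\S+)$')

# Services that only an administrator should ever disable (assumed list).
SECURITY_SERVICES = {"wscsvc", "mpssvc", "windefend", "sharedaccess", "wuauserv"}
SERVICE_DISABLED = "4"
EXEFILE_DEFAULT = '"%1" %*'

# Records copied from the report; the last one is a benign control line.
REPORT_LINES = [
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\FirewallOverride = "1" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride = "1" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride = "1" svchost.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride = "1" svchost.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" svchost.exe',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" svchost.exe',
]


def parse_set_value(line: str) -> Optional[Dict[str, str]]:
    """Split one record into value type, key path, data and writing process."""
    m = SET_VALUE_RE.match(line.strip())
    if not m:
        return None
    vtype, key, data, proc = m.groups()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        # Undo the report's JSON-style quoting of string data.
        data = data[1:-1].replace('\\"', '"')
    return {"type": vtype, "key": key, "data": data, "process": proc}


def triage(rec: Dict[str, str]) -> List[str]:
    """Apply the three rules to one parsed record and return human-readable hits."""
    key = rec["key"].lower()
    data = rec["data"]
    parts = key.split("\\")
    hits: List[str] = []
    # services\<name>\Start = 4 keeps the service from starting at the next boot.
    if "\\services\\" in key and parts[-1] == "start" and data == SERVICE_DISABLED:
        if parts[-2] in SECURITY_SERVICES:
            hits.append(f"service {parts[-2]} set to Start=4 (disabled at next boot)")
    # The override flags silence the 'antivirus off' / 'firewall off' alerts.
    if "\\security center" in key and parts[-1] in ("antivirusoverride", "firewalloverride") and data == "1":
        hits.append(f"Security Center {parts[-1]} = 1 (suppresses the '{parts[-1][:-8]} off' alert)")
    # A trailing backslash is the key's default value; anything but "%1" %* interposes on every .exe.
    if key.endswith("\\classes\\exefile\\shell\\open\\command\\") and data != EXEFILE_DEFAULT:
        hits.append(f"exefile handler replaced with {data!r} (stock value is {EXEFILE_DEFAULT!r})")
    return hits


def triage_report(lines) -> List[Tuple[str, str]]:
    """Run every line through the parser and rules; returns (process, finding) pairs."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        rec = parse_set_value(line)
        if rec:
            findings.extend((rec["process"], hit) for hit in triage(rec))
    return findings


if __name__ == "__main__":
    for proc, hit in triage_report(REPORT_LINES):
        print(f"{proc}: {hit}")
```

The parser deliberately ignores "Key created" and "Set value (data)" rows without an "=" sign, so the MpsSvc DHCP rows from the same table fall through without a finding.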
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks registry for disk virtualization 3 TTPs 1 IoCs
Detecting virtualization disks is often done to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_Dell&Prod_VIRTUAL_DISK | svchost.exe
-
Drops desktop.ini file(s) 5 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8NROS34R\desktop.ini | Process not Found
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | Process not Found
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HWUYADN5\desktop.ini | Process not Found
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WY6T2DFU\desktop.ini | Process not Found
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y3Z0XF05\desktop.ini | Process not Found
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A: \??\B: \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N: \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W: \??\X: \??\Y: \??\Z: (23 drive letters, every letter except C:, D: and F:) | svchost.exe
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum | svchost.exe
-
Drops file in System32 directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | usеrinit.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT | svchost.exe
-
Suspicious use of NtCreateThreadExHideFromDebugger 32 IoCs
pid | Process
2808 | svchost.exe (x32)
-
Suspicious use of SetThreadContext 25 IoCs
description | pid | Process | procid_target
PID 2640 set thread context of 2696 | 2640 | 496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe | 30
PID 2808 set thread context of 268 | 2808 | svchost.exe | 16 (x24)
-
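The SetThreadContext table above and the WriteProcessMemory table later in the report describe the same two targets: PID 2696 (the cmd.exe credited with "Deletes itself") and PID 268. The following Python, added here as an example and not part of the report, pairs the two event kinds by (source, target) so that hollowing (write into a process, then rewrite a thread's context) stands apart from a parent merely writing into a child it just started. The sample lines are copied from the report's tables with repeats collapsed; PID 268 is a process the sandbox did not name.

```python
"""Pair WriteProcessMemory with SetThreadContext to spot process hollowing.

Added example, not part of the original report. Each sandbox record reads
'PID <src> wrote to memory of <dst> <src> <process> <target index>' or
'PID <src> set thread context of <dst> ...'. Writing into a process and then
replacing one of its thread contexts is the hollowing sequence (CreateProcess
suspended, WriteProcessMemory, SetThreadContext, ResumeThread); writes alone
are usually child start-up. The sample is drawn from this report's tables.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

EVENT_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) \d+ (.+?) (\d+)$"
)

# Constructed sample: one line per distinct row of the report's two tables.
SAMPLE_EVENTS = [
    "PID 2640 wrote to memory of 2696 2640 496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe 30",
    "PID 2640 set thread context of 2696 2640 496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe 30",
    "PID 2640 wrote to memory of 2796 2640 496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe 32",
    "PID 2796 wrote to memory of 2808 2796 us\u0435rinit.exe 33",  # Cyrillic 'е', as in the report
    "PID 2808 wrote to memory of 268 2808 svchost.exe 16",
    "PID 2808 set thread context of 268 2808 svchost.exe 16",
    "PID 388 wrote to memory of 2292 388 Process not Found 35",
    "PID 2808 wrote to memory of 2292 2808 svchost.exe 35",
]


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Split one record into source PID, target PID, event kind and source image name."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    src, action, dst, proc, _target_index = m.groups()
    kind = "write" if action.startswith("wrote") else "setctx"
    return {"src": int(src), "dst": int(dst), "kind": kind, "process": proc}


def pair_counts(lines) -> Dict[Tuple[int, int], Dict[str, object]]:
    """Count writes and thread-context changes per (src, dst) pair."""
    seen: Dict[Tuple[int, int], Dict[str, object]] = defaultdict(
        lambda: {"process": None, "write": 0, "setctx": 0}
    )
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        entry = seen[(ev["src"], ev["dst"])]
        entry["process"] = ev["process"]
        entry[ev["kind"]] += 1
    return dict(seen)


def injection_pairs(lines) -> Dict[Tuple[int, int], Dict[str, object]]:
    """Pairs where the source both wrote into the target and set a thread context there."""
    return {k: v for k, v in pair_counts(lines).items() if v["write"] and v["setctx"]}


def write_only_targets(lines) -> List[Tuple[int, int]]:
    """Pairs with writes but no context change: worth a look, but not hollowing on their own."""
    return sorted(k for k, v in pair_counts(lines).items() if v["write"] and not v["setctx"])


if __name__ == "__main__":
    for (src, dst), info in injection_pairs(SAMPLE_EVENTS).items():
        print(f"{info['process']} ({src}) hollowed PID {dst}")
    print("write-only:", write_only_targets(SAMPLE_EVENTS))
```

On this report the pairing yields exactly the two hollowing pairs (2640 into 2696, 2808 into 268), while the dropper's writes into usеrinit.exe (2796) and usеrinit.exe's writes into svchost.exe (2808) show up as write-only and need the process tree to interpret.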
Event Triggered Execution: Netsh Helper DLL 1 TTPs 4 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | svchost.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | svchost.exe
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Nls\Language | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Control\Nls\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI\Disk&Ven_Dell&Prod_VIRTUAL_DISK | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | svchost.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_Dell&Prod_THINAIR_DISK | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI | svchost.exe
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet002\Enum\SCSI | svchost.exe
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | svchost.exe
-
Enumerates system info in registry 2 TTPs 41 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | svchost.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2 | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0 | svchost.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | svchost.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController | svchost.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0 | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0 | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000 | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | svchost.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0 | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1 | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | svchost.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1 | svchost.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | svchost.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0 | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController | svchost.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral | svchost.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor | svchost.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral | svchost.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus | svchost.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0 | svchost.exe
-
description | ioc | Process
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value not preserved in this extract) | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd3000000000200000000001066000000010000200000006b81f76b2b25b973d213c1ee6cd6e8a8b0b1ecd7023883706c88c93cffa72441000000000e80000000020000200000006a426de4ae0f7ba5dad4826102dd71aa4a6dc26f79966cdcaf5b3fc7c751fb5d20000000c273f0dbba6b22deb8a8856c492f379810aae1f5e408c21b2827acedab75e16e40000000209eb58eef4bc8c6b40fb5a4016be64fbaa1ac1459c7d0485d9fde8e08779a4deb355976b5f3372d467d4e054d165630b0edc2cd5eb4f7bf759721be2b4954e5 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0078525331fdb01 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{50DDF3E1-8B26-11EF-A742-6E295C7D81A3} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
-
Modifies data under HKEY_USERS 30 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f00a5000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-95-6d-94-bc-6f\WpadDecisionTime = 60f893df321fdb01 | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | usеrinit.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715}\7a-95-6d-94-bc-6f | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | usеrinit.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000003000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715}\WpadNetworkName = "Network 3" | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Internet Explorer\Main | usеrinit.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715}\WpadDecision = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715} | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715}\WpadDecisionReason = "1" | svchost.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{687FF929-9171-4A34-920E-236F73574715}\WpadDecisionTime = 60f893df321fdb01 | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" | usеrinit.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-95-6d-94-bc-6f | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-95-6d-94-bc-6f\WpadDecisionReason = "1" | svchost.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\7a-95-6d-94-bc-6f\WpadDecision = "0" | svchost.exe
-
Modifies registry class 6 IoCs
description | ioc | Process
Key created | \registry\machine\Software\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} | 496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "131087" | 496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe
Key created | \registry\machine\Software\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55} | 496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2ea8c9d4-7b76-aecf-38db-17f923ffdd55}\u = "131087" | 496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe
Key created | \registry\machine\Software\Classes\Interface\{507e1fac-b73d-1bbf-56af-f783afcbf39c} | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"exefile\" /shell <%1> %*" | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid | Process
2796 | usеrinit.exe (x4)
2808 | svchost.exe (x9)
-
Suspicious behavior: MapViewOfSection 33 IoCs
pid | Process
2808 | svchost.exe (x33)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2640 | 496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe
Token: SeSecurityPrivilege | 2640 | 496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe
Token: SeDebugPrivilege | 2796 | usеrinit.exe
Token: SeShutdownPrivilege | 1260 | Process not Found (x3)
Token: SeAssignPrimaryTokenPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemtimePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeSystemEnvironmentPrivilege, SeUndockPrivilege, SeManageVolumePrivilege | 860 | Process not Found (this 12-privilege sequence is recorded four times in full and a fifth time up to SeSystemEnvironmentPrivilege, 58 entries)
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid | Process
2808 | svchost.exe (x5)
1260 | Process not Found (x4)
2808 | svchost.exe (x55)
-
Suspicious use of SendNotifyMessage 64 IoCs
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2292 iexplore.exe 2292 iexplore.exe 552 IEXPLORE.EXE 552 IEXPLORE.EXE 552 IEXPLORE.EXE 552 IEXPLORE.EXE -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 608 Process not Found -
Suspicious use of WriteProcessMemory 56 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\svchost.exe (depth 1, PID 268)
  Command line: C:\Windows\system32\svchost.exe -k NetworkService
-
C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe (depth 1, PID 2640)
  Command line: "C:\Users\Admin\AppData\Local\Temp\496f1defa92daf684818e5d161c71e8b_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (depth 2, PID 2696)
    Command line: "C:\Windows\system32\cmd.exe"
    - Deletes itself
    - System Location Discovery: System Language Discovery
  \??\globalroot\systemroot\system32\usеrinit.exe (depth 2, PID 2796)
    Command line: /install
    - Sets service image path in registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe (depth 3, PID 2808)
      Command line: "C:\Windows\system32\svchost.exe"
      - Modifies security service
      - Windows security bypass
      - Modifies system executable filetype association
      - Checks registry for disk virtualization
      - Enumerates connected drives
      - Maps connected drives based on registry
      - Drops file in System32 directory
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of SetThreadContext
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
      - Checks SCSI registry key(s)
      - Checks processor information in registry
      - Enumerates system info in registry
      - Modifies data under HKEY_USERS
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      C:\Program Files\Internet Explorer\iexplore.exe (depth 4, PID 2292)
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://secure.exbilling.com/get/product.php?id=intsec&advert=131087&extern=0&lang=EN
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (depth 5, PID 552)
          Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2292 CREDAT:275457 /prefetch:2
          - System Location Discovery: System Language Discovery
          - Modifies Internet Explorer settings
          - Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\wbem\wmiprvse.exe (depth 1, PID 2512)
  Command line: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
-
C:\Windows\system32\DllHost.exe (depth 1, PID 592)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (2)
  - Change Default File Association (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Indicator Removal (1)
  - Clear Windows Event Logs (1)
- Modify Registry (5)
Downloads