Analysis
max time kernel: 124s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 27-11-2024 03:59
Behavioral task: behavioral1
Sample: a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Size: 4.6MB
MD5: a5c993b58253e0a4ce783c0ac17ce484
SHA1: 23eb0429016a479f990a1db1f48e66adee765d22
SHA256: aacce8c7e3e53c47a0830c4bc3a30b7e3d584010453665c9d46cf1de7b870b3f
SHA512: 644de74dd2fb33a6e1cbd2bde8bca5c03620ab4f4d1f6008d85e76846d5f7b35f4d282c461a7e9e053006a078ff18e4e91938d83b7c83a6343e79975d7cb59b2
SSDEEP: 98304:6Ulr4veVzbSJljtFUd6+3lsgL0cxJYWUTYdMSrZ7cp:vUvOz2Jljtq0+1v3xUToWp
Malware Config
Extracted
Family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Detect Neshta payload (3 IoCs)
resource | yara_rule
behavioral2/files/0x000600000002021e-43.dat | family_neshta
behavioral2/memory/3396-129-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/3396-158-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Neshta
Neshta is a file-infecting virus: malware from this family injects its own code into other executable files in order to spread and cause damage.
Neshta family
Sality family
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Executes dropped EXE (1 IoCs)
pid | Process
2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Modifies system executable filetype association (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and other sensitive information.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 20 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\O: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\R: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\E: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\J: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\S: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\T: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\U: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\V: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\W: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\G: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\L: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\M: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\N: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\P: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\X: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\I: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\Q: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\Y: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened (read-only) | \??\Z: | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
resource | yara_rule
behavioral2/memory/2360-17-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-13-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-12-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-16-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-34-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-33-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-32-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-15-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-35-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-36-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-14-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-38-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-54-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-78-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-125-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-126-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-127-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-130-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-134-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-136-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-138-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-142-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-143-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-145-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-148-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-154-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-156-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-159-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-162-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-164-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-166-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-168-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-170-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-172-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
behavioral2/memory/2360-174-0x0000000002340000-0x00000000033CE000-memory.dmp | upx
Drops file in Program Files directory (64 IoCs)
description: File opened for modification (all 64 rows)
Process: a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe (all 64 rows)
ioc:
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
C:\PROGRA~2\WINDOW~2\wabmig.exe
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\WINDOW~4\wmprph.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
C:\PROGRAM FILES\7-ZIP\Uninstall.exe
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~2\INTERN~1\ExtExport.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MI9C33~1.EXE
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE
C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE
C:\PROGRAM FILES\7-ZIP\7zG.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~3.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
C:\PROGRA~2\WINDOW~2\wab.exe
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\svchost.com | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
File opened for modification | C:\Windows\SYSTEM.INI | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Modifies registry class (1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses (24 IoCs)
pid | Process | occurrences
2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 24
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process | occurrences
Token: SeDebugPrivilege | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 64
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process | occurrences
2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 2
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | occurrences
PID 3396 wrote to memory of 2360 | 3396 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 83 | 3
PID 2360 wrote to memory of 780 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 8 | 4
PID 2360 wrote to memory of 788 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 9 | 4
PID 2360 wrote to memory of 388 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 13 | 4
PID 2360 wrote to memory of 2500 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 42 | 4
PID 2360 wrote to memory of 2512 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 43 | 4
PID 2360 wrote to memory of 2764 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 49 | 4
PID 2360 wrote to memory of 3592 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 56 | 4
PID 2360 wrote to memory of 3720 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 57 | 4
PID 2360 wrote to memory of 3908 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 58 | 4
PID 2360 wrote to memory of 4000 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 59 | 4
PID 2360 wrote to memory of 4064 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 60 | 4
PID 2360 wrote to memory of 2744 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 61 | 4
PID 2360 wrote to memory of 4192 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 62 | 4
PID 2360 wrote to memory of 4852 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 74 | 3
PID 2360 wrote to memory of 3192 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 76 | 3
PID 2360 wrote to memory of 2108 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 81 | 1
PID 2360 wrote to memory of 3396 | 2360 | a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe | 82 | 2
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" 1⤵PID:780
-
C:\Windows\system32\fontdrvhost.exe "fontdrvhost.exe" 1⤵PID:788
-
C:\Windows\system32\dwm.exe "dwm.exe" 1⤵PID:388
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc 1⤵PID:2500
-
C:\Windows\system32\sihost.exe sihost.exe 1⤵PID:2512
-
C:\Windows\system32\taskhostw.exe taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} 1⤵PID:2764
-
C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE 1⤵PID:3592
-
C:\Users\Admin\AppData\Local\Temp\a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe" 2⤵
- Checks computer location settings
- Modifies system executable filetype association
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3396 -
C:\Users\Admin\AppData\Local\Temp\3582-490\a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe "C:\Users\Admin\AppData\Local\Temp\3582-490\a5c993b58253e0a4ce783c0ac17ce484_JaffaCakes118.exe" 3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2360
-
-
-
C:\Windows\system32\svchost.exe C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc 1⤵PID:3720
-
C:\Windows\system32\DllHost.exe C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} 1⤵PID:3908
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵PID:4000
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵PID:4064
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 1⤵PID:2744
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵PID:4192
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca 1⤵PID:4852
-
C:\Windows\System32\RuntimeBroker.exe C:\Windows\System32\RuntimeBroker.exe -Embedding 1⤵PID:3192
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca 1⤵PID:2108
-
C:\Windows\system32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca 1⤵PID:2932
Network
MITRE ATT&CK Enterprise v15
Persistence
Create or Modify System Process 1
Windows Service 1
Event Triggered Execution 1
Change Default File Association 1
Privilege Escalation
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Create or Modify System Process 1
Windows Service 1
Event Triggered Execution 1
Change Default File Association 1
Defense Evasion
Abuse Elevation Control Mechanism 1
Bypass User Account Control 1
Impair Defenses 4
Disable or Modify System Firewall 1
Disable or Modify Tools 3
Modify Registry 6
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
Filesize
86KB
MD5 3b73078a714bf61d1c19ebc3afc0e454
SHA1 9abeabd74613a2f533e2244c9ee6f967188e4e7e
SHA256 ded54d1fcca07b6bff2bc3b9a1131eac29ff1f836e5d7a7c5c325ec5abe96e29
SHA512 75959d4e8a7649c3268b551a2a378e6d27c0bfb03d2422ebeeb67b0a3f78c079473214057518930f2d72773ce79b106fd2d78405e8e3d8883459dcbb49c163c4
-
Filesize
4.5MB
MD5 3b0816f52f746ebf1dd47e740e0a4b7f
SHA1 cfba462a6a55b4ed034e25509580f5b59ae8276d
SHA256 0208474404d467aeaaded47aede764f0e41f922bf17ffbdf6d12ea080296bb93
SHA512 5223f6d7003a38f91d5a48442fc522eb31ab23672eda7f3462d94592f83a46d53057c2c920ccb51e57a65c3041c172c2dcc34237572b7be273a96b4cc4e5f96b
-
Filesize
4.6MB
MD5 aa7b81283aba57ca419cebab25705121
SHA1 ad3f26958ac6c5579d410577f6d77cd7637907ec
SHA256 f0a909dbe7d8eb762c4cb5063468b3bbee2c8624860fcdbfeadce89edbec7c86
SHA512 e94a02e983cb97b5ff9688257cfef149c1f01daefe2aa95ba1f853a28e0a59459c585f640c3ac3ff40de9d08e473eeeeb5408b4d9999ee14af1c5974256c0de7
-
Filesize
100KB
MD5 dfc66dcdafd86ec95b504d5ae4351628
SHA1 062ee32720785c325b969e12a1f1a374379ee6c7
SHA256 19021eb367c9669cf825c5b3df8418feb794bde3c25c569f2c9b74f74cbfe400
SHA512 a440a9c1830b85dea12da8ce3ccb21d8b11f225f0b19a2af64eedde7a532ccbf7d5ed3285e3562e013ee60a4c8f615b1e19874f523c450faa27d348ced9498cd