metasploit | f42ee437ef9c0ca78a4cead554f84704b79b9092284db57923f5a480c3ac0065

Windows Service

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmipsrt.exe = "C:\\Windows\\SysWOW64\\wmipsrt.exe:*:Enabled:Windows Live"	wmipsrt.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List	wmipsrt.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	wmipsrt.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications	wmipsrt.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\C:\Windows\SysWOW64\wmipsrt.exe = "C:\\Windows\\SysWOW64\\wmipsrt.exe:*:Enabled:Windows Live"	wmipsrt.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	wmipsrt.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	wmipsrt.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	wmipsrt.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

Windows Service

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	wmipsrt.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	wmipsrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	wmipsrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	wmipsrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	wmipsrt.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	wmipsrt.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "wmipsrt.exe"	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe	wmipsrt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "wmipsrt.exe"	wmipsrt.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
5032	wmipsrt.exe
3728	wmipsrt.exe

Impair Defenses: Safe Mode Boot 1 TTPs 2 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ctfmon.exe = "ctfmon.exe"	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ctfmon.exe = "ctfmon.exe"	wmipsrt.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	wmipsrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	wmipsrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	wmipsrt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	wmipsrt.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "ctfmon.exe"	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ctfmon.exe = "ctfmon.exe"	wmipsrt.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Maps connected drives based on registry 3 TTPs 4 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	wmipsrt.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	wmipsrt.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wmipsrt.exe	wmipsrt.exe
File created	C:\Windows\SysWOW64\wmipsrt.exe	wmipsrt.exe
File created	C:\Windows\SysWOW64\wmipsrt.exe	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\wmipsrt.exe	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2588 set thread context of 3120	2588	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe	83
PID 5032 set thread context of 3728	5032	wmipsrt.exe	89

Launches sc.exe 27 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3600	sc.exe
3120	sc.exe
32	sc.exe
4692	sc.exe
4536	sc.exe
3060	sc.exe
724	sc.exe
1044	sc.exe
2560	sc.exe
3352	sc.exe
2768	sc.exe
3464	sc.exe
4960	sc.exe
544	sc.exe
4976	sc.exe
3536	sc.exe
1504	sc.exe
4480	sc.exe
4828	sc.exe
3208	sc.exe
3280	sc.exe
1192	sc.exe
4112	sc.exe
1804	sc.exe
3372	sc.exe
3912	sc.exe
4320	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmipsrt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmipsrt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CMD.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
2660	ipconfig.exe
4068	ipconfig.exe
3968	ipconfig.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3120	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe
3120	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe
3728	wmipsrt.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	3120	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3728	wmipsrt.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2588 wrote to memory of 3120	2588	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe	83
PID 2588 wrote to memory of 3120	2588	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe	83
PID 2588 wrote to memory of 3120	2588	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe	83
PID 2588 wrote to memory of 3120	2588	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe	83
PID 2588 wrote to memory of 3120	2588	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe	83
PID 3120 wrote to memory of 5032	3120	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe	84
PID 3120 wrote to memory of 5032	3120	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe	84
PID 3120 wrote to memory of 5032	3120	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe	84
PID 3120 wrote to memory of 4952	3120	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe	85
PID 3120 wrote to memory of 4952	3120	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe	85
PID 3120 wrote to memory of 4952	3120	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe	85
PID 3120 wrote to memory of 3704	3120	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe	87
PID 3120 wrote to memory of 3704	3120	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe	87
PID 3120 wrote to memory of 3704	3120	bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe	87
PID 5032 wrote to memory of 3728	5032	wmipsrt.exe	89
PID 5032 wrote to memory of 3728	5032	wmipsrt.exe	89
PID 5032 wrote to memory of 3728	5032	wmipsrt.exe	89
PID 5032 wrote to memory of 3728	5032	wmipsrt.exe	89
PID 5032 wrote to memory of 3728	5032	wmipsrt.exe	89
PID 3728 wrote to memory of 3484	3728	wmipsrt.exe	56
PID 3728 wrote to memory of 3484	3728	wmipsrt.exe	56
PID 3728 wrote to memory of 3864	3728	wmipsrt.exe	98
PID 3728 wrote to memory of 3864	3728	wmipsrt.exe	98
PID 3728 wrote to memory of 3864	3728	wmipsrt.exe	98
PID 3728 wrote to memory of 2520	3728	wmipsrt.exe	99
PID 3728 wrote to memory of 2520	3728	wmipsrt.exe	99
PID 3728 wrote to memory of 2520	3728	wmipsrt.exe	99
PID 3728 wrote to memory of 3244	3728	wmipsrt.exe	100
PID 3728 wrote to memory of 3244	3728	wmipsrt.exe	100
PID 3728 wrote to memory of 3244	3728	wmipsrt.exe	100
PID 2520 wrote to memory of 3464	2520	CMD.exe	105
PID 2520 wrote to memory of 3464	2520	CMD.exe	105
PID 2520 wrote to memory of 3464	2520	CMD.exe	105
PID 3864 wrote to memory of 2320	3864	CMD.exe	106
PID 3864 wrote to memory of 2320	3864	CMD.exe	106
PID 3864 wrote to memory of 2320	3864	CMD.exe	106
PID 3244 wrote to memory of 724	3244	CMD.exe	107
PID 3244 wrote to memory of 724	3244	CMD.exe	107
PID 3244 wrote to memory of 724	3244	CMD.exe	107
PID 2320 wrote to memory of 4292	2320	net.exe	108
PID 2320 wrote to memory of 4292	2320	net.exe	108
PID 2320 wrote to memory of 4292	2320	net.exe	108
PID 3728 wrote to memory of 2660	3728	wmipsrt.exe	109
PID 3728 wrote to memory of 2660	3728	wmipsrt.exe	109
PID 3728 wrote to memory of 2660	3728	wmipsrt.exe	109
PID 3728 wrote to memory of 4852	3728	wmipsrt.exe	111
PID 3728 wrote to memory of 4852	3728	wmipsrt.exe	111
PID 3728 wrote to memory of 4852	3728	wmipsrt.exe	111
PID 4852 wrote to memory of 544	4852	CMD.exe	113
PID 4852 wrote to memory of 544	4852	CMD.exe	113
PID 4852 wrote to memory of 544	4852	CMD.exe	113
PID 3728 wrote to memory of 3968	3728	wmipsrt.exe	114
PID 3728 wrote to memory of 3968	3728	wmipsrt.exe	114
PID 3728 wrote to memory of 3968	3728	wmipsrt.exe	114
PID 3728 wrote to memory of 4020	3728	wmipsrt.exe	115
PID 3728 wrote to memory of 4020	3728	wmipsrt.exe	115
PID 3728 wrote to memory of 4020	3728	wmipsrt.exe	115
PID 3728 wrote to memory of 4120	3728	wmipsrt.exe	116
PID 3728 wrote to memory of 4120	3728	wmipsrt.exe	116
PID 3728 wrote to memory of 4120	3728	wmipsrt.exe	116
PID 4020 wrote to memory of 4960	4020	CMD.exe	120
PID 4020 wrote to memory of 4960	4020	CMD.exe	120
PID 4020 wrote to memory of 4960	4020	CMD.exe	120
PID 3968 wrote to memory of 4484	3968	CMD.exe	121

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3484
- C:\Users\Admin\AppData\Local\Temp\bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe"
  2⤵
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Users\Admin\AppData\Local\Temp\bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\bd0802393b51f7b88fd1caf18cfb9d59_JaffaCakes118.exe
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3120
  - - C:\Windows\SysWOW64\wmipsrt.exe
      "C:\Windows\system32\wmipsrt.exe"
      4⤵
      Executes dropped EXE
      Maps connected drives based on registry
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5032
    - - C:\Windows\SysWOW64\wmipsrt.exe
        
        C:\Windows\SysWOW64\wmipsrt.exe
        5⤵
        Modifies firewall policy service
        Modifies security service
        Windows security bypass
        Drops file in Drivers directory
        Event Triggered Execution: Image File Execution Options Injection
        Executes dropped EXE
        Impair Defenses: Safe Mode Boot
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:3728
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop "avast! Antivirus"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3864
        
        C:\Windows\SysWOW64\net.exe
        
        net stop "avast! Antivirus"
        7⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "avast! Antivirus"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4292
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop "avast! Antivirus"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop "avast! Antivirus"
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3464
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config "avast! Antivirus" start= disabled
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config "avast! Antivirus" start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:724
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:2660
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete "avast! Antivirus"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete "avast! Antivirus"
        7⤵
        Launches sc.exe
        
        PID:544
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop AntiVirService
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\SysWOW64\net.exe
        
        net stop AntiVirService
        7⤵
        
        PID:4484
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop AntiVirService
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop AntiVirService
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4020
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop AntiVirService
        7⤵
        Launches sc.exe
        
        PID:4960
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config AntiVirService start= disabled
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config AntiVirService start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1804
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete AntiVirService
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4116
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete AntiVirService
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3600
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop PASRV
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3288
        
        C:\Windows\SysWOW64\net.exe
        
        net stop PASRV
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop PASRV
        8⤵
        
        PID:3704
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop PASRV
        6⤵
        
        PID:1372
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop PASRV
        7⤵
        Launches sc.exe
        
        PID:3120
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config PASRV start= disabled
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3532
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config PASRV start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3536
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete PASRV
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete PASRV
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1504
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop VSSERV
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Windows\SysWOW64\net.exe
        
        net stop VSSERV
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1128
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop VSSERV
        8⤵
        
        PID:4904
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop VSSERV
        6⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop VSSERV
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:32
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config VSSERV start= disabled
        6⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config VSSERV start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4692
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete VSSERV
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4060
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete VSSERV
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2768
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop avg8wd
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
        
        C:\Windows\SysWOW64\net.exe
        
        net stop avg8wd
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4024
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop avg8wd
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop avg8wd
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop avg8wd
        7⤵
        Launches sc.exe
        
        PID:3280
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config avg8wd start= disabled
        6⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config avg8wd start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4536
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete avg8wd
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete avg8wd
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1192
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop NOD32krn
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2776
        
        C:\Windows\SysWOW64\net.exe
        
        net stop NOD32krn
        7⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop NOD32krn
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2096
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop NOD32krn
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:388
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop NOD32krn
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4320
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config NOD32krn start= disabled
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2628
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config NOD32krn start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3352
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete NOD32krn
        6⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete NOD32krn
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4480
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop SbPF.Launcher
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3348
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SbPF.Launcher
        7⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SbPF.Launcher
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:836
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop SbPF.Launcher
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3320
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop SbPF.Launcher
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:1044
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config SbPF.Launcher start= disabled
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config SbPF.Launcher start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3060
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete SbPF.Launcher
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4284
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete SbPF.Launcher
        7⤵
        Launches sc.exe
        
        PID:4828
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop SPF4
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4036
        
        C:\Windows\SysWOW64\net.exe
        
        net stop SPF4
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4048
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop SPF4
        8⤵
        
        PID:3380
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop SPF4
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4208
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop SPF4
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4112
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config SPF4 start= disabled
        6⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config SPF4 start= disabled
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:3208
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete SPF4
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete SPF4
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2560
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C net stop acssrv
        6⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\net.exe
        
        net stop acssrv
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop acssrv
        8⤵
        
        PID:3552
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc stop acssrv
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3172
        
        C:\Windows\SysWOW64\sc.exe
        
        sc stop acssrv
        7⤵
        Launches sc.exe
        
        PID:4976
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc config acssrv start= disabled
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config acssrv start= disabled
        7⤵
        Launches sc.exe
        
        PID:3372
      - C:\Windows\SysWOW64\CMD.exe
        
        CMD /C sc delete acssrv
        6⤵
        
        PID:4400
        
        C:\Windows\SysWOW64\sc.exe
        
        sc delete acssrv
        7⤵
        Launches sc.exe
        
        PID:3912
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        Gathers network information
        
        PID:4068
      - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /flushdns
        6⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:3968
  - - C:\Windows\SysWOW64\CMD.exe
      CMD /C del /F /S /Q *.zip
      4⤵
      PID:4952
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\BD0802~1.EXE > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:3704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery