Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04/12/2024, 04:46
Static task: static1
Behavioral task behavioral1: sample c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe, resource win7-20240903-en
Behavioral task behavioral2: sample c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe, resource win10v2004-20241007-en
General
Target: c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe
Size: 6.6MB
MD5: c0e02963d743434c336adfc1328659cb
SHA1: d91f98f3a53600098956731f1fed2449ecc8f62f
SHA256: 11bbd3b3821a5464478af90b19b0f185ea22dea49ae915cdcc5dfc61e476b179
SHA512: 7386048787a1c11487eb2d54ca86fb8eef493e16fd864fc6064051e613fe008565c052456930ef439dfd8917815b34aa1553285836e67f16f2a87e00b1e4d5c2
SSDEEP: 196608:+kvE8Reda7V7KeWkMmzBoVKKW6W+H94icTIEA:tReoV+ezMqBoUOSzTIt
Malware Config
Extracted configuration, family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Sality family
UAC bypass
Setting EnableLUA to 0 switches User Account Control off for the whole machine; the change takes effect at the next reboot.
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [goldsetup_trial87.exe]
Windows security bypass
These Security Center values only suppress the Action Center warnings that antivirus, firewall, updates or UAC are off; they do not stop those components themselves. The netsh command and the EnableLUA write elsewhere in this report are what actually turned protections off.
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [goldsetup_trial87.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [goldsetup_trial87.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [goldsetup_trial87.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [goldsetup_trial87.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  [goldsetup_trial87.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [goldsetup_trial87.exe]
Disables RegEdit via registry modification 1 IoCs
  Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"  [goldsetup_trial87.exe]
Disables Task Manager via registry modification
Modifies Windows Firewall 2 TTPs 1 IoCs
  928 netsh.exe  (command line in the process tree: netsh firewall set opmode disable)
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.
  behavioral2/files/0x0008000000023cd2-35.dat  [yara: acprotect]
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation  [c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe]
Executes dropped EXE 3 IoCs
  324 goldsetup_trial87.exe
  736 Stp9FAB_TMP.EXE
  1748 Stp9FAB_TMP.tmp
Loads dropped DLL 1 IoCs
  4460 c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Windows security modification
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  [goldsetup_trial87.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  [goldsetup_trial87.exe]
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  [goldsetup_trial87.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  [goldsetup_trial87.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  [goldsetup_trial87.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  [goldsetup_trial87.exe]
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  [goldsetup_trial87.exe]
Checks whether UAC is enabled
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [goldsetup_trial87.exe]
Suspicious use of SetThreadContext 1 IoCs
PID 4460 starts iexplore.exe (PID 4820), writes into it (seven WriteProcessMemory rows below) and then replaces a thread context: the sequence used to run an injected or hollowed payload inside a legitimate image. The UPX-packed region found at 0x400000 in PID 4820's memory dump is the region written by the sample.
  PID 4460 set thread context of 4820  [4460 c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe, procid_target 86]
UPX packed file
  behavioral2/memory/324-15-0x00000000022E0000-0x0000000003313000-memory.dmp  [yara: upx]
  behavioral2/memory/324-28-0x00000000022E0000-0x0000000003313000-memory.dmp  [yara: upx]
  behavioral2/memory/324-22-0x00000000022E0000-0x0000000003313000-memory.dmp  [yara: upx]
  behavioral2/files/0x0008000000023cd2-35.dat  [yara: upx]
  behavioral2/memory/4820-40-0x0000000000400000-0x0000000000416000-memory.dmp  [yara: upx]
  behavioral2/memory/4460-38-0x0000000010000000-0x000000001005A000-memory.dmp  [yara: upx]
Drops file in Windows directory 1 IoCs
  File opened for modification C:\Windows\SYSTEM.INI  [goldsetup_trial87.exe]
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It loads the helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh every time it starts, so the query/enumerate/open operations below are what any netsh invocation produces. Here netsh.exe was launched by goldsetup_trial87.exe to run "netsh firewall set opmode disable" (see the process tree); a new helper being registered for persistence would show as a Set value under the same key, and no such write appears in this run.
  Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  [netsh.exe]
  Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  [netsh.exe]
  Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh  [netsh.exe]
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe]
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [goldsetup_trial87.exe]
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [Stp9FAB_TMP.EXE]
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [netsh.exe]
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [Stp9FAB_TMP.tmp]
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  [IEXPLORE.EXE]
Modifies Internet Explorer settings
The rows below are Internet Explorer's own first-run and session housekeeping under the user's hive. The DecayDateQueue values begin with the DPAPI blob header (01000000 followed by the provider GUID d08c9ddf-0115-d111-8c7a-00c04fc297eb), i.e. IE-encrypted new-tab-page state, not data planted by the sample. What matters for triage is that iexplore.exe (PID 4820) was started by the sample (PID 4460), which also wrote to its memory and set its thread context; IEXPLORE.EXE (PID 3924) is 4820's child.
  Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"  [iexplore.exe]
  Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive  [iexplore.exe]
  Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""  [IEXPLORE.EXE]
  Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\  [iexplore.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"  [iexplore.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2748679094"  [iexplore.exe]
  Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10c6c7a50746db01  [iexplore.exe]
  Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042e7dba96731da408b68fe0ed5b0a24600000000020000000000106600000001000020000000c4747ef9fa92c6db238842f7484a191c8179bb7f67f43f0b0339959a2942a0dc000000000e800000000200002000000003088a7660541d8b845347806cf3af1b0c33f2e1d521c59659085a99528557c5200000006000ffb5d4d23b3718380d39fc857ce2941c30803c5d25161d9a2ad992f5b509400000004b51b28bca0214423f67ad73f385a72f10633efcd7b189e72802c58c3834227cce79da72fb6e7f16da5f1ab1f8093a911bf0f12f4831acfee1f46619b15d76bc  [iexplore.exe]
  Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion  [iexplore.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{CF5B4754-B1FA-11EF-91C3-F6235BFAC6D3} = "0"  [iexplore.exe]
  Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main  [IEXPLORE.EXE]
  Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager  [IEXPLORE.EXE]
  Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\VersionManager  [iexplore.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31147527"  [IEXPLORE.EXE]
  Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000042e7dba96731da408b68fe0ed5b0a2460000000002000000000010660000000100002000000092136b88f3f2c2c4cbc9a0f4cf072e51e19f78a302ad9f6bc70e02cd9aec7f3e000000000e800000000200002000000010547b824ce1fbfaf5d26254d846f0e34ecb018aed6949738fd8312ae9f4216e200000004229072e71ead0097c021b0a735b592e032e024c4d94ddc5dceea0d09fcce1a74000000059f9147efba9436faac1fbaf2b04c5411a033331db68489566e0d9d3c6fde44e56eb141c7be6e2b7fd7fb2bd892d006523458b7df591f55dc4c4180771e41305  [iexplore.exe]
  Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch  [iexplore.exe]
  Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"  [iexplore.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"  [iexplore.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"  [iexplore.exe]
  Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\  [iexplore.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "440052602"  [iexplore.exe]
  Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  [iexplore.exe]
  Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery  [iexplore.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31147527"  [iexplore.exe]
  Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage  [iexplore.exe]
  Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main  [iexplore.exe]
  Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing  [iexplore.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"  [iexplore.exe]
  Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames  [iexplore.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"  [iexplore.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31147527"  [iexplore.exe]
  Set value (data) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30dfbba50746db01  [iexplore.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2771335123"  [IEXPLORE.EXE]
  Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion  [iexplore.exe]
  Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"  [iexplore.exe]
  Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\GPU  [IEXPLORE.EXE]
  Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2748679094"  [iexplore.exe]
Suspicious behavior: EnumeratesProcesses 32 IoCs
  324 goldsetup_trial87.exe  (30 rows)
  4460 c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe  (2 rows)
Suspicious use of AdjustPrivilegeToken 64 IoCs
SeDebugPrivilege lets the process open handles to processes owned by other accounts, which is what the writes into fontdrvhost.exe, dwm.exe, Explorer.EXE and the svchost instances listed under WriteProcessMemory below require.
  Token: SeDebugPrivilege  [324 goldsetup_trial87.exe]  (64 identical rows)
Suspicious use of FindShellTrayWindow 1 IoCs
  4820 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs
  4460 c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe  (1 row)
  4820 iexplore.exe  (2 rows)
  3924 IEXPLORE.EXE  (4 rows)
Suspicious use of WriteProcessMemory 64 IoCs
Columns: description, [pid Process], procid_target; identical rows are collapsed with their count. PID 324 writes into every process in the tree, including processes it did not create (both fontdrvhost.exe instances, dwm.exe, sihost.exe, taskhostw.exe, Explorer.EXE, the svchost, RuntimeBroker and shell-app processes, and its sibling iexplore.exe). Only the writes by a parent into a process it has just created (4460 into 324, 324 into 928 and 736, 736 into 1748, 4820 into 3924) are consistent with ordinary process start-up.
  PID 4460 wrote to memory of 324  [4460 c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe]  83  (×3)
  PID 324 wrote to memory of 784  [324 goldsetup_trial87.exe]  8  (×3)
  PID 324 wrote to memory of 792  [324 goldsetup_trial87.exe]  9  (×3)
  PID 324 wrote to memory of 384  [324 goldsetup_trial87.exe]  13  (×2)
  PID 324 wrote to memory of 3040  [324 goldsetup_trial87.exe]  50  (×2)
  PID 324 wrote to memory of 2528  [324 goldsetup_trial87.exe]  52  (×2)
  PID 324 wrote to memory of 3124  [324 goldsetup_trial87.exe]  53  (×2)
  PID 324 wrote to memory of 3452  [324 goldsetup_trial87.exe]  56  (×2)
  PID 324 wrote to memory of 3584  [324 goldsetup_trial87.exe]  57  (×2)
  PID 324 wrote to memory of 3788  [324 goldsetup_trial87.exe]  58  (×2)
  PID 324 wrote to memory of 3872  [324 goldsetup_trial87.exe]  59  (×2)
  PID 324 wrote to memory of 3936  [324 goldsetup_trial87.exe]  60  (×2)
  PID 324 wrote to memory of 4020  [324 goldsetup_trial87.exe]  61  (×2)
  PID 324 wrote to memory of 3612  [324 goldsetup_trial87.exe]  62  (×2)
  PID 324 wrote to memory of 1460  [324 goldsetup_trial87.exe]  75  (×2)
  PID 324 wrote to memory of 3628  [324 goldsetup_trial87.exe]  76  (×2)
  PID 324 wrote to memory of 2632  [324 goldsetup_trial87.exe]  81  (×1)
  PID 324 wrote to memory of 4460  [324 goldsetup_trial87.exe]  82  (×2)
  PID 324 wrote to memory of 928  [324 goldsetup_trial87.exe]  84  (×3)
  PID 4460 wrote to memory of 4820  [4460 c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe]  86  (×7)
  PID 324 wrote to memory of 736  [324 goldsetup_trial87.exe]  87  (×5)
  PID 736 wrote to memory of 1748  [736 Stp9FAB_TMP.EXE]  88  (×3)
  PID 4820 wrote to memory of 3924  [4820 iexplore.exe]  89  (×3)
  PID 324 wrote to memory of 4820  [324 goldsetup_trial87.exe]  86  (×1)
  PID 324 wrote to memory of 1748  [324 goldsetup_trial87.exe]  88  (×2)
  PID 324 wrote to memory of 3924  [324 goldsetup_trial87.exe]  89  (×2)
System policy modification 1 TTPs 1 IoCs
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  [goldsetup_trial87.exe]
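The registry writes and the netsh command recorded above are the classic defence-impairment set (UAC off, Security Center warnings silenced, Registry Editor blocked, host firewall off). The following is an added example, not code from the sandbox or from the sample, that classifies rows in the report's own "Set value (type) key\value = "data" process" format against a small rule table and maps each hit to an ATT&CK technique. The sample rows are copied from this report (the last registry row is benign Internet Explorer noise, kept to show it is ignored); the rule table, the technique mapping and the netsh patterns are this example's own.

```python
"""Classify sandbox registry-write rows and command lines as defence impairment."""
import re
from dataclasses import dataclass

SID = "S-1-5-21-940901362-3608833189-1915618603-1000"

# Rows copied from this report's signature tables; the FullScreen row is benign IE housekeeping.
REGISTRY_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" goldsetup_trial87.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" goldsetup_trial87.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" goldsetup_trial87.exe',
    r'Set value (int) \REGISTRY\USER\{sid}\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" goldsetup_trial87.exe'.format(sid=SID),
    r'Set value (str) \REGISTRY\USER\{sid}\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe'.format(sid=SID),
]

# (pid, image, command line) copied from the process tree.
COMMAND_LINES = [
    (928, "netsh.exe", "netsh firewall set opmode disable"),
    (324, "goldsetup_trial87.exe", '"C:\\Users\\Admin\\AppData\\Local\\Temp\\goldsetup_trial87.exe" 0'),
]

# Report row format: Set value (<type>) <key>\<value name> = "<data>" <process>
ROW_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\[^=]+)\\(?P<name>[^\\=]+) = "(?P<data>[^"]*)" (?P<proc>\S+)$'
)

# Example rule table (this example's own): value name -> (key suffix, data meaning "impaired",
# ATT&CK technique, label). Security Center values fall under Disable or Modify Tools, as the
# report's ATT&CK map does; EnableLUA=0 is Bypass User Account Control.
IMPAIRMENT_RULES = {
    "enablelua":              ("policies\\system", "0", "T1548.002", "UAC disabled (EnableLUA=0)"),
    "disableregistrytools":   ("policies\\system", "1", "T1562.001", "Registry Editor blocked"),
    "disabletaskmgr":         ("policies\\system", "1", "T1562.001", "Task Manager blocked"),
    "antivirusdisablenotify": ("security center", "1", "T1562.001", "AV-off warnings suppressed"),
    "antivirusoverride":      ("security center", "1", "T1562.001", "AV status override"),
    "firewalldisablenotify":  ("security center", "1", "T1562.001", "firewall-off warnings suppressed"),
    "firewalloverride":       ("security center", "1", "T1562.001", "firewall status override"),
    "updatesdisablenotify":   ("security center", "1", "T1562.001", "update warnings suppressed"),
    "uacdisablenotify":       ("security center", "1", "T1562.001", "UAC-off warnings suppressed"),
}

# netsh syntaxes that turn the host firewall off: the legacy 'firewall' context used in this
# run and the 'advfirewall' context used on current Windows.
NETSH_FIREWALL_OFF = re.compile(
    r"\bnetsh(?:\.exe)?\s+(?:firewall\s+set\s+opmode\s+(?:mode=)?disable"
    r"|advfirewall\s+set\s+\w+\s+state\s+off)\b",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    process: str
    technique: str
    label: str
    evidence: str


def _normalise_key(key: str) -> str:
    """Lower-case, drop WOW6432Node redirection and collapse the user SID so one rule matches both hives."""
    k = key.lower().replace("\\wow6432node", "")
    k = re.sub(r"^\\registry\\user\\s-1-5-21-[\d-]+", "hkcu", k)
    return k.replace("\\registry\\machine", "hklm")


def classify_registry_rows(rows):
    """Return a Finding for every row whose value name, key location and data match a rule."""
    findings = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        rule = IMPAIRMENT_RULES.get(m["name"].lower())
        if rule is None:
            continue
        key_suffix, bad_data, technique, label = rule
        if _normalise_key(m["key"]).endswith(key_suffix) and m["data"] == bad_data:
            findings.append(Finding(m["proc"], technique, label, m["name"]))
    return findings


def classify_command_lines(entries):
    """Return a Finding for every (pid, image, cmdline) that disables the host firewall via netsh."""
    return [
        Finding(image, "T1562.004", "host firewall disabled via netsh", cmdline)
        for _pid, image, cmdline in entries
        if NETSH_FIREWALL_OFF.search(cmdline)
    ]


def techniques(findings):
    """Distinct ATT&CK technique IDs, sorted, for a one-line summary."""
    return sorted({f.technique for f in findings})


if __name__ == "__main__":
    all_findings = classify_registry_rows(REGISTRY_ROWS) + classify_command_lines(COMMAND_LINES)
    for f in all_findings:
        print(f"{f.technique}  {f.process:<24} {f.label}  ({f.evidence})")
    print("techniques:", ", ".join(techniques(all_findings)))
```

The key normalisation is the part worth keeping when porting this to real telemetry: the same value is written under WOW6432Node by 32-bit processes (as here) and under the native path by 64-bit ones, and per-user policy keys carry the SID, so matching on the raw path misses half the cases.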
Processes
(indentation shows the tree depth; each line is PID, image path, command line, followed by the signatures attributed to that process)
PID 784  C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"
PID 792  C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"
PID 384  C:\Windows\system32\dwm.exe  cmd: "dwm.exe"
PID 3040  C:\Windows\system32\sihost.exe  cmd: sihost.exe
PID 2528  C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 3124  C:\Windows\system32\taskhostw.exe  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3452  C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE
  PID 4460  C:\Users\Admin\AppData\Local\Temp\c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe"
    - Checks computer location settings
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID 324  C:\Users\Admin\AppData\Local\Temp\goldsetup_trial87.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\goldsetup_trial87.exe" 0
      - UAC bypass
      - Windows security bypass
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID 928  C:\Windows\SysWOW64\netsh.exe  cmd: netsh firewall set opmode disable
        - Modifies Windows Firewall
        - Event Triggered Execution: Netsh Helper DLL
        - System Location Discovery: System Language Discovery
      PID 736  C:\Users\Admin\AppData\Local\Temp\Stp9FAB_TMP.EXE  cmd: "C:\Users\Admin\AppData\Local\Temp\Stp9FAB_TMP.EXE"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID 1748  C:\Users\Admin\AppData\Local\Temp\is-FQUD6.tmp\Stp9FAB_TMP.tmp  cmd: "C:\Users\Admin\AppData\Local\Temp\is-FQUD6.tmp\Stp9FAB_TMP.tmp" /SL5="$80248,6258361,54272,C:\Users\Admin\AppData\Local\Temp\Stp9FAB_TMP.EXE"
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
    PID 4820  C:\Program Files\Internet Explorer\iexplore.exe  cmd: /scomma "C:\Users\Admin\AppData\Local\Temp\tmp.ini
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID 3924  C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4820 CREDAT:17410 /prefetch:2
        - System Location Discovery: System Language Discovery
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
PID 3584  C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3788  C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3872  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 3936  C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4020  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 3612  C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1460  C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 3628  C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2632  C:\Windows\system32\backgroundTaskHost.exe  cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
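The process tree and the WriteProcessMemory/SetThreadContext signatures together separate two very different things that the raw rows lump together: a parent writing into a child it has just created (ordinary start-up, or hollowing when a thread context is also replaced) and a process writing into processes it never created (the file-infector pattern PID 324 shows here). The following is an added example, not code from the sandbox or the sample, that rebuilds the write graph from rows in the report's own "PID <src> wrote to memory of <dst> <pid> <Process> <procid_target>" format and labels each edge using the parent links from the tree. The tree entries and rows are copied from this report (a subset of the 64 WriteProcessMemory rows); the verdict names, the parent-based rule and the min_targets threshold are this example's own choices, and the parents of the depth-1 system processes are unknown because the report does not show them.

```python
"""Rebuild the cross-process write graph from sandbox rows and label each edge."""
import re
from collections import Counter

# pid -> (image, parent pid), from the Processes tree. Parents the report does not show are None.
PROCESS_TREE = {
    784: ("fontdrvhost.exe", None),
    384: ("dwm.exe", None),
    3040: ("sihost.exe", None),
    3452: ("Explorer.EXE", None),
    2632: ("backgroundTaskHost.exe", None),
    4460: ("c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe", 3452),
    324: ("goldsetup_trial87.exe", 4460),
    928: ("netsh.exe", 324),
    736: ("Stp9FAB_TMP.EXE", 324),
    1748: ("Stp9FAB_TMP.tmp", 736),
    4820: ("iexplore.exe", 4460),
    3924: ("IEXPLORE.EXE", 4820),
}

# Subset of the report's WriteProcessMemory and SetThreadContext rows, in the report's own
# column order: description, pid, Process, procid_target.
ROWS = [
    "PID 4460 wrote to memory of 324 4460 c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe 83",
    "PID 324 wrote to memory of 784 324 goldsetup_trial87.exe 8",
    "PID 324 wrote to memory of 384 324 goldsetup_trial87.exe 13",
    "PID 324 wrote to memory of 3040 324 goldsetup_trial87.exe 50",
    "PID 324 wrote to memory of 3452 324 goldsetup_trial87.exe 56",
    "PID 324 wrote to memory of 2632 324 goldsetup_trial87.exe 81",
    "PID 324 wrote to memory of 928 324 goldsetup_trial87.exe 84",
    "PID 324 wrote to memory of 736 324 goldsetup_trial87.exe 87",
    "PID 324 wrote to memory of 4820 324 goldsetup_trial87.exe 86",
    "PID 324 wrote to memory of 1748 324 goldsetup_trial87.exe 88",
    "PID 4460 wrote to memory of 4820 4460 c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe 86",
    "PID 4460 set thread context of 4820 4460 c0e02963d743434c336adfc1328659cb_JaffaCakes118.exe 86",
    "PID 736 wrote to memory of 1748 736 Stp9FAB_TMP.EXE 88",
    "PID 4820 wrote to memory of 3924 4820 iexplore.exe 89",
]

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_id>\d+)$"
)


def parse_rows(rows):
    """(src_pid, op, dst_pid, src_image) for every row that matches; anything else is skipped."""
    parsed = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            parsed.append((int(m["src"]), m["op"], int(m["dst"]), m["image"]))
    return parsed


def classify_writes(tree, rows):
    """Map (src, dst) -> verdict (names are this example's own):
    'hollowing'   src created dst, wrote into it and then replaced a thread context
    'child-write' src wrote into a process it created (also seen during ordinary start-up)
    'injection'   src wrote into a process it did not create (sibling, grandchild or unrelated)
    """
    events = parse_rows(rows)
    writes = {(s, d) for s, op, d, _ in events if op == "wrote to memory of"}
    contexts = {(s, d) for s, op, d, _ in events if op == "set thread context of"}
    verdicts = {}
    for src, dst in sorted(writes):
        parent = tree.get(dst, (None, None))[1]
        if parent == src:
            verdicts[(src, dst)] = "hollowing" if (src, dst) in contexts else "child-write"
        else:
            verdicts[(src, dst)] = "injection"
    return verdicts


def broad_injectors(verdicts, min_targets=3):
    """PIDs that wrote into at least min_targets processes they did not create: the
    'inject into everything running' pattern PID 324 shows in this run."""
    counts = Counter(src for (src, _dst), v in verdicts.items() if v == "injection")
    return {pid: n for pid, n in counts.items() if n >= min_targets}


if __name__ == "__main__":
    verdicts = classify_writes(PROCESS_TREE, ROWS)
    for (src, dst), verdict in verdicts.items():
        src_img = PROCESS_TREE.get(src, ("?",))[0]
        dst_img = PROCESS_TREE.get(dst, ("?",))[0]
        print(f"{verdict:<11} {src} {src_img} -> {dst} {dst_img}")
    print("broad injectors:", broad_injectors(verdicts))
```

On this subset the only hollowing edge is 4460 into iexplore.exe (4820), and 324 is the only broad injector; on the full 64-row table it reaches every depth-1 process in the tree. When this logic is applied to EDR telemetry, the parent link must come from the process-creation event and not from the write rows themselves, otherwise a parent that injects into its own child is indistinguishable from a normal start-up write.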
Network
MITRE ATT&CK Enterprise v15
Persistence
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
  Event Triggered Execution (1)
    Netsh Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
(the two CryptnetUrlCache entries are the CryptoAPI certificate/CRL cache that Windows writes when a process performs a chain validation, here Internet Explorer's start-up; the remaining entries are listed by the report without a path)

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 471B
  MD5: 6f35d010be70338c65989d51b31c9b03
  SHA1: 1856c3b4f263b41656d1e7ef5f98457fd5be5378
  SHA256: 8a7716b8f12fdf60b238d6dfea3d49008558bcb81864d60e014a64e72bdb3ece
  SHA512: 3c3bf46642e85fe593b66ed0609b62a09820aad92f3e5736da751cab568b45c574aeab59c0ace5aea562c77b24ddfc8f967ab26e38f251b2c628978aca36d25e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
  Filesize: 404B
  MD5: 5a6d29e64aafb59b5abb9806c756d04c
  SHA1: 2cafa94d67aef3eb704a6e121d60b3622e861acc
  SHA256: f8cefb34f39d0377e6919216d3a14440432991a0c725b09f7f277c76a5cc9869
  SHA512: 670b2234844dd0a51e41abfee6309b122d200ad8a359d2e72c3425aab16c79b7527b715819f31cffad536c30e266166909fc333e3af6201de399abfdabd7393b

  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  Filesize: 6.2MB
  MD5: 0ea1fc0bfd095713656881e8c70d74be
  SHA1: f43cea9402a87bad99336e02d12c39a1fd7c2564
  SHA256: f2af5bff9c3654a5cfe56a5ac423a5165667dfae0d18d0cbd4583456783d766c
  SHA512: 55da3352924d9c291c34438a0e581ede64f4fcd468951b1abbb0038aaaa3143a878094410dc6c81894507a8459c13c375f214875f2a4127f6a9f99f1d6f87da9

  Filesize: 6.3MB
  MD5: e8544164afab86d5e65e49a07238d035
  SHA1: 2c266f17d17eab5f101c421721a1e5964283da4a
  SHA256: 1942fccb26fa9fce6e320a9cb8343dc8c656d32c4f1dc739aac5e0b6d8469148
  SHA512: bf65d8c824409c8d686eaf999d8441b4354cce913fd06561c50c72ae4b8bf36ee39885dc679e17b6c7f2d4d60f4b4a43b48f1ac5119309432c08d21c3deef871

  Filesize: 677KB
  MD5: c04af2e8479e97b7734a912456464ca8
  SHA1: abc4a5744c5a48bde3644ed92fc8a685d56cd60b
  SHA256: 9e18f7e9753f2951bf13f8cd2e972202af5d87b21b54a5e2b2bc53e1285ead48
  SHA512: 6b820ecb369e0b86acdade06d17552b2c9aa953bc3b65dff52eb4388393bbe5b36eaa9518f86d3f25ea2758fe3b03b184a74f2585268d6063c2ff8a4e72a132c

  Filesize: 171KB
  MD5: 744dcc4cbbfbb18fe3878c4e769ec48f
  SHA1: c1f2c56ee2d91203a01d3465f185295477a1217d
  SHA256: 33eb31a2a576e663474a895ff0190316c64a93d9ce05a55df0d53f9beeb61163
  SHA512: 706630be2ca09e574a7794e32e515a0a3f993643d034647b8cb976c1e7045e87e30362757cc65fcdb95f4a4327f0dcda3edc82ba84e5ed9115870a037e13af21