Resubmissions
08-12-2024 11:04
Analysis ID: 241208-m6n5ja1qcv
Score: 10
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20241023-en
resource tags: arch:x64 arch:x86 image:win7-20241023-en locale:en-us os:windows7-x64 system
submitted: 08-12-2024 11:04

Static task: static1

Behavioral task: behavioral1
Sample: d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
Resource: win7-20241023-en

Behavioral task: behavioral2
Sample: d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
Resource: win10v2004-20241007-en

General
Target: d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
Size: 978KB
MD5: d6b8c1db03cd0f282e1718daf0dc35cf
SHA1: 33435de2eb5be3e242bc75d3c6722e6e1a9b866c
SHA256: 7849b02c1912451ca4703361443e161953750e9783ee237985db9cafaff76c04
SHA512: fa8bc7754009e447c1a87bd1e8183e5138eb2a637a6a3853f546af48a3564522b634341f2ed09117048f549953010c7fc4d67a72194121e23171f5f3f8746c27
SSDEEP: 24576:gHmSroFu1bU2XbykgUD5G5/XjaTG5lgUChKw9NQLH:gH7k4lyzBdToG5Wj9U
Malware Config
Signatures
DcRat 12 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
Columns: description | ioc | pid | Process
- 2764 | schtasks.exe
- 2552 | schtasks.exe
- 1536 | schtasks.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- 1316 | schtasks.exe
- 1308 | schtasks.exe
- 1044 | schtasks.exe
- 1812 | schtasks.exe
- 1900 | schtasks.exe
- 796 | schtasks.exe
- 1688 | schtasks.exe
- 1156 | schtasks.exe
Dcrat family
Columns: description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
Process spawned unexpected child process 11 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Columns: description | pid | pid_target | Process | procid_target
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2764 | 2688 | schtasks.exe | 36
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2552 | 2688 | schtasks.exe | 36
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1156 | 2688 | schtasks.exe | 36
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1316 | 2688 | schtasks.exe | 36
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1308 | 2688 | schtasks.exe | 36
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1044 | 2688 | schtasks.exe | 36
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1812 | 2688 | schtasks.exe | 36
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1900 | 2688 | schtasks.exe | 36
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1536 | 2688 | schtasks.exe | 36
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 796 | 2688 | schtasks.exe | 36
- Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1688 | 2688 | schtasks.exe | 36
Columns: description | ioc | Process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe = "0" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\Windows Defender\fr-FR\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe = "0" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe

Columns: resource | yara_rule
- behavioral1/memory/2952-23-0x0000000000400000-0x00000000004AC000-memory.dmp | dcrat
- behavioral1/memory/2952-30-0x0000000000400000-0x00000000004AC000-memory.dmp | dcrat
- behavioral1/memory/2952-29-0x0000000000400000-0x00000000004AC000-memory.dmp | dcrat
- behavioral1/memory/2952-28-0x0000000000400000-0x00000000004AC000-memory.dmp | dcrat
- behavioral1/memory/2952-25-0x0000000000400000-0x00000000004AC000-memory.dmp | dcrat
- behavioral1/memory/2056-75-0x0000000000400000-0x00000000004AC000-memory.dmp | dcrat
- behavioral1/memory/2056-77-0x0000000000400000-0x00000000004AC000-memory.dmp | dcrat
Detected Nirsoft tools 1 IoCs
Free utilities often used by attackers which can steal passwords, product keys, etc.
Columns: resource | yara_rule
- behavioral1/files/0x00070000000186e7-7.dat | Nirsoft
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Columns: pid | Process
- 2820 | powershell.exe
- 1072 | powershell.exe
- 1600 | powershell.exe
Executes dropped EXE 8 IoCs
Columns: pid | Process
- 2608 | AdvancedRun.exe
- 1152 | AdvancedRun.exe
- 1440 | AdvancedRun.exe
- 560 | AdvancedRun.exe
- 2188 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- 1772 | AdvancedRun.exe
- 2204 | AdvancedRun.exe
- 1988 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe

Loads dropped DLL 13 IoCs
Columns: pid | Process (repeated entries collapsed, count in parentheses)
- 2140 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe (2)
- 2608 | AdvancedRun.exe (2)
- 2024 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe (2)
- 1440 | AdvancedRun.exe (2)
- 2056 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe (1)
- 2188 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe (2)
- 1772 | AdvancedRun.exe (2)

Columns: description | ioc | Process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Program Files (x86)\Windows Defender\fr-FR\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe = "0" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe = "0" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Real-Time Protection | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
Adds Run key to start application 2 TTPs 11 IoCs
Columns: description | ioc | Process
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Documents and Settings\\explorer.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\SPInf\\wininit.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Windows\\System32\\ReAgent\\wininit.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files\\Microsoft Office\\Office14\\1033\\Idle.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Program Files (x86)\\Microsoft Visual Studio 8\\SDK\\Idle.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\ProgramData\\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\\updates\\308046B0AF4A39CB\\sppsvc.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Windows\\System32\\wbem\\mpssvc\\WmiPrvSE.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\Speech\\System.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Windows\\System32\\pl-PL\\smss.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Users\\Admin\\Music\\services.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118 = "\"C:\\Program Files (x86)\\Windows Defender\\fr-FR\\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe\"" | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
Drops file in System32 directory 8 IoCs
Columns: description | ioc | Process
- File created | C:\Windows\SysWOW64\SPInf\wininit.exe | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\SPInf\560854153607923c4c5f107085a7db67be01f252 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\ReAgent\wininit.exe | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\ReAgent\560854153607923c4c5f107085a7db67be01f252 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\pl-PL\smss.exe | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\pl-PL\69ddcba757bf72f7d36c464c71f42baab150b2b9 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\wbem\mpssvc\WmiPrvSE.exe | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- File created | C:\Windows\SysWOW64\wbem\mpssvc\24dbde2999530ef5fd907494bc374d663924116c | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe

Suspicious use of SetThreadContext 3 IoCs
Columns: description | pid | Process | procid_target
- PID 2140 set thread context of 2952 | 2140 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe | 35
- PID 2024 set thread context of 2056 | 2024 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe | 52
- PID 2188 set thread context of 1988 | 2188 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe | 64

Drops file in Program Files directory 6 IoCs
Columns: description | ioc | Process
- File created | C:\Program Files\Microsoft Office\Office14\1033\Idle.exe | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- File created | C:\Program Files\Microsoft Office\Office14\1033\6ccacd8608530fba3a93e87ae2225c7032aa18c1 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- File created | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Idle.exe | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- File created | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\6ccacd8608530fba3a93e87ae2225c7032aa18c1 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- File created | C:\Program Files (x86)\Windows Defender\fr-FR\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- File created | C:\Program Files (x86)\Windows Defender\fr-FR\23bafe3d118821396627f9f3b74ae32804db0c7c | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs
Columns: description | ioc | Process
- File created | C:\Windows\Speech\System.exe | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- File created | C:\Windows\Speech\27d1bcfc3c54e0e44ea423ffd4ee81fe73670a2a | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe

Access Token Manipulation: Create Process with Token 1 TTPs 3 IoCs
Columns: pid | Process
- 2608 | AdvancedRun.exe
- 1440 | AdvancedRun.exe
- 1772 | AdvancedRun.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Columns: description | ioc | Process
All 18 entries are "Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; the Process column, in report order:
- d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- powershell.exe
- d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- AdvancedRun.exe
- AdvancedRun.exe
- cmd.exe
- AdvancedRun.exe
- AdvancedRun.exe
- powershell.exe
- AdvancedRun.exe
- chcp.com
- w32tm.exe
- d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- powershell.exe
- d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- AdvancedRun.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 11 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Columns: pid | Process
- 1044 | schtasks.exe
- 2764 | schtasks.exe
- 1316 | schtasks.exe
- 1308 | schtasks.exe
- 1812 | schtasks.exe
- 1900 | schtasks.exe
- 1536 | schtasks.exe
- 796 | schtasks.exe
- 1688 | schtasks.exe
- 2552 | schtasks.exe
- 1156 | schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs
Columns: pid | Process (repeated entries collapsed, count in parentheses)
- 2608 | AdvancedRun.exe (2)
- 1152 | AdvancedRun.exe (2)
- 2820 | powershell.exe (1)
- 2952 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe (3)
- 1440 | AdvancedRun.exe (2)
- 560 | AdvancedRun.exe (2)
- 1072 | powershell.exe (1)
- 2056 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe (1)
- 1772 | AdvancedRun.exe (2)
- 2204 | AdvancedRun.exe (2)
- 1600 | powershell.exe (1)
- 1988 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe (1)

Suspicious use of AdjustPrivilegeToken 21 IoCs
Columns: description | pid | Process
- Token: SeDebugPrivilege | 2608 | AdvancedRun.exe
- Token: SeImpersonatePrivilege | 2608 | AdvancedRun.exe
- Token: SeDebugPrivilege | 1152 | AdvancedRun.exe
- Token: SeImpersonatePrivilege | 1152 | AdvancedRun.exe
- Token: SeDebugPrivilege | 2140 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Token: SeDebugPrivilege | 2952 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Token: SeDebugPrivilege | 2820 | powershell.exe
- Token: SeDebugPrivilege | 1440 | AdvancedRun.exe
- Token: SeImpersonatePrivilege | 1440 | AdvancedRun.exe
- Token: SeDebugPrivilege | 560 | AdvancedRun.exe
- Token: SeImpersonatePrivilege | 560 | AdvancedRun.exe
- Token: SeDebugPrivilege | 2024 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Token: SeDebugPrivilege | 2056 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Token: SeDebugPrivilege | 1072 | powershell.exe
- Token: SeDebugPrivilege | 1772 | AdvancedRun.exe
- Token: SeImpersonatePrivilege | 1772 | AdvancedRun.exe
- Token: SeDebugPrivilege | 2204 | AdvancedRun.exe
- Token: SeImpersonatePrivilege | 2204 | AdvancedRun.exe
- Token: SeDebugPrivilege | 2188 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Token: SeDebugPrivilege | 1988 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
- Token: SeDebugPrivilege | 1600 | powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs
Columns: description | pid | Process | procid_target (identical consecutive entries collapsed, count in parentheses)
- PID 2140 wrote to memory of 2608 | 2140 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe | 30 (4)
- PID 2608 wrote to memory of 1152 | 2608 | AdvancedRun.exe | 31 (4)
- PID 2140 wrote to memory of 2820 | 2140 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe | 33 (4)
- PID 2140 wrote to memory of 2952 | 2140 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe | 35 (9)
- PID 2952 wrote to memory of 1672 | 2952 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe | 42 (4)
- PID 1672 wrote to memory of 1340 | 1672 | cmd.exe | 44 (4)
- PID 1672 wrote to memory of 1716 | 1672 | cmd.exe | 45 (4)
- PID 1716 wrote to memory of 1864 | 1716 | w32tm.exe | 46 (4)
- PID 1672 wrote to memory of 2024 | 1672 | cmd.exe | 47 (4)
- PID 2024 wrote to memory of 1440 | 2024 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe | 48 (4)
- PID 1440 wrote to memory of 560 | 1440 | AdvancedRun.exe | 49 (4)
- PID 2024 wrote to memory of 1072 | 2024 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe | 50 (4)
- PID 2024 wrote to memory of 2056 | 2024 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe | 52 (9)
- PID 2056 wrote to memory of 2188 | 2056 | d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe | 59 (2)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe"
- DcRat
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Loads dropped DLL
- Windows security modification
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2140

  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\454bdd99-72e7-42d8-a6a7-60c7091d3343\AdvancedRun.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\454bdd99-72e7-42d8-a6a7-60c7091d3343\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\454bdd99-72e7-42d8-a6a7-60c7091d3343\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  - Executes dropped EXE
  - Loads dropped DLL
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2608

    Process (depth 3): C:\Users\Admin\AppData\Local\Temp\454bdd99-72e7-42d8-a6a7-60c7091d3343\AdvancedRun.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\454bdd99-72e7-42d8-a6a7-60c7091d3343\AdvancedRun.exe" /SpecialRun 4101d8 2608
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1152

  Process (depth 2): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe" -Force
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 2820

  Process (depth 2): C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe"
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 2952

    Process (depth 3): C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1PdlJXOkrr.bat"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1672

      Process (depth 4): C:\Windows\SysWOW64\chcp.com
      Command line: chcp 65001
      - System Location Discovery: System Language Discovery
      PID: 1340

      Process (depth 4): C:\Windows\SysWOW64\w32tm.exe
      Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 1716

        Process (depth 5): C:\Windows\system32\w32tm.exe
        Command line: w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        PID: 1864

      Process (depth 4): C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe"
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2024

        Process (depth 5): C:\Users\Admin\AppData\Local\Temp\ad76edb5-f41f-44a7-a407-1f92f0ff3b50\AdvancedRun.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\ad76edb5-f41f-44a7-a407-1f92f0ff3b50\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\ad76edb5-f41f-44a7-a407-1f92f0ff3b50\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        - Executes dropped EXE
        - Loads dropped DLL
        - Access Token Manipulation: Create Process with Token
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 1440

          Process (depth 6): C:\Users\Admin\AppData\Local\Temp\ad76edb5-f41f-44a7-a407-1f92f0ff3b50\AdvancedRun.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\ad76edb5-f41f-44a7-a407-1f92f0ff3b50\AdvancedRun.exe" /SpecialRun 4101d8 1440
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 560

        Process (depth 5): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe" -Force
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 1072

        Process (depth 5): C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe"
        - Loads dropped DLL
        - Adds Run key to start application
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2056

          Process (depth 6): C:\Program Files (x86)\Windows Defender\fr-FR\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
          Command line: "C:\Program Files (x86)\Windows Defender\fr-FR\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe"
          - Windows security bypass
          - Executes dropped EXE
          - Loads dropped DLL
          - Windows security modification
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID: 2188

            Process (depth 7): C:\Users\Admin\AppData\Local\Temp\5cf6cadf-0cf2-4c4f-ba19-9f368cf26a10\AdvancedRun.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\5cf6cadf-0cf2-4c4f-ba19-9f368cf26a10\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\5cf6cadf-0cf2-4c4f-ba19-9f368cf26a10\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
            - Executes dropped EXE
            - Loads dropped DLL
            - Access Token Manipulation: Create Process with Token
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1772

              Process (depth 8): C:\Users\Admin\AppData\Local\Temp\5cf6cadf-0cf2-4c4f-ba19-9f368cf26a10\AdvancedRun.exe
              Command line: "C:\Users\Admin\AppData\Local\Temp\5cf6cadf-0cf2-4c4f-ba19-9f368cf26a10\AdvancedRun.exe" /SpecialRun 4101d8 1772
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 2204

            Process (depth 7): C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Program Files (x86)\Windows Defender\fr-FR\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe" -Force
            - Command and Scripting Interpreter: PowerShell
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1600

            Process (depth 7): C:\Program Files (x86)\Windows Defender\fr-FR\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe
            Command line: "C:\Program Files (x86)\Windows Defender\fr-FR\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID: 1988

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\sppsvc.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2764

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\System32\wbem\mpssvc\WmiPrvSE.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 2552

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Documents and Settings\explorer.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1156

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\SPInf\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1316

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\System32\ReAgent\wininit.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1308

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Admin\Music\services.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1044

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\d6b8c1db03cd0f282e1718daf0dc35cf_JaffaCakes118.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1812

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1900

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Speech\System.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1536

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\Idle.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 796

Process (depth 1): C:\Windows\system32\schtasks.exe
Command line: schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\System32\pl-PL\smss.exe'" /rl HIGHEST /f
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID: 1688
Network
MITRE ATT&CK Enterprise v15 (technique counts in parentheses)
Execution
- Command and Scripting Interpreter (1)
  - PowerShell (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Privilege Escalation
- Access Token Manipulation (1)
  - Create Process with Token (1)
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Scheduled Task/Job (1)
  - Scheduled Task (1)
Defense Evasion
- Access Token Manipulation (1)
  - Create Process with Token (1)
- Impair Defenses (3)
  - Disable or Modify Tools (3)
- Modify Registry (4)
Downloads
Filesize: 300B
MD5: 39e6786f831dab14d07e5ddbe464a059
SHA1: 395f61afb0b4bdb2bc2e798e39a08f797cd75d4e
SHA256: 707c60a0ebfd2884fa885f8afb207953641d8123555abf155740bd39c4866414
SHA512: 11fb938740ec06cf7eef6414e8ab8dd367774cc54009ce9414b1f028d121903905e233f45421959b62d9318c6bde9505279ad69abbc745526c8e05074a6cdf10

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I20ZG91OG6TH8K1AVXTX.temp
Filesize: 7KB
MD5: 261062452305fbfb44532c770f7cd786
SHA1: 27b1f51ee19c7abacfc9b9cfcb2ff4255cd979b8
SHA256: d3c14068bfeb4ee594b0cdc2ac30090bc1a8bafc9dd4688323ffc2f7b813bb0b
SHA512: fbc2abd979614b7add2dd9b86959d39f58ddd94e075e602503256505889600373522ebc1bd17f7add297347261ad44272e0f1e06f037909b16c4acc637d39c59

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: e9cd4cf1cbce03e34c39b5454d5f23a8
SHA1: 8430025928800e337a337307d97ea2023895e5bd
SHA256: 6e61bfa00773fefad46bf80f053178021c36d2022c7e7e2a35436f053569b98f
SHA512: ce2dba0e2c4ec37c82f416936c09efdc47737dbae31ca3e25664e35849fd527edd44d23855f4be294f4d69eab0100ed20b1c936dc6a8adf3787c201783c1c6e6

Filesize: 978KB
MD5: d6b8c1db03cd0f282e1718daf0dc35cf
SHA1: 33435de2eb5be3e242bc75d3c6722e6e1a9b866c
SHA256: 7849b02c1912451ca4703361443e161953750e9783ee237985db9cafaff76c04
SHA512: fa8bc7754009e447c1a87bd1e8183e5138eb2a637a6a3853f546af48a3564522b634341f2ed09117048f549953010c7fc4d67a72194121e23171f5f3f8746c27

Filesize: 88KB
MD5: 17fc12902f4769af3a9271eb4e2dacce
SHA1: 9a4a1581cc3971579574f837e110f3bd6d529dab
SHA256: 29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b
SHA512: 036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a