Analysis
- max time kernel: 150s
- max time network: 146s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 11/12/2024, 02:09
Behavioral task: behavioral1
- Sample: df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
- Resource: win7-20240708-en
General
- Target: df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
- Size: 684KB
- MD5: df79f1fe2a4c23d2841dee29e264a376
- SHA1: 7ff3fe1fecb0e4dfb03cdfc46d3b64a952146180
- SHA256: 93f0db4969baf8887c4f2336109b53cb0477dfcfde43364b9fd64441ef42bb09
- SHA512: b016d2ac37f7cd6d2333dc35181658464dc2974c8c59ac95f6c2b498e5604138c3376b2a4fdf1e116755c0d9584b924bfb5cd4ac23f89259aeb868fcc21a3ddd
- SSDEEP: 12288:aj+AbsdYfNIvK5B+DWyzPtMs484wSeCi/f5ZntMreOKjP36Iy:6XJ2iyxVnki3tM6OX
Signatures
Cycbot family
Detects Cycbot payload (3 IoCs)
Cycbot is a backdoor and trojan written in C++.
- behavioral1/memory/1868-103-0x0000000000400000-0x000000000044C000-memory.dmp: yara rule family_cycbot
- behavioral1/memory/1780-176-0x0000000000400000-0x000000000044C000-memory.dmp: yara rule family_cycbot
- behavioral1/memory/1728-177-0x0000000000400000-0x000000000044C000-memory.dmp: yara rule family_cycbot
Modifies security service (2 TTPs, 1 IoC)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" (bchost.exe)
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (yA6npPl9.exe)
- Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" (mooigud.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoC)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Active Setup\Installed Components (explorer.exe)
Disables taskbar notifications via registry modification
Deletes itself (1 IoC)
- PID 2044 cmd.exe
Executes dropped EXE (10 IoCs)
- PID 2684 yA6npPl9.exe
- PID 2664 mooigud.exe
- PID 1324 achost.exe
- PID 2292 achost.exe
- PID 1728 bchost.exe
- PID 1868 bchost.exe
- PID 1780 bchost.exe
- PID 2156 cchost.exe
- PID 1316 dchost.exe
- PID 336 csrss.exe
Loads dropped DLL (12 IoCs)
- PID 2660 df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
- PID 2660 df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
- PID 2684 yA6npPl9.exe
- PID 2684 yA6npPl9.exe
- PID 2660 df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
- PID 2660 df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
- PID 2660 df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
- PID 2660 df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
- PID 2660 df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
- PID 2660 df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
- PID 2660 df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
- PID 2660 df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 52 IoCs)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /J" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /e" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /Z" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /R" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /H" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /V" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /U" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /f" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /B" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /y" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /M" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /b" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /x" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /i" (mooigud.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\C47.exe = "C:\\Program Files (x86)\\Internet Explorer\\D3A5\\C47.exe" (bchost.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /w" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /O" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /A" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /E" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /C" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /L" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /o" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /p" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /S" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /s" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /l" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /v" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /Y" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /j" (yA6npPl9.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /I" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /j" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /h" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /k" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /n" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /m" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /d" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /g" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /X" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /z" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /N" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /D" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /t" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /q" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /Q" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /F" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /T" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /P" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /a" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /K" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /c" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /r" (mooigud.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\mooigud = "C:\\Users\\Admin\\mooigud.exe /W" (mooigud.exe)
Drops desktop.ini file(s) (2 IoCs)
- File created \systemroot\assembly\GAC_64\Desktop.ini (csrss.exe)
- File created \systemroot\assembly\GAC_32\Desktop.ini (csrss.exe)
Enumerates processes with tasklist (1 TTPs, 2 IoCs)
- PID 3028 tasklist.exe
- PID 1052 tasklist.exe
Suspicious use of SetThreadContext (3 IoCs)
- PID 2432 set thread context of 2660 (df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe, procid_target 30)
- PID 1324 set thread context of 2292 (achost.exe, procid_target 38)
- PID 2156 set thread context of 592 (cchost.exe, procid_target 47)
YARA rule matches: upx (10 IoCs)
- behavioral1/memory/2432-0-0x0000000000400000-0x0000000000430000-memory.dmp: upx
- behavioral1/memory/2432-1-0x0000000000230000-0x0000000000260000-memory.dmp: upx
- behavioral1/memory/2432-17-0x0000000000400000-0x0000000000430000-memory.dmp: upx
- behavioral1/files/0x0008000000015d29-47.dat: upx
- behavioral1/memory/1324-56-0x0000000000400000-0x000000000042E000-memory.dmp: upx
- behavioral1/memory/2660-54-0x00000000002C0000-0x00000000002EE000-memory.dmp: upx
- behavioral1/memory/1324-79-0x0000000000400000-0x000000000042E000-memory.dmp: upx
- behavioral1/memory/1868-103-0x0000000000400000-0x000000000044C000-memory.dmp: upx
- behavioral1/memory/1780-176-0x0000000000400000-0x000000000044C000-memory.dmp: upx
- behavioral1/memory/1728-177-0x0000000000400000-0x000000000044C000-memory.dmp: upx
Drops file in Program Files directory (2 IoCs)
- File created C:\Program Files (x86)\Internet Explorer\D3A5\C47.exe (bchost.exe)
- File opened for modification C:\Program Files (x86)\Internet Explorer\D3A5\C47.exe (bchost.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 14 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process (14 rows): cchost.exe, tasklist.exe, cmd.exe, bchost.exe, bchost.exe, tasklist.exe, df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe, yA6npPl9.exe, mooigud.exe, cmd.exe, df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe, achost.exe, dchost.exe, bchost.exe
Modifies registry class (8 IoCs)
- Key created \registry\machine\Software\Classes\Interface\{07ff6090-7824-f88b-387c-b3a0a15df8b0} (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07ff6090-7824-f88b-387c-b3a0a15df8b0}\u = "860049491" (explorer.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{07ff6090-7824-f88b-387c-b3a0a15df8b0}\cid = "2587820510208330626" (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell (explorer.exe)
- Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU (explorer.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots (explorer.exe)
- Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff (explorer.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 2752 explorer.exe
Suspicious use of AdjustPrivilegeToken (15 IoCs)
- Token: SeDebugPrivilege, PID 3028 tasklist.exe
- Token: SeShutdownPrivilege, PID 2752 explorer.exe
- Token: SeShutdownPrivilege, PID 2752 explorer.exe
- Token: SeShutdownPrivilege, PID 2752 explorer.exe
- Token: SeShutdownPrivilege, PID 2752 explorer.exe
- Token: SeShutdownPrivilege, PID 2752 explorer.exe
- Token: SeShutdownPrivilege, PID 2752 explorer.exe
- Token: SeShutdownPrivilege, PID 2752 explorer.exe
- Token: SeShutdownPrivilege, PID 2752 explorer.exe
- Token: SeShutdownPrivilege, PID 2752 explorer.exe
- Token: SeShutdownPrivilege, PID 2752 explorer.exe
- Token: SeDebugPrivilege, PID 592 explorer.exe
- Token: SeShutdownPrivilege, PID 2752 explorer.exe
- Token: SeShutdownPrivilege, PID 2752 explorer.exe
- Token: SeDebugPrivilege, PID 1052 tasklist.exe
Suspicious use of FindShellTrayWindow (28 IoCs)
Suspicious use of SendNotifyMessage (22 IoCs)
Suspicious use of SetWindowsHookEx (4 IoCs)
- PID 2660 df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
- PID 2684 yA6npPl9.exe
- PID 2664 mooigud.exe
- PID 1316 dchost.exe
Suspicious use of UnmapMainImage (1 IoC)
- PID 336 csrss.exe
Suspicious use of WriteProcessMemory (64 IoCs)
System policy modification (1 TTPs, 2 IoCs)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (bchost.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" (bchost.exe)
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Windows\system32\csrss.exe (PID 336)
  Command line: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
  Signatures: Executes dropped EXE; Drops desktop.ini file(s); Suspicious use of UnmapMainImage
- C:\Windows\system32\svchost.exe (PID 848)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs
- C:\Users\Admin\AppData\Local\Temp\df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe (PID 2432)
  Command line: "C:\Users\Admin\AppData\Local\Temp\df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe"
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe (PID 2660)
    Command line: df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\yA6npPl9.exe (PID 2684)
      Command line: C:\Users\Admin\yA6npPl9.exe
      Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Loads dropped DLL; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\mooigud.exe (PID 2664)
        Command line: "C:\Users\Admin\mooigud.exe"
        Signatures: Modifies visibility of hidden/system files in Explorer; Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx
      - C:\Windows\SysWOW64\cmd.exe (PID 2624)
        Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del yA6npPl9.exe
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\tasklist.exe (PID 3028)
          Command line: tasklist
          Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\achost.exe (PID 1324)
      Command line: C:\Users\Admin\achost.exe
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\achost.exe (PID 2292)
        Command line: achost.exe
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
    - C:\Users\Admin\bchost.exe (PID 1728)
      Command line: C:\Users\Admin\bchost.exe
      Signatures: Modifies security service; Executes dropped EXE; Adds Run key to start application; Drops file in Program Files directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Users\Admin\bchost.exe (PID 1868)
        Command line: C:\Users\Admin\bchost.exe startC:\Users\Admin\AppData\Roaming\582B9\1DED3.exe%C:\Users\Admin\AppData\Roaming\582B9
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
      - C:\Users\Admin\bchost.exe (PID 1780)
        Command line: C:\Users\Admin\bchost.exe startC:\Program Files (x86)\B90A0\lvvm.exe%C:\Program Files (x86)\B90A0
        Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery
    - C:\Users\Admin\cchost.exe (PID 2156)
      Command line: C:\Users\Admin\cchost.exe
      Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\explorer.exe (PID 592)
        Command line: 0000005C*
        Signatures: Modifies registry class; Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\dchost.exe (PID 1316)
      Command line: C:\Users\Admin\dchost.exe
      Signatures: Executes dropped EXE; System Location Discovery: System Language Discovery; Suspicious use of SetWindowsHookEx
    - C:\Windows\SysWOW64\cmd.exe (PID 2044)
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del df79f1fe2a4c23d2841dee29e264a376_JaffaCakes118.exe
      Signatures: Deletes itself; System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\tasklist.exe (PID 1052)
        Command line: tasklist
        Signatures: Enumerates processes with tasklist; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Windows\explorer.exe (PID 2752)
  Command line: explorer.exe
  Signatures: Boot or Logon Autostart Execution: Active Setup; Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (5)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads