Analysis
max time kernel: 150s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 16-12-2024 00:49
Static task: static1
Behavioral task: behavioral1
Sample: f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
Size: 672KB
MD5: f6851d3106481744b99132d5d47f7098
SHA1: 3904070d2e59a51b9aefedd3b9ac9bc7b0808f92
SHA256: 21107ad941129c46c1e8bacedc1abb8a34308f00b5b4960ba496c1415046e957
SHA512: 9ea022e42689f4f777e72d7afb8f353c1657dd1a786feea58d0b68f6c92c5ec45a872aa3ea3e2844f8c75deda5e9ac03d5e7439328a927b42d461d7a500f722a
SSDEEP: 12288:seBNUbTVO86UqHcyB53eEYRbA1F8eKEa6Nmz7wSR8YEst/:sJIUqHrB5ZeM1jNmz7wSNl
Malware Config
Signatures
-
Disables taskbar notifications via registry modification
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000\EnableNotifications = "0" alg.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-3756129449-3121373848-4276368241-1000 alg.exe
-
Executes dropped EXE 8 IoCs
pid Process
- 532 alg.exe
- 3356 DiagnosticsHub.StandardCollector.Service.exe
- 888 fxssvc.exe
- 4856 elevation_service.exe
- 396 elevation_service.exe
- 3584 maintenanceservice.exe
- 992 msdtc.exe
- 4036 msiexec.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 42 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 64 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description ioc Process
- File opened for modification \??\c:\windows\servicing\trustedinstaller.exe f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
- File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
- File opened for modification \??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe alg.exe
- File opened for modification C:\Windows\DtcInstall.log msdtc.exe
-
Modifies data under HKEY_USERS 5 IoCs
description ioc Process
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider" fxssvc.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension" fxssvc.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail" fxssvc.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder" fxssvc.exe
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print" fxssvc.exe
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
pid Process
- 532 alg.exe
-
Suspicious behavior: LoadsDriver 2 IoCs
pid Process
- 656 Process not Found
- 656 Process not Found
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process
- Token: SeTakeOwnershipPrivilege 4608 f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
- Token: SeAuditPrivilege 888 fxssvc.exe
- Token: SeTakeOwnershipPrivilege 532 alg.exe
- Token: SeSecurityPrivilege 4036 msiexec.exe
-
System policy modification 1 TTPs 2 IoCs
description ioc Process
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" alg.exe
- Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer alg.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\f6851d3106481744b99132d5d47f7098_JaffaCakes118.exe"
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4608
-
C:\Windows\System32\alg.exe
Command line: C:\Windows\System32\alg.exe
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:532
-
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
Command line: C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
- Executes dropped EXE
PID:3356
-
C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
PID:3272
-
C:\Windows\system32\fxssvc.exe
Command line: C:\Windows\system32\fxssvc.exe
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:888
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
Command line: "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
- Executes dropped EXE
PID:4856
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
- Executes dropped EXE
PID:396
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
Command line: "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
- Executes dropped EXE
PID:3584
-
C:\Windows\System32\msdtc.exe
Command line: C:\Windows\System32\msdtc.exe
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:992
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4036
Network
MITRE ATT&CK Enterprise v15
Downloads