Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-12-2024 05:22

Static task: static1

Behavioral task: behavioral1
  Sample: f78185d7e35f70d1e9ae88545cfbb3b8_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: f78185d7e35f70d1e9ae88545cfbb3b8_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General

Target: f78185d7e35f70d1e9ae88545cfbb3b8_JaffaCakes118.exe
Size: 914KB
MD5: f78185d7e35f70d1e9ae88545cfbb3b8
SHA1: 07308ea95155535301d9d8b33f0dd4ce3485704e
SHA256: 848aaaf10168fe96c7ce4a7b836c92f6eacaa059f479da357975e5d5252e1536
SHA512: 21a7bf00a56afff3f95e6af9ab8c6421035dbd13103db2678f3edefd3db169fb28de3a62c4fe460dfe0f940bfbe3e41021f58d3a75e8843201b86c94721d8502
SSDEEP: 24576:Xh6XqAaeKch19xKNoTjJubG8vQDPbxZEJNyssWwcQKL:eqAaeKch19xKNoTl+G8vQjbkUssWwQL
Malware Config

Signatures

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

Modifies firewall policy service (3 TTPs, 4 IoCs)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List (NvTaskbarInh.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (NvTaskbarInh.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications (NvTaskbarInh.exe)
- Set value (str): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\NvTaskbarInh.exe = "C:\\Windows\\system32\\NvTaskbarInh.exe:*:Enabled:Explorer" (NvTaskbarInh.exe)

Modiloader family

UAC bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (NvTaskbarInh.exe)

Windows security bypass
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "1" (NvTaskbarInh.exe)
ModiLoader Second Stage (13 IoCs)
Resource / YARA rule:
- behavioral2/memory/5040-57-0x0000000000400000-0x000000000042C000-memory.dmp: modiloader_stage2
- behavioral2/memory/5040-64-0x0000000000400000-0x000000000042C000-memory.dmp: modiloader_stage2
- behavioral2/memory/5040-62-0x0000000000400000-0x000000000042C000-memory.dmp: modiloader_stage2
- behavioral2/memory/5040-60-0x0000000000400000-0x000000000042C000-memory.dmp: modiloader_stage2
- behavioral2/memory/5040-58-0x0000000000400000-0x000000000042C000-memory.dmp: modiloader_stage2
- behavioral2/memory/5040-68-0x0000000000400000-0x000000000042C000-memory.dmp: modiloader_stage2
- behavioral2/memory/5040-69-0x0000000000400000-0x000000000042C000-memory.dmp: modiloader_stage2
- behavioral2/memory/5040-71-0x0000000000400000-0x000000000042C000-memory.dmp: modiloader_stage2
- behavioral2/memory/5040-72-0x0000000000400000-0x000000000042C000-memory.dmp: modiloader_stage2
- behavioral2/memory/5040-107-0x0000000000400000-0x000000000042C000-memory.dmp: modiloader_stage2
- behavioral2/memory/3340-123-0x0000000000400000-0x000000000042C000-memory.dmp: modiloader_stage2
- behavioral2/memory/3340-125-0x0000000000400000-0x000000000042C000-memory.dmp: modiloader_stage2
- behavioral2/memory/3340-124-0x0000000000400000-0x000000000042C000-memory.dmp: modiloader_stage2
Adds policy Run key to start application (2 TTPs, 2 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\IDT PC Audio = "C:\\Windows\\statcvs.exe" (statcvs.exe)
- Key created: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (statcvs.exe)
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N5DKJK5H-5XG7-8421-4V52-B1QQ0LF833CU} (statcvs.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{N5DKJK5H-5XG7-8421-4V52-B1QQ0LF833CU}\StubPath = "\"C:\\Windows\\statcvs.exe\"" (statcvs.exe)
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
- Key value queried: \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation (statcvs.exe)
Executes dropped EXE (8 IoCs)
PID / Process:
- 1020 CWBUITSK.EXE
- 4676 NvTaskbarInh.exe
- 3384 NvTaskbarInh.exe
- 1640 statcvs.exe
- 1900 foxit.exe
- 5040 statcvs.exe
- 888 statcvs.exe
- 3340 statcvs.exe
Loads dropped DLL (2 IoCs)
PID / Process:
- 4424 rundll32.exe
- 3892 rundll32.exe

Windows security modification
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UACDisableNotify = "1" (NvTaskbarInh.exe)
Adds Run key to start application (2 TTPs, 4 IoCs)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aluwan = "rundll32.exe \"C:\\Users\\Admin\\AppData\\Local\\d3dosar.dll\",Startup" (rundll32.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IDT PC Audio = "C:\\Windows\\statcvs.exe" (statcvs.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (f78185d7e35f70d1e9ae88545cfbb3b8_JaffaCakes118.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nvidia Control Center3 = "C:\\Windows\\system32\\NvTaskbarInh.exe" (NvTaskbarInh.exe)

Checks whether UAC is enabled
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (NvTaskbarInh.exe)
Enumerates connected drives (3 TTPs, 20 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\J: (NvTaskbarInh.exe)
- File opened (read-only): \??\S: (NvTaskbarInh.exe)
- File opened (read-only): \??\W: (NvTaskbarInh.exe)
- File opened (read-only): \??\X: (NvTaskbarInh.exe)
- File opened (read-only): \??\E: (NvTaskbarInh.exe)
- File opened (read-only): \??\K: (NvTaskbarInh.exe)
- File opened (read-only): \??\L: (NvTaskbarInh.exe)
- File opened (read-only): \??\Q: (NvTaskbarInh.exe)
- File opened (read-only): \??\N: (NvTaskbarInh.exe)
- File opened (read-only): \??\U: (NvTaskbarInh.exe)
- File opened (read-only): \??\Y: (NvTaskbarInh.exe)
- File opened (read-only): \??\G: (NvTaskbarInh.exe)
- File opened (read-only): \??\H: (NvTaskbarInh.exe)
- File opened (read-only): \??\I: (NvTaskbarInh.exe)
- File opened (read-only): \??\M: (NvTaskbarInh.exe)
- File opened (read-only): \??\V: (NvTaskbarInh.exe)
- File opened (read-only): \??\O: (NvTaskbarInh.exe)
- File opened (read-only): \??\P: (NvTaskbarInh.exe)
- File opened (read-only): \??\R: (NvTaskbarInh.exe)
- File opened (read-only): \??\T: (NvTaskbarInh.exe)
Drops file in System32 directory (4 IoCs)
- File opened for modification: C:\Windows\SysWOW64\NvTaskbarInh.exe (NvTaskbarInh.exe)
- File created: C:\Windows\SysWOW64\NvTaskbarInh.exe (NvTaskbarInh.exe)
- File created: C:\Windows\SysWOW64\statcvs.exe (NvTaskbarInh.exe)
- File created: C:\Windows\SysWOW64\foxit.exe (NvTaskbarInh.exe)
Suspicious use of SetThreadContext (3 IoCs)
- PID 4676 (NvTaskbarInh.exe) set thread context of PID 3384 (procid_target 87)
- PID 1640 (statcvs.exe) set thread context of PID 5040 (procid_target 101)
- PID 888 (statcvs.exe) set thread context of PID 3340 (procid_target 103)
Drops file in Program Files directory (64 IoCs)
- File created: C:\program files\grokster\my grokster\Windows XP PRO Corp SP3 valid-key generator.exe (NvTaskbarInh.exe)
- File created: C:\program files\grokster\my grokster\Starcraft2 battle.net key generator.exe (NvTaskbarInh.exe)
- File created: C:\program files\tesla\files\Adobe Acrobat Reader keygen.exe (NvTaskbarInh.exe)
- File created: C:\program files\tesla\files\VmWare keygen.exe (NvTaskbarInh.exe)
- File created: C:\program files\winmx\shared\Internet Download Manager V5.exe (NvTaskbarInh.exe)
- File created: C:\program files\icq\shared folder\Blaze DVD Player Pro v6.52.exe (NvTaskbarInh.exe)
- File created: C:\program files\icq\shared folder\Adobe Acrobat Reader keygen.exe (NvTaskbarInh.exe)
- File created: C:\program files\icq\shared folder\Tuneup Ultilities 2010.exe (NvTaskbarInh.exe)
- File created: C:\program files\grokster\my grokster\Myspace theme collection.exe (NvTaskbarInh.exe)
- File created: C:\program files\morpheus\my shared folder\Windows 2008 Enterprise Server VMWare Virtual Machine.exe (NvTaskbarInh.exe)
- File created: C:\program files\morpheus\my shared folder\DVD Tools Nero 10.5.6.0.exe (NvTaskbarInh.exe)
- File created: C:\program files\emule\incoming\Trojan Killer v2.9.4173.exe (NvTaskbarInh.exe)
- File created: C:\program files\morpheus\my shared folder\CleanMyPC Registry Cleaner v6.02.exe (NvTaskbarInh.exe)
- File created: C:\program files\morpheus\my shared folder\Sony Vegas Pro v9.0a incl crack.exe (NvTaskbarInh.exe)
- File created: C:\program files\winmx\shared\Adobe Acrobat Reader keygen.exe (NvTaskbarInh.exe)
- File created: C:\program files\grokster\my grokster\Adobe Acrobat Reader keygen.exe (NvTaskbarInh.exe)
- File created: C:\program files\morpheus\my shared folder\Myspace theme collection.exe (NvTaskbarInh.exe)
- File created: C:\program files\limewire\shared\Image Size Reducer Pro v1.0.1.exe (NvTaskbarInh.exe)
- File created: C:\program files\icq\shared folder\Rapidshare Auto Downloader 3.8.exe (NvTaskbarInh.exe)
- File created: C:\program files\icq\shared folder\Adobe Photoshop CS5 crack.exe (NvTaskbarInh.exe)
- File created: C:\program files\tesla\files\RapidShare Killer AIO 2010.exe (NvTaskbarInh.exe)
- File created: C:\program files\emule\incoming\RapidShare Killer AIO 2010.exe (NvTaskbarInh.exe)
- File created: C:\program files\tesla\files\Twitter FriendAdder 2.1.1.exe (NvTaskbarInh.exe)
- File created: C:\program files\winmx\shared\VmWare 7.0 keygen.exe (NvTaskbarInh.exe)
- File created: C:\program files\winmx\shared\Daemon Tools Pro 4.50.exe (NvTaskbarInh.exe)
- File created: C:\program files\winmx\shared\Winamp.Pro.v7.33.PowerPack.Portable+installer.exe (NvTaskbarInh.exe)
- File created: C:\program files\icq\shared folder\Kaspersky AntiVirus 2010 crack.exe (NvTaskbarInh.exe)
- File created: C:\program files\morpheus\my shared folder\PDF-XChange Pro.exe (NvTaskbarInh.exe)
- File created: C:\program files\limewire\shared\Kaspersky AntiVirus 2010 crack.exe (NvTaskbarInh.exe)
- File created: C:\program files\tesla\files\Norton Internet Security 2010 crack.exe (NvTaskbarInh.exe)
- File created: C:\program files\winmx\shared\AVS Video Converter v6.3.1.365 CRACKED.exe (NvTaskbarInh.exe)
- File created: C:\program files\winmx\shared\Windows 2008 Enterprise Server VMWare Virtual Machine.exe (NvTaskbarInh.exe)
- File created: C:\program files\icq\shared folder\K-Lite Mega Codec v5.5.1.exe (NvTaskbarInh.exe)
- File created: C:\program files\icq\shared folder\AVS Video Converter v6.3.1.365 CRACKED.exe (NvTaskbarInh.exe)
- File created: C:\program files\emule\incoming\Total Commander7 license+keygen.exe (NvTaskbarInh.exe)
- File created: C:\program files\morpheus\my shared folder\Youtube Music Downloader 1.0.exe (NvTaskbarInh.exe)
- File created: C:\program files\morpheus\my shared folder\Download Accelerator Plus v9.exe (NvTaskbarInh.exe)
- File created: C:\program files\morpheus\my shared folder\Alcohol 120 v1.9.7.exe (NvTaskbarInh.exe)
- File created: C:\program files\tesla\files\Image Size Reducer Pro v1.0.1.exe (NvTaskbarInh.exe)
- File created: C:\program files\winmx\shared\Rapidshare Auto Downloader 3.8.exe (NvTaskbarInh.exe)
- File created: C:\program files\limewire\shared\Motorola, nokia, ericsson mobil phone tools.exe (NvTaskbarInh.exe)
- File created: C:\program files\limewire\shared\CleanMyPC Registry Cleaner v6.02.exe (NvTaskbarInh.exe)
- File created: C:\program files\grokster\my grokster\Power ISO v4.2 + keygen axxo.exe (NvTaskbarInh.exe)
- File created: C:\program files\limewire\shared\LimeWire Pro v4.18.3.exe (NvTaskbarInh.exe)
- File created: C:\program files\winmx\shared\Ad-aware 2010.exe (NvTaskbarInh.exe)
- File created: C:\program files\emule\incoming\G-Force Platinum v3.7.5.exe (NvTaskbarInh.exe)
- File created: C:\program files\tesla\files\Ashampoo Snap 3.02.exe (NvTaskbarInh.exe)
- File created: C:\program files\grokster\my grokster\PDF to Word Converter 3.0.exe (NvTaskbarInh.exe)
- File created: C:\program files\grokster\my grokster\DVD Tools Nero 10.5.6.0.exe (NvTaskbarInh.exe)
- File created: C:\program files\morpheus\my shared folder\Starcraft2 REGION-UNLOCKER.exe (NvTaskbarInh.exe)
- File created: C:\program files\tesla\files\Google SketchUp 7.1 Pro.exe (NvTaskbarInh.exe)
- File created: C:\program files\tesla\files\Total Commander7 license+keygen.exe (NvTaskbarInh.exe)
- File created: C:\program files\emule\incoming\WinRAR v3.x keygen RaZoR.exe (NvTaskbarInh.exe)
- File created: C:\program files\emule\incoming\Starcraft2 REGION-UNLOCKER.exe (NvTaskbarInh.exe)
- File created: C:\program files\emule\incoming\AVS Video Converter v6.3.1.365 CRACKED.exe (NvTaskbarInh.exe)
- File created: C:\program files\morpheus\my shared folder\VmWare 7.0 keygen.exe (NvTaskbarInh.exe)
- File created: C:\program files\limewire\shared\Power ISO v4.2 + keygen axxo.exe (NvTaskbarInh.exe)
- File created: C:\program files\winmx\shared\Twitter FriendAdder 2.1.1.exe (NvTaskbarInh.exe)
- File created: C:\program files\tesla\files\YouTubeGet 5.4.exe (NvTaskbarInh.exe)
- File created: C:\program files\icq\shared folder\Motorola, nokia, ericsson mobil phone tools.exe (NvTaskbarInh.exe)
- File created: C:\program files\grokster\my grokster\Windows 7 Ultimate keygen.exe (NvTaskbarInh.exe)
- File created: C:\program files\grokster\my grokster\AVS Video Converter v6.3.1.365 CRACKED.exe (NvTaskbarInh.exe)
- File created: C:\program files\emule\incoming\Microsoft.Windows 7 ULTIMATE FINAL activator+keygen x86.exe (NvTaskbarInh.exe)
- File created: C:\program files\emule\incoming\Starcraft2 battle.net keys.txt.exe (NvTaskbarInh.exe)
Drops file in Windows directory (2 IoCs)
- File created: C:\Windows\statcvs.exe (statcvs.exe)
- File opened for modification: C:\Windows\statcvs.exe (statcvs.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (NvTaskbarInh.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (NvTaskbarInh.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (foxit.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (f78185d7e35f70d1e9ae88545cfbb3b8_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (statcvs.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (statcvs.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (statcvs.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (statcvs.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (rundll32.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (CWBUITSK.EXE)
Modifies registry class (1 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (statcvs.exe)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID / Process:
- 3384 NvTaskbarInh.exe (64 identical entries)
Suspicious use of WriteProcessMemory (64 IoCs)
Unique source/target pairs, with the number of identical entries for each:
- PID 1648 (f78185d7e35f70d1e9ae88545cfbb3b8_JaffaCakes118.exe) wrote to memory of PID 1020 (procid_target 83): 3 entries
- PID 1648 (f78185d7e35f70d1e9ae88545cfbb3b8_JaffaCakes118.exe) wrote to memory of PID 4676 (procid_target 84): 3 entries
- PID 4676 (NvTaskbarInh.exe) wrote to memory of PID 3384 (procid_target 87): 11 entries
- PID 3384 (NvTaskbarInh.exe) wrote to memory of PID 1640 (procid_target 94): 3 entries
- PID 3384 (NvTaskbarInh.exe) wrote to memory of PID 1900 (procid_target 95): 3 entries
- PID 1900 (foxit.exe) wrote to memory of PID 4424 (procid_target 97): 3 entries
- PID 1640 (statcvs.exe) wrote to memory of PID 5040 (procid_target 101): 13 entries
- PID 5040 (statcvs.exe) wrote to memory of PID 888 (procid_target 102): 3 entries
- PID 888 (statcvs.exe) wrote to memory of PID 3340 (procid_target 103): 13 entries
- PID 3340 (statcvs.exe) wrote to memory of PID 4584 (procid_target 104): 9 entries
System policy modification (1 TTPs, 1 IoCs)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (NvTaskbarInh.exe)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\f78185d7e35f70d1e9ae88545cfbb3b8_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f78185d7e35f70d1e9ae88545cfbb3b8_JaffaCakes118.exe"
  PID: 1648
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CWBUITSK.EXE
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CWBUITSK.EXE
    PID: 1020
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NvTaskbarInh.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NvTaskbarInh.exe
    PID: 4676
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NvTaskbarInh.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\NvTaskbarInh.exe"
      PID: 3384
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification

      [4] C:\Windows\SysWOW64\statcvs.exe
        Command line: "C:\Windows\system32\statcvs.exe"
        PID: 1640
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\statcvs.exe
          Command line: "C:\Windows\SysWOW64\statcvs.exe"
          PID: 5040
          - Checks computer location settings
          - Executes dropped EXE
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Modifies registry class
          - Suspicious use of WriteProcessMemory

          [6] C:\Windows\statcvs.exe
            Command line: "C:\Windows\statcvs.exe"
            PID: 888
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            [7] C:\Windows\statcvs.exe
              Command line: "C:\Windows\statcvs.exe"
              PID: 3340
              - Adds policy Run key to start application
              - Boot or Logon Autostart Execution: Active Setup
              - Executes dropped EXE
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

              [8] C:\Program Files\Internet Explorer\iexplore.exe
                Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
                PID: 4584

      [4] C:\Windows\SysWOW64\foxit.exe
        Command line: "C:\Windows\system32\foxit.exe"
        PID: 1900
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\rundll32.exe
          Command line: rundll32.exe "C:\Users\Admin\AppData\Local\d3dosar.dll",Startup
          PID: 4424
          - Loads dropped DLL
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery

          [6] C:\Windows\SysWOW64\rundll32.exe
            Command line: rundll32.exe "C:\Users\Admin\AppData\Local\d3dosar.dll",iep
            PID: 3892
            - Loads dropped DLL
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Active Setup (1)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (8)
Downloads