Analysis
max time kernel: 22s
max time network: 138s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-12-2024 06:10
Static task: static1
Behavioral task: behavioral1
  Sample: fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
The signatures and process tree below come from the behavioral2 run (Windows 10 2004 x64); every memory-dump resource referenced in the yara hits is prefixed behavioral2/.
General
Target: fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Size: 951KB
MD5: fa678b54bc6dc42ca74ab104203475fe
SHA1: 151df3753808b3d44b5a5255c820c8b928658c1c
SHA256: 38e98d7bea3c4297e939f8940dc3c2855caecea427156dbe001ea43d03d4a947
SHA512: e893d49a446900fbfda12b1a2540a478132db22214fa849e3d95b7b6b8be6783a4e116e614fcde7afe731323492963219aec0cbd21797905ecea74af5b142af2
SSDEEP: 24576:SUFa7K4Jy/fVtktVGPrfO/WxvaXUTcLHFpSYiVtktVGPrfO/WX:jqMlSyfO/WxyXukHFISyfO/W
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | WINWORD.EXE

Sality family

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WINWORD.EXE

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | WINWORD.EXE

Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
4812 | netsh.exe
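The registry writes in the tables above, together with the net stop and netsh firewall set opmode disable commands in the process tree, are the defence-rollback step this Sality sample performs before it spreads. The following added example (detection logic written for this page, not code from the sandbox or from the sample) runs that logic over constructed Sysmon-style records: Event ID 13 SetValue records for the registry values and Event ID 1 ProcessCreate records for the commands. The record dicts, the image name sample.exe and the benign control PIDs 1234 and 999 are constructed; the value paths, data and command lines are taken from this report's IoCs. Two caveats when reusing it on real telemetry: "Automatic Updates" and "Windows Firewall/Internet Connection Sharing (ICS)" are Windows XP-era service display names that do not resolve on the Windows 10 image used here, so only the "Security Center" stop, the netsh command and the registry writes could have taken effect; and the netsh firewall context is deprecated but still accepted, which is why the rule keys on the command line rather than on a service state change.

```python
"""Detect the Security Center / firewall / UAC rollback seen in this report.

Added example, not code from the sandbox report or from the sample. Input is a
list of constructed Sysmon-style dicts (Event ID 13 SetValue and Event ID 1
ProcessCreate); field names follow Sysmon, the records are hand-written.
"""
import re

# (regex over the normalised value path, required DWORD data, rule name).
# Patterns come from the report's IoCs; \w+Profile also covers Domain/PublicProfile.
REGISTRY_RULES = [
    (r"\\FirewallPolicy\\\w+Profile\\EnableFirewall$", 0, "Windows Firewall disabled via FirewallPolicy"),
    (r"\\FirewallPolicy\\\w+Profile\\DoNotAllowExceptions$", 0, "firewall exceptions forced on via FirewallPolicy"),
    (r"\\FirewallPolicy\\\w+Profile\\DisableNotifications$", 1, "firewall notifications disabled"),
    (r"\\Policies\\System\\EnableLUA$", 0, "UAC disabled (EnableLUA=0)"),
    (r"\\Security Center\\(AntiVirus|Firewall|Updates|Uac)(DisableNotify|Override)$", 1,
     "Security Center notification/override tampering"),
]

# Service display names from the process tree (lower-cased for matching).
PROTECTIVE_SERVICES = {
    "windows firewall/internet connection sharing (ics)",  # XP-era name; absent on Windows 10
    "automatic updates",                                    # XP-era name; absent on Windows 10
    "security center",                                      # wscsvc; still present on Windows 10
}
NETSH_DISABLE = re.compile(r"^\s*(?:\S*\\)?netsh(?:\.exe)?\s+firewall\s+set\s+opmode\s+disable\b", re.I)
NET_STOP = re.compile(r'^\s*(?:\S*\\)?net1?(?:\.exe)?\s+stop\s+"?(.+?)"?\s*$', re.I)


def normalise_key(path: str) -> str:
    """Map the sandbox's \\REGISTRY\\MACHINE prefix to HKLM and drop the WOW6432Node
    redirection so 32-bit writers (as in this report) hit the same rules as 64-bit ones."""
    path = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    path = re.sub(r"^HKEY_LOCAL_MACHINE", "HKLM", path, flags=re.I)
    return path.replace("\\WOW6432Node", "")


def dword(details: str):
    """Parse Sysmon's 'DWORD (0x00000001)' or a bare integer; None for other value types."""
    m = re.fullmatch(r"DWORD \(0x([0-9A-Fa-f]{1,8})\)", details.strip())
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().lstrip("-").isdigit() else None


def detect(events):
    """Return (rule, image, pid) for every event that matches a rule above."""
    alerts = []
    for ev in events:
        if ev["EventID"] == 13 and ev.get("EventType") == "SetValue":
            target, value = normalise_key(ev["TargetObject"]), dword(ev["Details"])
            for pattern, wanted, name in REGISTRY_RULES:
                if value == wanted and re.search(pattern, target, re.I):
                    alerts.append((name, ev["Image"], ev["ProcessId"]))
        elif ev["EventID"] == 1:
            cmd = ev["CommandLine"]
            if NETSH_DISABLE.search(cmd):
                alerts.append(("legacy firewall context disabled via netsh", ev["Image"], ev["ProcessId"]))
            m = NET_STOP.match(cmd)
            if m and m.group(1).strip().lower() in PROTECTIVE_SERVICES:
                alerts.append((f"protective service stopped: {m.group(1)}", ev["Image"], ev["ProcessId"]))
    return alerts


SAMPLE_EVENTS = [  # constructed; PIDs and paths mirror the report where they exist
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 4272,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 2880,
     "Image": r"C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE",
     "TargetObject": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 4272,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "EventType": "SetValue", "ProcessId": 1234,  # benign control: firewall turned back on
     "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 1, "ProcessId": 4092, "Image": r"C:\Windows\SysWOW64\net.exe",
     "CommandLine": 'net stop "Security Center"'},
    {"EventID": 1, "ProcessId": 4616, "Image": r"C:\Windows\SysWOW64\net1.exe",
     "CommandLine": r'C:\Windows\system32\net1 stop "Automatic Updates"'},
    {"EventID": 1, "ProcessId": 4812, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": "netsh firewall set opmode disable"},
    {"EventID": 1, "ProcessId": 999, "Image": r"C:\Windows\System32\net.exe",  # benign control
     "CommandLine": "net stop spooler"},
]

if __name__ == "__main__":
    for rule, image, pid in detect(SAMPLE_EVENTS):
        print(f"[{pid}] {image}: {rule}")
```

The rules key on the value written, not just the path touched: an EnableFirewall write of 1 (the benign control above) is ignored, and the WOW6432Node fold means the 32-bit sample's Security Center writes match the same rule a 64-bit process would trigger.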
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry (Control Panel\International\Geo\Nation), likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe

Deletes itself 1 IoCs
pid | Process
2880 | WINWORD.EXE

Drops startup file 4 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.com | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.com | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.com | WINWORD.EXE
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Adobe Gamma Loader.com | services.exe

Executes dropped EXE 7 IoCs
The dropped executables live under C:\Program Files (x86)\Microsoft Office\OFFICE11\ and are named " WINWORD.EXE" (note the leading space in the file name), services.exe and smss.exe. They are distinct from the legitimate C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE (PID 3648) that the sample also launches; because the IoC tables are keyed by image name, rows attributed to "WINWORD.EXE" without a PID may belong to either the dropped copies (PIDs 2880, 2548, 332) or the genuine one.
pid | Process
2880 | WINWORD.EXE
2548 | WINWORD.EXE
1012 | services.exe
332 | WINWORD.EXE
1996 | services.exe
4820 | smss.exe
2408 | services.exe

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | WINWORD.EXE
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | WINWORD.EXE

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WINWORD.EXE

Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
File opened (read-only) | \??\E: | WINWORD.EXE
File opened (read-only) | \??\G: | WINWORD.EXE
File opened (read-only) | \??\H: | WINWORD.EXE
File opened (read-only) | \??\I: | WINWORD.EXE
File opened (read-only) | \??\J: | WINWORD.EXE

UPX packed file (yara rule upx) 25 IoCs
The rule matches the same region repeatedly across successive dumps of the sample (PID 4272) and of the dropped WINWORD.EXE (PID 2880); both regions are 0x108E000 bytes, consistent with the same unpacked payload mapped in each process.
resource | yara_rule
behavioral2/memory/4272-{1,3,4,5,6,7,8,12,15,18,46,47,64,83,95,127}-0x0000000002DA0000-0x0000000003E2E000-memory.dmp | upx
behavioral2/memory/2880-{151,153,154,155,156,157,158,159,160}-0x0000000003B30000-0x0000000004BBE000-memory.dmp | upx

Drops file in Program Files directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\remote.ini | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\ruimsbbe.dll | services.exe
File created | C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\jwiegh.dll | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\ruimsbbe.dll | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\hjwgsd.dll | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\yofc.dll | services.exe
File created | C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
File created | C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\hjwgsd.dll | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\jwiegh.dll | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\remote.ini | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\yofc.dll | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\remote.ini | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\ruimsbbe.dll | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\control.ini | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\PUB60SP.mrc | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\jwiegh.dll | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\hjwgsd.dll | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
File created | C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\Drvics32.dll | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\control.ini | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\Drvics32.dll | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\PUB60SP.mrc | services.exe
File created | C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE | services.exe
File created | C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\Drvics32.dll | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\PUB60SP.mrc | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\yofc.dll | WINWORD.EXE
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE | services.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\OFFICE11\control.ini | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
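Three of the file-drop patterns above are cheap to catch on any endpoint that logs file creation: an executable written into the per-user Startup folder (Adobe Gamma Loader.com), copies that borrow the names of core Windows binaries (services.exe, smss.exe) in a directory those binaries never live in, and a file name padded with a leading space so that " WINWORD.EXE" reads as the real thing. The following added example (written for this page, not code from the sandbox or from the sample) implements those three checks over a constructed list of (path, writing process) pairs; the suspicious paths are copied from this report, the benign control rows and the writing-process names for them are made up.

```python
"""Flag the file-drop and persistence paths seen in this report.

Added example, not code from the sandbox report or from the sample. Runs over a
constructed list of (path, writing image) pairs such as a file-create log gives;
the suspicious paths are the report's, the benign controls are constructed.
"""
import ntpath  # parses Windows paths correctly on any host OS

STARTUP_MARKER = "\\microsoft\\windows\\start menu\\programs\\startup\\"
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".dll", ".bat", ".cmd", ".vbs", ".js"}
# Windows only runs these from the system directories; anywhere else they are decoys.
SYSTEM_BINARIES = {"services.exe", "smss.exe", "csrss.exe", "wininit.exe",
                   "winlogon.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")


def triage_path(path: str) -> list:
    """Return the reasons a single created/modified path is suspicious (empty if none)."""
    findings = []
    lowered = path.lower()
    name = ntpath.basename(path)            # keeps a leading space, e.g. " WINWORD.EXE"
    ext = ntpath.splitext(name)[1].lower()
    if STARTUP_MARKER in lowered and ext in EXECUTABLE_EXTS:
        findings.append("executable dropped in Startup folder")
    if name != name.strip():
        findings.append("file name padded with whitespace to mimic " + name.strip())
    if name.strip().lower() in SYSTEM_BINARIES and not lowered.startswith(SYSTEM_DIRS):
        findings.append("system binary name outside a system directory")
    return findings


def triage(file_events):
    """Return [(path, image, findings)] for every event that trips at least one check."""
    hits = []
    for path, image in file_events:
        findings = triage_path(path)
        if findings:
            hits.append((path, image, findings))
    return hits


SAMPLE = "fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe"
OFFICE11 = r"C:\Program Files (x86)\Microsoft Office\OFFICE11"
STARTUP = r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_FILE_EVENTS = [  # constructed list; first four rows are from the report
    (STARTUP + r"\Adobe Gamma Loader.com", SAMPLE),
    (OFFICE11 + r"\ WINWORD.EXE", SAMPLE),
    (OFFICE11 + r"\services.exe", SAMPLE),
    (OFFICE11 + r"\smss.exe", "services.exe"),
    (OFFICE11 + r"\remote.ini", "services.exe"),                       # data file: no hit
    (r"C:\Windows\System32\services.exe", "TrustedInstaller.exe"),     # benign control
    (r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "OfficeClickToRun.exe"),  # benign control
    (STARTUP + r"\desktop.ini", "explorer.exe"),                       # benign control
]

if __name__ == "__main__":
    for path, image, findings in triage(SAMPLE_FILE_EVENTS):
        print(f"{image} -> {path!r}: {', '.join(findings)}")
```

The whitespace check is the one most worth keeping: it costs nothing, has no legitimate hits, and catches the masquerade regardless of which directory the decoy is dropped in.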
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It loads helper DLLs registered under HKLM\SOFTWARE\Microsoft\NetSh, which makes that key a persistence location. The three IoCs below are reads of that key (open, query, enumerate) by netsh.exe while it ran the firewall command; no write that would register a new helper DLL appears anywhere in this report.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. The same key is also opened by the net.exe, net1.exe, ping.exe and netsh.exe utilities the sample launched, so most of the 17 hits are ordinary locale lookups by built-in tools; the ones attributable to the malware are those from the sample itself and from its dropped WINWORD.EXE and services.exe copies.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe (1), net.exe (3), net1.exe (3), WINWORD.EXE (3), services.exe (3), ping.exe (3), netsh.exe (1)

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
2600 | ping.exe
2668 | ping.exe
840 | ping.exe

Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. In this run the process tree attributes this signature to the legitimate Office16 WINWORD.EXE (PID 3648), not to the dropped OFFICE11 copies.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs
As with the processor check, the process tree attributes these reads to the legitimate WINWORD.EXE (PID 3648).
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | WINWORD.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WINWORD.EXE

Modifies registry key 1 TTPs 2 IoCs
pid | Process
3868 | REG.exe
456 | REG.exe

Runs net.exe

Runs ping.exe 1 TTPs 3 IoCs
pid | Process
840 | ping.exe
2600 | ping.exe
2668 | ping.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid | Process
3648 | WINWORD.EXE
3648 | WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe (2 entries)
2880 | WINWORD.EXE (4 entries)

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe (the same entry repeated 64 times; SeDebugPrivilege is what the sample needs to open and write other processes, see the WriteProcessMemory table below)

Suspicious use of SetWindowsHookEx 11 IoCs
pid | Process
4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
2880 | WINWORD.EXE
3648 | WINWORD.EXE
3648 | WINWORD.EXE
3648 | WINWORD.EXE
2548 | WINWORD.EXE
1012 | services.exe
3648 | WINWORD.EXE
332 | WINWORD.EXE
1996 | services.exe
2408 | services.exe

Suspicious use of WriteProcessMemory 64 IoCs
The targets with a single write and a low procid_target (776 through 4440) are processes that already existed when the sample ran, including the depth-1 system processes in the tree below; the two- and three-write entries are the sample's own children at creation time. The list is capped at 64 entries and ends part-way through services.exe's writes.
description | pid | Process | procid_target | entries
PID 4272 wrote to memory of 776 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 8 | 1
PID 4272 wrote to memory of 780 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 9 | 1
PID 4272 wrote to memory of 384 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 13 | 1
PID 4272 wrote to memory of 2964 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 49 | 1
PID 4272 wrote to memory of 3000 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 50 | 1
PID 4272 wrote to memory of 692 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 52 | 1
PID 4272 wrote to memory of 3412 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 56 | 1
PID 4272 wrote to memory of 3560 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 57 | 1
PID 4272 wrote to memory of 3752 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 58 | 1
PID 4272 wrote to memory of 3844 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 59 | 1
PID 4272 wrote to memory of 3912 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 60 | 1
PID 4272 wrote to memory of 4024 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 61 | 1
PID 4272 wrote to memory of 3488 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 62 | 1
PID 4272 wrote to memory of 3408 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 74 | 1
PID 4272 wrote to memory of 2256 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 76 | 1
PID 4272 wrote to memory of 4440 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 81 | 1
PID 4272 wrote to memory of 3648 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 83 | 2
PID 4272 wrote to memory of 2108 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 84 | 3
PID 4272 wrote to memory of 2040 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 85 | 3
PID 4272 wrote to memory of 4092 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 86 | 3
PID 4272 wrote to memory of 4812 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 87 | 3
PID 4272 wrote to memory of 2880 | 4272 | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe | 89 | 3
PID 2108 wrote to memory of 4232 | 2108 | net.exe | 94 | 3
PID 4092 wrote to memory of 1732 | 4092 | net.exe | 93 | 3
PID 2040 wrote to memory of 4616 | 2040 | net.exe | 95 | 3
PID 2880 wrote to memory of 2548 | 2880 | WINWORD.EXE | 96 | 3
PID 2880 wrote to memory of 1012 | 2880 | WINWORD.EXE | 98 | 3
PID 1012 wrote to memory of 332 | 1012 | services.exe | 99 | 3
PID 1012 wrote to memory of 1996 | 1012 | services.exe | 100 | 3
PID 1012 wrote to memory of 4820 | 1012 | services.exe | 101 | 3
PID 1012 wrote to memory of 840 | 1012 | services.exe | 102 | 3
PID 1012 wrote to memory of 2668 | 1012 | services.exe | 103 | 3
PID 1012 wrote to memory of 2600 | 1012 | services.exe | 104 | 1 (list truncated at 64)
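A WriteProcessMemory log mixes two very different things: a parent writing into a child it is creating (process parameters and, for the 32-bit children here, WOW64 set-up data are copied into the new process, which is why every child in the tree shows two or three writes from its parent) and a process writing into something it did not create, which is the injection signal. The following added example (written for this page, not code from the sandbox) separates the two by joining the write log against the parent/child relationships from the process tree. The PARENT_OF map and the WRITES list are constructed from this report (a subset of the 64 rows, enough to cover every writer); the short image names are stand-ins for the full paths.

```python
"""Separate process-creation writes from injection in a WriteProcessMemory log.

Added example, not code from the sandbox report. PARENT_OF is read off the
report's process tree and WRITES is a subset of its WriteProcessMemory table;
both are constructed here for the example.
"""
from collections import Counter, defaultdict

SAMPLE = "fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe"

# child pid -> parent pid, from the process tree (subset covering every writer below).
PARENT_OF = {
    4272: 3412,                                               # sample under Explorer.EXE
    3648: 4272, 2108: 4272, 2040: 4272, 4092: 4272, 4812: 4272, 2880: 4272,
    4232: 2108, 4616: 2040, 1732: 4092,
    2548: 2880, 1012: 2880,
    332: 1012, 1996: 1012, 4820: 1012, 840: 1012,
}

# (writer pid, writer image, target pid), one tuple per logged write.
WRITES = (
    [(4272, SAMPLE, t) for t in (776, 780, 384, 2964, 3000, 692, 3412)]  # pre-existing processes
    + [(4272, SAMPLE, 3648)] * 2                                          # legitimate WINWORD.EXE child
    + [(4272, SAMPLE, t) for t in (2108, 2040, 4092, 4812, 2880) for _ in range(3)]
    + [(2880, " WINWORD.EXE", t) for t in (2548, 1012) for _ in range(3)]
    + [(1012, "services.exe", t) for t in (332, 1996, 4820, 840) for _ in range(3)]
)


def classify_writes(writes, parent_of):
    """Count writes per (writer, target) pair, split into 'child' and 'foreign' buckets.

    A write is 'child' when the tree says the writer created the target; any other
    target (including the writer's own parent, as with Explorer.EXE here) is 'foreign'.
    """
    buckets = {"child": Counter(), "foreign": Counter()}
    for writer, _image, target in writes:
        kind = "child" if parent_of.get(target) == writer else "foreign"
        buckets[kind][(writer, target)] += 1
    return buckets


def injection_targets(writes, parent_of):
    """writer pid -> sorted pids it wrote into without having created them."""
    foreign = classify_writes(writes, parent_of)["foreign"]
    out = defaultdict(list)
    for writer, target in foreign:
        out[writer].append(target)
    return {writer: sorted(targets) for writer, targets in out.items()}


if __name__ == "__main__":
    for writer, targets in injection_targets(WRITES, PARENT_OF).items():
        print(f"PID {writer} wrote into processes it did not create: {targets}")
```

On this report the only writer with foreign targets is the sample itself, and its targets are fontdrvhost.exe (twice), dwm.exe, sihost.exe, svchost.exe, taskhostw.exe and Explorer.EXE; the dropped WINWORD.EXE and services.exe only write into the children they spawn. The same join works on Sysmon Event ID 8/10 data or an EDR's cross-process event stream, provided the parent relationship comes from process-creation events rather than from the (spoofable) parent PID a process reports about itself.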
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WINWORD.EXE
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:776
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:780
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:384
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2964
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:3000
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:692
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3412
-
C:\Users\Admin\AppData\Local\Temp\fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fa678b54bc6dc42ca74ab104203475fe_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Drops startup file
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4272
    3⤵ C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
       Command line: "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
       - Checks processor information in registry
       - Enumerates system info in registry
       - Suspicious behavior: AddClipboardFormatListener
       - Suspicious use of SetWindowsHookEx
       PID:3648
    3⤵ C:\Windows\SysWOW64\net.exe
       Command line: net stop "Windows Firewall/Internet Connection Sharing (ICS)"
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       PID:2108
      4⤵ C:\Windows\SysWOW64\net1.exe
         Command line: C:\Windows\system32\net1 stop "Windows Firewall/Internet Connection Sharing (ICS)"
         - System Location Discovery: System Language Discovery
         PID:4232
    3⤵ C:\Windows\SysWOW64\net.exe
       Command line: net stop "Automatic Updates"
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       PID:2040
      4⤵ C:\Windows\SysWOW64\net1.exe
         Command line: C:\Windows\system32\net1 stop "Automatic Updates"
         - System Location Discovery: System Language Discovery
         PID:4616
    3⤵ C:\Windows\SysWOW64\net.exe
       Command line: net stop "Security Center"
       - System Location Discovery: System Language Discovery
       - Suspicious use of WriteProcessMemory
       PID:4092
      4⤵ C:\Windows\SysWOW64\net1.exe
         Command line: C:\Windows\system32\net1 stop "Security Center"
         - System Location Discovery: System Language Discovery
         PID:1732
    3⤵ C:\Windows\SysWOW64\netsh.exe
       Command line: netsh firewall set opmode disable
       - Modifies Windows Firewall
       - Event Triggered Execution: Netsh Helper DLL
       - System Location Discovery: System Language Discovery
       PID:4812
    3⤵ C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE
       Command line: "C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"
       - Modifies firewall policy service
       - UAC bypass
       - Windows security bypass
       - Deletes itself
       - Drops startup file
       - Executes dropped EXE
       - Windows security modification
       - Checks whether UAC is enabled
       - Enumerates connected drives
       - Drops file in Program Files directory
       - System Location Discovery: System Language Discovery
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory
       - System policy modification
       PID:2880
      4⤵ C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE
         Command line: "C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         PID:2548
      4⤵ C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe
         Command line: "C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"
         - Drops startup file
         - Executes dropped EXE
         - Drops file in Program Files directory
         - System Location Discovery: System Language Discovery
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         PID:1012
        5⤵ C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE
           Command line: "C:\Program Files (x86)\Microsoft Office\OFFICE11\ WINWORD.EXE"
           - Executes dropped EXE
           - System Location Discovery: System Language Discovery
           - Suspicious use of SetWindowsHookEx
           PID:332
        5⤵ C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe
           Command line: "C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"
           - Executes dropped EXE
           - System Location Discovery: System Language Discovery
           - Suspicious use of SetWindowsHookEx
           PID:1996
        5⤵ C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe
           Command line: "C:\Program Files (x86)\Microsoft Office\OFFICE11\smss.exe"
           - Executes dropped EXE
           PID:4820
        5⤵ C:\Windows\SysWOW64\ping.exe
           Command line: ping www.putera.com -t -l 3000
           - System Location Discovery: System Language Discovery
           - System Network Configuration Discovery: Internet Connection Discovery
           - Runs ping.exe
           PID:840
          6⤵ C:\Windows\System32\Conhost.exe
             Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
             PID:3528
        5⤵ C:\Windows\SysWOW64\ping.exe
           Command line: ping www.tourism.gov.my -t -l 3000
           - System Location Discovery: System Language Discovery
           - System Network Configuration Discovery: Internet Connection Discovery
           - Runs ping.exe
           PID:2668
          6⤵ C:\Windows\System32\Conhost.exe
             Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
             PID:3476
        5⤵ C:\Windows\SysWOW64\ping.exe
           Command line: ping www.miti.gov.my -t -l 3000
           - System Location Discovery: System Language Discovery
           - System Network Configuration Discovery: Internet Connection Discovery
           - Runs ping.exe
           PID:2600
          6⤵ C:\Windows\System32\Conhost.exe
             Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
             PID:2808
        5⤵ C:\Windows\SysWOW64\REG.exe
           Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
           - Modifies registry key
           PID:456
      4⤵ C:\Windows\SysWOW64\REG.exe
         Command line: REG DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /f
         - Modifies registry key
         PID:3868
    3⤵ C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe
       Command line: "C:\Program Files (x86)\Microsoft Office\OFFICE11\services.exe"
       - Executes dropped EXE
       - System Location Discovery: System Language Discovery
       - Suspicious use of SetWindowsHookEx
       PID:2408
1⤵ C:\Windows\system32\svchost.exe
   Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
   PID:3560
1⤵ C:\Windows\system32\DllHost.exe
   Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
   PID:3752
1⤵ C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
   Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
   PID:3844
1⤵ C:\Windows\System32\RuntimeBroker.exe
   Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
   PID:3912
1⤵ C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
   Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
   PID:4024
1⤵ C:\Windows\System32\RuntimeBroker.exe
   Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
   PID:3488
1⤵ C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
   Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
   PID:3408
1⤵ C:\Windows\System32\RuntimeBroker.exe
   Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
   PID:2256
1⤵ C:\Windows\system32\backgroundTaskHost.exe
   Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
   PID:4440
1⤵ C:\Windows\System32\RuntimeBroker.exe
   Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
   PID:3224
1⤵ C:\Windows\system32\backgroundTaskHost.exe
   Command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
   PID:720
1⤵ C:\Windows\system32\sihost.exe
   Command line: sihost.exe
   PID:860
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (2)
  - Windows Service (2)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (5)
  - Disable or Modify System Firewall (2)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Downloads