Analysis

max time kernel: 14s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-12-2024 06:50

Static task: static1

Behavioral task: behavioral1
Sample: JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Resource: win7-20240903-en

Behavioral task: behavioral2
Sample: JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Resource: win10v2004-20241007-en

General

Target: JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Size: 952KB
MD5: 09759729987ce000bb838e9fda3b6ff0
SHA1: 5fe3bd1f39a1a6cc465332a482db605c13cee4f3
SHA256: 2461aedc90f1dc0443050180fe92cc19ee0d3c20ef1184b03849103d46f07e10
SHA512: be3210c84c322c149297b4c4cb95603135e436f17c21951d0654279640cf0a187c714bf4d9f480d07790d9958e01c5b0aac19cf8b57f58344fad80cced725902
SSDEEP: 12288:btpvoJQSYfFyv+LtpvoJQktpvoJQktpvoJQ:btpvolYfFyv+Ltpvo7tpvo7tpvo
Malware Config

Extracted family: sality
C2 URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures

Sality family
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | svchost.exe
-
Adds policy Run key to start application (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sys = "C:\\WINDOWS\\Fonts\\Fonts.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | system.exe
-
Disables RegEdit via registry modification (2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | svchost.exe
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe | Global.exe
File created | C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe | svchost.exe
File created | C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe | system.exe
File created | C:\WINDOWS\SysWOW64\drivers\drivers.cab.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
-
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "C:\\WINDOWS\\Media\\rndll32.pif" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\WINDOWS\\Fonts\\tskmgr.exe" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe\Debugger = "C:\\WINDOWS\\Fonts\\Fonts.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\boot.exe\Debugger = "C:\\WINDOWS\\Fonts\\fonts.exe" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto.exe\Debugger = "C:\\WINDOWS\\system32\\drivers\\drivers.cab.exe" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autorun.exe | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\autoruns.exe | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | system.exe
-
Modifies Windows Firewall (2 TTPs, 2 IoCs)
pid | Process
3812 | netsh.exe
4992 | netsh.exe
-
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | Global.exe
Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | svchost.exe
-
Deletes itself (1 IoCs)
pid | Process
4468 | svchost.exe
-
Executes dropped EXE (3 IoCs)
pid | Process
368 | Global.exe
4468 | svchost.exe
4960 | system.exe
-
Modifies system executable filetype association (2 TTPs, 8 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
-
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | svchost.exe
-
Adds Run key to start application (2 TTPs, 12 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | Global.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ = "C:\\WINDOWS\\system32\\dllcache\\Default.exe" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\WINDOWS\\system\\KEYBOARD.exe" | system.exe
-
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
-
Drops autorun.inf file (1 TTPs, 11 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | Global.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | system.exe
File opened for modification | C:\autorun.inf | Global.exe
File created | C:\autorun.inf | Global.exe
File created | D:\autorun.inf | Global.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | D:\autorun.inf | Global.exe
File opened for modification | F:\autorun.inf | Global.exe
File created | F:\autorun.inf | Global.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | svchost.exe
-
Drops file in System32 directory (54 IoCs)
description | ioc | Process
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E)\Global.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache | Global.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe | Global.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\svchost.exe | system.exe
File created | C:\WINDOWS\SysWOW64\regedit.exe | Global.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\ | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E)\svchost.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Default.exe | Global.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | svchost.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Global.exe | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\svchost.exe | Global.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Default.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\ | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | Global.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\ | Global.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | svchost.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Default.exe | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\svchost.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File created | C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe | Global.exe
File created | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | Global.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache | svchost.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | svchost.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E} | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | Global.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | svchost.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\tskmgr.exe | Global.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe | svchost.exe
File created | C:\WINDOWS\SysWOW64\regedit.exe | svchost.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe | system.exe
File created | C:\WINDOWS\SysWOW64\dllcache\svchost.exe | svchost.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File created | C:\WINDOWS\SysWOW64\regedit.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Global.exe | Global.exe
File created | C:\WINDOWS\SysWOW64\regedit.exe | system.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | Global.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Global.exe | svchost.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\ | svchost.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | C:\WINDOWS\SysWOW64\dllcache\autorun.inf | svchost.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Global.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File created | C:\WINDOWS\SysWOW64\dllcache\Default.exe | svchost.exe
-
resource | yara_rule
behavioral2/memory/2968-5-0x0000000002B10000-0x0000000003B43000-memory.dmp | upx
behavioral2/memory/2968-3-0x0000000002B10000-0x0000000003B43000-memory.dmp | upx
behavioral2/memory/2968-12-0x0000000002B10000-0x0000000003B43000-memory.dmp | upx
behavioral2/memory/2968-69-0x0000000002B10000-0x0000000003B43000-memory.dmp | upx
behavioral2/memory/2968-71-0x0000000002B10000-0x0000000003B43000-memory.dmp | upx
behavioral2/memory/4468-128-0x0000000002E80000-0x0000000003EB3000-memory.dmp | upx
behavioral2/memory/4468-133-0x0000000002E80000-0x0000000003EB3000-memory.dmp | upx
behavioral2/memory/4468-126-0x0000000002E80000-0x0000000003EB3000-memory.dmp | upx
behavioral2/memory/4468-146-0x0000000002E80000-0x0000000003EB3000-memory.dmp | upx
behavioral2/memory/4468-147-0x0000000002E80000-0x0000000003EB3000-memory.dmp | upx
behavioral2/memory/4468-180-0x0000000002E80000-0x0000000003EB3000-memory.dmp | upx
behavioral2/memory/4468-185-0x0000000002E80000-0x0000000003EB3000-memory.dmp | upx
-
Drops file in Program Files directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | svchost.exe
-
Drops file in Windows directory (39 IoCs)
description | ioc | Process
File created | C:\WINDOWS\Fonts\tskmgr.exe | svchost.exe
File created | C:\WINDOWS\Media\rndll32.pif | svchost.exe
File created | C:\WINDOWS\pchealth\Global.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File created | C:\WINDOWS\system\KEYBOARD.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File created | C:\WINDOWS\Cursors\Boom.vbs | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | C:\WINDOWS\Fonts\Fonts.exe | Global.exe
File created | C:\WINDOWS\pchealth\Global.exe | Global.exe
File opened for modification | C:\WINDOWS\Cursors\Boom.vbs | Global.exe
File created | C:\WINDOWS\system\KEYBOARD.exe | svchost.exe
File created | C:\WINDOWS\Cursors\Boom.vbs | system.exe
File created | C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File created | C:\WINDOWS\pchealth\Global.exe | svchost.exe
File created | C:\WINDOWS\Cursors\Boom.vbs | svchost.exe
File created | C:\WINDOWS\pchealth\Global.exe | system.exe
File opened for modification | C:\WINDOWS\Fonts\wav.wav | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File created | C:\WINDOWS\Media\rndll32.pif | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | C:\WINDOWS\system\KEYBOARD.exe | Global.exe
File created | C:\WINDOWS\system\KEYBOARD.exe | system.exe
File created | C:\WINDOWS\Media\rndll32.pif | system.exe
File opened for modification | C:\WINDOWS\Cursors\Boom.vbs | system.exe
File created | C:\WINDOWS\Fonts\Fonts.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File created | C:\WINDOWS\Help\microsoft.hlp | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File opened for modification | C:\WINDOWS\Help\microsoft.hlp | Global.exe
File opened for modification | C:\WINDOWS\Cursors\Boom.vbs | svchost.exe
File opened for modification | C:\WINDOWS\Cursors\Boom.vbs | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File created | C:\WINDOWS\Help\microsoft.hlp | svchost.exe
File created | C:\WINDOWS\Fonts\Fonts.exe | system.exe
File created | C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com | svchost.exe
File opened for modification | C:\Windows\SYSTEM.INI | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File created | C:\WINDOWS\Fonts\tskmgr.exe | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File created | C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com | Global.exe
File opened for modification | C:\WINDOWS\Fonts\tskmgr.exe | Global.exe
File opened for modification | C:\WINDOWS\Media\rndll32.pif | Global.exe
File created | C:\WINDOWS\Cursors\Boom.vbs | Global.exe
File created | C:\WINDOWS\Fonts\Fonts.exe | svchost.exe
File created | C:\WINDOWS\pchealth\helpctr\binaries\HelpHost.com | system.exe
File created | C:\WINDOWS\Fonts\tskmgr.exe | system.exe
File created | C:\WINDOWS\Fonts\wav.wav | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
File created | C:\WINDOWS\Help\microsoft.hlp | system.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh | netsh.exe
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Global.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
-
Modifies Control Panel 16 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30" | system.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop | Global.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | Global.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30" | Global.exe
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop | system.exe
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\AutoEndTasks = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\AutoEndTasks = "1" | system.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\AutoEndTasks = "1" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\SCRNSAVE.EXE = "C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpHost.com" | system.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\ScreenSaveTimeOut = "30" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\Desktop\AutoEndTasks = "1" | Global.exe
-
Modifies registry class 46 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile | system.exe
Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\Fonts\\Fonts.exe" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command | Global.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\MSCFile\Shell\Open\Command | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\NeverShowExt = "1" | Global.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mscfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\NeverShowExt = "1" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\Shell\Open\Command | system.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\regfile\shell\open\command\ = "C:\\WINDOWS\\pchealth\\Global.exe" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.vbs\ = "VBSFile" | Global.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
4468 | svchost.exe
4468 | svchost.exe
4468 | svchost.exe
4468 | svchost.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Token: SeDebugPrivilege | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
-
Suspicious use of SetWindowsHookEx 4 IoCs
pid | Process
2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
368 | Global.exe
4468 | svchost.exe
4960 | system.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2968 wrote to memory of 776 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 8
PID 2968 wrote to memory of 780 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 9
PID 2968 wrote to memory of 316 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 13
PID 2968 wrote to memory of 2616 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 44
PID 2968 wrote to memory of 2628 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 45
PID 2968 wrote to memory of 2720 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 47
PID 2968 wrote to memory of 3436 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 56
PID 2968 wrote to memory of 3560 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 57
PID 2968 wrote to memory of 3748 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 58
PID 2968 wrote to memory of 3844 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 59
PID 2968 wrote to memory of 3904 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 60
PID 2968 wrote to memory of 4992 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 83
PID 2968 wrote to memory of 4992 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 83
PID 2968 wrote to memory of 4992 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 83
PID 2968 wrote to memory of 4000 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 61
PID 2968 wrote to memory of 4160 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 62
PID 2968 wrote to memory of 444 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 64
PID 2968 wrote to memory of 1976 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 75
PID 2968 wrote to memory of 2372 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 81
PID 2968 wrote to memory of 368 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 85
PID 2968 wrote to memory of 368 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 85
PID 2968 wrote to memory of 368 | 2968 | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | 85
PID 368 wrote to memory of 4468 | 368 | Global.exe | 86
PID 368 wrote to memory of 4468 | 368 | Global.exe | 86
PID 368 wrote to memory of 4468 | 368 | Global.exe | 86
PID 4468 wrote to memory of 776 | 4468 | svchost.exe | 8
PID 4468 wrote to memory of 780 | 4468 | svchost.exe | 9
PID 4468 wrote to memory of 316 | 4468 | svchost.exe | 13
PID 4468 wrote to memory of 2616 | 4468 | svchost.exe | 44
PID 4468 wrote to memory of 2628 | 4468 | svchost.exe | 45
PID 4468 wrote to memory of 2720 | 4468 | svchost.exe | 47
PID 4468 wrote to memory of 3436 | 4468 | svchost.exe | 56
PID 4468 wrote to memory of 3560 | 4468 | svchost.exe | 57
PID 4468 wrote to memory of 3748 | 4468 | svchost.exe | 58
PID 4468 wrote to memory of 3844 | 4468 | svchost.exe | 59
PID 4468 wrote to memory of 3904 | 4468 | svchost.exe | 60
PID 4468 wrote to memory of 4000 | 4468 | svchost.exe | 61
PID 4468 wrote to memory of 4160 | 4468 | svchost.exe | 62
PID 4468 wrote to memory of 444 | 4468 | svchost.exe | 64
PID 4468 wrote to memory of 3812 | 4468 | svchost.exe | 88
PID 4468 wrote to memory of 3812 | 4468 | svchost.exe | 88
PID 4468 wrote to memory of 3812 | 4468 | svchost.exe | 88
PID 4468 wrote to memory of 1976 | 4468 | svchost.exe | 75
PID 4468 wrote to memory of 2372 | 4468 | svchost.exe | 81
PID 4468 wrote to memory of 368 | 4468 | svchost.exe | 85
PID 4468 wrote to memory of 368 | 4468 | svchost.exe | 85
PID 4468 wrote to memory of 532 | 4468 | svchost.exe | 87
PID 4468 wrote to memory of 4960 | 4468 | svchost.exe | 90
PID 4468 wrote to memory of 4960 | 4468 | svchost.exe | 90
PID 4468 wrote to memory of 4960 | 4468 | svchost.exe | 90
PID 4468 wrote to memory of 776 | 4468 | svchost.exe | 8
PID 4468 wrote to memory of 780 | 4468 | svchost.exe | 9
PID 4468 wrote to memory of 316 | 4468 | svchost.exe | 13
PID 4468 wrote to memory of 2616 | 4468 | svchost.exe | 44
PID 4468 wrote to memory of 2628 | 4468 | svchost.exe | 45
PID 4468 wrote to memory of 2720 | 4468 | svchost.exe | 47
PID 4468 wrote to memory of 3436 | 4468 | svchost.exe | 56
PID 4468 wrote to memory of 3560 | 4468 | svchost.exe | 57
PID 4468 wrote to memory of 3748 | 4468 | svchost.exe | 58
PID 4468 wrote to memory of 3844 | 4468 | svchost.exe | 59
PID 4468 wrote to memory of 3904 | 4468 | svchost.exe | 60
PID 4468 wrote to memory of 4000 | 4468 | svchost.exe | 61
PID 4468 wrote to memory of 4160 | 4468 | svchost.exe | 62
PID 4468 wrote to memory of 444 | 4468 | svchost.exe | 64
-
System policy modification 1 TTPs 10 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | svchost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1" | system.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1" | Global.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableStatusMessages = "1" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Global.exe
Processes
image path | command line | PID (indentation shows the parent/child level of the process tree)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:316
C:\Windows\system32\sihost.exe | sihost.exe | PID:2616
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2628
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:2720
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3436
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_09759729987ce000bb838e9fda3b6ff0.exe" | PID:2968
    - UAC bypass
    - Windows security bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Modifies system executable filetype association
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Control Panel
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable | PID:4992
      - Modifies Windows Firewall
      - Event Triggered Execution: Netsh Helper DLL
      - System Location Discovery: System Language Discovery
    C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe | "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\Global.exe" | PID:368
      - Adds policy Run key to start application
      - Drops file in Drivers directory
      - Event Triggered Execution: Image File Execution Options Injection
      - Checks computer location settings
      - Executes dropped EXE
      - Modifies system executable filetype association
      - Adds Run key to start application
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe" | PID:4468
        - UAC bypass
        - Windows security bypass
        - Adds policy Run key to start application
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Event Triggered Execution: Image File Execution Options Injection
        - Checks computer location settings
        - Deletes itself
        - Executes dropped EXE
        - Modifies system executable filetype association
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies Control Panel
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Windows\SysWOW64\netsh.exe | netsh firewall set opmode disable | PID:3812
          - Modifies Windows Firewall
          - Event Triggered Execution: Netsh Helper DLL
          - System Location Discovery: System Language Discovery
        C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe | "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\system.exe" | PID:4960
          - Adds policy Run key to start application
          - Drops file in Drivers directory
          - Event Triggered Execution: Image File Execution Options Injection
          - Executes dropped EXE
          - Modifies system executable filetype association
          - Adds Run key to start application
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Modifies Control Panel
          - Modifies registry class
          - Suspicious use of SetWindowsHookEx
          - System policy modification
      C:\WINDOWS\SysWOW64\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe | "C:\WINDOWS\system32\dllcache\Recycler.{645FF040-5081-101B-9F08-00AA002F954E}\svchost.exe" | PID:864
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3560
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3748
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3844
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3904
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4000
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4160
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:444
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:1976
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:2372
C:\Windows\System32\rundll32.exe | C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | PID:532
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:2704
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:960
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:1740
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (3)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (3)
  - Change Default File Association (1)
  - Image File Execution Options Injection (1)
  - Netsh Helper DLL (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (7)
Downloads