Analysis
max time kernel: 95s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-01-2025 21:41
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Resource: win7-20240903-en

General
Target: JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Size: 811KB
MD5: 60cfaa931b01a8f08ffe203ec8506080
SHA1: 8fb983e216e23bc857d1a90ef63b00ac3b9c9a88
SHA256: 101c0a9d2fa8c5a0458bebd09f231c907b2ffd0a1e631fc462bd70d3e290ff29
SHA512: cb07b18b4c83ff26e9906545b8f82698dc00186f4bc9fa286fbdce131f81d3134d614ce8ba0967bc58f715029a0e8a883be4c660c121fe2c816e44a29127c878
SSDEEP: 12288:gRm0OqZQDi02wPW6QIHd4/vqUfcfSpKUy0:K2Dd2g1z+3tfYSpL
Malware Config
Extracted: sality
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | WaterMarkmgr.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | WaterMarkmgr.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | WaterMarkmgr.exe
Ramnit family
Sality family
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WaterMarkmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WaterMark.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | WaterMarkmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | WaterMarkmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | WaterMarkmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | WaterMarkmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | WaterMarkmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | WaterMarkmgr.exe
Disables RegEdit via registry modification (3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | WaterMarkmgr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | WaterMark.exe
Disables Task Manager via registry modification
Deletes itself (1 IoC)
pid | Process
2652 | WaterMark.exe
Executes dropped EXE (5 IoCs)
pid | Process
3556 | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080mgr.exe
852 | WaterMark.exe
3452 | WaterMarkmgr.exe
2652 | WaterMark.exe
2220 | WaterMark.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | WaterMarkmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | WaterMarkmgr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | WaterMarkmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | WaterMarkmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | WaterMarkmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | WaterMarkmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | WaterMark.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | WaterMarkmgr.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WaterMark.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | WaterMarkmgr.exe
Drops file in Program Files directory (10 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080mgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
File created | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
File opened for modification | C:\Program Files (x86)\Microsoft\pxA519.tmp | WaterMarkmgr.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | WaterMarkmgr.exe
File opened for modification | C:\Program Files (x86)\Microsoft\pxA0F3.tmp | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
File created | C:\Program Files (x86)\Microsoft\WaterMark.exe | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
File created | C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe | WaterMark.exe
File opened for modification | C:\Program Files (x86)\Microsoft\WaterMark.exe | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
File opened for modification | C:\Program Files (x86)\Microsoft\pxA170.tmp | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080mgr.exe
Drops file in Windows directory (1 IoC)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMark.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WaterMarkmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080mgr.exe
Suspicious behavior: EnumeratesProcesses (56 IoCs)
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Suspicious use of FindShellTrayWindow (4 IoCs)
pid | Process
1680 | iexplore.exe
3892 | iexplore.exe
2212 | iexplore.exe
3656 | iexplore.exe
Suspicious use of SetWindowsHookEx (18 IoCs)
pid | Process
2212 | iexplore.exe
2212 | iexplore.exe
3656 | iexplore.exe
3656 | iexplore.exe
1680 | iexplore.exe
1680 | iexplore.exe
3892 | iexplore.exe
3892 | iexplore.exe
2804 | IEXPLORE.EXE
2804 | IEXPLORE.EXE
3868 | IEXPLORE.EXE
3868 | IEXPLORE.EXE
3776 | IEXPLORE.EXE
3776 | IEXPLORE.EXE
2676 | IEXPLORE.EXE
2676 | IEXPLORE.EXE
2804 | IEXPLORE.EXE
2804 | IEXPLORE.EXE
Suspicious use of UnmapMainImage (6 IoCs)
pid | Process
3844 | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
3556 | JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080mgr.exe
852 | WaterMark.exe
3452 | WaterMarkmgr.exe
2652 | WaterMark.exe
2220 | WaterMark.exe
Suspicious use of WriteProcessMemory (64 IoCs)
to memory of 4020 2652 WaterMark.exe 60 PID 2652 wrote to memory of 4072 2652 WaterMark.exe 88 PID 2652 wrote to memory of 4072 2652 WaterMark.exe 88 -
System policy modification 1 TTPs 4 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WaterMark.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WaterMarkmgr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WaterMark.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:788
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:792
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:384
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2440
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:2448
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:2624
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080.exe"2⤵
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3844 -
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080mgr.exeC:\Users\Admin\AppData\Local\Temp\JaffaCakes118_60cfaa931b01a8f08ffe203ec8506080mgr.exe3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"4⤵
- UAC bypass
- Deletes itself
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2652 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe5⤵PID:4072
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3656 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3656 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3776
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"5⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1680 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1680 CREDAT:17410 /prefetch:26⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2804
-
-
-
-
-
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"3⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:852 -
C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"C:\Program Files (x86)\Microsoft\WaterMarkmgr.exe"4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3452 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of UnmapMainImage
PID:2220 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵PID:3312
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2212 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2212 CREDAT:17410 /prefetch:27⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2676
-
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3892 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3892 CREDAT:17410 /prefetch:27⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3868
-
-
-
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe4⤵PID:4212
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
PID:4556
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"4⤵
- Modifies Internet Explorer settings
PID:2532
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3624
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3856
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3956
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4020
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:3568
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4176
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:2400
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:812
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (6)
Downloads