Analysis
max time kernel: 150s
max time network: 121s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-01-2025 21:28
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe
Size: 512KB
MD5: 68562c2c53ee5f3e1046d29db2e48d6e
SHA1: d2a5863d23a243b645d4ce8a0488addf44f3c2f6
SHA256: 9afddc81be9abc9dae2079f5d34bb983931794060e4f7a06e03913b2b9e10d81
SHA512: 46707c634064ea5f4db59b86462f3c774dff1fe94628dd7a1c80d26c41e5dd2dfd123f3c84c248ece69996b72f9dd8d669165eef1092bece4ae3bc92fecf5fa9
SSDEEP: 12288:eNge6O1X/GkpN4hpCHvmc+5zR2JqaAwUKPF2mqhScG:496SPGm4b06aqpwl2mqIc
Malware Config
Signatures
-
Cycbot family
-
Detects Cycbot payload 5 IoCs
Cycbot is a backdoor and trojan written in C++.
resource yara_rule
behavioral1/memory/2120-120-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot
behavioral1/memory/1636-122-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot
behavioral1/memory/2120-234-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot
behavioral1/memory/2372-236-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot
behavioral1/memory/2120-409-0x0000000000400000-0x000000000046A000-memory.dmp family_cycbot
All five hits are the same 0x400000-0x46A000 image in the three 3nob.exe processes (2120, 1636, 2372); the 2nob.exe processes do not match this rule.
Modifies security service 2 TTPs 1 IoCs
Sets the Windows Security Center service (wscsvc) to manual start (Start = 3, SERVICE_DEMAND_START), so it is no longer started automatically at boot.
description ioc Process
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" 3nob.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
ShowSuperHidden = 0 turns the "Hide protected operating system files" option back on in Explorer, so files carrying the hidden and system attributes are not shown.
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" vrSlJ6C3.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" zaoabi.exe
Pony family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe
The only IoC is a key creation by explorer.exe, which is not a descendant of the sample in the process tree below; no Installed Components subkey or StubPath written by a sample process is recorded, so this hit should be weighted accordingly.
Disables taskbar notifications via registry modification
-
Deletes itself 1 IoCs
pid Process 1952 cmd.exe -
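Both cmd.exe instances in the process tree below use the same idiom, `cmd /c tasklist&&del <file>`: the first command only runs long enough for the parent to exit and release the lock on its image file, after which `del` removes the dropper from disk. The following is an added example, not part of this report or of the sandbox's signature logic: a Python detector that recognises the idiom and checks whether the file being deleted is the parent's own image. The regular expression, the function names and the benign contrast line in the sample are this example's own; the two malicious command lines are copied from the tree below.

```python
"""Detector for the "cmd.exe /c <stall>&&del <file>" self-deletion idiom.

Added example; the regex, function names and the benign contrast sample are
assumptions of this example, not part of the sandbox report.
"""
import re
import ntpath

# "<cmd.exe> /c <stall command>&&del [/switches] <file>", with optional quotes
# around the cmd.exe path and around the deleted file.
SELF_DELETE_RE = re.compile(
    r'^"?(?:[A-Za-z]:\\[^"]*\\)?cmd\.exe"?\s+/[cC]\s+(?P<stall>.+?)\s*&&\s*del\s+'
    r'(?:/[A-Za-z]\s+)*"?(?P<target>[^"]+?)"?\s*$')


def detect_self_delete(cmdline, parent_image):
    """Return a finding dict if cmdline matches the idiom, else None.

    'deletes_parent' is True when the deleted file name equals the parent's
    image name, i.e. the parent is removing itself; the stall command
    (tasklist in this report, ping in many others) is reported for context.
    """
    m = SELF_DELETE_RE.match(cmdline)
    if not m:
        return None
    target = m.group('target')
    same_file = ntpath.basename(target).lower() == ntpath.basename(parent_image).lower()
    return {'stall': m.group('stall'), 'deleted': target, 'deletes_parent': same_file}


# Constructed sample: the two command lines from the process tree with their
# parents' image paths, plus one benign cleanup line for contrast.
SAMPLE = [
    ('"C:\\Windows\\System32\\cmd.exe" /c tasklist&&del vrSlJ6C3.exe',
     r'C:\Users\Admin\vrSlJ6C3.exe'),
    ('"C:\\Windows\\System32\\cmd.exe" /c tasklist&&del JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe',
     r'C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe'),
    ('"C:\\Windows\\System32\\cmd.exe" /c ping 127.0.0.1 -n 3&&del /f "C:\\Temp\\setup.log"',
     r'C:\Temp\installer.exe'),
]


def scan(samples):
    """Run the detector over (cmdline, parent image) pairs."""
    return [(parent, detect_self_delete(cmd, parent)) for cmd, parent in samples]


if __name__ == '__main__':
    for parent, finding in scan(SAMPLE):
        print(parent, '->', finding)
```

Keying the rule on `del` of the parent's own image, rather than on `tasklist&&del` literally, keeps it valid when the stall command is swapped for `ping` or `timeout`.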
Executes dropped EXE 12 IoCs
pid Process
2800 vrSlJ6C3.exe
2704 zaoabi.exe
3008 2nob.exe
1760 2nob.exe
1116 2nob.exe
2420 2nob.exe
2128 2nob.exe
376 2nob.exe
2120 3nob.exe
1636 3nob.exe
2372 3nob.exe
2024 8102.tmp
Loads dropped DLL 10 IoCs
pid Process (count)
2084 JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe (6)
2800 vrSlJ6C3.exe (2)
2120 3nob.exe (2)
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Adds Run key to start application 2 TTPs 54 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoabi = "C:\\Users\\Admin\\zaoabi.exe /<switch>" zaoabi.exe
  52 writes by zaoabi.exe to this one value, each rewriting it with a different single-letter switch, in the order listed: /N /l /o /D /n /C /v /O /q /g /U /V /h /j /W /t /R /Z /E /k /a /I /x /w /L /p /G /u /e /y /H /S /r /X /T /F /K /i /Q /z /B /c /s /P /d /J /Y /A /M /m /b /f
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoabi = "C:\\Users\\Admin\\zaoabi.exe /J" vrSlJ6C3.exe
  1 write by the parent vrSlJ6C3.exe (listed between the /m and /b writes above)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\747.exe = "C:\\Program Files (x86)\\LP\\7E68\\747.exe" 3nob.exe
  1 write by 3nob.exe (listed between the /U and /V writes above)
Because the zaoabi value is rewritten constantly, the persisted command line is whichever switch was written last; a detection keyed on the exact value data would be brittle, while one keyed on the value name zaoabi or the image path C:\Users\Admin\zaoabi.exe is not.
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 2nob.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 2nob.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid Process 1068 tasklist.exe 1632 tasklist.exe -
Suspicious use of SetThreadContext 5 IoCs
description pid Process procid_target
PID 3008 set thread context of 1760 3008 2nob.exe 38
PID 3008 set thread context of 1116 3008 2nob.exe 39
PID 3008 set thread context of 2420 3008 2nob.exe 40
PID 3008 set thread context of 2128 3008 2nob.exe 41
PID 3008 set thread context of 376 3008 2nob.exe 42
UPX-packed memory regions (yara rule upx) 30 IoCs
resource yara_rule (dumps grouped by process; the number after the pid in the original dump name is listed per region)
behavioral1/memory/1116-*-0x0000000000400000-0x0000000000429000-memory.dmp upx (2nob.exe, 7 dumps: 42, 44, 47, 49, 50, 51, 104)
behavioral1/memory/2128-*-0x0000000000400000-0x0000000000407000-memory.dmp upx (2nob.exe, 6 dumps: 64, 67, 71, 87, 88, 116)
behavioral1/memory/2420-*-0x0000000000400000-0x0000000000455000-memory.dmp upx (2nob.exe, 6 dumps: 54, 56, 59, 61, 69, 115)
behavioral1/memory/376-*-0x0000000000400000-0x000000000040A000-memory.dmp upx (2nob.exe, 6 dumps: 74, 76, 82, 83, 84, 92)
behavioral1/memory/2120-*-0x0000000000400000-0x000000000046A000-memory.dmp upx (3nob.exe, 3 dumps: 120, 234, 409)
behavioral1/memory/1636-122-0x0000000000400000-0x000000000046A000-memory.dmp upx (3nob.exe)
behavioral1/memory/2372-236-0x0000000000400000-0x000000000046A000-memory.dmp upx (3nob.exe)
The three 3nob.exe regions are the same ranges flagged as family_cycbot above. The four 2nob.exe children listed here (all written to by 3008, see SetThreadContext) unpack to four different image sizes (0x29000, 0x7000, 0x55000 and 0xA000 bytes), so each child carries a different payload; child 1760 produced no UPX dump.
Drops file in Program Files directory 3 IoCs
description ioc Process
File created C:\Program Files (x86)\LP\7E68\747.exe 3nob.exe
File opened for modification C:\Program Files (x86)\LP\7E68\747.exe 3nob.exe
File opened for modification C:\Program Files (x86)\LP\7E68\8102.tmp 3nob.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process (count)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 2nob.exe (4), 3nob.exe (3), cmd.exe (2), tasklist.exe (2), JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe (1), vrSlJ6C3.exe (1), zaoabi.exe (1), 8102.tmp (1)
The stock cmd.exe and tasklist.exe instances trigger this too, so on its own the key access is weak evidence of geofencing.
Modifies registry class 5 IoCs
description ioc Process
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process (count)
2704 zaoabi.exe (46)
2120 3nob.exe (14)
2800 vrSlJ6C3.exe (2)
1116 2nob.exe (2)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2336 explorer.exe -
Suspicious use of AdjustPrivilegeToken 17 IoCs
description pid Process
Token: SeDebugPrivilege 1068 tasklist.exe
Token: SeRestorePrivilege 2408 msiexec.exe
Token: SeTakeOwnershipPrivilege 2408 msiexec.exe
Token: SeSecurityPrivilege 2408 msiexec.exe
Token: SeDebugPrivilege 1632 tasklist.exe
Token: SeShutdownPrivilege 2336 explorer.exe (12 times)
Suspicious use of FindShellTrayWindow 28 IoCs
pid Process
2336 explorer.exe (28 times)
Suspicious use of SendNotifyMessage 22 IoCs
pid Process
2336 explorer.exe (22 times)
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2084 JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe 2800 vrSlJ6C3.exe 2704 zaoabi.exe 3008 2nob.exe 376 2nob.exe 2128 2nob.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (writes)
PID 2084 JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe wrote to memory of 2800 vrSlJ6C3.exe, target 31 (4)
PID 2800 vrSlJ6C3.exe wrote to memory of 2704 zaoabi.exe, target 32 (4)
PID 2800 vrSlJ6C3.exe wrote to memory of 2556 cmd.exe, target 33 (4)
PID 2556 cmd.exe wrote to memory of 1068 tasklist.exe, target 35 (4)
PID 2084 JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe wrote to memory of 3008 2nob.exe, target 37 (4)
PID 3008 2nob.exe wrote to memory of 1760 2nob.exe, target 38 (5)
PID 3008 2nob.exe wrote to memory of 1116 2nob.exe, target 39 (8)
PID 3008 2nob.exe wrote to memory of 2420 2nob.exe, target 40 (8)
PID 3008 2nob.exe wrote to memory of 2128 2nob.exe, target 41 (8)
PID 3008 2nob.exe wrote to memory of 376 2nob.exe, target 42 (8)
PID 2084 JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe wrote to memory of 2120 3nob.exe, target 43 (4)
PID 2084 JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe wrote to memory of 1952 cmd.exe, target 46 (3)
Every parent/child launch in this tree shows up here, including cmd.exe starting tasklist.exe, so the signature on its own says little; the five 3008 -> 2nob.exe pairs are the ones that also appear under SetThreadContext above and that receive the most writes.
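The SetThreadContext and WriteProcessMemory lists above are two halves of one pattern: 3008 (2nob.exe) writes into each of its five 2nob.exe children and then replaces a thread context in them, which is the write-then-redirect sequence process hollowing needs (child created suspended, image overwritten, entry point redirected, thread resumed). As an added example, not taken from the report or from the sandbox's own logic, the Python below parses both kinds of entry in the format printed above and pairs them per parent/child, separating hollowing candidates from the ordinary launches that only produce writes. The function names and the event excerpt are this example's own; the excerpt keeps all five context changes and a subset of the writes.

```python
"""Pair WriteProcessMemory and SetThreadContext entries per (parent, child).

Added example; function names and the event excerpt are assumptions of this
example, not part of the sandbox report.
"""
import re
from collections import namedtuple

Event = namedtuple('Event', 'src process action dst target_id')

# Entry format used by the report:
#   "PID <src> wrote to memory of <dst> <src> <image> <target_id>"
#   "PID <src> set thread context of <dst> <src> <image> <target_id>"
# finditer() also copes with the run-together form the page uses.
EVENT_RE = re.compile(
    r'PID (\d+) (set thread context of|wrote to memory of) (\d+) (\d+) (\S+) (\d+)')

# Constructed sample: an excerpt of the report's entries, one per line.
SAMPLE_EVENTS = """
PID 3008 set thread context of 1760 3008 2nob.exe 38
PID 3008 set thread context of 1116 3008 2nob.exe 39
PID 3008 set thread context of 2420 3008 2nob.exe 40
PID 3008 set thread context of 2128 3008 2nob.exe 41
PID 3008 set thread context of 376 3008 2nob.exe 42
PID 2084 wrote to memory of 2800 2084 JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe 31
PID 2084 wrote to memory of 2800 2084 JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe 31
PID 2800 wrote to memory of 2704 2800 vrSlJ6C3.exe 32
PID 2556 wrote to memory of 1068 2556 cmd.exe 35
PID 2084 wrote to memory of 3008 2084 JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe 37
PID 3008 wrote to memory of 1760 3008 2nob.exe 38
PID 3008 wrote to memory of 1760 3008 2nob.exe 38
PID 3008 wrote to memory of 1116 3008 2nob.exe 39
PID 3008 wrote to memory of 1116 3008 2nob.exe 39
PID 3008 wrote to memory of 1116 3008 2nob.exe 39
PID 3008 wrote to memory of 2420 3008 2nob.exe 40
PID 3008 wrote to memory of 2128 3008 2nob.exe 41
PID 3008 wrote to memory of 376 3008 2nob.exe 42
PID 2084 wrote to memory of 2120 2084 JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe 43
"""


def parse_events(text):
    """Return an Event for every entry found in text."""
    events = []
    for m in EVENT_RE.finditer(text):
        src, action, dst, _src_again, image, target_id = m.groups()
        kind = 'set_context' if action.startswith('set') else 'write'
        events.append(Event(int(src), image, kind, int(dst), int(target_id)))
    return events


def pair_summary(events):
    """Aggregate write count and context-change flag per (parent, child)."""
    pairs = {}
    for ev in events:
        p = pairs.setdefault((ev.src, ev.dst),
                             {'process': ev.process, 'writes': 0, 'set_context': False})
        if ev.action == 'write':
            p['writes'] += 1
        else:
            p['set_context'] = True
    return pairs


def hollowing_candidates(events):
    """(parent, child, parent image, writes) for pairs showing both primitives."""
    return sorted((src, dst, p['process'], p['writes'])
                  for (src, dst), p in pair_summary(events).items()
                  if p['set_context'] and p['writes'] > 0)


def spawn_only_pairs(events):
    """Pairs with writes but no context change: every ordinary launch in this
    log produces these, so they are not suspicious on their own."""
    return sorted((src, dst) for (src, dst), p in pair_summary(events).items()
                  if not p['set_context'])


if __name__ == '__main__':
    evs = parse_events(SAMPLE_EVENTS)
    for src, dst, image, writes in hollowing_candidates(evs):
        print('%s (%d) wrote %d time(s) into %d and set its thread context' % (image, src, writes, dst))
    print('plain spawns:', spawn_only_pairs(evs))
```

Feeding the full WriteProcessMemory list from the page through `parse_events` gives the same five candidates, all under parent 3008.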
System policy modification 1 TTPs 2 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 3nob.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" 3nob.exe
HideSCAHealth = 1 is the "Remove the Action Center icon" policy, so the user gets no notification-area warning after the same process switches wscsvc to manual start above.
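The registry signatures above (security service, hidden-file visibility, Active Setup, Run keys, system policy) are all plain "Set value ..." or "Key created ..." lines. The following is an added example, not part of this report or of any sandbox's tooling: a Python triage that parses those lines exactly as they are printed above and maps the security-relevant ones to the technique they implement. The rule table, the ATT&CK labels attached to the rules, the function names and the sample block (copied from the IoC lines above) are this example's own assumptions.

```python
"""Registry IoC triage for sandbox-report lines of the form
   Set value (<type>) \\REGISTRY\\... = "<data>" <process>
   Key created \\REGISTRY\\... <process>

Added example; the rule table, technique labels and helper names are
assumptions of this example, not the sandbox's own logic.
"""
import re
from collections import Counter

# Constructed sample: registry IoC lines copied from the report above.
SAMPLE_IOCS = r'''
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" 3nob.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" vrSlJ6C3.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" zaoabi.exe
Key created \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Active Setup\Installed Components explorer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoabi = "C:\\Users\\Admin\\zaoabi.exe /N" zaoabi.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\zaoabi = "C:\\Users\\Admin\\zaoabi.exe /J" vrSlJ6C3.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\747.exe = "C:\\Program Files (x86)\\LP\\7E68\\747.exe" 3nob.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer 3nob.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" 3nob.exe
Set value (data) \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe
'''

SET_RE = re.compile(r'^Set value \((int|str|data)\) (\\REGISTRY\\.+?) = ("[^"]*"|\S+) (\S+)$')
KEY_RE = re.compile(r'^Key (created|opened) (\\REGISTRY\\.+) (\S+)$')


def normalize_key(path):
    """Fold hive/SID/ControlSet/Wow6432Node aliases into one lower-case form."""
    p = path.lower()
    p = re.sub(r'^\\registry\\user\\s-1-5-21-[\d-]+', 'hkcu', p)
    p = re.sub(r'^\\registry\\machine', 'hklm', p)
    p = re.sub(r'\\controlset\d{3}\\', r'\\currentcontrolset\\', p)
    return p.replace('\\wow6432node', '')


def parse_ioc(line):
    """Return a dict for one registry IoC line, or None for anything else."""
    m = SET_RE.match(line)
    if m:
        vtype, key, data, proc = m.groups()
        return {'op': 'set', 'type': vtype, 'key': normalize_key(key),
                'data': data.strip('"'), 'process': proc}
    m = KEY_RE.match(line)
    if m:
        op, key, proc = m.groups()
        return {'op': 'key_' + op, 'type': None, 'key': normalize_key(key),
                'data': None, 'process': proc}
    return None


def classify(ioc):
    """Map a parsed IoC to a technique label, or None if it is benign noise."""
    key, data, op = ioc['key'], ioc['data'], ioc['op']
    if key == r'hklm\system\currentcontrolset\services\wscsvc\start' and data != '2':
        # Start: 2 = SERVICE_AUTO_START, 3 = demand start, 4 = disabled.
        return 'T1562.001 Security Center service (wscsvc) start type changed to ' + data
    if key.endswith(r'\explorer\advanced\showsuperhidden') and data == '0':
        return 'T1564.001 protected operating-system files hidden in Explorer'
    if key.endswith(r'\policies\explorer\hidescahealth') and data == '1':
        return 'T1112 Action Center health icon removed by policy'
    if op == 'set' and '\\currentversion\\run\\' in key:
        return 'T1547.001 Run key %s -> %s' % (key.rsplit('\\', 1)[1], data)
    if op == 'key_created' and key.endswith(r'\active setup\installed components'):
        return 'T1547.014 Active Setup Installed Components key created'
    return None


def triage(text):
    """Return [(process, label)] for every security-relevant registry IoC."""
    findings = []
    for line in text.strip().splitlines():
        ioc = parse_ioc(line.strip())
        if ioc is None:
            continue
        label = classify(ioc)
        if label is not None:
            findings.append((ioc['process'], label))
    return findings


def per_process(findings):
    """Count findings per writing process, most active first."""
    return Counter(proc for proc, _ in findings).most_common()


if __name__ == '__main__':
    for proc, label in triage(SAMPLE_IOCS):
        print('%-14s %s' % (proc, label))
    print(per_process(triage(SAMPLE_IOCS)))
```

Normalising the key first is what lets one rule cover both the `ControlSet001` spelling the sandbox records and the `CurrentControlSet` spelling a live host shows, and the `Wow6432Node` fold catches the 32-bit Run key written by 3nob.exe.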
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(children indented under their parent; PID in brackets, then the image path, then the command line as recorded)

[2084] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  [2800] C:\Users\Admin\vrSlJ6C3.exe
    cmdline: C:\Users\Admin\vrSlJ6C3.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2704] C:\Users\Admin\zaoabi.exe
      cmdline: "C:\Users\Admin\zaoabi.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx

    [2556] C:\Windows\SysWOW64\cmd.exe
      cmdline: "C:\Windows\System32\cmd.exe" /c tasklist&&del vrSlJ6C3.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      [1068] C:\Windows\SysWOW64\tasklist.exe
        cmdline: tasklist
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

  [3008] C:\Users\Admin\2nob.exe
    cmdline: C:\Users\Admin\2nob.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [1760] C:\Users\Admin\2nob.exe
      cmdline: "C:\Users\Admin\2nob.exe"
      - Executes dropped EXE

    [1116] C:\Users\Admin\2nob.exe
      cmdline: "C:\Users\Admin\2nob.exe"
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious behavior: EnumeratesProcesses

    [2420] C:\Users\Admin\2nob.exe
      cmdline: "C:\Users\Admin\2nob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    [2128] C:\Users\Admin\2nob.exe
      cmdline: "C:\Users\Admin\2nob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

    [376] C:\Users\Admin\2nob.exe
      cmdline: "C:\Users\Admin\2nob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx

  [2120] C:\Users\Admin\3nob.exe
    cmdline: C:\Users\Admin\3nob.exe
    - Modifies security service
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - System policy modification

    [1636] C:\Users\Admin\3nob.exe
      cmdline: C:\Users\Admin\3nob.exe startC:\Users\Admin\AppData\Roaming\8E716\D117E.exe%C:\Users\Admin\AppData\Roaming\8E716
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    [2372] C:\Users\Admin\3nob.exe
      cmdline: C:\Users\Admin\3nob.exe startC:\Program Files (x86)\16CE7\lvvm.exe%C:\Program Files (x86)\16CE7
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

    [2024] C:\Program Files (x86)\LP\7E68\8102.tmp
      cmdline: "C:\Program Files (x86)\LP\7E68\8102.tmp"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

  [1952] C:\Windows\SysWOW64\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_68562c2c53ee5f3e1046d29db2e48d6e.exe
    - Deletes itself
    - System Location Discovery: System Language Discovery

    [1632] C:\Windows\SysWOW64\tasklist.exe
      cmdline: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken

[2408] C:\Windows\system32\msiexec.exe
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken

[2336] C:\Windows\explorer.exe
  cmdline: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage

msiexec.exe and explorer.exe are top-level entries, not descendants of the sample; they are listed because signatures matched them. Note the image path C:\Windows\SysWOW64\ versus the recorded C:\Windows\System32\ command line for cmd.exe and tasklist.exe: the sample is 32-bit and its child launches go through WoW64 file-system redirection.
Network
MITRE ATT&CK Enterprise v15
(number of matching signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution (2): Active Setup (1), Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2): Active Setup (1), Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Hide Artifacts (1): Hidden Files and Directories (1)
  Modify Registry (5)
Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (3): Credentials In Files (3)
Downloads
(files available from the analysis, by size and hash; file names are not given on this page)

Filesize 600B
  MD5 5bc5f47ca3d113fc39fc4bbe43a07a10
  SHA1 d5f24f7567e6deea127a313407ba51b5c4db9685
  SHA256 bcc2faad9967e06a4907020ef4646439d0562913d9705eef4796b5a2ec7b98ae
  SHA512 1353d901114a61a5fa7ff3d1055900fb40dbb0c1b6d0f95de9857e89431b6a84c8f3dbde2c26f23fa8f6e4fdd1a769428606dedab1ce9e35ca42882a2dd3550c

Filesize 996B
  MD5 847f3b8312906fb30e75b71b7436974c
  SHA1 59841afe0894f3de0fd9703413107a23d889b391
  SHA256 c5278c134e95e428dbbacc37b75bc8e01f9550e73e6cd877435bd34b89db5432
  SHA512 75ea12f7997394da5e12677d2f52b616a084f55b1ac380c1cfa45d866c50bddd3c27f8c92e33e4feb76e6152caf0d66e7e90fae36e2e0d3619ccb81a6fd28611

Filesize 1KB
  MD5 452d860460b1d3a690a42c8da9225a03
  SHA1 0e63fdd81432de4fe902e2c3f18b73a5cfc4e4e2
  SHA256 9014ba99119ec219141e736c5bbfcdf71408b282fa7bbd745c91fb5d03f65c20
  SHA512 1492fa5612f2d4349e915c1ef98fedef85e5c7f8e01d6fc8b8c79b135ae5123cfd3a82f0fdf3a92c220bd76f981a83f3eefd7f83e789510d3c63c3fec499af23

Filesize 180KB
  MD5 9fca8cdebc98f935571c71d8cda50b3d
  SHA1 93338057f318d6cc7022b3dc5d1bae74704f9933
  SHA256 1eb5973643db05477d5e93f6a6ff3ca4073f305dcb5ce3440f2d622843c6274e
  SHA512 31b8718302f9c7a418db9340a4bd277a15fa28381e76dd19b228307a8d51df39ac348522796d7e15f22c1e8bca7bb147740ff22b104ffe3506d16c10d5646913

Filesize 96KB
  MD5 74a1e9547eb8c42e9ca482c5c8bdd261
  SHA1 c56c60e84b4ef45065289636cfdfab21654acdb3
  SHA256 f4ac8ead1ff2f95c2b50405531d433d7af912b8f848095d3cb00401576ee90fb
  SHA512 ae90627a5f1485383b6de178aea4b36f9e44891d78fe5a274d1632727dd71906061323725a7c3c106b039cb65e10ea7e9c7d277ce35fb0ac6458fdc3e346ecb9

Filesize 148KB
  MD5 b7146cf0b0ce852ffb2edc1b43499d36
  SHA1 7a65b2d9a243f0a9d5e1d22e19619c9b057cfdf7
  SHA256 3c553adafe4adc74c390d9190aca168b822a902bbab695988de7efe30b2c3f4d
  SHA512 d182fb2afe61832da56b7446de87ca8f65965b7a0cc284dd4d51df0453d304c157e2dea302239f038e71f73f7dd662d138903366367601b42aa3c4b03416a711

Filesize 272KB
  MD5 7ddee7ec4bd22ba0b43bc4105e5b7901
  SHA1 9fb11a97faff55730d5f838db2bfd5dbcce9f0b6
  SHA256 e765624ac2a2e40e95befcf847804345e74d3a35872f279c5d86f6a0dc51071f
  SHA512 c1307d2851949d8809a71f3255cabfb18c2b9e5a41633bf09192ccf778026f894e0b6564502763bac440b1442e2b6fcff90e8b0090b9503290bd140875ea62fc

Filesize 180KB
  MD5 7401ba7763fe55ddc93dd8bac9ec9879
  SHA1 0dcdcf981aa98b878e311626478bf71545051ecd
  SHA256 4cba3615f537b6273a7fa8be2f96942b27dc858fa1cd217f8db1ab1a5ffb21ab
  SHA512 57b744717249d6e97b90a09c2a5e5636df6ebc0f6c1a48fac27ce536391b3bc31b1554e1ac252aa26d40f15b7f039d6c9b25df782db0ab55155284fc9d601d8c