Analysis
max time kernel: 150s
max time network: 102s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 21-01-2025 16:28
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_05e7034160522201de6324078818b562.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_05e7034160522201de6324078818b562.exe
  Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_05e7034160522201de6324078818b562.exe
Size: 512KB
MD5: 05e7034160522201de6324078818b562
SHA1: 29d72e130ce958186446839139d25e0415cdc587
SHA256: 8679615f3852762d7dd71fcd657b86cdf0c4f56dcf3e6e991b65770752c57bfe
SHA512: 5d566113f3ed3df1a4baebc8ce80a300901a5ab8e20dafaabf33e824c26191f4281c64a783901743ebd71e69602b239f4158819a536e3d147d7e629c5efe4e9a
SSDEEP: 12288:WNge6O1X/GkpN4hpCHvmc+5zR2JqaAwUKPF2mqhScG:Q96SPGm4b06aqpwl2mqIc
Malware Config
Signatures
Cycbot family
Detects Cycbot payload (5 IoCs)
Cycbot is a backdoor and trojan written in C++.
resource  yara_rule
behavioral1/memory/1492-108-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
behavioral1/memory/2340-175-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
behavioral1/memory/1492-179-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
behavioral1/memory/1864-296-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
behavioral1/memory/1492-300-0x0000000000400000-0x000000000046A000-memory.dmp  family_cycbot
Modifies security service (2 TTPs, 1 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3"  3nob.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
description  ioc  Process
Set value (int)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  vrSlJ6C3.exe
Set value (int)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  beigob.exe
Pony family
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 1 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components  explorer.exe
Disables taskbar notifications via registry modification
Deletes itself (1 IoCs)
pid  Process
2452  cmd.exe
Executes dropped EXE (12 IoCs)
pid  Process
2548  vrSlJ6C3.exe
2800  beigob.exe
2960  2nob.exe
2852  2nob.exe
2304  2nob.exe
2768  2nob.exe
2036  2nob.exe
2296  2nob.exe
1492  3nob.exe
2340  3nob.exe
2132  C246.tmp
1864  3nob.exe
Loads dropped DLL (10 IoCs)
pid  Process
432  JaffaCakes118_05e7034160522201de6324078818b562.exe
432  JaffaCakes118_05e7034160522201de6324078818b562.exe
2548  vrSlJ6C3.exe
2548  vrSlJ6C3.exe
432  JaffaCakes118_05e7034160522201de6324078818b562.exe
432  JaffaCakes118_05e7034160522201de6324078818b562.exe
432  JaffaCakes118_05e7034160522201de6324078818b562.exe
432  JaffaCakes118_05e7034160522201de6324078818b562.exe
1492  3nob.exe
1492  3nob.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Unsecured Credentials: Credentials In Files (1 TTPs)
Steal credentials from unsecured files.
Adds Run key to start application (2 TTPs, 54 IoCs)
description  ioc  Process
Key: \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\beigob
Set value (str) on that key to "C:\\Users\\Admin\\beigob.exe /<switch>" by beigob.exe, one row per switch, in the order observed (52 rows):
  /O /F /a /q /m /B /C /Q /b /k /M /r /V /h /u /v /X /T /j /D /d /H /o /Y /n /I /x /W /S /w /R /N /A /P /U /t /G /s /L /E /l /J /z /g /f /Z /i /c /y /p /K /e
Set value (str) on that key = "C:\\Users\\Admin\\beigob.exe /I" by vrSlJ6C3.exe (1 row)
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FE4.exe = "C:\\Program Files (x86)\\LP\\1C34\\FE4.exe"  3nob.exe (1 row)
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0  2nob.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  2nob.exe
Enumerates processes with tasklist (1 TTPs, 2 IoCs)
pid  Process
2840  tasklist.exe
2096  tasklist.exe
Suspicious use of SetThreadContext (5 IoCs)
description  pid  Process  procid_target
PID 2960 set thread context of 2852  2960  2nob.exe  35
PID 2960 set thread context of 2304  2960  2nob.exe  36
PID 2960 set thread context of 2036  2960  2nob.exe  37
PID 2960 set thread context of 2768  2960  2nob.exe  38
PID 2960 set thread context of 2296  2960  2nob.exe  39
resource  yara_rule
behavioral1/memory/2768-69-0x0000000000400000-0x0000000000407000-memory.dmp  upx
behavioral1/memory/2768-67-0x0000000000400000-0x0000000000407000-memory.dmp  upx
behavioral1/memory/2768-76-0x0000000000400000-0x0000000000407000-memory.dmp  upx
behavioral1/memory/2296-74-0x0000000000400000-0x000000000040A000-memory.dmp  upx
behavioral1/memory/2296-72-0x0000000000400000-0x000000000040A000-memory.dmp  upx
behavioral1/memory/2768-64-0x0000000000400000-0x0000000000407000-memory.dmp  upx
behavioral1/memory/2768-62-0x0000000000400000-0x0000000000407000-memory.dmp  upx
behavioral1/memory/2036-56-0x0000000000400000-0x0000000000455000-memory.dmp  upx
behavioral1/memory/2036-54-0x0000000000400000-0x0000000000455000-memory.dmp  upx
behavioral1/memory/2304-51-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2304-50-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2304-49-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2304-44-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2304-42-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2296-88-0x0000000000400000-0x000000000040A000-memory.dmp  upx
behavioral1/memory/2296-92-0x0000000000400000-0x000000000040A000-memory.dmp  upx
behavioral1/memory/2296-87-0x0000000000400000-0x000000000040A000-memory.dmp  upx
behavioral1/memory/2036-86-0x0000000000400000-0x0000000000455000-memory.dmp  upx
behavioral1/memory/2296-84-0x0000000000400000-0x000000000040A000-memory.dmp  upx
behavioral1/memory/2036-82-0x0000000000400000-0x0000000000455000-memory.dmp  upx
behavioral1/memory/2768-81-0x0000000000400000-0x0000000000407000-memory.dmp  upx
behavioral1/memory/2036-59-0x0000000000400000-0x0000000000455000-memory.dmp  upx
behavioral1/memory/2304-103-0x0000000000400000-0x0000000000429000-memory.dmp  upx
behavioral1/memory/2036-104-0x0000000000400000-0x0000000000455000-memory.dmp  upx
behavioral1/memory/1492-108-0x0000000000400000-0x000000000046A000-memory.dmp  upx
behavioral1/memory/2340-175-0x0000000000400000-0x000000000046A000-memory.dmp  upx
behavioral1/memory/1492-179-0x0000000000400000-0x000000000046A000-memory.dmp  upx
behavioral1/memory/1864-296-0x0000000000400000-0x000000000046A000-memory.dmp  upx
behavioral1/memory/1492-300-0x0000000000400000-0x000000000046A000-memory.dmp  upx
Drops file in Program Files directory (3 IoCs)
description  ioc  Process
File created  C:\Program Files (x86)\LP\1C34\FE4.exe  3nob.exe
File opened for modification  C:\Program Files (x86)\LP\1C34\FE4.exe  3nob.exe
File opened for modification  C:\Program Files (x86)\LP\1C34\C246.tmp  3nob.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 15 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  JaffaCakes118_05e7034160522201de6324078818b562.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2nob.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  beigob.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2nob.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3nob.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vrSlJ6C3.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3nob.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2nob.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  2nob.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  3nob.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  tasklist.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  C246.tmp
Modifies registry class (5 IoCs)
description  ioc  Process
Set value (data)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  explorer.exe
Set value (data)  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell  explorer.exe
Key created  \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU  explorer.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid  Process  (rows per process, 64 rows in total)
2548  vrSlJ6C3.exe  (2 rows)
2304  2nob.exe  (2 rows)
2800  beigob.exe  (46 rows)
1492  3nob.exe  (14 rows)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid  Process
2644  explorer.exe
Suspicious use of AdjustPrivilegeToken (21 IoCs)
description  pid  Process
Token: SeDebugPrivilege  2840  tasklist.exe
Token: SeRestorePrivilege  1612  msiexec.exe
Token: SeTakeOwnershipPrivilege  1612  msiexec.exe
Token: SeSecurityPrivilege  1612  msiexec.exe
Token: SeDebugPrivilege  2096  tasklist.exe
Token: SeShutdownPrivilege  2644  explorer.exe  (10 rows)
Token: 33  2880  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  2880  AUDIODG.EXE
Token: 33  2880  AUDIODG.EXE
Token: SeIncBasePriorityPrivilege  2880  AUDIODG.EXE
Token: SeShutdownPrivilege  2644  explorer.exe  (2 rows)
Suspicious use of FindShellTrayWindow (29 IoCs)
pid  Process
2644  explorer.exe  (29 rows)
Suspicious use of SendNotifyMessage (19 IoCs)
pid  Process
2644  explorer.exe  (19 rows)
Suspicious use of SetWindowsHookEx (6 IoCs)
pid  Process
432  JaffaCakes118_05e7034160522201de6324078818b562.exe
2548  vrSlJ6C3.exe
2800  beigob.exe
2960  2nob.exe
2768  2nob.exe
2296  2nob.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description  pid  Process  procid_target  (identical consecutive rows collapsed with a count; 64 rows in total)
PID 432 wrote to memory of 2548  432  JaffaCakes118_05e7034160522201de6324078818b562.exe  29  (4 rows)
PID 2548 wrote to memory of 2800  2548  vrSlJ6C3.exe  30  (4 rows)
PID 2548 wrote to memory of 2916  2548  vrSlJ6C3.exe  31  (4 rows)
PID 432 wrote to memory of 2960  432  JaffaCakes118_05e7034160522201de6324078818b562.exe  34  (4 rows)
PID 2916 wrote to memory of 2840  2916  cmd.exe  33  (4 rows)
PID 2960 wrote to memory of 2852  2960  2nob.exe  35  (5 rows)
PID 2960 wrote to memory of 2304  2960  2nob.exe  36  (8 rows)
PID 2960 wrote to memory of 2036  2960  2nob.exe  37  (8 rows)
PID 2960 wrote to memory of 2768  2960  2nob.exe  38  (8 rows)
PID 2960 wrote to memory of 2296  2960  2nob.exe  39  (8 rows)
PID 432 wrote to memory of 1492  432  JaffaCakes118_05e7034160522201de6324078818b562.exe  41  (4 rows)
PID 432 wrote to memory of 2452  432  JaffaCakes118_05e7034160522201de6324078818b562.exe  44  (3 rows)
System policy modification (1 TTPs, 2 IoCs)
description  ioc  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  3nob.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1"  3nob.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05e7034160522201de6324078818b562.exe (PID 432)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05e7034160522201de6324078818b562.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\vrSlJ6C3.exe (PID 2548)
      Command line: C:\Users\Admin\vrSlJ6C3.exe
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\beigob.exe (PID 2800)
        Command line: "C:\Users\Admin\beigob.exe"
        - Modifies visibility of hidden/system files in Explorer
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
    [3] C:\Windows\SysWOW64\cmd.exe (PID 2916)
        Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del vrSlJ6C3.exe
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\tasklist.exe (PID 2840)
          Command line: tasklist
          - Enumerates processes with tasklist
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
  [2] C:\Users\Admin\2nob.exe (PID 2960)
      Command line: C:\Users\Admin\2nob.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\2nob.exe (PID 2852)
        Command line: "C:\Users\Admin\2nob.exe"
        - Executes dropped EXE
    [3] C:\Users\Admin\2nob.exe (PID 2304)
        Command line: "C:\Users\Admin\2nob.exe"
        - Executes dropped EXE
        - Maps connected drives based on registry
        - Suspicious behavior: EnumeratesProcesses
    [3] C:\Users\Admin\2nob.exe (PID 2036)
        Command line: "C:\Users\Admin\2nob.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\2nob.exe (PID 2768)
        Command line: "C:\Users\Admin\2nob.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
    [3] C:\Users\Admin\2nob.exe (PID 2296)
        Command line: "C:\Users\Admin\2nob.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
  [2] C:\Users\Admin\3nob.exe (PID 1492)
      Command line: C:\Users\Admin\3nob.exe
      - Modifies security service
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Drops file in Program Files directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - System policy modification
    [3] C:\Users\Admin\3nob.exe (PID 2340)
        Command line: C:\Users\Admin\3nob.exe startC:\Users\Admin\AppData\Roaming\44FBC\7451C.exe%C:\Users\Admin\AppData\Roaming\44FBC
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    [3] C:\Program Files (x86)\LP\1C34\C246.tmp (PID 2132)
        Command line: "C:\Program Files (x86)\LP\1C34\C246.tmp"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\3nob.exe (PID 1864)
        Command line: C:\Users\Admin\3nob.exe startC:\Program Files (x86)\BCA85\lvvm.exe%C:\Program Files (x86)\BCA85
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
  [2] C:\Windows\SysWOW64\cmd.exe (PID 2452)
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_05e7034160522201de6324078818b562.exe
      - Deletes itself
      - System Location Discovery: System Language Discovery
    [3] C:\Windows\SysWOW64\tasklist.exe (PID 2096)
        Command line: tasklist
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\system32\msiexec.exe (PID 1612)
    Command line: C:\Windows\system32\msiexec.exe /V
    - Suspicious use of AdjustPrivilegeToken
[1] C:\Windows\explorer.exe (PID 2644)
    Command line: explorer.exe
    - Boot or Logon Autostart Execution: Active Setup
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
[1] C:\Windows\system32\AUDIODG.EXE (PID 2880)
    Command line: C:\Windows\system32\AUDIODG.EXE 0x588
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Hide Artifacts (1)
    Hidden Files and Directories (1)
  Modify Registry (5)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (3)
    Credentials In Files (3)
Downloads
Filesize: 148KB
MD5: b7146cf0b0ce852ffb2edc1b43499d36
SHA1: 7a65b2d9a243f0a9d5e1d22e19619c9b057cfdf7
SHA256: 3c553adafe4adc74c390d9190aca168b822a902bbab695988de7efe30b2c3f4d
SHA512: d182fb2afe61832da56b7446de87ca8f65965b7a0cc284dd4d51df0453d304c157e2dea302239f038e71f73f7dd662d138903366367601b42aa3c4b03416a711

Filesize: 600B
MD5: 4b48a1e3704d0622fb3810cfed083d18
SHA1: fbfd5cbe2aa6136bae487cfbc800556bcd7e6af3
SHA256: 829953dcd20a6bbd91e027b091a1aff74a625a681d31dc1a3f66fa7f37dac4d6
SHA512: 4d16fc2e0e05e1272ea5eb566f1e200cfc58515f94d4f21e66940af3fb7c3ae3200584ad744a5a15b1167617d011ce1365661dfa5f01d03fa3207161d7f891f3

Filesize: 897B
MD5: a4bc0fa5c95a910119f9ede3a4008e62
SHA1: 106c6095e1b45750dc133029f879b5bf29abae5d
SHA256: 054ef5bed96d78396943ddd5237c0b3300092828121eb8652037e018c44ef71f
SHA512: 06b29b5642df10897b2308fff6fa17b17b2c4d0dce1dcd62c77d1c8cc163142fca5ae4cece6c97bad3c9c335ab331e92da367616c3013feb754c3e4d5b773b32

Filesize: 1KB
MD5: 0e8e86f7f18fbc01033e8287f49fd019
SHA1: 1ce3dbfaf96b67f4f23691a09ec91ca9f0a80ecd
SHA256: 95654a90eeb9b9712805e9f2e9f962e1858b3d79c173a68f7a61d6644d84485f
SHA512: 7f695a05bf0b2df7372c82dfee4c374b07ae0d229d9a1ff801dd1beaa0e6b386bf78344a4e08f36283ec8593feb67cf1ccfdfce9c51ae443efc7e5be99d674f3

Filesize: 1KB
MD5: 47036aa9095be20917c49f0887894ce0
SHA1: 429911a28488ea5fa60f367ff5a91e4871d4569a
SHA256: d48b4c969f2cd992a0b2722dedd90b721fa3388dd9d0443e75e811bffa689bce
SHA512: 46b39b6010762a6fa20a7a9a7f8683d3f8e761ebde68688d3e073e8d3bad8ffdf98bd3bb56f8142abf139ffb73afd31e7d6d17f41816d866caaef0c480af9add

Filesize: 96KB
MD5: 74a1e9547eb8c42e9ca482c5c8bdd261
SHA1: c56c60e84b4ef45065289636cfdfab21654acdb3
SHA256: f4ac8ead1ff2f95c2b50405531d433d7af912b8f848095d3cb00401576ee90fb
SHA512: ae90627a5f1485383b6de178aea4b36f9e44891d78fe5a274d1632727dd71906061323725a7c3c106b039cb65e10ea7e9c7d277ce35fb0ac6458fdc3e346ecb9

Filesize: 272KB
MD5: 7ddee7ec4bd22ba0b43bc4105e5b7901
SHA1: 9fb11a97faff55730d5f838db2bfd5dbcce9f0b6
SHA256: e765624ac2a2e40e95befcf847804345e74d3a35872f279c5d86f6a0dc51071f
SHA512: c1307d2851949d8809a71f3255cabfb18c2b9e5a41633bf09192ccf778026f894e0b6564502763bac440b1442e2b6fcff90e8b0090b9503290bd140875ea62fc

Filesize: 180KB
MD5: 8c0fd1dcc026218cb7970f99d6cb95fc
SHA1: 428766b095c739c10c77d779e2d1507a67318ac3
SHA256: e2a1b68d28984c4e3fe0b7f9a9107fd7a5acd27b9f1d7eb906183e08a1fe7d73
SHA512: 06ca765d17f9b005328bef78d6735ef886598bc9a37c09bb5ed85988695b7c5bcc9c5408655def0de4a432a879dec1617a59c45cc51ad25d743903e10564e6e2

Filesize: 180KB
MD5: 7401ba7763fe55ddc93dd8bac9ec9879
SHA1: 0dcdcf981aa98b878e311626478bf71545051ecd
SHA256: 4cba3615f537b6273a7fa8be2f96942b27dc858fa1cd217f8db1ab1a5ffb21ab
SHA512: 57b744717249d6e97b90a09c2a5e5636df6ebc0f6c1a48fac27ce536391b3bc31b1554e1ac252aa26d40f15b7f039d6c9b25df782db0ab55155284fc9d601d8c