darkcomet | 768fda903d3dbfff95d02026b7b04be4f33c700abfee7232ce36111a7b4e1f94

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/01/2025, 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Size

734KB
MD5

112d6c58e5ce7056787fe6adfe4ea0f1
SHA1

cfe1085a466387243eb4b4f6b459b343792b8d56
SHA256

768fda903d3dbfff95d02026b7b04be4f33c700abfee7232ce36111a7b4e1f94
SHA512

a11bde670c1179d59cd318f2511b57b58a02dd6183057238ab449759ab70560e25c3b524633d15eaf785e91942ac1658aa47c4606cb8fdbec8ece7e54037fc25
SSDEEP

12288:DpwABK90BOe/x9lPAYvxPQVjdsAY2XjWlnlpTMMXG91uhKIXn/:FwAcu99lPzvxP+Bsz2XjWTRMQckkIXn

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 24 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Checks BIOS information in registry 2 TTPs 24 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	winupdate.exe

Checks computer location settings 2 TTPs 24 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	winupdate.exe

Executes dropped EXE 23 IoCs

pid	Process
3168	winupdate.exe
4488	winupdate.exe
1688	winupdate.exe
1384	winupdate.exe
2728	winupdate.exe
1500	winupdate.exe
1408	winupdate.exe
3896	winupdate.exe
2376	winupdate.exe
4060	winupdate.exe
3816	winupdate.exe
3100	winupdate.exe
3216	winupdate.exe
4344	winupdate.exe
3408	winupdate.exe
4352	winupdate.exe
3748	winupdate.exe
3836	winupdate.exe
5036	winupdate.exe
4992	winupdate.exe
3380	winupdate.exe
2332	winupdate.exe
2660	winupdate.exe

Adds Run key to start application 2 TTPs 24 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ping.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 24 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2644	ping.exe
3200	ping.exe
2280	ping.exe
4580	ping.exe
1008	ping.exe
3792	ping.exe
1320	ping.exe
2092	ping.exe
3444	ping.exe
2808	ping.exe
3112	ping.exe
2696	ping.exe
4376	ping.exe
1876	ping.exe
2244	ping.exe
1900	ping.exe
3996	ping.exe
1340	ping.exe
4896	ping.exe
5008	ping.exe
3784	ping.exe
3040	ping.exe
1776	ping.exe
4004	ping.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	winupdate.exe

Enumerates system info in registry 2 TTPs 24 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	winupdate.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe

Runs ping.exe 1 TTPs 24 IoCs

Remote System Discovery

T1018

pid	Process
2696	ping.exe
3996	ping.exe
4896	ping.exe
1776	ping.exe
3112	ping.exe
2280	ping.exe
1320	ping.exe
3784	ping.exe
3444	ping.exe
3040	ping.exe
1340	ping.exe
2644	ping.exe
4376	ping.exe
5008	ping.exe
4580	ping.exe
2244	ping.exe
3792	ping.exe
2092	ping.exe
3200	ping.exe
4004	ping.exe
1876	ping.exe
1008	ping.exe
1900	ping.exe
2808	ping.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeSecurityPrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeTakeOwnershipPrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeLoadDriverPrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeSystemProfilePrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeSystemtimePrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeProfSingleProcessPrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeIncBasePriorityPrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeCreatePagefilePrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeBackupPrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeRestorePrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeShutdownPrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeDebugPrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeSystemEnvironmentPrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeChangeNotifyPrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeRemoteShutdownPrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeUndockPrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeManageVolumePrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeImpersonatePrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeCreateGlobalPrivilege	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: 33	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: 34	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: 35	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: 36	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
Token: SeIncreaseQuotaPrivilege	3168	winupdate.exe
Token: SeSecurityPrivilege	3168	winupdate.exe
Token: SeTakeOwnershipPrivilege	3168	winupdate.exe
Token: SeLoadDriverPrivilege	3168	winupdate.exe
Token: SeSystemProfilePrivilege	3168	winupdate.exe
Token: SeSystemtimePrivilege	3168	winupdate.exe
Token: SeProfSingleProcessPrivilege	3168	winupdate.exe
Token: SeIncBasePriorityPrivilege	3168	winupdate.exe
Token: SeCreatePagefilePrivilege	3168	winupdate.exe
Token: SeBackupPrivilege	3168	winupdate.exe
Token: SeRestorePrivilege	3168	winupdate.exe
Token: SeShutdownPrivilege	3168	winupdate.exe
Token: SeDebugPrivilege	3168	winupdate.exe
Token: SeSystemEnvironmentPrivilege	3168	winupdate.exe
Token: SeChangeNotifyPrivilege	3168	winupdate.exe
Token: SeRemoteShutdownPrivilege	3168	winupdate.exe
Token: SeUndockPrivilege	3168	winupdate.exe
Token: SeManageVolumePrivilege	3168	winupdate.exe
Token: SeImpersonatePrivilege	3168	winupdate.exe
Token: SeCreateGlobalPrivilege	3168	winupdate.exe
Token: 33	3168	winupdate.exe
Token: 34	3168	winupdate.exe
Token: 35	3168	winupdate.exe
Token: 36	3168	winupdate.exe
Token: SeIncreaseQuotaPrivilege	4488	winupdate.exe
Token: SeSecurityPrivilege	4488	winupdate.exe
Token: SeTakeOwnershipPrivilege	4488	winupdate.exe
Token: SeLoadDriverPrivilege	4488	winupdate.exe
Token: SeSystemProfilePrivilege	4488	winupdate.exe
Token: SeSystemtimePrivilege	4488	winupdate.exe
Token: SeProfSingleProcessPrivilege	4488	winupdate.exe
Token: SeIncBasePriorityPrivilege	4488	winupdate.exe
Token: SeCreatePagefilePrivilege	4488	winupdate.exe
Token: SeBackupPrivilege	4488	winupdate.exe
Token: SeRestorePrivilege	4488	winupdate.exe
Token: SeShutdownPrivilege	4488	winupdate.exe
Token: SeDebugPrivilege	4488	winupdate.exe
Token: SeSystemEnvironmentPrivilege	4488	winupdate.exe
Token: SeChangeNotifyPrivilege	4488	winupdate.exe
Token: SeRemoteShutdownPrivilege	4488	winupdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 1828	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe	91
PID 2376 wrote to memory of 1828	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe	91
PID 2376 wrote to memory of 1828	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe	91
PID 2376 wrote to memory of 3168	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe	92
PID 2376 wrote to memory of 3168	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe	92
PID 2376 wrote to memory of 3168	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe	92
PID 2376 wrote to memory of 2808	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe	93
PID 2376 wrote to memory of 2808	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe	93
PID 2376 wrote to memory of 2808	2376	JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe	93
PID 3168 wrote to memory of 4444	3168	winupdate.exe	101
PID 3168 wrote to memory of 4444	3168	winupdate.exe	101
PID 3168 wrote to memory of 4444	3168	winupdate.exe	101
PID 3168 wrote to memory of 4488	3168	winupdate.exe	102
PID 3168 wrote to memory of 4488	3168	winupdate.exe	102
PID 3168 wrote to memory of 4488	3168	winupdate.exe	102
PID 3168 wrote to memory of 1340	3168	winupdate.exe	103
PID 3168 wrote to memory of 1340	3168	winupdate.exe	103
PID 3168 wrote to memory of 1340	3168	winupdate.exe	103
PID 4488 wrote to memory of 1592	4488	winupdate.exe	105
PID 4488 wrote to memory of 1592	4488	winupdate.exe	105
PID 4488 wrote to memory of 1592	4488	winupdate.exe	105
PID 4488 wrote to memory of 1688	4488	winupdate.exe	106
PID 4488 wrote to memory of 1688	4488	winupdate.exe	106
PID 4488 wrote to memory of 1688	4488	winupdate.exe	106
PID 4488 wrote to memory of 2280	4488	winupdate.exe	107
PID 4488 wrote to memory of 2280	4488	winupdate.exe	107
PID 4488 wrote to memory of 2280	4488	winupdate.exe	107
PID 1688 wrote to memory of 4484	1688	winupdate.exe	109
PID 1688 wrote to memory of 4484	1688	winupdate.exe	109
PID 1688 wrote to memory of 4484	1688	winupdate.exe	109
PID 1688 wrote to memory of 1384	1688	winupdate.exe	110
PID 1688 wrote to memory of 1384	1688	winupdate.exe	110
PID 1688 wrote to memory of 1384	1688	winupdate.exe	110
PID 1688 wrote to memory of 3200	1688	winupdate.exe	111
PID 1688 wrote to memory of 3200	1688	winupdate.exe	111
PID 1688 wrote to memory of 3200	1688	winupdate.exe	111
PID 1384 wrote to memory of 5000	1384	winupdate.exe	115
PID 1384 wrote to memory of 5000	1384	winupdate.exe	115
PID 1384 wrote to memory of 5000	1384	winupdate.exe	115
PID 1384 wrote to memory of 2728	1384	winupdate.exe	116
PID 1384 wrote to memory of 2728	1384	winupdate.exe	116
PID 1384 wrote to memory of 2728	1384	winupdate.exe	116
PID 1384 wrote to memory of 2644	1384	winupdate.exe	118
PID 1384 wrote to memory of 2644	1384	winupdate.exe	118
PID 1384 wrote to memory of 2644	1384	winupdate.exe	118
PID 2728 wrote to memory of 4036	2728	winupdate.exe	120
PID 2728 wrote to memory of 4036	2728	winupdate.exe	120
PID 2728 wrote to memory of 4036	2728	winupdate.exe	120
PID 2728 wrote to memory of 1500	2728	winupdate.exe	121
PID 2728 wrote to memory of 1500	2728	winupdate.exe	121
PID 2728 wrote to memory of 1500	2728	winupdate.exe	121
PID 2728 wrote to memory of 3112	2728	winupdate.exe	122
PID 2728 wrote to memory of 3112	2728	winupdate.exe	122
PID 2728 wrote to memory of 3112	2728	winupdate.exe	122
PID 1500 wrote to memory of 376	1500	winupdate.exe	124
PID 1500 wrote to memory of 376	1500	winupdate.exe	124
PID 1500 wrote to memory of 376	1500	winupdate.exe	124
PID 1500 wrote to memory of 1408	1500	winupdate.exe	125
PID 1500 wrote to memory of 1408	1500	winupdate.exe	125
PID 1500 wrote to memory of 1408	1500	winupdate.exe	125
PID 1500 wrote to memory of 2696	1500	winupdate.exe	126
PID 1500 wrote to memory of 2696	1500	winupdate.exe	126
PID 1500 wrote to memory of 2696	1500	winupdate.exe	126
PID 1408 wrote to memory of 2668	1408	winupdate.exe	128

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe"
1⤵
- Modifies WinLogon for persistence
- Checks BIOS information in registry
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  PID:1828
- C:\Windows\SysWOW64\Windupdt\winupdate.exe
  "C:\Windows\system32\Windupdt\winupdate.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\SysWOW64\explorer.exe"
    3⤵
    PID:4444
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks BIOS information in registry
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      4⤵
      PID:1592
  - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
      "C:\Windows\system32\Windupdt\winupdate.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks BIOS information in registry
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Enumerates system info in registry
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1688
    - - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        5⤵
        
        PID:4484
    - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        5⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1384
      - C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        6⤵
        
        PID:5000
      - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        6⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        7⤵
        
        PID:4036
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        7⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        8⤵
        
        PID:376
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        8⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        9⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        9⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3896
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        10⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        10⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        11⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        11⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4060
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        12⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        12⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        13⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        13⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3100
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        14⤵
        
        PID:3904
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        14⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3216
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        15⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        15⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4344
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        16⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        16⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        17⤵
        
        PID:3492
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        17⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        18⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        18⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3748
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        19⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        19⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Enumerates system info in registry
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        20⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        20⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        21⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        21⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:4992
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        22⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        22⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        23⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        23⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:2332
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        24⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        24⤵
        Modifies WinLogon for persistence
        Checks BIOS information in registry
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Enumerates system info in registry
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\explorer.exe
        
        "C:\Windows\SysWOW64\explorer.exe"
        25⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        25⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1776
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        24⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3040
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        23⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3444
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        22⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4896
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        21⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2092
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        20⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3784
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        19⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3996
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        18⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1320
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        17⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3792
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        16⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1900
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        15⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2244
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        14⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1008
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        13⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4580
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        12⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5008
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        11⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1876
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        10⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4004
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        9⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4376
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        8⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2696
        
        C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        7⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3112
      - C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        6⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2644
    - - C:\Windows\SysWOW64\ping.exe
        
        ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3200
  - - C:\Windows\SysWOW64\ping.exe
      ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2280
- - C:\Windows\SysWOW64\ping.exe
    ping 127.0.0.1 -n 5 > NUL del "C:\Windows\SysWOW64\Windupdt\winupdate.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1340
- C:\Windows\SysWOW64\ping.exe
  ping 127.0.0.1 -n 5 > NUL del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_112d6c58e5ce7056787fe6adfe4ea0f1.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
734KB

MD5
112d6c58e5ce7056787fe6adfe4ea0f1

SHA1
cfe1085a466387243eb4b4f6b459b343792b8d56

SHA256
768fda903d3dbfff95d02026b7b04be4f33c700abfee7232ce36111a7b4e1f94

SHA512
a11bde670c1179d59cd318f2511b57b58a02dd6183057238ab449759ab70560e25c3b524633d15eaf785e91942ac1658aa47c4606cb8fdbec8ece7e54037fc25

Download Submit
memory/1384-44-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1408-50-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1500-48-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/1688-42-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2332-81-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2376-54-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2376-0-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2376-35-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/2728-46-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3100-60-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3168-36-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3168-38-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3216-63-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3380-79-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3408-67-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3748-71-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3816-58-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3836-73-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/3896-52-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4060-56-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4344-65-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4352-69-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4488-40-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/4992-77-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download
memory/5036-75-0x0000000000400000-0x00000000004C8000-memory.dmp

Filesize
800KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads