Analysis
max time kernel: 149s
max time network: 104s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64 arch:x86 image:win7-20241010-en locale:en-us os:windows7-x64 system
submitted: 24-01-2025 17:31
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_23c963ff57132a7f600379b2a417e775.exe
Resource: win7-20241010-en
Behavioral task: behavioral2
Sample: JaffaCakes118_23c963ff57132a7f600379b2a417e775.exe
Resource: win10v2004-20241007-en
General
Target: JaffaCakes118_23c963ff57132a7f600379b2a417e775.exe
Size: 512KB
MD5: 23c963ff57132a7f600379b2a417e775
SHA1: 29f7b090f08f693e2840fdad3a4da9a68ec9f2ff
SHA256: 9658fc02da663b3011bb34dae7a1d6b5de5849eaeab93c0c6bd9e9814426f197
SHA512: 36f6af3dbb9c8c4407bdd8a7fbc3429c98f6b28b579ce672cca0d5476d4de8957daa3699f73774641428feef3834b4df2241d887ffa155b978bb7e327e984dc1
SSDEEP: 12288:kNge6O1X/GkpN4hpCHvmc+5zR2JqaAwUKPF2mqhScG:+96SPGm4b06aqpwl2mqIc
Malware Config
Signatures
Cycbot family
Detects Cycbot payload 6 IoCs
Cycbot is a backdoor and trojan written in C++.
resource | yara_rule
behavioral1/memory/2872-111-0x0000000000400000-0x000000000046A000-memory.dmp | family_cycbot
behavioral1/memory/548-123-0x0000000000400000-0x000000000046A000-memory.dmp | family_cycbot
behavioral1/memory/2872-127-0x0000000000400000-0x000000000046A000-memory.dmp | family_cycbot
behavioral1/memory/3028-245-0x0000000000400000-0x000000000046A000-memory.dmp | family_cycbot
behavioral1/memory/2872-295-0x0000000000400000-0x000000000046A000-memory.dmp | family_cycbot
behavioral1/memory/2872-426-0x0000000000400000-0x000000000046A000-memory.dmp | family_cycbot
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "3" | 3nob.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | vrSlJ6C3.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | bzveah.exe
Pony family
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Disables taskbar notifications via registry modification
Deletes itself 1 IoCs
pid | Process
1644 | cmd.exe
Executes dropped EXE 12 IoCs
pid | Process
1856 | vrSlJ6C3.exe
2932 | bzveah.exe
2864 | 2nob.exe
2876 | 2nob.exe
3044 | 2nob.exe
2712 | 2nob.exe
2728 | 2nob.exe
2648 | 2nob.exe
2872 | 3nob.exe
548 | 3nob.exe
3028 | 3nob.exe
2560 | F5A5.tmp
Loads dropped DLL 10 IoCs
pid | Process
2052 | JaffaCakes118_23c963ff57132a7f600379b2a417e775.exe
2052 | JaffaCakes118_23c963ff57132a7f600379b2a417e775.exe
1856 | vrSlJ6C3.exe
1856 | vrSlJ6C3.exe
2052 | JaffaCakes118_23c963ff57132a7f600379b2a417e775.exe
2052 | JaffaCakes118_23c963ff57132a7f600379b2a417e775.exe
2052 | JaffaCakes118_23c963ff57132a7f600379b2a417e775.exe
2052 | JaffaCakes118_23c963ff57132a7f600379b2a417e775.exe
2872 | 3nob.exe
2872 | 3nob.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials, etc.
Unsecured Credentials: Credentials In Files 1 TTPs
Steals credentials from unsecured files.
Adds Run key to start application 2 TTPs 54 IoCs
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | 2nob.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | 2nob.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs
pid | Process
2652 | tasklist.exe
2376 | tasklist.exe
Suspicious use of SetThreadContext 5 IoCs
description | pid | Process | procid_target
PID 2864 set thread context of 2876 | 2864 | 2nob.exe | 32
PID 2864 set thread context of 3044 | 2864 | 2nob.exe | 33
PID 2864 set thread context of 2712 | 2864 | 2nob.exe | 34
PID 2864 set thread context of 2728 | 2864 | 2nob.exe | 35
PID 2864 set thread context of 2648 | 2864 | 2nob.exe | 36
Drops file in Program Files directory 3 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\LP\053B\73C.exe | 3nob.exe
File opened for modification | C:\Program Files (x86)\LP\053B\F5A5.tmp | 3nob.exe
File opened for modification | C:\Program Files (x86)\LP\053B\73C.exe | 3nob.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 15 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2nob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2nob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bzveah.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3nob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_23c963ff57132a7f600379b2a417e775.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2nob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | vrSlJ6C3.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tasklist.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3nob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 3nob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | F5A5.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2nob.exe
Modifies registry class 5 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
1472 | explorer.exe
Suspicious use of AdjustPrivilegeToken 21 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2652 | tasklist.exe
Token: SeRestorePrivilege | 1212 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1212 | msiexec.exe
Token: SeSecurityPrivilege | 1212 | msiexec.exe
Token: SeDebugPrivilege | 2376 | tasklist.exe
Token: SeShutdownPrivilege | 1472 | explorer.exe
Token: SeShutdownPrivilege | 1472 | explorer.exe
Token: SeShutdownPrivilege | 1472 | explorer.exe
Token: SeShutdownPrivilege | 1472 | explorer.exe
Token: SeShutdownPrivilege | 1472 | explorer.exe
Token: SeShutdownPrivilege | 1472 | explorer.exe
Token: SeShutdownPrivilege | 1472 | explorer.exe
Token: SeShutdownPrivilege | 1472 | explorer.exe
Token: SeShutdownPrivilege | 1472 | explorer.exe
Token: SeShutdownPrivilege | 1472 | explorer.exe
Token: 33 | 2176 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2176 | AUDIODG.EXE
Token: 33 | 2176 | AUDIODG.EXE
Token: SeIncBasePriorityPrivilege | 2176 | AUDIODG.EXE
Token: SeShutdownPrivilege | 1472 | explorer.exe
Token: SeShutdownPrivilege | 1472 | explorer.exe
Suspicious use of FindShellTrayWindow 28 IoCs
Suspicious use of SendNotifyMessage 17 IoCs
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
2052 | JaffaCakes118_23c963ff57132a7f600379b2a417e775.exe
1856 | vrSlJ6C3.exe
2932 | bzveah.exe
2864 | 2nob.exe
2728 | 2nob.exe
2648 | 2nob.exe
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | 3nob.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | 3nob.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23c963ff57132a7f600379b2a417e775.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23c963ff57132a7f600379b2a417e775.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 2052
  C:\Users\Admin\vrSlJ6C3.exe (level 2)
    Command line: C:\Users\Admin\vrSlJ6C3.exe
    - Modifies visibility of hidden/system files in Explorer
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1856
    C:\Users\Admin\bzveah.exe (level 3)
      Command line: "C:\Users\Admin\bzveah.exe"
      - Modifies visibility of hidden/system files in Explorer
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      PID: 2932
    C:\Windows\SysWOW64\cmd.exe (level 3)
      Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del vrSlJ6C3.exe
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3000
      C:\Windows\SysWOW64\tasklist.exe (level 4)
        Command line: tasklist
        - Enumerates processes with tasklist
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 2652
  C:\Users\Admin\2nob.exe (level 2)
    Command line: C:\Users\Admin\2nob.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2864
    C:\Users\Admin\2nob.exe (level 3)
      Command line: "C:\Users\Admin\2nob.exe"
      - Executes dropped EXE
      PID: 2876
    C:\Users\Admin\2nob.exe (level 3)
      Command line: "C:\Users\Admin\2nob.exe"
      - Executes dropped EXE
      - Maps connected drives based on registry
      - Suspicious behavior: EnumeratesProcesses
      PID: 3044
    C:\Users\Admin\2nob.exe (level 3)
      Command line: "C:\Users\Admin\2nob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2712
    C:\Users\Admin\2nob.exe (level 3)
      Command line: "C:\Users\Admin\2nob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2728
    C:\Users\Admin\2nob.exe (level 3)
      Command line: "C:\Users\Admin\2nob.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
      PID: 2648
  C:\Users\Admin\3nob.exe (level 2)
    Command line: C:\Users\Admin\3nob.exe
    - Modifies security service
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - System policy modification
    PID: 2872
    C:\Users\Admin\3nob.exe (level 3)
      Command line: C:\Users\Admin\3nob.exe startC:\Users\Admin\AppData\Roaming\B646E\15105.exe%C:\Users\Admin\AppData\Roaming\B646E
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 548
    C:\Users\Admin\3nob.exe (level 3)
      Command line: C:\Users\Admin\3nob.exe startC:\Program Files (x86)\6E201\lvvm.exe%C:\Program Files (x86)\6E201
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 3028
    C:\Program Files (x86)\LP\053B\F5A5.tmp (level 3)
      Command line: "C:\Program Files (x86)\LP\053B\F5A5.tmp"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID: 2560
  C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_23c963ff57132a7f600379b2a417e775.exe
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID: 1644
    C:\Windows\SysWOW64\tasklist.exe (level 3)
      Command line: tasklist
      - Enumerates processes with tasklist
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      PID: 2376
C:\Windows\system32\msiexec.exe (level 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Suspicious use of AdjustPrivilegeToken
  PID: 1212
C:\Windows\explorer.exe (level 1)
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 1472
C:\Windows\system32\AUDIODG.EXE (level 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x55c
  - Suspicious use of AdjustPrivilegeToken
  PID: 2176
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution 2
Active Setup 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Privilege Escalation
Boot or Logon Autostart Execution 2
Active Setup 1
Registry Run Keys / Startup Folder 1
Create or Modify System Process 1
Windows Service 1
Defense Evasion
Hide Artifacts 1
Hidden Files and Directories 1
Modify Registry 5
Credential Access
Credentials from Password Stores 1
Credentials from Web Browsers 1
Unsecured Credentials 3
Credentials In Files 3
Downloads