Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
26-01-2025 08:47
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
JaffaCakes118_340edd46a331163994c64146f59d8752.dll
Resource
win7-20240708-en
windows7-x64
22 signatures
150 seconds
General
-
Target
JaffaCakes118_340edd46a331163994c64146f59d8752.dll
-
Size
920KB
-
MD5
340edd46a331163994c64146f59d8752
-
SHA1
b8963ded28097ccabbe8b0f4ed83102df4da9ba4
-
SHA256
36a8cefa27a0ac685b5a28e9e47b3d46c17b9c394e3005e8695e5d2fb2e832ff
-
SHA512
d002e1182687285967734102de834ee8a82c67be61c56086f0ce634aa080f3dd3ca53a01d411f58f7caa389500f0efc9ed99945606853f6a3e3ca80a0c9fff97
-
SSDEEP
24576:ddtvig4EWCLljkwVABNzleCOEpnDtm6oC2yjrBzj+J0dE4:dd5ig4PCLljkwVABNzl3OEpxm6PZjFzj
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,c:\\program files (x86)\\microsoft\\watermark.exe" svchost.exe -
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" regsvr32mgr.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" regsvr32mgr.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" regsvr32mgr.exe -
Ramnit family
-
Sality family
-
UAC bypass 3 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" regsvr32mgr.exe -
Windows security bypass 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" regsvr32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" regsvr32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" regsvr32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" regsvr32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" regsvr32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" regsvr32mgr.exe -
Executes dropped EXE 2 IoCs
pid Process 2108 regsvr32mgr.exe 2772 WaterMark.exe -
Loads dropped DLL 4 IoCs
pid Process 1708 regsvr32.exe 1708 regsvr32.exe 2108 regsvr32mgr.exe 2108 regsvr32mgr.exe -
Windows security modification 2 TTPs 7 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" regsvr32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" regsvr32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" regsvr32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" regsvr32mgr.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc regsvr32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" regsvr32mgr.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" regsvr32mgr.exe -
Checks whether UAC is enabled 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" regsvr32mgr.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\regsvr32mgr.exe regsvr32.exe File created C:\Windows\SysWOW64\dmlconf.dat svchost.exe File opened for modification C:\Windows\SysWOW64\dmlconf.dat svchost.exe -
resource yara_rule behavioral1/memory/2108-15-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2108-17-0x00000000029F0000-0x0000000003A7E000-memory.dmp upx behavioral1/memory/2108-14-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2108-23-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2108-22-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2108-20-0x00000000029F0000-0x0000000003A7E000-memory.dmp upx behavioral1/memory/2108-25-0x00000000029F0000-0x0000000003A7E000-memory.dmp upx behavioral1/memory/2108-13-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2108-19-0x00000000029F0000-0x0000000003A7E000-memory.dmp upx behavioral1/memory/2108-12-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2108-21-0x00000000029F0000-0x0000000003A7E000-memory.dmp upx behavioral1/memory/2108-11-0x00000000029F0000-0x0000000003A7E000-memory.dmp upx behavioral1/memory/2108-29-0x00000000029F0000-0x0000000003A7E000-memory.dmp upx behavioral1/memory/2108-30-0x00000000029F0000-0x0000000003A7E000-memory.dmp upx behavioral1/memory/2108-53-0x00000000029F0000-0x0000000003A7E000-memory.dmp upx behavioral1/memory/2772-73-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2108-31-0x00000000029F0000-0x0000000003A7E000-memory.dmp upx behavioral1/memory/2108-27-0x0000000000400000-0x0000000000421000-memory.dmp upx behavioral1/memory/2108-26-0x00000000029F0000-0x0000000003A7E000-memory.dmp upx behavioral1/memory/2772-653-0x0000000000400000-0x0000000000421000-memory.dmp upx -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.IdentityModel.Selectors.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\System.Workflow.Activities.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\System.Web.Entity.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\Microsoft.Build.Conversion.v3.5.resources.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\settings.html svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\flyout.html svchost.exe File opened for modification C:\Program Files\Common Files\Microsoft Shared\VSTO\vstoee.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\Microsoft.Ink.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\ahclient.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\epl-v10.html svchost.exe File opened for modification C:\Program Files\Microsoft Games\Chess\Chess.exe svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\System.Printing.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\demux\libdiracsys_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\clock.html svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javafx-font.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.WorkflowServices.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\mux\libmux_wav_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows Photo Viewer\ImagingEngine.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACEREP.DLL svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\ACETXT.DLL svchost.exe File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_wer.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\shvlzm.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libsatip_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\msvcr100.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\deploy.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\verify.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\IA2Marshal.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegaudio_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libvhs_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\mshwjpn.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\D3DCompiler_47.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\Microsoft.Build.Engine.resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwasapi_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libvpx_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\gui\libskins2_plugin.dll svchost.exe File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libblend_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libwgl_plugin.dll svchost.exe File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeXMP.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\profilerinterface.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\System.ServiceModel.Resources.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\System.ServiceModel.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\libfluidsynth_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\libstats_plugin.dll svchost.exe File opened for modification C:\Program Files\Windows NT\Accessories\WordpadFilter.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\iedvtool.dll svchost.exe File opened for modification C:\Program Files\Microsoft Games\Mahjong\Mahjong.dll svchost.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\System.Data.DataSetExtensions.Resources.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access\libidummy_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\epl-v10.html svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\mlib_image.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudio_format_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\liblogger_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libtdummy_plugin.dll svchost.exe File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\olh.htm svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d9_plugin.dll svchost.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\libdeinterlace_plugin.dll svchost.exe File opened for modification C:\Program Files\Common Files\System\msadc\msadcor.dll svchost.exe File opened for modification C:\Program Files\Internet Explorer\F12Resources.dll svchost.exe File opened for modification C:\Program Files\Java\jre7\bin\jdwp.dll svchost.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI regsvr32mgr.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32mgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WaterMark.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe -
Suspicious behavior: EnumeratesProcesses 38 IoCs
pid Process 2108 regsvr32mgr.exe 2772 WaterMark.exe 2772 WaterMark.exe 2772 WaterMark.exe 2772 WaterMark.exe 2772 WaterMark.exe 2772 WaterMark.exe 2772 WaterMark.exe 2772 WaterMark.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe 1072 svchost.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
description pid Process Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2108 regsvr32mgr.exe Token: SeDebugPrivilege 2772 WaterMark.exe Token: SeDebugPrivilege 1072 svchost.exe Token: SeDebugPrivilege 2772 WaterMark.exe -
Suspicious use of UnmapMainImage 2 IoCs
pid Process 2108 regsvr32mgr.exe 2772 WaterMark.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2092 wrote to memory of 1708 2092 regsvr32.exe 30 PID 2092 wrote to memory of 1708 2092 regsvr32.exe 30 PID 2092 wrote to memory of 1708 2092 regsvr32.exe 30 PID 2092 wrote to memory of 1708 2092 regsvr32.exe 30 PID 2092 wrote to memory of 1708 2092 regsvr32.exe 30 PID 2092 wrote to memory of 1708 2092 regsvr32.exe 30 PID 2092 wrote to memory of 1708 2092 regsvr32.exe 30 PID 1708 wrote to memory of 2108 1708 regsvr32.exe 31 PID 1708 wrote to memory of 2108 1708 regsvr32.exe 31 PID 1708 wrote to memory of 2108 1708 regsvr32.exe 31 PID 1708 wrote to memory of 2108 1708 regsvr32.exe 31 PID 2108 wrote to memory of 1128 2108 regsvr32mgr.exe 19 PID 2108 wrote to memory of 1180 2108 regsvr32mgr.exe 20 PID 2108 wrote to memory of 1216 2108 regsvr32mgr.exe 21 PID 2108 wrote to memory of 1764 2108 regsvr32mgr.exe 23 PID 2108 wrote to memory of 2772 2108 regsvr32mgr.exe 32 PID 2108 wrote to memory of 2772 2108 regsvr32mgr.exe 32 PID 2108 wrote to memory of 2772 2108 regsvr32mgr.exe 32 PID 2108 wrote to memory of 2772 2108 regsvr32mgr.exe 32 PID 2772 wrote to memory of 1620 2772 WaterMark.exe 33 PID 2772 wrote to memory of 1620 2772 WaterMark.exe 33 PID 2772 wrote to memory of 1620 2772 WaterMark.exe 33 PID 2772 wrote to memory of 1620 2772 WaterMark.exe 33 PID 2772 wrote to memory of 1620 2772 WaterMark.exe 33 PID 2772 wrote to memory of 1620 2772 WaterMark.exe 33 PID 2772 wrote to memory of 1620 2772 WaterMark.exe 33 PID 2772 wrote to memory of 1620 2772 WaterMark.exe 33 PID 2772 wrote to memory of 1620 2772 WaterMark.exe 33 PID 2772 wrote to memory of 1620 2772 WaterMark.exe 33 PID 2772 wrote to memory of 1072 2772 WaterMark.exe 34 PID 2772 wrote to memory of 1072 2772 WaterMark.exe 34 PID 2772 wrote to memory of 1072 2772 WaterMark.exe 34 PID 2772 wrote to memory of 1072 2772 WaterMark.exe 34 PID 2772 wrote to memory of 1072 2772 WaterMark.exe 34 PID 2772 wrote to memory of 1072 2772 WaterMark.exe 34 PID 2772 wrote to memory of 1072 2772 WaterMark.exe 34 PID 2772 wrote to memory of 1072 2772 WaterMark.exe 34 PID 2772 wrote to memory of 1072 2772 WaterMark.exe 34 PID 2772 wrote to memory of 1072 2772 WaterMark.exe 34 PID 1072 wrote to memory of 256 1072 svchost.exe 1 PID 1072 wrote to memory of 256 1072 svchost.exe 1 PID 1072 wrote to memory of 256 1072 svchost.exe 1 PID 1072 wrote to memory of 256 1072 svchost.exe 1 PID 1072 wrote to memory of 256 1072 svchost.exe 1 PID 1072 wrote to memory of 336 1072 svchost.exe 2 PID 1072 wrote to memory of 336 1072 svchost.exe 2 PID 1072 wrote to memory of 336 1072 svchost.exe 2 PID 1072 wrote to memory of 336 1072 svchost.exe 2 PID 1072 wrote to memory of 336 1072 svchost.exe 2 PID 1072 wrote to memory of 384 1072 svchost.exe 3 PID 1072 wrote to memory of 384 1072 svchost.exe 3 PID 1072 wrote to memory of 384 1072 svchost.exe 3 PID 1072 wrote to memory of 384 1072 svchost.exe 3 PID 1072 wrote to memory of 384 1072 svchost.exe 3 PID 1072 wrote to memory of 392 1072 svchost.exe 4 PID 1072 wrote to memory of 392 1072 svchost.exe 4 PID 1072 wrote to memory of 392 1072 svchost.exe 4 PID 1072 wrote to memory of 392 1072 svchost.exe 4 PID 1072 wrote to memory of 392 1072 svchost.exe 4 PID 1072 wrote to memory of 432 1072 svchost.exe 5 PID 1072 wrote to memory of 432 1072 svchost.exe 5 PID 1072 wrote to memory of 432 1072 svchost.exe 5 PID 1072 wrote to memory of 432 1072 svchost.exe 5 PID 1072 wrote to memory of 432 1072 svchost.exe 5 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" regsvr32mgr.exe
Processes
-
C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe1⤵PID:256
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:336
-
C:\Windows\system32\wininit.exewininit.exe1⤵PID:384
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe2⤵PID:476
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch3⤵PID:616
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}4⤵PID:1764
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe4⤵PID:1828
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS3⤵PID:696
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted3⤵PID:768
-
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted3⤵PID:832
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"4⤵PID:1180
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs3⤵PID:868
-
C:\Windows\system32\wbem\WMIADAP.EXEwmiadap.exe /F /T /R4⤵PID:1700
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService3⤵PID:980
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService3⤵PID:292
-
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe3⤵PID:1012
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork3⤵PID:1080
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"3⤵PID:1128
-
-
C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"3⤵PID:1064
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation3⤵PID:1724
-
-
C:\Windows\system32\sppsvc.exeC:\Windows\system32\sppsvc.exe3⤵PID:2300
-
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe2⤵PID:492
-
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe2⤵PID:500
-
-
C:\Windows\system32\csrss.exe%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=161⤵PID:392
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:432
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1216
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_340edd46a331163994c64146f59d8752.dll2⤵
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_340edd46a331163994c64146f59d8752.dll3⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\regsvr32mgr.exeC:\Windows\SysWOW64\regsvr32mgr.exe4⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2108 -
C:\Program Files (x86)\Microsoft\WaterMark.exe"C:\Program Files (x86)\Microsoft\WaterMark.exe"5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- Modifies WinLogon for persistence
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:1620
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\system32\svchost.exe6⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html
Filesize366KB
MD5c3a88cc8dd47b80909e65df1aef2ac1a
SHA1413803cdd33f81046e29bcdecccb1608541cc954
SHA2564aec535eaf6a812e4f838ec697b6ee8aaec67ed1fcbba0474505a24464c9f9a1
SHA512af0602aa21c9d36be7cd6ae1131cc4d5fbbccc15193011175ef3be1fc1fdbba086465b4c7b2b249bf1be984cccfa76232e673ae100d9aaa4bf54d6aea73ff3d6
-
C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html
Filesize362KB
MD59fed0b5583d05ab2d34d67d2f0354223
SHA1c0cef1866063ffe60e0f5339dbeea47fb0d79ed3
SHA2567c4363a0b0dbf71d39957950d8ff36cb7037e673d26f3f1a65c78201df297d09
SHA5122bb0d604fd80f3c4a81e8c88731bc693f6a0adab31ce07d9328da77e9028ec7eb0ead3e48229f5f926bc0a9b9e55c32f2bfa5d1e262bda7b34c6f268f663c3db
-
Filesize
176KB
MD5e84af6679afa662650008962b89ced75
SHA1e88441cfbb29d4823ae5daa800e28edb5b47b295
SHA2561ccef926014568be9bc602b2d56217590590b44167c31507d851b71b89905dfb
SHA5122ebef0ddb954e9faf4d8c7bf29f5011794b50b54e8c413d18c4b3ebb6b211f5e81533a791d87c54c1bb587af68cce43586b9073bb270a2bc8b015bf0248f9302