Analysis
-
max time kernel
26s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system -
submitted
26-01-2025 16:21
Behavioral task
behavioral1
Sample
JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
-
Size
165KB
-
MD5
3733e6da82859409e65b7871f6cc08ed
-
SHA1
53a6482b4be7e4274fe7523618689a5daa9adc26
-
SHA256
46a75b3dadbc6f9cdccd2edd93c00e29f7982d0c1f5b4267d0a7032b913c4097
-
SHA512
3291c14487598f62421faa51156f3f584cf0fe7bfc80cbab37df95fd11b0b2d2ff05cd8ecddc7ed0c52bdfd23c6143c79df2eed3db5673bf3b3449bfde830ebc
-
SSDEEP
3072:sr85C8Oedj30QpoZ3RJRrmyuXod5rQIpRTXJ:k9QdjkQG5Vluer5
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Detect Neshta payload 3 IoCs
resource | yara_rule
behavioral2/files/0x000600000002023a-30.dat | family_neshta
behavioral2/memory/2360-130-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
behavioral2/memory/2360-158-0x0000000000400000-0x000000000041B000-memory.dmp | family_neshta
-
Modifies firewall policy service 3 TTPs 6 IoCs
Process (all rows): JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"
-
Neshta
Neshta is a file infector: it writes itself into other executables to spread (here, the EXEs under Program Files opened for modification) and hijacks the .exe file association so that its dropped C:\Windows\svchost.com runs every time a program is launched.
-
Neshta family
-
Sality family
-
UAC bypass 3 TTPs 2 IoCs
Process (all rows): JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Windows security bypass 2 TTPs 12 IoCs
Process (all rows): JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe -
Executes dropped EXE 1 IoCs
pid Process 4132 JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe -
Modifies system executable filetype association 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials.
-
Windows security modification 2 TTPs 14 IoCs
Process (all rows): JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
description | ioc
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
Process (all rows): JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
description | ioc
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
-
Enumerates connected drives 3 TTPs 6 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process (all rows): JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
description | ioc
File opened (read-only) | \??\G:
File opened (read-only) | \??\H:
File opened (read-only) | \??\I:
File opened (read-only) | \??\J:
File opened (read-only) | \??\K:
File opened (read-only) | \??\E:
-
UPX packed (yara rule: upx) 37 IoCs
resource | yara_rule
behavioral2/memory/4132-N-0x00000000022B0000-0x000000000333E000-memory.dmp, N in {12, 13, 14, 15, 20, 21, 26, 107, 111, 112, 113, 114, 115} | upx
behavioral2/memory/2360-N-0x0000000003C70000-0x0000000004CFE000-memory.dmp, N in {133, 134, 135, 136, 137, 138, 140, 141, 142, 143, 144, 145, 146, 147, 149, 150, 151, 153, 154, 156, 159, 162, 164, 217} | upx
-
Drops file in Program Files directory 64 IoCs
Process (all rows): JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
description (all rows): File opened for modification
ioc
C:\PROGRA~2\WINDOW~2\wab.exe
C:\PROGRA~2\WINDOW~4\setup_wm.exe
C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
C:\PROGRA~2\WINDOW~4\wmlaunch.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~2.EXE
C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE
C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MID1AD~1.EXE
C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE
C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE
C:\PROGRA~2\WINDOW~4\wmprph.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~4.EXE
C:\PROGRA~2\Google\Update\DISABL~1.EXE
C:\PROGRA~2\INTERN~1\ielowutil.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
C:\PROGRA~2\INTERN~1\ExtExport.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
C:\PROGRA~2\WINDOW~4\wmpconfig.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE
C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~1.EXE
C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE
C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
C:\PROGRA~2\INTERN~1\iexplore.exe
C:\PROGRA~2\WINDOW~4\wmplayer.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
C:\PROGRA~2\INTERN~1\ieinstal.exe
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE
C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE
C:\PROGRA~2\WINDOW~2\wabmig.exe
C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE
-
Drops file in Windows directory 2 IoCs
Process (all rows): JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
description | ioc
File opened for modification | C:\Windows\svchost.com
File opened for modification | C:\Windows\SYSTEM.INI
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
Process (all rows): JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
description | ioc
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
-
NSIS installer 2 IoCs
resource | yara_rule
behavioral2/files/0x000a000000023b88-4.dat | nsis_installer_1
behavioral2/files/0x000a000000023b88-4.dat | nsis_installer_2
-
Modifies registry class 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4132 | JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
4132 | JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
2360 | JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
2360 | JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
2360 | JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
2360 | JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4132 | JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe (64 identical rows)
-
Suspicious use of WriteProcessMemory 53 IoCs
Process (all rows): JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
writer PID -> target PID (procid_target) x occurrences
2360 -> 4132 (83) x3
4132 -> 780 (8) x1
4132 -> 788 (9) x1
4132 -> 1020 (13) x1
4132 -> 2544 (44) x1
4132 -> 2556 (45) x1
4132 -> 2724 (47) x1
4132 -> 3520 (56) x1
4132 -> 3660 (57) x1
4132 -> 3848 (58) x1
4132 -> 3940 (59) x1
4132 -> 4004 (60) x1
4132 -> 4092 (61) x1
4132 -> 4156 (62) x1
4132 -> 4348 (74) x1
4132 -> 3280 (76) x1
4132 -> 1216 (81) x1
4132 -> 2360 (82) x2
2360 -> 780 (8) x2
2360 -> 788 (9) x2
2360 -> 1020 (13) x2
2360 -> 2544 (44) x2
2360 -> 2556 (45) x2
2360 -> 2724 (47) x2
2360 -> 3520 (56) x2
2360 -> 3660 (57) x2
2360 -> 3848 (58) x2
2360 -> 3940 (59) x2
2360 -> 4004 (60) x2
2360 -> 4092 (61) x2
2360 -> 4156 (62) x2
2360 -> 4348 (74) x2
2360 -> 3280 (76) x2
2360 -> 1216 (81) x2
-
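The WriteProcessMemory rows above are the sandbox's record of which process wrote into which. Read together with the PIDs in the Processes section, they form a small graph: the sample (PID 2360) writes into the copy it drops under Temp\3582-490 (PID 4132), that copy writes back into 2360 and into every user-session process the tree shows (fontdrvhost, dwm, sihost, svchost, taskhostw, Explorer), and 2360 then repeats the same fan-out. The Python below is an added example, not part of this report or of the malware. It embeds a verbatim subset of the rows and the PID-to-image map taken from the Processes section, and marks target PIDs the visible process list does not name rather than guessing what they are.

```python
"""Correlate this report's WriteProcessMemory rows with its process tree."""
import re
from collections import defaultdict

# Subset of the report's 53 rows, copied verbatim:
# "PID <writer> wrote to memory of <target> <writer> <image> <procid_target>"
WPM_ROWS = """
PID 2360 wrote to memory of 4132 2360 JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe 83
PID 4132 wrote to memory of 780 4132 JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe 8
PID 4132 wrote to memory of 788 4132 JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe 9
PID 4132 wrote to memory of 1020 4132 JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe 13
PID 4132 wrote to memory of 2544 4132 JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe 44
PID 4132 wrote to memory of 2556 4132 JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe 45
PID 4132 wrote to memory of 2724 4132 JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe 47
PID 4132 wrote to memory of 3520 4132 JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe 56
PID 4132 wrote to memory of 3660 4132 JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe 57
PID 4132 wrote to memory of 2360 4132 JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe 82
PID 2360 wrote to memory of 780 2360 JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe 8
PID 2360 wrote to memory of 3520 2360 JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe 56
PID 2360 wrote to memory of 3520 2360 JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe 56
PID 2360 wrote to memory of 1216 2360 JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe 81
"""

# PID -> image, from the report's Processes tree. 4132 is the PID that the
# "Executes dropped EXE" signature attributes to the copy under Temp\3582-490.
PROCESS_NAMES = {
    780: r"C:\Windows\system32\fontdrvhost.exe",
    788: r"C:\Windows\system32\fontdrvhost.exe",
    1020: r"C:\Windows\system32\dwm.exe",
    2544: r"C:\Windows\system32\sihost.exe",
    2556: r"C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc",
    2724: r"C:\Windows\system32\taskhostw.exe",
    3520: r"C:\Windows\Explorer.EXE",
    2360: r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe",
    4132: r"C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe",
}

ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_rows(text):
    """Return (writer_pid, target_pid) pairs; malformed rows are skipped."""
    pairs = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if m and m.group(1) == m.group(3):  # the row repeats the writer's PID
            pairs.append((int(m.group(1)), int(m.group(2))))
    return pairs


def injection_graph(pairs):
    """Map each writer PID to the set of PIDs it wrote into."""
    graph = defaultdict(set)
    for src, dst in pairs:
        graph[src].add(dst)
    return dict(graph)


def mutual_writers(pairs):
    """Process pairs that wrote into each other (dropper <-> dropped copy)."""
    edges = set(pairs)
    return {frozenset((a, b)) for a, b in edges if (b, a) in edges}


def windows_targets(pairs, names=PROCESS_NAMES):
    """Target PIDs whose image lives under C:\\Windows, i.e. system processes."""
    return sorted({dst for _, dst in pairs
                   if names.get(dst, "").lower().startswith(r"c:\windows")})


def unnamed_targets(pairs, names=PROCESS_NAMES):
    """Targets the visible process list does not name; left unidentified."""
    return sorted({dst for _, dst in pairs if dst not in names})


def describe(pairs, names=PROCESS_NAMES):
    """One 'writer -> target image' line per distinct edge."""
    lines = []
    for src, dsts in sorted(injection_graph(pairs).items()):
        for dst in sorted(dsts):
            lines.append(f"{src} -> {dst} {names.get(dst, '(not in visible process list)')}")
    return lines


if __name__ == "__main__":
    pairs = parse_rows(WPM_ROWS)
    print("\n".join(describe(pairs)))
    print("mutual writers:", [sorted(p) for p in mutual_writers(pairs)])
    print("system-process targets:", windows_targets(pairs))
    print("targets without a name in the visible tree:", unnamed_targets(pairs))
```

Feeding it the full 53 rows from the table above gives the same shape with more unnamed targets; the two facts a responder needs are the mutual 2360/4132 edge (a dropper and its dropped copy handing control back and forth) and the writes into fontdrvhost, dwm, sihost, svchost, taskhostw and Explorer, which is where any memory acquisition should be pointed.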
System policy modification 1 TTPs 2 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe
Processes (image path, command line, PID; indentation shows the parent/child tree)
- C:\Windows\system32\fontdrvhost.exe (command line: "fontdrvhost.exe", PID 780)
- C:\Windows\system32\fontdrvhost.exe (command line: "fontdrvhost.exe", PID 788)
- C:\Windows\system32\dwm.exe (command line: "dwm.exe", PID 1020)
- C:\Windows\system32\sihost.exe (command line: sihost.exe, PID 2544)
- C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, PID 2556)
- C:\Windows\system32\taskhostw.exe (command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}, PID 2724)
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE, PID 3520)
  - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe (command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe", PID 2360)
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Checks computer location settings
    - Modifies system executable filetype association
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe (command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\JaffaCakes118_3733e6da82859409e65b7871f6cc08ed.exe", PID 4132)
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - System policy modification
- C:\Windows\system32\svchost.exe (command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc, PID 3660)
- C:\Windows\system32\DllHost.exe (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 3848)
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca, PID 3940)
- C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 4004)
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca, PID 4092)
- C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 4156)
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe (command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca, PID 4348)
- C:\Windows\System32\RuntimeBroker.exe (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 3280)
- C:\Windows\system32\backgroundTaskHost.exe (command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca, PID 1216)
Network
MITRE ATT&CK Enterprise v15 (technique, count of matching signatures in parentheses)
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (6)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads