Analysis Overview
SHA256
36bb9292501433a0931ca14fc3e32cf8ced0c83da8a32b6bdc2e39e1fb6de157
Threat Level: Known bad
The file JaffaCakes118_4374ffe3395196ca313993c5b6337d2e was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Modifies visibility of hidden/system files in Explorer
Modiloader family
ModiLoader, DBatLoader
ModiLoader Second Stage
Loads dropped DLL
Deletes itself
Checks computer location settings
Executes dropped EXE
Drops desktop.ini file(s)
Adds Run key to start application
UPX packed file
Suspicious use of SetThreadContext
Enumerates processes with tasklist
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of UnmapMainImage
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2025-01-27 20:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-01-27 20:35
Reported
2025-01-27 20:37
Platform
win7-20240903-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Users\\Admin\\AppData\\Local\\1be398f8\\X" | C:\Windows\Explorer.EXE | N/A |
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\woauy.exe | N/A |
Modiloader family
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| N/A | N/A | C:\Users\Admin\woauy.exe | N/A |
| N/A | N/A | C:\Users\Admin\amhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\amhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bmhost.exe | N/A |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
| N/A | N/A | C:\Users\Admin\cmhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\1be398f8\X | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Users\Admin\dmhost.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /x" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /Q" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /F" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /Y" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /Z" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /K" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /c" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /C" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /u" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /p" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /f" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /i" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /L" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /a" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /j" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /y" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /V" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /n" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /v" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /H" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /U" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /B" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /h" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /W" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /q" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /A" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /T" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /m" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /w" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /R" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /g" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /e" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /l" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /S" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /M" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /P" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /D" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /z" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /o" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /s" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /M" | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /d" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /t" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /r" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /X" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /k" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /E" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /N" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /b" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /O" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /J" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /I" | C:\Users\Admin\woauy.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\woauy = "C:\\Users\\Admin\\woauy.exe /G" | C:\Users\Admin\woauy.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | \systemroot\assembly\GAC_64\Desktop.ini | C:\Windows\system32\csrss.exe | N/A |
| File created | \systemroot\assembly\GAC_32\Desktop.ini | C:\Windows\system32\csrss.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2640 set thread context of 2780 | N/A | C:\Users\Admin\amhost.exe | C:\Users\Admin\amhost.exe |
| PID 2412 set thread context of 1180 | N/A | C:\Users\Admin\bmhost.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1188 set thread context of 1544 | N/A | C:\Users\Admin\cmhost.exe | C:\Windows\SysWOW64\cmd.exe |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\cmhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\dmhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\woauy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\bmhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\amhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\bmhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\bmhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| N/A | N/A | C:\Users\Admin\woauy.exe | N/A |
| N/A | N/A | C:\Users\Admin\dmhost.exe | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\csrss.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\system32\csrss.exe | %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16 |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe" |
| C:\Users\Admin\srRTMxaDv9.exe | C:\Users\Admin\srRTMxaDv9.exe |
| C:\Users\Admin\woauy.exe | "C:\Users\Admin\woauy.exe" |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c tasklist&&del srRTMxaDv9.exe |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Users\Admin\amhost.exe | C:\Users\Admin\amhost.exe |
| C:\Users\Admin\amhost.exe | amhost.exe |
| C:\Users\Admin\bmhost.exe | C:\Users\Admin\bmhost.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Users\Admin\cmhost.exe | C:\Users\Admin\cmhost.exe |
| C:\Users\Admin\AppData\Local\1be398f8\X | 176.53.17.24:80 |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\system32\cmd.exe" |
| C:\Users\Admin\dmhost.exe | C:\Users\Admin\dmhost.exe |
| C:\Windows\SysWOW64\cmd.exe | "C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe |
| C:\Windows\SysWOW64\tasklist.exe | tasklist |
| C:\Windows\system32\wbem\wmiprvse.exe | C:\Windows\system32\wbem\wmiprvse.exe -Embedding |
Network
| IN | 223.29.199.151:25700 | tcp | |
| KZ | 87.247.42.163:25700 | tcp | |
| US | 69.113.16.97:25700 | tcp | |
| US | 68.11.134.106:25700 | tcp | |
| US | 66.56.32.93:25700 | tcp | |
| CA | 173.230.173.59:25700 | tcp | |
| DZ | 41.107.70.89:25700 | tcp | |
| US | 68.199.124.4:25700 | tcp | |
| US | 68.103.79.198:25700 | tcp | |
| US | 174.64.30.198:25700 | tcp | |
| US | 68.3.248.223:25700 | tcp | |
| CA | 74.12.234.101:25700 | tcp | |
| DE | 86.56.15.251:25700 | tcp | |
| US | 97.102.37.94:25700 | tcp | |
| US | 24.31.184.124:25700 | tcp | |
| US | 66.190.220.48:25700 | tcp | |
| US | 24.253.208.76:25700 | tcp | |
| US | 75.66.39.93:25700 | tcp | |
| IT | 151.81.146.112:25700 | tcp | |
| ES | 85.219.20.126:25700 | tcp | |
| US | 68.39.127.163:25700 | tcp | |
| US | 173.3.143.226:25700 | tcp | |
| US | 24.126.8.252:25700 | tcp | |
| US | 71.195.62.171:25700 | tcp | |
| US | 76.116.104.184:25700 | tcp | |
| US | 98.196.30.132:25700 | tcp | |
| US | 66.25.247.230:25700 | tcp | |
| US | 24.14.49.4:25700 | tcp | |
| US | 67.60.244.54:25700 | tcp | |
| PL | 91.207.60.22:25700 | tcp | |
| US | 24.99.224.18:25700 | tcp | |
| US | 71.194.116.155:25700 | tcp | |
| NL | 98.64.60.8:25700 | tcp | |
| DE | 78.43.118.192:25700 | tcp | |
| US | 67.162.64.31:25700 | tcp | |
| US | 75.108.60.107:25700 | tcp | |
| US | 76.115.46.206:25700 | tcp | |
| DK | 212.10.97.79:25700 | tcp | |
| BE | 84.195.107.140:25700 | tcp | |
| US | 67.172.173.99:25700 | tcp | |
| US | 76.169.142.205:25700 | tcp | |
| US | 69.204.107.254:25700 | tcp | |
| US | 98.26.36.207:25700 | tcp | |
| IT | 82.55.209.61:25700 | tcp | |
| US | 71.45.142.31:25700 | tcp | |
| FR | 81.51.40.68:25700 | tcp | |
| US | 24.18.125.203:25700 | tcp | |
| US | 68.37.37.133:25700 | tcp | |
| US | 69.76.179.226:25700 | tcp | |
| US | 69.205.231.132:25700 | tcp | |
| US | 67.85.181.95:25700 | tcp | |
| US | 76.105.72.3:25700 | tcp | |
| US | 24.228.5.130:25700 | tcp | |
| PL | 87.116.205.54:25700 | tcp | |
| US | 76.119.15.140:25700 | tcp | |
| US | 71.203.154.25:25700 | tcp | |
| US | 174.70.136.28:25700 | tcp | |
| US | 24.178.86.126:25700 | tcp | |
| US | 108.106.109.107:25700 | tcp | |
| US | 50.136.114.82:25700 | tcp | |
| US | 24.146.171.229:25700 | tcp | |
| CA | 74.59.63.112:25700 | tcp | |
| US | 71.68.97.7:25700 | tcp | |
| US | 24.91.136.219:25700 | tcp | |
| US | 24.245.2.5:25700 | tcp | |
| US | 71.95.34.209:25700 | tcp | |
| US | 68.62.166.162:25700 | tcp | |
| US | 216.26.97.151:25700 | tcp | |
| US | 69.113.201.236:25700 | tcp | |
| US | 65.185.120.89:25700 | tcp | |
| US | 174.57.113.217:25700 | tcp | |
| US | 69.143.8.209:25700 | tcp | |
| US | 71.77.72.78:25700 | tcp | |
| US | 74.196.169.67:25700 | tcp | |
| US | 76.31.37.100:25700 | tcp | |
| US | 96.18.183.250:25700 | tcp | |
| US | 98.214.78.126:25700 | tcp | |
| CA | 69.156.160.226:25700 | tcp | |
| US | 98.194.201.41:25700 | tcp | |
| US | 75.66.128.197:25700 | tcp | |
| US | 74.64.85.127:25700 | tcp | |
| US | 98.193.89.231:25700 | tcp | |
| DE | 91.64.176.203:25700 | tcp | |
| US | 24.250.24.134:25700 | tcp | |
| US | 107.8.75.96:25700 | tcp | |
| RU | 91.79.143.168:25700 | tcp | |
| US | 72.135.14.49:25700 | tcp | |
| US | 68.54.184.7:25700 | tcp | |
| US | 71.76.58.50:25700 | tcp | |
| US | 72.249.44.79:25700 | tcp | |
| US | 98.204.110.177:25700 | tcp | |
| US | 75.73.45.126:25700 | tcp | |
| US | 66.168.25.248:25700 | tcp | |
| US | 107.41.156.180:25700 | tcp | |
| US | 184.59.86.72:25700 | tcp | |
| US | 71.234.195.93:25700 | tcp | |
| US | 64.53.184.103:25700 | tcp | |
| IT | 151.81.79.182:25700 | tcp | |
| US | 69.122.91.56:25700 | tcp | |
| US | 24.27.176.91:25700 | tcp | |
| US | 76.190.213.150:25700 | tcp | |
| US | 76.118.218.158:25700 | tcp | |
| US | 24.158.142.102:25700 | tcp | |
| US | 65.185.76.30:25700 | tcp | |
| ES | 79.108.2.152:25700 | tcp | |
| US | 24.30.7.62:25700 | tcp | |
| RU | 94.180.203.48:25700 | tcp | |
| US | 75.66.198.134:25700 | tcp | |
| US | 66.169.32.66:25700 | tcp | |
| US | 24.217.238.43:25700 | tcp | |
| US | 50.12.174.124:25700 | tcp | |
| US | 97.106.237.122:25700 | tcp | |
| US | 68.58.196.120:25700 | tcp | |
| US | 67.169.67.143:25700 | tcp | |
| KZ | 95.56.27.119:25700 | tcp | |
| US | 107.2.144.105:25700 | tcp | |
| US | 68.3.244.77:25700 | tcp | |
| US | 76.186.89.77:25700 | tcp | |
| US | 76.116.86.5:25700 | tcp | |
| US | 76.170.106.209:25700 | tcp | |
| US | 184.201.93.26:25700 | tcp | |
| US | 24.217.82.195:25700 | tcp | |
| US | 24.46.123.214:25700 | tcp | |
| CZ | 213.211.60.35:25700 | tcp | |
| US | 75.177.162.9:25700 | tcp | |
| US | 71.62.150.167:25700 | tcp | |
| US | 67.249.111.108:25700 | tcp | |
| US | 24.197.112.102:25700 | tcp |
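The table above is not one C2 address but a few hundred distinct hosts spread over many countries, split into two port groups (21860 and 25700). That shape is the practical point for a defender: a single IP block is useless here, the port pair and the fan-out are the indicators. The Python below is an added example, not code from the sandbox or from the sample's authors. It parses rows in the report's `| Country | Destination | Domain | Proto |` layout (tolerating the variant where the empty Domain cell was dropped and `tcp` shifted left), summarises by port, separates peer-list ports from fixed endpoints with a simple fan-out heuristic, and emits an `ip:port` blocklist. The sample rows are a hand-picked subset of this table plus DNS, loopback and HTTP rows of the kind the second detonation's table contains; the thresholds in `classify_ports` are assumptions, not values the report states.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

PROTOS = {"tcp", "udp"}

# Constructed sample: a subset of rows from the report's network tables,
# deliberately mixing the aligned layout and the column-shifted layout.
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 66.191.237.173:21860 | | tcp |
| KZ | 95.58.12.224:21860 | tcp | |
| DE | 178.238.234.130:21860 | | tcp |
| NO | 188.113.127.144:25700 | | tcp |
| US | 75.110.231.24:25700 | tcp | |
| US | 71.58.52.32:25700 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 127.0.0.1:80 | | tcp |
| TR | 176.53.17.24:80 | | tcp |
"""


def parse_rows(text):
    """Parse report rows into dicts. Rows where the empty Domain cell was
    dropped ('| US | 1.2.3.4:21860 | tcp | |') are handled by picking the
    protocol out of whichever trailing cell holds tcp/udp."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        country, dest, rest = cells[0], cells[1], cells[2:]
        m = re.fullmatch(r"([0-9.]+):(\d+)", dest)
        if not m:
            continue
        proto = next((c.lower() for c in rest if c.lower() in PROTOS), "")
        domain = next((c for c in rest if c and c.lower() not in PROTOS), "")
        conns.append({"country": country, "ip": m.group(1), "port": int(m.group(2)),
                      "domain": domain, "proto": proto})
    return conns


def summarize_by_port(conns):
    """port -> number of distinct IPs and distinct countries (N/A ignored)."""
    ips, countries = defaultdict(set), defaultdict(set)
    for c in conns:
        ips[c["port"]].add(c["ip"])
        if c["country"] != "N/A":
            countries[c["port"]].add(c["country"])
    return {p: {"unique_ips": len(ips[p]), "countries": len(countries[p])} for p in ips}


def classify_ports(conns, min_ips=3, min_countries=2):
    """Many distinct, geographically spread peers on one port reads as a peer
    list; one or two endpoints reads as a fixed C2. Loopback and other
    non-routable destinations are excluded before counting. Thresholds are
    assumed, not taken from the report."""
    routable = [c for c in conns if ip_address(c["ip"]).is_global]
    verdicts = {}
    for port, s in summarize_by_port(routable).items():
        fan_out = s["unique_ips"] >= min_ips and s["countries"] >= min_countries
        verdicts[port] = "peer-list" if fan_out else "fixed-endpoint"
    return verdicts


def blocklist(conns):
    """Sorted ip:port entries for routable TCP destinations; the sandbox's
    DNS resolver (udp) and loopback never make it in."""
    return sorted({f'{c["ip"]}:{c["port"]}' for c in conns
                   if c["proto"] == "tcp" and ip_address(c["ip"]).is_global})


if __name__ == "__main__":
    conns = parse_rows(SAMPLE_ROWS)
    for port, verdict in sorted(classify_ports(conns).items()):
        print(port, verdict, summarize_by_port(conns)[port])
    print("\n".join(blocklist(conns)))
```

On the full table the two high ports classify as peer lists and 176.53.17.24:80 (the argument passed to `X` in the second detonation) as a fixed endpoint; a network rule on outbound TCP 21860 and 25700 from user workstations is a better fit than the IP list, which will rot quickly.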
Files
\Users\Admin\srRTMxaDv9.exe
| MD5 | 57a5743f47b3a874773041195600909c |
| SHA1 | 74f5c16a6ca03baea7c684e40d351f1ec484a70d |
| SHA256 | eecfb7541cf571d34882ebeb19c3c396ed53243e23060d45e1f1b033e061da90 |
| SHA512 | 66c4621663db921b7a18b843197ea6611e9473abca6b2a653d1f228146129434a7f643f598e0fdfbe300f2ea91168135de59a69f02f52245c71f12e4364e2954 |
\Users\Admin\woauy.exe
| MD5 | 07fde06b6fa5b5aac1b1f829f239c149 |
| SHA1 | 493ea55103ec11486e424ce65b18b0b1627cc704 |
| SHA256 | 3f3810d49d52695fb564da70161034b5c433804288ca6dd1fe2220fd60722e10 |
| SHA512 | b7c2f8aef0cdac030c4c7f8f1f80ffdf777472e70f885ba3709076703095fabd7fd3a9c2d9121ad31922d402cb418f6d95a0933c53b7f0638750c75e354a6368 |
\Users\Admin\amhost.exe
| MD5 | 8ccbe4f27f9710f3e7f75e1d1de57e49 |
| SHA1 | 272e95e476477cd4a1715ee0bcf32318e0351718 |
| SHA256 | 3d36ee15c25b2308f8552e121d885c26b46b4e7fc6dbb41a684bec53e0ae3b5d |
| SHA512 | 334f56b5158839f521513aff9de334536c86da633bf1a3b78592529275457973ed67fd55a54bef8f88ce918c2863c365cababfbd0ef888a27272906e281105d0 |
memory/2780-40-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2780-47-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2640-46-0x0000000000400000-0x0000000000417000-memory.dmp
memory/2780-43-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2780-38-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2780-36-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2780-50-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2780-52-0x0000000000400000-0x000000000040E000-memory.dmp
memory/2780-51-0x0000000000400000-0x000000000040E000-memory.dmp
\Users\Admin\bmhost.exe
| MD5 | 2da0070a7c50f3a078b73b4fb7ee7c02 |
| SHA1 | 999b4860a80b908622fadfc8fae27db66b200932 |
| SHA256 | f8a0f1b5b3f320f01173f151305dc780eac51bf78e7405fd2c0b9b3ba58945bf |
| SHA512 | 2d488508e785d92c5cf9f0abee8153d984d8dd8f1d59880643764f499e151fccc9572a9ad1fe0a82412b8ed230d25bd849a0beeded12325dc21839ed53512630 |
memory/2412-64-0x0000000000360000-0x00000000003A1000-memory.dmp
memory/2412-68-0x0000000000360000-0x00000000003A1000-memory.dmp
memory/2412-60-0x0000000000360000-0x00000000003A1000-memory.dmp
memory/2412-69-0x0000000000360000-0x00000000003A1000-memory.dmp
memory/2412-70-0x0000000000360000-0x00000000003A1000-memory.dmp
memory/2412-72-0x0000000000360000-0x00000000003A1000-memory.dmp
memory/1124-73-0x0000000002520000-0x0000000002526000-memory.dmp
memory/1124-77-0x0000000002520000-0x0000000002526000-memory.dmp
memory/1124-81-0x0000000002520000-0x0000000002526000-memory.dmp
C:\Windows\system32\consrv.dll
| MD5 | 4d7cde615a0f534bd5e359951829554b |
| SHA1 | c885d00d9000f2a5dbc78f6193a052b36f4fe968 |
| SHA256 | 414fdf9bdcae5136c1295d6d24740c50a484acd81f1f7d0fb5d5c138607cb80a |
| SHA512 | 33d632f9fbb694440a1ca568c90518784278efd1dc9ee2b57028149d56ebe1f7346d5b59dcfafee2eeaa10091dda05f48958e909d6bfc891e037ae1cfbd048d4 |
memory/336-87-0x0000000002540000-0x0000000002552000-memory.dmp
memory/2412-91-0x0000000000400000-0x0000000000446000-memory.dmp
\Users\Admin\cmhost.exe
| MD5 | 03102e4338eb16e0c4dfe106830557e3 |
| SHA1 | 4fdb5baf0900e44e95acdeee1c947be3b0518b39 |
| SHA256 | 7dd28bddc46daddc8f7e14906f50ef991d3d7f1ffb785388fb5c42be9e162139 |
| SHA512 | c7d4b4b3766c0b4cdc3d16f56effe1b36cacd4a48f728cf1a33360eb6c48362587186dc0be45f098cd3117bc10c7113d51262939bfe018c6f963b36d59cd97c9 |
\Windows\assembly\GAC_32\Desktop.ini
| MD5 | 878f9b6da85cb98fcbdf6abd1730a32f |
| SHA1 | 343007e658ea541f4680b4edf4513e69e1cc18a6 |
| SHA256 | 75b5a460ed6f47fca8ec1bcd8a11b22f24fb33de4d5f307b851ad20c7f831b7d |
| SHA512 | 5425844e34ad5e717b08830020526f5c9465f654f3e9e29967b2983d5cb8dc225be2b89cd29a8e4cc99fcfc99e05556f66eefa0539283ab4569e603413a37293 |
\Users\Admin\AppData\Local\1be398f8\X
| MD5 | be40a2578e862f1cecc9b9194f524201 |
| SHA1 | 0c379f375f9bcfab2e8d86161cec07fe4a7dbc12 |
| SHA256 | 2c0f19272baa42d1af85a395fe8cd687c50e91450abc5911f6806c317a25b6a6 |
| SHA512 | 25fbee1dce99c0ca80cd11bbe0d9fceaa07bf8a8b9b3ebc04e55645c0a733dafc83a7922975c31bc9fdff6f413257ac8b9ff72628c78b48a5b7ab669eab369f8 |
\Windows\assembly\GAC_64\Desktop.ini
| MD5 | 9d7ec1e355ac35cbe6991721ef5ae3b8 |
| SHA1 | c35a00bd35c6e4a7516b93947be08ead966347e8 |
| SHA256 | 68a3cec42215323100398a8eb2cbb37da7d58fe0fa9c6312e954e0f50a95ca98 |
| SHA512 | b7c4be28d8e179974672205a50e72fa1ec9e2e8170b3b8ee763e1751a3397c35afec7a72c88f0a79a8566749b2af1ff054660a96c3a6d6508c545d316a035dc0 |
memory/1124-121-0x0000000002550000-0x000000000255B000-memory.dmp
memory/1124-120-0x0000000002540000-0x000000000254B000-memory.dmp
memory/1124-115-0x0000000002540000-0x000000000254B000-memory.dmp
memory/1124-111-0x0000000002540000-0x000000000254B000-memory.dmp
C:\Users\Admin\AppData\Local\1be398f8\@
| MD5 | f5e66a93bc297ba83db0e7b5564ced3f |
| SHA1 | 863c519546cfba7531b8ecbf10ae5bede6d2193d |
| SHA256 | 94257ae4c040d8487cb44bc23030193944c72c12678dcd8b80684a3721b21231 |
| SHA512 | b7ee82bdc3057df90eed61a9d0d6d52420fb8baf6cc8f12f30144ecdd1f298f13d89e14bfa474ea939bd734440f185d7bba72d1140080a3ef975253191adaea3 |
memory/1188-128-0x0000000000400000-0x0000000000465C48-memory.dmp
memory/1188-135-0x0000000000400000-0x0000000000465C48-memory.dmp
\Users\Admin\dmhost.exe
| MD5 | e5a8cc5176a71d1fb82d8790db0c20f0 |
| SHA1 | 6d0c76a9e94151d84241bdf99033524daf4346ed |
| SHA256 | 3b324891d70636e38cfc4c080a91fc83b387013af03ef9d2d6aa36376e1d6c8c |
| SHA512 | ccbd5e3f98ff202c8a7753208d588bfef183eb37a6da3fbcf733dab0112408b1a05836ebbc24d6a17e9b72260ba9682e53628d20f130b10d8ec76cf9f1a51f9c |
\??\globalroot\systemroot\assembly\temp\@
| MD5 | c9c375e4592e4f72fc80d8673aa484e3 |
| SHA1 | 565b0a395671b12a77d006b7b17a54d20932f28a |
| SHA256 | f6b79b69ca9f5047bed4631c79b6ea737fb03125e185b2114f4986a366f8b9c2 |
| SHA512 | e412db5ec4003861a02e04b564e3f6ae6f93f2d052615fab96b4560ca74989891a610fd6062b14cef96785c9866b34c72470f158918af161870942fe5153ee65 |
Analysis: behavioral2
Detonation Overview
Submitted
2025-01-27 20:35
Reported
2025-01-27 20:37
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
141s
Command Line
Signatures
ModiLoader, DBatLoader
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\sazab.exe | N/A |
Modiloader family
ModiLoader Second Stage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| N/A | N/A | C:\Users\Admin\amhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\sazab.exe | N/A |
| N/A | N/A | C:\Users\Admin\amhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\bmhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\cmhost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\9a2c62aa\X | N/A |
| N/A | N/A | C:\Users\Admin\dmhost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /C" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /I" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /K" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /m" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /F" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /M" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /A" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /a" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /z" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /r" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /j" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /R" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /x" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /u" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /X" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /Y" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /Z" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /l" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /B" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /y" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /w" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /t" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /q" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /i" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /s" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /E" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /G" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /V" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /J" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /D" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /U" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /O" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /g" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /n" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /o" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /c" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /v" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /b" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /L" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /W" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /H" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /d" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /E" | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /N" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /e" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /k" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /T" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /Q" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /f" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /h" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /p" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /P" | C:\Users\Admin\sazab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab = "C:\\Users\\Admin\\sazab.exe /S" | C:\Users\Admin\sazab.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4676 set thread context of 1656 | N/A | C:\Users\Admin\amhost.exe | C:\Users\Admin\amhost.exe |
| PID 1788 set thread context of 3528 | N/A | C:\Users\Admin\bmhost.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 1552 set thread context of 1976 | N/A | C:\Users\Admin\cmhost.exe | C:\Windows\SysWOW64\cmd.exe |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\cmhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\amhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\bmhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\dmhost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\sazab.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Windows\explorer.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\bmhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\cmhost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe | N/A |
| N/A | N/A | C:\Users\Admin\srRTMxaDv9.exe | N/A |
| N/A | N/A | C:\Users\Admin\sazab.exe | N/A |
| N/A | N/A | C:\Users\Admin\dmhost.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe"
C:\Users\Admin\srRTMxaDv9.exe
C:\Users\Admin\srRTMxaDv9.exe
C:\Users\Admin\sazab.exe
"C:\Users\Admin\sazab.exe"
C:\Users\Admin\amhost.exe
C:\Users\Admin\amhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del srRTMxaDv9.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Users\Admin\amhost.exe
amhost.exe
C:\Users\Admin\bmhost.exe
C:\Users\Admin\bmhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\cmhost.exe
C:\Users\Admin\cmhost.exe
C:\Users\Admin\AppData\Local\9a2c62aa\X
176.53.17.24:80
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
C:\Users\Admin\dmhost.exe
C:\Users\Admin\dmhost.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c tasklist&&del JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe
C:\Windows\SysWOW64\tasklist.exe
tasklist
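Three host-side behaviours in this detonation are cheap to turn into detections: the same `Run\sazab` value rewritten dozens of times with a different switch each time (one image, one value name, many distinct data strings in seconds), `ShowSuperHidden` forced to 0 by something other than Explorer, and the `cmd.exe /c tasklist&&del <file>` command lines, where the `del` target is the parent process's own executable (the `tasklist` call is there as a delay so the parent has exited before `del` runs). The following Python is an added example, not code from the sandbox or from the sample's authors. The event records are constructed to mirror the report's registry and process tables as simplified dict records rather than real Sysmon XML; the SID, paths and command lines are the report's, and the `Vendor` installer entries are invented benign noise to show what the rules ignore.

```python
import re
from collections import defaultdict

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
SUPER_HIDDEN_RE = re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.IGNORECASE)
# cmd /c tasklist&&del <file>  (optional del switches such as /f /q tolerated)
SELF_DELETE_RE = re.compile(r'tasklist\s*&&\s*del\s+(?:/[a-z]+\s+)*"?([^\s"]+)', re.IGNORECASE)


def _reg(t, image, key, data):          # ~ Sysmon Event ID 13 (registry value set)
    return {"type": "reg", "t": t, "image": image, "key": key, "data": data}


def _proc(t, image, cmdline, parent):   # ~ Sysmon Event ID 1 (process create)
    return {"type": "proc", "t": t, "image": image, "cmdline": cmdline, "parent_image": parent}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# Constructed events modelled on the behavioral2 tables above.
USER = r"HKU\S-1-5-21-3442511616-637977696-3186306149-1000"
RUN_SAZAB = USER + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sazab"
SUPER_HIDDEN = USER + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"
SAZAB = r"C:\Users\Admin\sazab.exe"
DROPPER = r"C:\Users\Admin\srRTMxaDv9.exe"
ORIGINAL = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

EVENTS = [
    _reg(1.0, DROPPER, SUPER_HIDDEN, "0"),
    _reg(1.5, SAZAB, SUPER_HIDDEN, "0"),
    _reg(2.0, DROPPER, RUN_SAZAB, SAZAB + " /E"),
] + [
    _reg(3.0 + i * 0.1, SAZAB, RUN_SAZAB, f"{SAZAB} /{sw}")
    for i, sw in enumerate("C I K m F M A a z r".split())
] + [
    _proc(4.0, CMD, '"C:\\Windows\\System32\\cmd.exe" /c tasklist&&del srRTMxaDv9.exe', DROPPER),
    _proc(4.5, CMD, '"C:\\Windows\\System32\\cmd.exe" /c tasklist&&del '
                    'JaffaCakes118_4374ffe3395196ca313993c5b6337d2e.exe', ORIGINAL),
    # Invented benign noise: a one-off Run entry from an installer, an admin running tasklist.
    _reg(5.0, r"C:\Program Files\Vendor\setup.exe",
         USER + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
         r"C:\Program Files\Vendor\tray.exe"),
    _proc(6.0, CMD, '"C:\\Windows\\System32\\cmd.exe" /c tasklist', r"C:\Windows\explorer.exe"),
]


def run_key_churn(events, min_values=5, window=60.0):
    """One image rewriting one Run value with >= min_values distinct data
    strings inside `window` seconds. A normal installer writes its Run
    value once; the report shows sazab.exe writing dozens of variants."""
    per_target = defaultdict(list)
    for ev in events:
        if ev["type"] == "reg" and RUN_KEY_RE.search(ev["key"]):
            per_target[(ev["image"], ev["key"])].append((ev["t"], ev["data"]))
    findings = []
    for (image, key), writes in per_target.items():
        writes.sort()
        for i, (t0, _) in enumerate(writes):
            in_window = {d for t, d in writes[i:] if t - t0 <= window}
            if len(in_window) >= min_values:
                findings.append({"rule": "run_key_churn", "image": image, "key": key,
                                 "distinct_values": len(in_window)})
                break
    return findings


def super_hidden_disabled(events):
    """ShowSuperHidden set to 0 by anything other than explorer.exe itself."""
    return [{"rule": "super_hidden_disabled", "image": ev["image"], "key": ev["key"]}
            for ev in events
            if ev["type"] == "reg" and SUPER_HIDDEN_RE.search(ev["key"])
            and ev["data"].strip() == "0" and basename(ev["image"]) != "explorer.exe"]


def self_delete_via_cmd(events):
    """cmd.exe child whose 'tasklist&&del <file>' target is its parent's own binary."""
    findings = []
    for ev in events:
        if ev["type"] != "proc" or basename(ev["image"]) != "cmd.exe":
            continue
        m = SELF_DELETE_RE.search(ev["cmdline"])
        if m and basename(m.group(1)) == basename(ev["parent_image"]):
            findings.append({"rule": "self_delete_via_cmd", "parent": ev["parent_image"],
                             "target": m.group(1)})
    return findings


def run_all(events):
    return run_key_churn(events) + super_hidden_disabled(events) + self_delete_via_cmd(events)


if __name__ == "__main__":
    for f in run_all(EVENTS):
        print(f)
```

The self-delete rule keys on the parent/target name match rather than on `tasklist&&del` alone, which keeps admin one-liners out of the alert queue; the churn rule needs the write timestamps, so it is an aggregation over the registry event stream rather than a single-event signature.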
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.153.16.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.114.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:80 | | tcp |
| N/A | 127.0.0.1:80 | | tcp |
| N/A | 127.0.0.1:80 | | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| TR | 176.53.17.24:80 | | tcp |
| TR | 176.53.17.24:80 | | tcp |
| TR | 176.53.17.24:80 | | tcp |
| TR | 176.53.17.24:80 | | tcp |
| TR | 176.53.17.24:80 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.130.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.49.80.91.in-addr.arpa | udp |
Files
C:\Users\Admin\srRTMxaDv9.exe
| MD5 | 57a5743f47b3a874773041195600909c |
| SHA1 | 74f5c16a6ca03baea7c684e40d351f1ec484a70d |
| SHA256 | eecfb7541cf571d34882ebeb19c3c396ed53243e23060d45e1f1b033e061da90 |
| SHA512 | 66c4621663db921b7a18b843197ea6611e9473abca6b2a653d1f228146129434a7f643f598e0fdfbe300f2ea91168135de59a69f02f52245c71f12e4364e2954 |
C:\Users\Admin\sazab.exe
| MD5 | 15328499a2e83b063081d2cfd27faed6 |
| SHA1 | bf0a0fd4407935258ff9df51de7c1915901b92e2 |
| SHA256 | d4e38f4c3bd7b294298c4fda059da3035f2c3f9a5f59780d858fe666a2546b7b |
| SHA512 | 97c7fc7fadf0fa33ccce81bbc0662912bcfa0c75fee4b3f057bef602d7805e68835e13a9bb7c0befcabfbce2b8db7db5db3b2a47536c7559403db51f3fd30c84 |
C:\Users\Admin\amhost.exe
| MD5 | 8ccbe4f27f9710f3e7f75e1d1de57e49 |
| SHA1 | 272e95e476477cd4a1715ee0bcf32318e0351718 |
| SHA256 | 3d36ee15c25b2308f8552e121d885c26b46b4e7fc6dbb41a684bec53e0ae3b5d |
| SHA512 | 334f56b5158839f521513aff9de334536c86da633bf1a3b78592529275457973ed67fd55a54bef8f88ce918c2863c365cababfbd0ef888a27272906e281105d0 |
memory/1656-45-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1656-46-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1656-53-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1656-52-0x0000000000400000-0x000000000040E000-memory.dmp
memory/1656-51-0x0000000000400000-0x000000000040E000-memory.dmp
memory/4676-50-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Users\Admin\bmhost.exe
| MD5 | 2da0070a7c50f3a078b73b4fb7ee7c02 |
| SHA1 | 999b4860a80b908622fadfc8fae27db66b200932 |
| SHA256 | f8a0f1b5b3f320f01173f151305dc780eac51bf78e7405fd2c0b9b3ba58945bf |
| SHA512 | 2d488508e785d92c5cf9f0abee8153d984d8dd8f1d59880643764f499e151fccc9572a9ad1fe0a82412b8ed230d25bd849a0beeded12325dc21839ed53512630 |
memory/1788-58-0x0000000000400000-0x0000000000446000-memory.dmp
C:\Users\Admin\cmhost.exe
| MD5 | 03102e4338eb16e0c4dfe106830557e3 |
| SHA1 | 4fdb5baf0900e44e95acdeee1c947be3b0518b39 |
| SHA256 | 7dd28bddc46daddc8f7e14906f50ef991d3d7f1ffb785388fb5c42be9e162139 |
| SHA512 | c7d4b4b3766c0b4cdc3d16f56effe1b36cacd4a48f728cf1a33360eb6c48362587186dc0be45f098cd3117bc10c7113d51262939bfe018c6f963b36d59cd97c9 |
C:\Users\Admin\AppData\Local\9a2c62aa\X
| MD5 | be40a2578e862f1cecc9b9194f524201 |
| SHA1 | 0c379f375f9bcfab2e8d86161cec07fe4a7dbc12 |
| SHA256 | 2c0f19272baa42d1af85a395fe8cd687c50e91450abc5911f6806c317a25b6a6 |
| SHA512 | 25fbee1dce99c0ca80cd11bbe0d9fceaa07bf8a8b9b3ebc04e55645c0a733dafc83a7922975c31bc9fdff6f413257ac8b9ff72628c78b48a5b7ab669eab369f8 |
memory/1552-73-0x0000000000400000-0x0000000000465C48-memory.dmp
memory/1552-80-0x0000000000400000-0x0000000000465C48-memory.dmp
C:\Users\Admin\dmhost.exe
| MD5 | e5a8cc5176a71d1fb82d8790db0c20f0 |
| SHA1 | 6d0c76a9e94151d84241bdf99033524daf4346ed |
| SHA256 | 3b324891d70636e38cfc4c080a91fc83b387013af03ef9d2d6aa36376e1d6c8c |
| SHA512 | ccbd5e3f98ff202c8a7753208d588bfef183eb37a6da3fbcf733dab0112408b1a05836ebbc24d6a17e9b72260ba9682e53628d20f130b10d8ec76cf9f1a51f9c |
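The memory dump names under Files can be read against the SetThreadContext table earlier in this detonation. Each name carries a PID and a dumped address range; the PIDs 4676 and 1656 are the parent and child of the first SetThreadContext pair, and the region at 0x400000 in the child (0xE000 bytes) is a different size from the parent's own image region at the same base (0x17000 bytes), which is what a hollowed child running a PE that the parent wrote into it looks like. The Python below is an added example, not sandbox code; the dump names and PID pairs are copied from this section, the layout `memory/<pid>-<n>-<start>-<end>-memory.dmp` is read off those names, and treating the middle field as a capture sequence index is an assumption.

```python
import re
from collections import defaultdict

DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Dump names and SetThreadContext pairs copied from the behavioral2 section.
DUMPS = [
    "memory/1656-45-0x0000000000400000-0x000000000040E000-memory.dmp",
    "memory/1656-46-0x0000000000400000-0x000000000040E000-memory.dmp",
    "memory/1656-53-0x0000000000400000-0x000000000040E000-memory.dmp",
    "memory/4676-50-0x0000000000400000-0x0000000000417000-memory.dmp",
    "memory/1788-58-0x0000000000400000-0x0000000000446000-memory.dmp",
    "memory/1552-73-0x0000000000400000-0x0000000000465C48-memory.dmp",
    "memory/1552-80-0x0000000000400000-0x0000000000465C48-memory.dmp",
]
# (parent pid, child pid, parent image, child image)
HOLLOWING_PAIRS = [
    (4676, 1656, r"C:\Users\Admin\amhost.exe", r"C:\Users\Admin\amhost.exe"),
    (1788, 3528, r"C:\Users\Admin\bmhost.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    (1552, 1976, r"C:\Users\Admin\cmhost.exe", r"C:\Windows\SysWOW64\cmd.exe"),
]


def parse_dump_name(name):
    """-> (pid, seq, start, end); seq taken to be the capture index (assumption)."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    pid, seq, start, end = m.groups()
    return int(pid), int(seq), int(start, 16), int(end, 16)


def regions_by_pid(dumps):
    """pid -> set of (start, end) ranges, de-duplicated across repeated captures."""
    out = defaultdict(set)
    for name in dumps:
        pid, _, start, end = parse_dump_name(name)
        out[pid].add((start, end))
    return out


def region_size_at(regions, base):
    sizes = [end - start for start, end in regions if start == base]
    return sizes[0] if sizes else None


def correlate(pairs, dumps, image_base=0x400000):
    """Compare the size of the region at the usual 32-bit image base in the
    parent and in the child it set a thread context on. A child whose region
    at that base differs from the parent's own image region is consistent with
    the parent having mapped a different PE into it; equal sizes prove
    nothing either way, and a missing dump is reported rather than guessed."""
    regions = regions_by_pid(dumps)
    results = []
    for parent, child, parent_image, child_image in pairs:
        p_size = region_size_at(regions.get(parent, set()), image_base)
        c_size = region_size_at(regions.get(child, set()), image_base)
        if c_size is None:
            verdict = "no-child-dump"
        elif p_size is None:
            verdict = "no-parent-dump"
        elif p_size != c_size:
            verdict = "image-size-mismatch"
        else:
            verdict = "same-size-image"
        results.append({"parent": parent, "child": child, "parent_image": parent_image,
                        "child_image": child_image, "parent_size": p_size,
                        "child_size": c_size, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in correlate(HOLLOWING_PAIRS, DUMPS):
        print(r["parent"], "->", r["child"], r["verdict"],
              hex(r["parent_size"] or 0), hex(r["child_size"] or 0))
```

Only the amhost.exe pair has dumps on both sides; the two cmd.exe children (3528, 1976) have no dump in this report, so the injected content there has to come from the parent-side dumps of bmhost.exe and cmhost.exe or from a fresh detonation with the child regions captured.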