Analysis
max time kernel: 93s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-02-2025 10:21
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2 (this report)
  Sample: JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe
  Resource: win10v2004-20250129-en
General
Target: JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe
Size: 322KB
MD5: 876c42866076bf9f3450332e3dac80f0
SHA1: aa39d26fcf7a56971ddbd5779a5cbc4cd91999e0
SHA256: 24f5ee91e74218a089b2516bcbbdc383f332daf65dfec4ea6e931b972f6b337f
SHA512: c4e71dac5125d19054f72052d371776693edfe8203f7b8a0f07fe199cdf1a6fcfa360a9e9fd546f821e5f6bce1ae42d07fe029eb2cfbdbd2ba2a31500c046a1f
SSDEEP: 6144:YNYMViiff/JSTiTA5UqD107UQrCUN0VtQW0N/5SLUYT:O3RgiTceAhU8tWRILLT
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 63 IoCs
All 63 IoCs are Set value (int) writes to HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (logged in kernel form as \REGISTRY\MACHINE\SYSTEM\ControlSet001\...). Three values are involved, each written once by JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe and repeatedly by the server.exe copies:
  EnableFirewall = 0         firewall off for the Standard (private network) profile
  DisableNotifications = 1   the "firewall is off" notification is suppressed
  DoNotAllowExceptions = 0   exceptions allowed; this matches the default behaviour, so on its own it is a weak signal
Only StandardProfile is touched; no DomainProfile or PublicProfile writes appear in the log.
Sality family
UAC bypass 3 TTPs 21 IoCs
All 21 IoCs are the same write: Set value (int) HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = 0, once by JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe and 20 times by server.exe. Writing under HKLM\...\Policies needs administrative rights, so this is UAC being switched off by an already-elevated process rather than a bypass of the prompt, and the change only takes effect after the next reboot.
Windows security bypass 2 TTPs 64 IoCs
64 Set value (int) writes under HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center; the 32-bit sample lands in the WOW6432Node view of HKLM\SOFTWARE on this x64 image through registry redirection. Six values are set, all to 1:
  AntiVirusOverride = 1       server.exe
  AntiVirusDisableNotify = 1  server.exe
  FirewallOverride = 1        server.exe, once by JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe
  FirewallDisableNotify = 1   server.exe
  UpdatesDisableNotify = 1    server.exe, once by JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe
  UacDisableNotify = 1        server.exe, once by JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe
Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Both IoCs come from JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe:
  Key created:      HKLM\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{T5TBB77L-4678-0MKC-421Q-14416031DYU6}
  Set value (str):  HKLM\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{T5TBB77L-4678-0MKC-421Q-14416031DYU6}\StubPath = "C:\Windows\system32\system32\server.exe Restart"
Two details make this entry stand out on a host: the component name is not a valid GUID (T, L, M, K, Q, Y and U are not hex digits), and the StubPath points into a nested system32\system32 directory that no clean install has (and that a 32-bit process on x64 would in any case create under SysWOW64 through file-system redirection). Active Setup runs a component's StubPath in the user's context at logon when that user's HKCU copy of the component is missing or older than the HKLM one, so this persistence fires at the next logon rather than immediately.
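The two properties just noted can be checked mechanically across a fleet. The following is an added example, not code from the report or from any Sality tooling: given an inventory of Installed Components entries (component key name mapped to its StubPath), it flags names that are not well-formed GUIDs, stub executables whose parent directory is not exactly System32 or SysWOW64 (a prefix match would accept the nested system32\system32 path), repeated system32 path components, and stub binaries outside a small allowlist. The allowlist and the sample inventory are constructed for illustration (the malicious entry is the one from the report); build the real allowlist from a clean image of your own build. collect_live() reads both registry views with the standard winreg module and only runs on Windows.

```python
"""Audit Active Setup 'Installed Components' for the persistence pattern in
the report: a StubPath that launches a dropped binary from a component whose
name only looks like a GUID. Added example, not code from the sandbox report.
Input is {component key name: StubPath}; SAMPLE_COMPONENTS is constructed,
with the malicious entry copied from the report."""
import ntpath
import re
from typing import Dict, List, Tuple

GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Assumed starting allowlist of stub binaries seen in default Active Setup
# entries; replace it with a baseline taken from a clean image of your build.
KNOWN_STUBS = {"regsvr32.exe", "rundll32.exe", "ie4uinit.exe", "unregmp2.exe"}


def split_stub(stub: str) -> Tuple[str, str]:
    """Split a StubPath command line into (executable, arguments); the path
    may be quoted, or bare with arguments after the extension."""
    s = stub.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end > 0:
            return s[1:end], s[end + 1:].strip()
    m = re.match(r"^(\S+?\.(?:exe|dll|cmd|bat))(?:\s+(.*))?$", s, re.I)
    if m:
        return m.group(1), (m.group(2) or "").strip()
    head, _, tail = s.partition(" ")
    return head, tail.strip()


def normalise_exe(exe: str) -> str:
    """Lower-case, expand %SystemRoot%/%windir% and collapse '..' so that the
    directory comparisons below are exact rather than prefix matches."""
    exe = re.sub(r"%systemroot%|%windir%", r"C:\\Windows", exe, flags=re.I)
    return ntpath.normpath(exe).lower()


def check_component(key_name: str, stub: str) -> List[str]:
    """Return the reasons an Installed Components entry looks suspicious
    (an empty list means nothing was flagged)."""
    reasons = []
    if not GUID_RE.match(key_name):
        reasons.append("component name is not a well-formed GUID")
    exe, _ = split_stub(stub)
    norm = normalise_exe(exe)
    # Compare the parent directory exactly: a startswith() check would accept
    # C:\Windows\system32\system32\server.exe.
    if ntpath.dirname(norm) not in SYSTEM_DIRS:
        reasons.append(f"stub executable outside System32/SysWOW64: {exe}")
    if norm.split("\\").count("system32") > 1:
        reasons.append("nested system32\\system32 path, which no clean install has")
    if ntpath.basename(norm) not in KNOWN_STUBS:
        reasons.append(f"stub binary not in the allowlist: {ntpath.basename(norm)}")
    return reasons


def audit_components(components: Dict[str, str]) -> Dict[str, List[str]]:
    """Run check_component over an inventory and keep only flagged entries."""
    results = {k: check_component(k, v) for k, v in components.items()}
    return {k: r for k, r in results.items() if r}


def collect_live() -> Dict[str, str]:
    """Windows only: read the inventory from both the native and the 32-bit
    (WOW6432Node) views of HKLM, since a 32-bit dropper lands in the latter."""
    import winreg
    base = r"SOFTWARE\Microsoft\Active Setup\Installed Components"
    found: Dict[str, str] = {}
    for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base, 0, winreg.KEY_READ | view) as root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                name = winreg.EnumKey(root, i)
                try:
                    with winreg.OpenKey(root, name, 0, winreg.KEY_READ | view) as sub:
                        found[name] = str(winreg.QueryValueEx(sub, "StubPath")[0])
                except OSError:
                    pass  # component without a StubPath value
    return found


# Constructed inventory: two entries shaped like default Windows stubs and the
# one the report shows the dropper creating.
SAMPLE_COMPONENTS = {
    "{89820200-ECBD-11CF-8B85-00AA005B4340}": r"C:\Windows\system32\regsvr32.exe /s /n /i:U shell32.dll",
    "{6BF52A52-394A-11D3-B153-00C04F79FAA6}": r'"C:\Windows\System32\unregmp2.exe" /ShowWMP',
    "{T5TBB77L-4678-0MKC-421Q-14416031DYU6}": r"C:\Windows\system32\system32\server.exe Restart",
}

if __name__ == "__main__":
    for name, reasons in audit_components(SAMPLE_COMPONENTS).items():
        print(name, "->", "; ".join(reasons))
```

On a live host, replace SAMPLE_COMPONENTS with collect_live(); for an offline hive, export HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components (and its WOW6432Node twin) and build the same mapping from the StubPath values. Legitimate third-party installers do register Active Setup components outside System32, so treat the directory and allowlist checks as triage signals to baseline, while a non-GUID component name is a strong indicator on its own.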
Disables RegEdit via registry modification 21 IoCs
All 21 IoCs are the same write: Set value (int) HKU\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = 1, once by JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe and 20 times by server.exe. That SID hive is the logged-on user's HKCU, so regedit is blocked for that user only.
Disables Task Manager via registry modification (no IoC rows are listed for this signature)
Checks computer location settings 2 TTPs 20 IoCs
Looks up country code configured in the registry, likely geofence.
All 20 IoCs are Key value queried reads of HKU\S-1-5-21-3625106387-4207083342-115176794-1000\Control Panel\International\Geo\Nation, once by JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe and 19 times by server.exe.
Executes dropped EXE 51 IoCs
51 launches of server.exe, PIDs in log order: 3688, 4700, 4224, 768, 1384, 4088, 4776, 1652, 1824, 1716, 5052, 4588, 3444, 3976, 3820, 3688, 4432, 1792, 1244, 3536, 1188, 2968, 1160, 1572, 400, 1576, 3180, 4176, 3344, 4680, 1904, 4896, 1744, 3756, 404, 4648, 3012, 1204, 2296, 2076, 2052, 2172, 1184, 2060, 3460, 2912, 4912, 3640, 2200, 5100, 2132. PID 3688 is listed twice, so that PID was reused after the first instance exited.
Loads dropped DLL 9 IoCs
server.exe PIDs: 4928, 3656, 1084, 1824, 748, 3840, 920, 2012, 4508
Windows security modification 2 TTPs 64 IoCs
Same key as the "Windows security bypass" signature (HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center). The 64 IoCs are the repeated creation of the Svc subkey by server.exe plus Set value (int) writes of the same six values to 1: AntiVirusOverride, AntiVirusDisableNotify, FirewallOverride, FirewallDisableNotify, UpdatesDisableNotify and UacDisableNotify. In this set JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe writes AntiVirusOverride and UacDisableNotify once each; every other entry is server.exe.
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\{T5TBB77L-4678-0MKC-421Q-14416031DYU6} = "C:\\Windows\\system32\\system32\\server.exe" JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3625106387-4207083342-115176794-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{T5TBB77L-4678-0MKC-421Q-14416031DYU6} = "C:\\Windows\\system32\\system32\\server.exe" JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe
-
Checks whether UAC is enabled 1 TTPs 21 IoCs
-
Drops file in System32 directory 61 IoCs
-
Suspicious use of SetThreadContext 21 IoCs
-
-
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\SYSTEM.INI JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
pid pid_target Process procid_target
3316 2132 WerFault.exe 152
-
System Location Discovery: System Language Discovery 1 TTPs 62 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 20 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 21 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 21 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | server.exe
Processes

C:\Windows\system32\fontdrvhost.exe | command line: "fontdrvhost.exe" | depth 1 | PID:792
C:\Windows\system32\fontdrvhost.exe | command line: "fontdrvhost.exe" | depth 1 | PID:796
C:\Windows\system32\dwm.exe | command line: "dwm.exe" | depth 1 | PID:388
C:\Windows\system32\sihost.exe | command line: sihost.exe | depth 1 | PID:2904
C:\Windows\system32\svchost.exe | command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | depth 1 | PID:2984
C:\Windows\system32\taskhostw.exe | command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | depth 1 | PID:808
C:\Windows\Explorer.EXE | command line: C:\Windows\Explorer.EXE | depth 1 | PID:3452

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe | command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe" | depth 2
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe | command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe" | depth 3
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3500

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe | command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_876c42866076bf9f3450332e3dac80f0.exe | depth 4
- Boot or Logon Autostart Execution: Active Setup
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3628

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 5
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3688

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 6
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4700

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 7
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4224

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 8
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:768

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 9
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1384

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 10
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4928

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 11
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4088

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 12
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:4776

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 13
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1652

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 14
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1824

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 15
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:1716

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 16
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5052

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 17
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4588

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 18
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3444

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 19
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3976

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 20
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3820

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 21
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:3688

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 22
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3656

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 23
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4432

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 24
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1792

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 25
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1244

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 26
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3536

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 27
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1188

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 28
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1084

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 29
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 30
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:1160

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 31
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1824

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 32
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1572

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 33
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:400

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 34
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:748

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 35
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1576

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 36
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:3180

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 37
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4176

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 38
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3344

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 39
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:4680

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 40
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3840

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 41
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1904

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 42
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:4896

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 43
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:920

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 44
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1744

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 45
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:3756

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 46
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2012

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 47
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:404

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 48
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- System policy modification
PID:4648

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 49
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3012

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 50
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1204

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 51
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- System policy modification
PID:2296

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 52
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2076

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 53
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2052

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 54
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- System policy modification
PID:2172

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 55
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1184

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 56
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2060

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 57
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- System policy modification
PID:3460

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 58
- Checks computer location settings
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2912

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 59
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 60
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- System policy modification
PID:3640

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 61
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4508

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\system32\system32\server.exe" | depth 62
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2200

C:\Windows\SysWOW64\system32\server.exe | command line: "C:\Windows\SysWOW64\system32\server.exe" | depth 63
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- System policy modification
PID:5100

C:\Windows\SysWOW64\system32\server.exe | command line: C:\Windows\SysWOW64\system32\server.exe | depth 64
- Executes dropped EXE
PID:2132

C:\Windows\SysWOW64\WerFault.exe | command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 766 | depth 65
- Program crash
PID:3316

C:\Windows\system32\svchost.exe | command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | depth 1 | PID:3568
C:\Windows\system32\DllHost.exe | command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | depth 1 | PID:3736
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | depth 1 | PID:3828
C:\Windows\System32\RuntimeBroker.exe | command line: C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:3908
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | depth 1 | PID:4016
C:\Windows\System32\RuntimeBroker.exe | command line: C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:3860
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | depth 1 | PID:4036
C:\Windows\System32\RuntimeBroker.exe | command line: C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:4996
C:\Windows\system32\backgroundTaskHost.exe | command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | depth 1 | PID:3672
C:\Windows\system32\backgroundTaskHost.exe | command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | depth 1 | PID:1256
C:\Windows\system32\BackgroundTaskHost.exe | command line: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider | depth 1 | PID:5052
C:\Windows\System32\RuntimeBroker.exe | command line: C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:1620
C:\Windows\System32\RuntimeBroker.exe | command line: C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:3204
C:\Windows\system32\BackgroundTransferHost.exe | command line: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | depth 1 | PID:1892
C:\Windows\system32\backgroundTaskHost.exe | command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | depth 1 | PID:3744
C:\Windows\SysWOW64\WerFault.exe | command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2132 -ip 2132 | depth 1 | PID:3624
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (2)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (7)
Downloads

Filesize: 257B
MD5: 9921d234e2950949ed75364daf3201b0
SHA1: b24429a6fc0f8feb212aa55f74046919c36b7381
SHA256: 253490c661cb3ff0b1cba018f5d43be47b5c9802085ed22446ad6b2b42a97865
SHA512: f824b0e267e160580a489b3aa1d0dd88c7843e392bdf3ecc35f9dce5002bd5a4ca54d35c732b4c28c6a8179ef061b1dbae62d2eb1e833eb180873f445a3cdfb4

Filesize: 322KB
MD5: 876c42866076bf9f3450332e3dac80f0
SHA1: aa39d26fcf7a56971ddbd5779a5cbc4cd91999e0
SHA256: 24f5ee91e74218a089b2516bcbbdc383f332daf65dfec4ea6e931b972f6b337f
SHA512: c4e71dac5125d19054f72052d371776693edfe8203f7b8a0f07fe199cdf1a6fcfa360a9e9fd546f821e5f6bce1ae42d07fe029eb2cfbdbd2ba2a31500c046a1f