641ea9b83ed7b5ddb6f56069c4507c19b71071b7ba851a495f9986d78765c3e7

Analysis

max time kernel
147s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2025, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe
Size

62KB
MD5

99a7a6f69d36dd597ffb59d98dd10b59
SHA1

1ce3239828ec80d634f50460ee455f19b4d33aaa
SHA256

641ea9b83ed7b5ddb6f56069c4507c19b71071b7ba851a495f9986d78765c3e7
SHA512

fc1923a82d7b53e70bfda69aec64fb80f0f27928a6ea702e3bca730dcccf6a3c6914dc4b9a050883067e170bb514bb50f7e253da7825ef58e62068c2a4161f24
SSDEEP

768:oBoZKpLJWwyGpAr1DW+o41Sl2khnfZRV2k4RCBdapcZc1pbtQN:OospfpAJWACz0kXBTc7tQN

Score

10^/10

defense_evasion discovery persistence

Malware Config

Signatures

Modifies firewall policy service 3 TTPs 30 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\mstdcs.exe = "C:\\Windows\\system32\\mstdcs.exe"	msasp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\mstdcs.exe = "C:\\Windows\\system32\\mstdcs.exe"	msasp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	msasp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	msasp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\mstdcs.exe = "C:\\Windows\\system32\\mstdcs.exe"	msasp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	msasp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	msasp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\mstdcs.exe = "C:\\Windows\\system32\\mstdcs.exe"	msasp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	msasp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	msasp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\mstdcs.exe = "C:\\Windows\\system32\\mstdcs.exe"	msasp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	msasp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\mstdcs.exe = "C:\\Windows\\system32\\mstdcs.exe"	msasp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	msasp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\mstdcs.exe = "C:\\Windows\\system32\\mstdcs.exe"	msasp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\mstdcs.exe = "C:\\Windows\\system32\\mstdcs.exe"	msasp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\mstdcs.exe = "C:\\Windows\\system32\\mstdcs.exe"	msasp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\mstdcs.exe = "C:\\Windows\\system32\\mstdcs.exe"	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	msasp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	msasp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	msasp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	msasp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	msasp.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\mstdcs.exe = "C:\\Windows\\system32\\mstdcs.exe"	msasp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\mstdcs.exe = "C:\\Windows\\system32\\mstdcs.exe"	msasp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\mstdcs.exe = "C:\\Windows\\system32\\mstdcs.exe"	msasp.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Windows\system32\mstdcs.exe = "C:\\Windows\\system32\\mstdcs.exe"	msasp.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 15 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}\StubPath = "C:\\Windows\\system32\\msasp.exe -start"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}	reg.exe

Checks computer location settings 2 TTPs 13 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	msasp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	msasp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	msasp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	msasp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	msasp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	msasp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	msasp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	msasp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	msasp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	msasp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	msasp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation	msasp.exe

Executes dropped EXE 13 IoCs

pid	Process
3032	msasp.exe
2616	msasp.exe
3180	msasp.exe
3868	msasp.exe
4260	msasp.exe
3048	msasp.exe
4660	msasp.exe
3144	msasp.exe
100	msasp.exe
2484	msasp.exe
5288	msasp.exe
4860	msasp.exe
4504	msasp.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in System32 directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\msasp.exe	msasp.exe
File opened for modification	C:\Windows\SysWOW64\msasp.exe	msasp.exe
File opened for modification	C:\Windows\SysWOW64\msasp.exe	msasp.exe
File opened for modification	C:\Windows\SysWOW64\msasp.exe	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe
File opened for modification	C:\Windows\SysWOW64\msasp.exe	msasp.exe
File opened for modification	C:\Windows\SysWOW64\msasp.exe	msasp.exe
File opened for modification	C:\Windows\SysWOW64\msasp.exe	msasp.exe
File opened for modification	C:\Windows\SysWOW64\msasp.exe	msasp.exe
File opened for modification	C:\Windows\SysWOW64\msasp.exe	msasp.exe
File opened for modification	C:\Windows\SysWOW64\msasp.exe	msasp.exe
File opened for modification	C:\Windows\SysWOW64\msasp.exe	msasp.exe
File opened for modification	C:\Windows\SysWOW64\msasp.exe	msasp.exe
File opened for modification	C:\Windows\SysWOW64\msasp.exe	msasp.exe
File opened for modification	C:\Windows\SysWOW64\msasp.exe	msasp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msasp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msasp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msasp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msasp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msasp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msasp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msasp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msasp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msasp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msasp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msasp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe
644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe
3032	msasp.exe
3032	msasp.exe
2616	msasp.exe
2616	msasp.exe
3180	msasp.exe
3180	msasp.exe
3868	msasp.exe
3868	msasp.exe
4260	msasp.exe
4260	msasp.exe
3048	msasp.exe
3048	msasp.exe
4660	msasp.exe
4660	msasp.exe
3144	msasp.exe
3144	msasp.exe
100	msasp.exe
100	msasp.exe
2484	msasp.exe
2484	msasp.exe
5288	msasp.exe
5288	msasp.exe
4860	msasp.exe
4860	msasp.exe
4504	msasp.exe
4504	msasp.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe
Token: SeDebugPrivilege	3032	msasp.exe
Token: SeIncBasePriorityPrivilege	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe
Token: SeDebugPrivilege	2616	msasp.exe
Token: SeIncBasePriorityPrivilege	3032	msasp.exe
Token: SeDebugPrivilege	3180	msasp.exe
Token: SeIncBasePriorityPrivilege	2616	msasp.exe
Token: SeDebugPrivilege	3868	msasp.exe
Token: SeIncBasePriorityPrivilege	3180	msasp.exe
Token: SeDebugPrivilege	4260	msasp.exe
Token: SeIncBasePriorityPrivilege	3868	msasp.exe
Token: SeDebugPrivilege	3048	msasp.exe
Token: SeIncBasePriorityPrivilege	4260	msasp.exe
Token: SeDebugPrivilege	4660	msasp.exe
Token: SeIncBasePriorityPrivilege	3048	msasp.exe
Token: SeDebugPrivilege	3144	msasp.exe
Token: SeIncBasePriorityPrivilege	4660	msasp.exe
Token: SeDebugPrivilege	100	msasp.exe
Token: SeIncBasePriorityPrivilege	3144	msasp.exe
Token: SeDebugPrivilege	2484	msasp.exe
Token: SeIncBasePriorityPrivilege	100	msasp.exe
Token: SeDebugPrivilege	5288	msasp.exe
Token: SeIncBasePriorityPrivilege	2484	msasp.exe
Token: SeDebugPrivilege	4860	msasp.exe
Token: SeIncBasePriorityPrivilege	5288	msasp.exe

Suspicious use of SetWindowsHookEx 28 IoCs

pid	Process
644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe
644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe
3032	msasp.exe
3032	msasp.exe
2616	msasp.exe
2616	msasp.exe
3180	msasp.exe
3180	msasp.exe
3868	msasp.exe
3868	msasp.exe
4260	msasp.exe
4260	msasp.exe
3048	msasp.exe
3048	msasp.exe
4660	msasp.exe
4660	msasp.exe
3144	msasp.exe
3144	msasp.exe
100	msasp.exe
100	msasp.exe
2484	msasp.exe
2484	msasp.exe
5288	msasp.exe
5288	msasp.exe
4860	msasp.exe
4860	msasp.exe
4504	msasp.exe
4504	msasp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 644 wrote to memory of 2764	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe	88
PID 644 wrote to memory of 2764	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe	88
PID 644 wrote to memory of 2764	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe	88
PID 644 wrote to memory of 5344	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe	94
PID 644 wrote to memory of 5344	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe	94
PID 644 wrote to memory of 5344	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe	94
PID 644 wrote to memory of 4648	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe	100
PID 644 wrote to memory of 4648	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe	100
PID 644 wrote to memory of 4648	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe	100
PID 4648 wrote to memory of 5108	4648	net.exe	102
PID 4648 wrote to memory of 5108	4648	net.exe	102
PID 4648 wrote to memory of 5108	4648	net.exe	102
PID 644 wrote to memory of 3032	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe	106
PID 644 wrote to memory of 3032	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe	106
PID 644 wrote to memory of 3032	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe	106
PID 3032 wrote to memory of 1684	3032	msasp.exe	107
PID 3032 wrote to memory of 1684	3032	msasp.exe	107
PID 3032 wrote to memory of 1684	3032	msasp.exe	107
PID 3032 wrote to memory of 2128	3032	msasp.exe	109
PID 3032 wrote to memory of 2128	3032	msasp.exe	109
PID 3032 wrote to memory of 2128	3032	msasp.exe	109
PID 3032 wrote to memory of 1044	3032	msasp.exe	111
PID 3032 wrote to memory of 1044	3032	msasp.exe	111
PID 3032 wrote to memory of 1044	3032	msasp.exe	111
PID 1044 wrote to memory of 5136	1044	net.exe	113
PID 1044 wrote to memory of 5136	1044	net.exe	113
PID 1044 wrote to memory of 5136	1044	net.exe	113
PID 644 wrote to memory of 4144	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe	114
PID 644 wrote to memory of 4144	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe	114
PID 644 wrote to memory of 4144	644	JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe	114
PID 3032 wrote to memory of 2616	3032	msasp.exe	115
PID 3032 wrote to memory of 2616	3032	msasp.exe	115
PID 3032 wrote to memory of 2616	3032	msasp.exe	115
PID 2616 wrote to memory of 548	2616	msasp.exe	116
PID 2616 wrote to memory of 548	2616	msasp.exe	116
PID 2616 wrote to memory of 548	2616	msasp.exe	116
PID 2616 wrote to memory of 2256	2616	msasp.exe	118
PID 2616 wrote to memory of 2256	2616	msasp.exe	118
PID 2616 wrote to memory of 2256	2616	msasp.exe	118
PID 2616 wrote to memory of 3472	2616	msasp.exe	120
PID 2616 wrote to memory of 3472	2616	msasp.exe	120
PID 2616 wrote to memory of 3472	2616	msasp.exe	120
PID 3472 wrote to memory of 4540	3472	net.exe	122
PID 3472 wrote to memory of 4540	3472	net.exe	122
PID 3472 wrote to memory of 4540	3472	net.exe	122
PID 3032 wrote to memory of 760	3032	msasp.exe	129
PID 3032 wrote to memory of 760	3032	msasp.exe	129
PID 3032 wrote to memory of 760	3032	msasp.exe	129
PID 2616 wrote to memory of 3180	2616	msasp.exe	130
PID 2616 wrote to memory of 3180	2616	msasp.exe	130
PID 2616 wrote to memory of 3180	2616	msasp.exe	130
PID 3180 wrote to memory of 5432	3180	msasp.exe	131
PID 3180 wrote to memory of 5432	3180	msasp.exe	131
PID 3180 wrote to memory of 5432	3180	msasp.exe	131
PID 3180 wrote to memory of 4100	3180	msasp.exe	133
PID 3180 wrote to memory of 4100	3180	msasp.exe	133
PID 3180 wrote to memory of 4100	3180	msasp.exe	133
PID 3180 wrote to memory of 2732	3180	msasp.exe	136
PID 3180 wrote to memory of 2732	3180	msasp.exe	136
PID 3180 wrote to memory of 2732	3180	msasp.exe	136
PID 2732 wrote to memory of 2004	2732	net.exe	138
PID 2732 wrote to memory of 2004	2732	net.exe	138
PID 2732 wrote to memory of 2004	2732	net.exe	138
PID 2616 wrote to memory of 4856	2616	msasp.exe	139

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_99a7a6f69d36dd597ffb59d98dd10b59.exe"
1⤵
- Modifies firewall policy service
- Checks computer location settings
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c move c:\msasp.exe C:\Windows\system32
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2764
- C:\Windows\SysWOW64\reg.exe
  reg add "hklm\SOFTWARE\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}" /v StubPath /t REG_SZ /d "C:\Windows\system32\msasp.exe -start"
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - System Location Discovery: System Language Discovery
  PID:5344
- C:\Windows\SysWOW64\net.exe
  "C:\Windows\System32\net.exe" stop sharedaccess
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop sharedaccess
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5108
- C:\Windows\SysWOW64\msasp.exe
  C:\Windows\system32\msasp.exe -start
  2⤵
  - Modifies firewall policy service
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3032
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c move c:\msasp.exe C:\Windows\system32
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1684
- - C:\Windows\SysWOW64\reg.exe
    reg add "hklm\SOFTWARE\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}" /v StubPath /t REG_SZ /d "C:\Windows\system32\msasp.exe -start"
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - System Location Discovery: System Language Discovery
    PID:2128
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\System32\net.exe" stop sharedaccess
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1044
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop sharedaccess
      4⤵
      PID:5136
- - C:\Windows\SysWOW64\msasp.exe
    C:\Windows\system32\msasp.exe -start
    3⤵
    - Modifies firewall policy service
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2616
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c move c:\msasp.exe C:\Windows\system32
      4⤵
      System Location Discovery: System Language Discovery
      PID:548
  - - C:\Windows\SysWOW64\reg.exe
      reg add "hklm\SOFTWARE\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}" /v StubPath /t REG_SZ /d "C:\Windows\system32\msasp.exe -start"
      4⤵
      Boot or Logon Autostart Execution: Active Setup
      System Location Discovery: System Language Discovery
      PID:2256
  - - C:\Windows\SysWOW64\net.exe
      "C:\Windows\System32\net.exe" stop sharedaccess
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3472
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
  - - C:\Windows\SysWOW64\msasp.exe
      C:\Windows\system32\msasp.exe -start
      4⤵
      Modifies firewall policy service
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3180
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c move c:\msasp.exe C:\Windows\system32
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5432
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SOFTWARE\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}" /v StubPath /t REG_SZ /d "C:\Windows\system32\msasp.exe -start"
        5⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:4100
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2732
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        6⤵
        
        PID:2004
    - - C:\Windows\SysWOW64\msasp.exe
        
        C:\Windows\system32\msasp.exe -start
        5⤵
        Modifies firewall policy service
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3868
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c move c:\msasp.exe C:\Windows\system32
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5436
      - C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SOFTWARE\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}" /v StubPath /t REG_SZ /d "C:\Windows\system32\msasp.exe -start"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:4772
      - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4648
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
      - C:\Windows\SysWOW64\msasp.exe
        
        C:\Windows\system32\msasp.exe -start
        6⤵
        Modifies firewall policy service
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c move c:\msasp.exe C:\Windows\system32
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5864
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SOFTWARE\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}" /v StubPath /t REG_SZ /d "C:\Windows\system32\msasp.exe -start"
        7⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:952
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4944
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\msasp.exe
        
        C:\Windows\system32\msasp.exe -start
        7⤵
        Modifies firewall policy service
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3048
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c move c:\msasp.exe C:\Windows\system32
        8⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SOFTWARE\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}" /v StubPath /t REG_SZ /d "C:\Windows\system32\msasp.exe -start"
        8⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:2644
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        8⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:5140
        
        C:\Windows\SysWOW64\msasp.exe
        
        C:\Windows\system32\msasp.exe -start
        8⤵
        Modifies firewall policy service
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c move c:\msasp.exe C:\Windows\system32
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SOFTWARE\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}" /v StubPath /t REG_SZ /d "C:\Windows\system32\msasp.exe -start"
        9⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:3672
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        10⤵
        
        PID:1384
        
        C:\Windows\SysWOW64\msasp.exe
        
        C:\Windows\system32\msasp.exe -start
        9⤵
        Modifies firewall policy service
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c move c:\msasp.exe C:\Windows\system32
        10⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SOFTWARE\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}" /v StubPath /t REG_SZ /d "C:\Windows\system32\msasp.exe -start"
        10⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2820
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\msasp.exe
        
        C:\Windows\system32\msasp.exe -start
        10⤵
        Modifies firewall policy service
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:100
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c move c:\msasp.exe C:\Windows\system32
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SOFTWARE\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}" /v StubPath /t REG_SZ /d "C:\Windows\system32\msasp.exe -start"
        11⤵
        Boot or Logon Autostart Execution: Active Setup
        
        PID:3200
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        11⤵
        
        PID:3696
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        12⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\msasp.exe
        
        C:\Windows\system32\msasp.exe -start
        11⤵
        Modifies firewall policy service
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c move c:\msasp.exe C:\Windows\system32
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SOFTWARE\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}" /v StubPath /t REG_SZ /d "C:\Windows\system32\msasp.exe -start"
        12⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:4212
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5688
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\SysWOW64\msasp.exe
        
        C:\Windows\system32\msasp.exe -start
        12⤵
        Modifies firewall policy service
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c move c:\msasp.exe C:\Windows\system32
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SOFTWARE\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}" /v StubPath /t REG_SZ /d "C:\Windows\system32\msasp.exe -start"
        13⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:5132
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        14⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\msasp.exe
        
        C:\Windows\system32\msasp.exe -start
        13⤵
        Modifies firewall policy service
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4860
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c move c:\msasp.exe C:\Windows\system32
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SOFTWARE\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}" /v StubPath /t REG_SZ /d "C:\Windows\system32\msasp.exe -start"
        14⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\System32\net.exe" stop sharedaccess
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:5988
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop sharedaccess
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\msasp.exe
        
        C:\Windows\system32\msasp.exe -start
        14⤵
        Modifies firewall policy service
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4504
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd /c move c:\msasp.exe C:\Windows\system32
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add "hklm\SOFTWARE\Microsoft\Active Setup\Installed Components\{6968FE3E_01E1_4E7D_B2EA_58051F165658}" /v StubPath /t REG_SZ /d "C:\Windows\system32\msasp.exe -start"
        15⤵
        Boot or Logon Autostart Execution: Active Setup
        System Location Discovery: System Language Discovery
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\msasp.exe > nul
        13⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\msasp.exe > nul
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\msasp.exe > nul
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\msasp.exe > nul
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\msasp.exe > nul
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\msasp.exe > nul
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\msasp.exe > nul
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4012
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\msasp.exe > nul
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\msasp.exe > nul
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\msasp.exe > nul
      4⤵
      System Location Discovery: System Language Discovery
      PID:4856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c del C:\Windows\SysWOW64\msasp.exe > nul
    3⤵
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c del C:\Users\Admin\AppData\Local\Temp\JAFFAC~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\msasp.exe

Filesize
62KB

MD5
99a7a6f69d36dd597ffb59d98dd10b59

SHA1
1ce3239828ec80d634f50460ee455f19b4d33aaa

SHA256
641ea9b83ed7b5ddb6f56069c4507c19b71071b7ba851a495f9986d78765c3e7

SHA512
fc1923a82d7b53e70bfda69aec64fb80f0f27928a6ea702e3bca730dcccf6a3c6914dc4b9a050883067e170bb514bb50f7e253da7825ef58e62068c2a4161f24

Download Submit