betabot | 928d06ae692be5a216946aa53308e34b920cdd65eb1eb1f7aad9d4edf779c8b6

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Size

331KB
MD5

a41a425b9aa3dcb50ea244ff90cef59d
SHA1

2d1c8cfba8e5ef11a2a5144346f8102c3c9db805
SHA256

928d06ae692be5a216946aa53308e34b920cdd65eb1eb1f7aad9d4edf779c8b6
SHA512

6b82375eb4645cc8e615c4699fb4eeada8b4a0f50b89bd512810c9c1d643977ae1e5472ee2ea2d8cfb69133381120267db5cd863a10746843bed79e0d5a88334
SSDEEP

6144:R6tnHIghzbAam9iliAotWWfUwwQWzyq2L9OATfzSskQBi:+HrhzW3Jq49zfGQBi

Score

10^/10

betabot backdoor botnet evasion persistence trojan

Malware Config

Signatures

BetaBot
Beta Bot is a Trojan that infects computers and disables Antivirus.
trojan backdoor botnet betabot

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\PublicProfile\EnableFirewall = "0"	explorer.exe

Sets file execution options in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exeexplorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w3533i3ouou.exe	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\w3533i3ouou.exe\DisableExceptionChainValidation	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "gdruc.exe"	explorer.exe

Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion explorer.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	explorer.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\LayerAuthForm = "C:\\ProgramData\\LayerAuth\\w3533i3ouou.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\LayerAuthForm = "\"C:\\ProgramData\\LayerAuth\\w3533i3ouou.exe\""	explorer.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exeexplorer.exe

pid process

2100 a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
2236 explorer.exe
2236 explorer.exe
2236 explorer.exe
2236 explorer.exe
2236 explorer.exe
2236 explorer.exe
2236 explorer.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe

description pid process target process

PID 1932 set thread context of 2100 1932 a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe

pid	process
2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe

description	pid	process	target process
PID 1932 set thread context of 2100	1932	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exeexplorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

explorer.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS explorer.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer explorer.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	explorer.exe

Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4\2500 = "3"	explorer.exe

Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" explorer.exe
Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

explorer.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1"	explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main	explorer.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

explorer.exe

pid process

2236 explorer.exe
2236 explorer.exe
2236 explorer.exe
2236 explorer.exe
2236 explorer.exe
2236 explorer.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exeexplorer.exe

pid process

2100 a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
2100 a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
2236 explorer.exe
2236 explorer.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe

pid process

2100 a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe

pid	process
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe
2236	explorer.exe

pid	process
2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
2236	explorer.exe
2236	explorer.exe

pid	process
2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

Processes:

a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exea41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	1932	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeDebugPrivilege	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeRestorePrivilege	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeBackupPrivilege	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeShutdownPrivilege	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeSecurityPrivilege	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: 33	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
Token: SeDebugPrivilege	2236	explorer.exe
Token: SeRestorePrivilege	2236	explorer.exe
Token: SeBackupPrivilege	2236	explorer.exe
Token: SeLoadDriverPrivilege	2236	explorer.exe
Token: SeCreatePagefilePrivilege	2236	explorer.exe
Token: SeShutdownPrivilege	2236	explorer.exe
Token: SeTakeOwnershipPrivilege	2236	explorer.exe
Token: SeChangeNotifyPrivilege	2236	explorer.exe
Token: SeCreateTokenPrivilege	2236	explorer.exe
Token: SeMachineAccountPrivilege	2236	explorer.exe
Token: SeSecurityPrivilege	2236	explorer.exe
Token: SeAssignPrimaryTokenPrivilege	2236	explorer.exe
Token: SeCreateGlobalPrivilege	2236	explorer.exe
Token: 33	2236	explorer.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exea41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 1932 wrote to memory of 2100	1932	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
PID 1932 wrote to memory of 2100	1932	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
PID 1932 wrote to memory of 2100	1932	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
PID 1932 wrote to memory of 2100	1932	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
PID 1932 wrote to memory of 2100	1932	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
PID 1932 wrote to memory of 2100	1932	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
PID 1932 wrote to memory of 2100	1932	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
PID 1932 wrote to memory of 2100	1932	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
PID 1932 wrote to memory of 2100	1932	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
PID 1932 wrote to memory of 2100	1932	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
PID 1932 wrote to memory of 2100	1932	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
PID 2100 wrote to memory of 2236	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	explorer.exe
PID 2100 wrote to memory of 2236	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	explorer.exe
PID 2100 wrote to memory of 2236	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	explorer.exe
PID 2100 wrote to memory of 2236	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	explorer.exe
PID 2100 wrote to memory of 2236	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	explorer.exe
PID 2100 wrote to memory of 2236	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	explorer.exe
PID 2100 wrote to memory of 2236	2100	a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe	explorer.exe
PID 2236 wrote to memory of 1144	2236	explorer.exe	Dwm.exe
PID 2236 wrote to memory of 1144	2236	explorer.exe	Dwm.exe
PID 2236 wrote to memory of 1144	2236	explorer.exe	Dwm.exe
PID 2236 wrote to memory of 1144	2236	explorer.exe	Dwm.exe
PID 2236 wrote to memory of 1144	2236	explorer.exe	Dwm.exe
PID 2236 wrote to memory of 1144	2236	explorer.exe	Dwm.exe
PID 2236 wrote to memory of 1192	2236	explorer.exe	Explorer.EXE
PID 2236 wrote to memory of 1192	2236	explorer.exe	Explorer.EXE
PID 2236 wrote to memory of 1192	2236	explorer.exe	Explorer.EXE
PID 2236 wrote to memory of 1192	2236	explorer.exe	Explorer.EXE
PID 2236 wrote to memory of 1192	2236	explorer.exe	Explorer.EXE
PID 2236 wrote to memory of 1192	2236	explorer.exe	Explorer.EXE

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1144

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1932

C:\Users\Admin\AppData\Local\Temp\a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a41a425b9aa3dcb50ea244ff90cef59d_JaffaCakes118.exe"
3⤵
- Sets file execution options in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Modifies firewall policy service
- Sets file execution options in registry
- Checks BIOS information in registry
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer Protected Mode
- Modifies Internet Explorer Protected Mode Banner
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2236

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B

MD5
2a21ddc43e313d2b2807f103393d5048

SHA1
1eebdb62390d68955b7779c855759994201c0cea

SHA256
79752b4b92aa5d7109efe82c922bac396509e60e0847b686c98307341f3c5488

SHA512
b5575d0f1bb70cf4bdc66467dad025c1d527d7f33a3dc94b4ef9145cff9f8895ca4db0c843855388672bedf1e60a6dcb8804a5833ccf1b0e90eaae8c1f54d775

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4F6A.tmp
Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4F7C.tmp
Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/1932-64-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1932-1-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1932-2-0x0000000074DE0000-0x000000007538B000-memory.dmp

Filesize
5.7MB

Download
memory/1932-0-0x0000000074DE1000-0x0000000074DE2000-memory.dmp

Filesize
4KB

Download
memory/2100-55-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/2100-63-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/2100-56-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2100-74-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2100-57-0x00000000001A0000-0x00000000001AD000-memory.dmp

Filesize
52KB

Download
memory/2100-58-0x0000000077C90000-0x0000000077C91000-memory.dmp

Filesize
4KB

Download
memory/2100-59-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/2100-53-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2100-62-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2100-61-0x0000000000440000-0x0000000000441000-memory.dmp

Filesize
4KB

Download
memory/2100-52-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2100-75-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2100-76-0x0000000000260000-0x00000000002C6000-memory.dmp

Filesize
408KB

Download
memory/2100-50-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2236-67-0x00000000000F0000-0x00000000001AC000-memory.dmp

Filesize
752KB

Download
memory/2236-68-0x0000000077C80000-0x0000000077E01000-memory.dmp

Filesize
1.5MB

Download
memory/2236-70-0x0000000077C80000-0x0000000077E01000-memory.dmp

Filesize
1.5MB

Download
memory/2236-72-0x00000000000F0000-0x00000000001AC000-memory.dmp

Filesize
752KB

Download
memory/2236-71-0x0000000077C80000-0x0000000077E01000-memory.dmp

Filesize
1.5MB

Download
memory/2236-69-0x0000000077C80000-0x0000000077E01000-memory.dmp

Filesize
1.5MB

Download
memory/2236-66-0x0000000077C80000-0x0000000077E01000-memory.dmp

Filesize
1.5MB

Download
memory/2236-65-0x0000000077C80000-0x0000000077E01000-memory.dmp

Filesize
1.5MB

Download
memory/2236-77-0x0000000077C80000-0x0000000077E01000-memory.dmp

Filesize
1.5MB

Download
memory/2236-78-0x0000000077C80000-0x0000000077E01000-memory.dmp

Filesize
1.5MB

Download
memory/2236-79-0x0000000077C80000-0x0000000077E01000-memory.dmp

Filesize
1.5MB

Download
memory/2236-80-0x0000000077C80000-0x0000000077E01000-memory.dmp

Filesize
1.5MB

Download
memory/2236-81-0x0000000077C80000-0x0000000077E01000-memory.dmp

Filesize
1.5MB

Download
memory/2236-82-0x0000000077C80000-0x0000000077E01000-memory.dmp

Filesize
1.5MB

Download
memory/2236-83-0x0000000077C80000-0x0000000077E01000-memory.dmp

Filesize
1.5MB

Download
memory/2236-84-0x0000000077C80000-0x0000000077E01000-memory.dmp

Filesize
1.5MB

Download
memory/2236-85-0x0000000077C80000-0x0000000077E01000-memory.dmp

Filesize
1.5MB

Download
memory/2236-86-0x00000000000F0000-0x00000000001AC000-memory.dmp

Filesize
752KB

Download
memory/2236-87-0x0000000077C80000-0x0000000077E01000-memory.dmp

Filesize
1.5MB

Download