latentbot | c825a1cac47c348f08ffbcb4f10c3d5a1f3505d1c97245c3b2808b4ff3ec0a7f

Analysis

max time kernel
147s
max time network
141s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Size

600KB
MD5

159f90d0509b218f3d15d1d5fb32385e
SHA1

94768dcaee022019f876293a222eaa57d7e9d4a6
SHA256

c825a1cac47c348f08ffbcb4f10c3d5a1f3505d1c97245c3b2808b4ff3ec0a7f
SHA512

444e5ed931f538311a347b469930fa9c3fedc75ee37affc855df09a96ed3bf0d48371aa34a2ac87a6bd309f84d9e968577b2cb9d7c8b7607153fafa9178f1123
SSDEEP

12288:T31YUfnn4/2Ywhh5tH6Q4CvPybjdFoDI86tABMr:OAjHH2CvPynPt8H

Score

10^/10

latentbot bootkit evasion persistence trojan

Malware Config

Extracted

Family

latentbot

nyandcompany.zapto.org

1nyandcompany.zapto.org

2nyandcompany.zapto.org

3nyandcompany.zapto.org

4nyandcompany.zapto.org

5nyandcompany.zapto.org

6nyandcompany.zapto.org

7nyandcompany.zapto.org

8nyandcompany.zapto.org

Signatures

LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\A116.exe = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	reg.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe:*:Enabled:Windows Messanger"	reg.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	reg.exe

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Microsoft Intell Management = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe"	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

Processes:

159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{41DBAF0C-2D41-BEFF-EFDA-1B7FD6BECECF}	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Active Setup\Installed Components\{41DBAF0C-2D41-BEFF-EFDA-1B7FD6BECECF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe"	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41DBAF0C-2D41-BEFF-EFDA-1B7FD6BECECF}	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41DBAF0C-2D41-BEFF-EFDA-1B7FD6BECECF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe"	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Intell Management = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe"	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Intell Management = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe"	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe

description ioc process

File opened for modification \??\PhysicalDrive0 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe

description	pid	process	target process
PID 1560 set thread context of 2232	1560	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 2232 set thread context of 2860	2232	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

2888 reg.exe
2556 reg.exe
3044 reg.exe
2892 reg.exe

pid	process
2888	reg.exe
2556	reg.exe
3044	reg.exe
2892	reg.exe

Suspicious use of AdjustPrivilegeToken 36 IoCs

Processes:

159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe

description	pid	process
Token: 1	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeCreateTokenPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeAssignPrimaryTokenPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeTcbPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeCreatePermanentPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeBackupPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeRestorePrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeShutdownPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeDebugPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeAuditPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeUndockPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeSyncAgentPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeEnableDelegationPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: 31	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: 32	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: 33	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: 34	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: 35	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Token: SeDebugPrivilege	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe

pid	process
1560	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
2232	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1560 wrote to memory of 2232	1560	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 1560 wrote to memory of 2232	1560	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 1560 wrote to memory of 2232	1560	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 1560 wrote to memory of 2232	1560	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 1560 wrote to memory of 2232	1560	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 1560 wrote to memory of 2232	1560	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 1560 wrote to memory of 2232	1560	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 1560 wrote to memory of 2232	1560	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 1560 wrote to memory of 2232	1560	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 2232 wrote to memory of 2860	2232	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 2232 wrote to memory of 2860	2232	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 2232 wrote to memory of 2860	2232	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 2232 wrote to memory of 2860	2232	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 2232 wrote to memory of 2860	2232	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 2232 wrote to memory of 2860	2232	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 2232 wrote to memory of 2860	2232	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 2232 wrote to memory of 2860	2232	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 2860 wrote to memory of 2820	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	cmd.exe
PID 2860 wrote to memory of 2820	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	cmd.exe
PID 2860 wrote to memory of 2820	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	cmd.exe
PID 2860 wrote to memory of 2820	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	cmd.exe
PID 2860 wrote to memory of 2932	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	cmd.exe
PID 2860 wrote to memory of 2932	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	cmd.exe
PID 2860 wrote to memory of 2932	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	cmd.exe
PID 2860 wrote to memory of 2932	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	cmd.exe
PID 2860 wrote to memory of 2924	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	cmd.exe
PID 2860 wrote to memory of 2924	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	cmd.exe
PID 2860 wrote to memory of 2924	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	cmd.exe
PID 2860 wrote to memory of 2924	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	cmd.exe
PID 2860 wrote to memory of 2856	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	cmd.exe
PID 2860 wrote to memory of 2856	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	cmd.exe
PID 2860 wrote to memory of 2856	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	cmd.exe
PID 2860 wrote to memory of 2856	2860	159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe	cmd.exe
PID 2820 wrote to memory of 2888	2820	cmd.exe	reg.exe
PID 2820 wrote to memory of 2888	2820	cmd.exe	reg.exe
PID 2820 wrote to memory of 2888	2820	cmd.exe	reg.exe
PID 2820 wrote to memory of 2888	2820	cmd.exe	reg.exe
PID 2932 wrote to memory of 2892	2932	cmd.exe	reg.exe
PID 2932 wrote to memory of 2892	2932	cmd.exe	reg.exe
PID 2932 wrote to memory of 2892	2932	cmd.exe	reg.exe
PID 2932 wrote to memory of 2892	2932	cmd.exe	reg.exe
PID 2924 wrote to memory of 2556	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 2556	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 2556	2924	cmd.exe	reg.exe
PID 2924 wrote to memory of 2556	2924	cmd.exe	reg.exe
PID 2856 wrote to memory of 3044	2856	cmd.exe	reg.exe
PID 2856 wrote to memory of 3044	2856	cmd.exe	reg.exe
PID 2856 wrote to memory of 3044	2856	cmd.exe	reg.exe
PID 2856 wrote to memory of 3044	2856	cmd.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560

C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe"
2⤵
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2232

C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe"
3⤵
- Adds policy Run key to start application
- Boot or Logon Autostart Execution: Active Setup
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:2888

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:2932

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:2892

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:2556

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\A116.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\A116.exe:*:Enabled:Windows Messanger" /f
4⤵
- Suspicious use of WriteProcessMemory
PID:2856

C:\Windows\SysWOW64\reg.exe
REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\A116.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\A116.exe:*:Enabled:Windows Messanger" /f
5⤵
- Modifies firewall policy service
- Modifies registry key
PID:3044

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\A116.exe
Filesize
600KB

MD5
159f90d0509b218f3d15d1d5fb32385e

SHA1
94768dcaee022019f876293a222eaa57d7e9d4a6

SHA256
c825a1cac47c348f08ffbcb4f10c3d5a1f3505d1c97245c3b2808b4ff3ec0a7f

SHA512
444e5ed931f538311a347b469930fa9c3fedc75ee37affc855df09a96ed3bf0d48371aa34a2ac87a6bd309f84d9e968577b2cb9d7c8b7607153fafa9178f1123

Download Submit
memory/2232-12-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2232-14-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2232-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2232-6-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2232-4-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2232-37-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2232-2-0x0000000000400000-0x0000000000475000-memory.dmp

Filesize
468KB

Download
memory/2860-40-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2860-44-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2860-19-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2860-30-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2860-25-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2860-39-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2860-17-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2860-41-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2860-43-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2860-21-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2860-46-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2860-48-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2860-50-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2860-52-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2860-54-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2860-60-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2860-64-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download