Analysis
- max time kernel: 147s
- max time network: 141s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 27-06-2024 10:16
Static task: static1
Behavioral task: behavioral1
- Sample: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
- Size: 600KB
- MD5: 159f90d0509b218f3d15d1d5fb32385e
- SHA1: 94768dcaee022019f876293a222eaa57d7e9d4a6
- SHA256: c825a1cac47c348f08ffbcb4f10c3d5a1f3505d1c97245c3b2808b4ff3ec0a7f
- SHA512: 444e5ed931f538311a347b469930fa9c3fedc75ee37affc855df09a96ed3bf0d48371aa34a2ac87a6bd309f84d9e968577b2cb9d7c8b7607153fafa9178f1123
- SSDEEP: 12288:T31YUfnn4/2Ywhh5tH6Q4CvPybjdFoDI86tABMr:OAjHH2CvPynPt8H
Malware Config
Extracted: latentbot
Domains:
- nyandcompany.zapto.org
- 1nyandcompany.zapto.org
- 2nyandcompany.zapto.org
- 3nyandcompany.zapto.org
- 4nyandcompany.zapto.org
- 5nyandcompany.zapto.org
- 6nyandcompany.zapto.org
- 7nyandcompany.zapto.org
- 8nyandcompany.zapto.org
Signatures

Modifies firewall policy service (3 TTPs, 8 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\A116.exe = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Adds policy Run key to start application (2 TTPs, 2 IoCs)
Processes: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Microsoft Intell Management = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe" | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{41DBAF0C-2D41-BEFF-EFDA-1B7FD6BECECF} | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Active Setup\Installed Components\{41DBAF0C-2D41-BEFF-EFDA-1B7FD6BECECF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe" | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41DBAF0C-2D41-BEFF-EFDA-1B7FD6BECECF} | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{41DBAF0C-2D41-BEFF-EFDA-1B7FD6BECECF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe" | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Intell Management = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe" | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Intell Management = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe" | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe, 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
description | pid | process | target process
PID 1560 set thread context of 2232 | 1560 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 2232 set thread context of 2860 | 2232 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Modifies registry key (1 TTPs, 4 IoCs)
Processes: reg.exe, reg.exe, reg.exe, reg.exe
pid | process
2888 | reg.exe
2556 | reg.exe
3044 | reg.exe
2892 | reg.exe
Suspicious use of AdjustPrivilegeToken (36 IoCs)
Processes: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
All 36 entries have pid 2860 and process 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe. Tokens, in the order reported:
Token: 1, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 31, 32, 33, 34, 35, SeDebugPrivilege
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe, 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe, 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
pid | process
1560 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
2232 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
2860 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
2860 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
2860 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (49 IoCs)
Processes: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe, 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe, 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
Identical rows are collapsed; the last column gives how many times each row was reported (total 49).
description | pid | process | target process | entries
PID 1560 wrote to memory of 2232 | 1560 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | 9
PID 2232 wrote to memory of 2860 | 2232 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | 8
PID 2860 wrote to memory of 2820 | 2860 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | cmd.exe | 4
PID 2860 wrote to memory of 2932 | 2860 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | cmd.exe | 4
PID 2860 wrote to memory of 2924 | 2860 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | cmd.exe | 4
PID 2860 wrote to memory of 2856 | 2860 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | cmd.exe | 4
PID 2820 wrote to memory of 2888 | 2820 | cmd.exe | reg.exe | 4
PID 2932 wrote to memory of 2892 | 2932 | cmd.exe | reg.exe | 4
PID 2924 wrote to memory of 2556 | 2924 | cmd.exe | reg.exe | 4
PID 2856 wrote to memory of 3044 | 2856 | cmd.exe | reg.exe | 4
Processes
The bracketed number is the depth of the process in the tree; each entry is a child of the nearest entry above it with the next lower depth.

[1] C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe"
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe"
        - Adds policy Run key to start application
        - Boot or Logon Autostart Execution: Active Setup
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - Modifies registry key

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - Modifies registry key

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
            - Modifies firewall policy service
            - Modifies registry key

      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\A116.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\A116.exe:*:Enabled:Windows Messanger" /f
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\reg.exe
            Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\A116.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\A116.exe:*:Enabled:Windows Messanger" /f
            - Modifies firewall policy service
            - Modifies registry key
Network
MITRE ATT&CK Matrix (ATT&CK v13)
The number after each technique is how many signatures in this report map to it.

Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Active Setup (1)
- Pre-OS Boot (1)
  - Bootkit (1)

Privilege Escalation
- Create or Modify System Process (1)
  - Windows Service (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Active Setup (1)
Downloads
- C:\Users\Admin\AppData\Roaming\A116.exe
  Filesize: 600KB
  MD5: 159f90d0509b218f3d15d1d5fb32385e
  SHA1: 94768dcaee022019f876293a222eaa57d7e9d4a6
  SHA256: c825a1cac47c348f08ffbcb4f10c3d5a1f3505d1c97245c3b2808b4ff3ec0a7f
  SHA512: 444e5ed931f538311a347b469930fa9c3fedc75ee37affc855df09a96ed3bf0d48371aa34a2ac87a6bd309f84d9e968577b2cb9d7c8b7607153fafa9178f1123

Memory dumps (file, filesize):
- memory/2232-12-0x0000000000400000-0x0000000000475000-memory.dmp, 468KB
- memory/2232-14-0x0000000000400000-0x0000000000475000-memory.dmp, 468KB
- memory/2232-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp, 4KB
- memory/2232-6-0x0000000000400000-0x0000000000475000-memory.dmp, 468KB
- memory/2232-4-0x0000000000400000-0x0000000000475000-memory.dmp, 468KB
- memory/2232-37-0x0000000000400000-0x0000000000475000-memory.dmp, 468KB
- memory/2232-2-0x0000000000400000-0x0000000000475000-memory.dmp, 468KB
- memory/2860-40-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB
- memory/2860-44-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB
- memory/2860-19-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB
- memory/2860-30-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB
- memory/2860-25-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB
- memory/2860-39-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB
- memory/2860-17-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB
- memory/2860-41-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB
- memory/2860-43-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB
- memory/2860-21-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB
- memory/2860-46-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB
- memory/2860-48-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB
- memory/2860-50-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB
- memory/2860-52-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB
- memory/2860-54-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB
- memory/2860-60-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB
- memory/2860-64-0x0000000000400000-0x0000000000470000-memory.dmp, 448KB