Analysis
max time kernel: 148s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 10:16
Static task: static1
Behavioral task: behavioral1
Sample: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Resource: win7-20240611-en
Behavioral task: behavioral2
Sample: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Resource: win10v2004-20240611-en
General
Target: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Size: 600KB
MD5: 159f90d0509b218f3d15d1d5fb32385e
SHA1: 94768dcaee022019f876293a222eaa57d7e9d4a6
SHA256: c825a1cac47c348f08ffbcb4f10c3d5a1f3505d1c97245c3b2808b4ff3ec0a7f
SHA512: 444e5ed931f538311a347b469930fa9c3fedc75ee37affc855df09a96ed3bf0d48371aa34a2ac87a6bd309f84d9e968577b2cb9d7c8b7607153fafa9178f1123
SSDEEP: 12288:T31YUfnn4/2Ywhh5tH6Q4CvPybjdFoDI86tABMr:OAjHH2CvPynPt8H
Malware Config
Extracted
latentbot
nyandcompany.zapto.org
1nyandcompany.zapto.org
2nyandcompany.zapto.org
3nyandcompany.zapto.org
4nyandcompany.zapto.org
5nyandcompany.zapto.org
6nyandcompany.zapto.org
7nyandcompany.zapto.org
8nyandcompany.zapto.org
Signatures
-
Modifies firewall policy service 3 TTPs 10 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Roaming\A116.exe = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe:*:Enabled:Windows Messanger" | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | reg.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | reg.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe:*:Enabled:Windows Messanger" | reg.exe
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\Microsoft Intell Management = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe" | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 4 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41DBAF0C-2D41-BEFF-EFDA-1B7FD6BECECF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe" | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{41DBAF0C-2D41-BEFF-EFDA-1B7FD6BECECF} | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{41DBAF0C-2D41-BEFF-EFDA-1B7FD6BECECF}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe" | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{41DBAF0C-2D41-BEFF-EFDA-1B7FD6BECECF} | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Intell Management = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe" | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Intell Management = "C:\\Users\\Admin\\AppData\\Roaming\\A116.exe" | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
description | ioc | process
File opened for modification | \??\PhysicalDrive0 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe, 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
description | pid | process | target process
PID 2260 set thread context of 2440 | 2260 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
PID 2440 set thread context of 1224 | 2440 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
-
Modifies registry key 1 TTPs 4 IoCs
Processes: reg.exe, reg.exe, reg.exe, reg.exe
pid | process
1376 | reg.exe
3700 | reg.exe
2456 | reg.exe
3212 | reg.exe
-
Suspicious use of AdjustPrivilegeToken 36 IoCs
Processes: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
description | pid | process
All 36 entries have pid 1224 and process 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe; the token descriptions, in report order, are:
Token: 1, Token: SeCreateTokenPrivilege, Token: SeAssignPrimaryTokenPrivilege, Token: SeLockMemoryPrivilege, Token: SeIncreaseQuotaPrivilege, Token: SeMachineAccountPrivilege, Token: SeTcbPrivilege, Token: SeSecurityPrivilege, Token: SeTakeOwnershipPrivilege, Token: SeLoadDriverPrivilege, Token: SeSystemProfilePrivilege, Token: SeSystemtimePrivilege, Token: SeProfSingleProcessPrivilege, Token: SeIncBasePriorityPrivilege, Token: SeCreatePagefilePrivilege, Token: SeCreatePermanentPrivilege, Token: SeBackupPrivilege, Token: SeRestorePrivilege, Token: SeShutdownPrivilege, Token: SeDebugPrivilege, Token: SeAuditPrivilege, Token: SeSystemEnvironmentPrivilege, Token: SeChangeNotifyPrivilege, Token: SeRemoteShutdownPrivilege, Token: SeUndockPrivilege, Token: SeSyncAgentPrivilege, Token: SeEnableDelegationPrivilege, Token: SeManageVolumePrivilege, Token: SeImpersonatePrivilege, Token: SeCreateGlobalPrivilege, Token: 31, Token: 32, Token: 33, Token: 34, Token: 35, Token: SeDebugPrivilege
-
Suspicious use of SetWindowsHookEx 5 IoCs
Processes: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe, 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe, 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
pid | process
2260 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
2440 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
1224 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
1224 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
1224 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
-
Suspicious use of WriteProcessMemory 40 IoCs
Processes: 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe, 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe, 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe, cmd.exe, cmd.exe, cmd.exe, cmd.exe
description | pid | process | target process | entries
PID 2260 wrote to memory of 2440 | 2260 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | 8
PID 2440 wrote to memory of 1224 | 2440 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | 8
PID 1224 wrote to memory of 1516 | 1224 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | cmd.exe | 3
PID 1224 wrote to memory of 3312 | 1224 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | cmd.exe | 3
PID 1224 wrote to memory of 3556 | 1224 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | cmd.exe | 3
PID 1224 wrote to memory of 532 | 1224 | 159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe | cmd.exe | 3
PID 1516 wrote to memory of 1376 | 1516 | cmd.exe | reg.exe | 3
PID 3556 wrote to memory of 3700 | 3556 | cmd.exe | reg.exe | 3
PID 532 wrote to memory of 2456 | 532 | cmd.exe | reg.exe | 3
PID 3312 wrote to memory of 3212 | 3312 | cmd.exe | reg.exe | 3
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Level 2: C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe"
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    Level 3: C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe"
      - Adds policy Run key to start application
      - Boot or Logon Autostart Execution: Active Setup
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - Modifies registry key
      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\159f90d0509b218f3d15d1d5fb32385e_JaffaCakes118.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - Modifies registry key
      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v "DoNotAllowExceptions" /t REG_DWORD /d "0" /f
          - Modifies firewall policy service
          - Modifies registry key
      Level 4: C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\A116.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\A116.exe:*:Enabled:Windows Messanger" /f
        - Suspicious use of WriteProcessMemory
        Level 5: C:\Windows\SysWOW64\reg.exe
          Command line: REG ADD HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List /v "C:\Users\Admin\AppData\Roaming\A116.exe" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\A116.exe:*:Enabled:Windows Messanger" /f
          - Modifies firewall policy service
          - Modifies registry key
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence:
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (2), Active Setup (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation:
- Create or Modify System Process (1): Windows Service (1)
- Boot or Logon Autostart Execution (3): Registry Run Keys / Startup Folder (2), Active Setup (1)
Downloads
-
C:\Users\Admin\AppData\Roaming\A116.exe
Filesize: 600KB
MD5: 159f90d0509b218f3d15d1d5fb32385e
SHA1: 94768dcaee022019f876293a222eaa57d7e9d4a6
SHA256: c825a1cac47c348f08ffbcb4f10c3d5a1f3505d1c97245c3b2808b4ff3ec0a7f
SHA512: 444e5ed931f538311a347b469930fa9c3fedc75ee37affc855df09a96ed3bf0d48371aa34a2ac87a6bd309f84d9e968577b2cb9d7c8b7607153fafa9178f1123
-
Memory dumps (Filesize 448KB each):
memory/1224-25-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1224-45-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1224-29-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1224-30-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1224-26-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1224-23-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1224-24-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1224-54-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1224-57-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1224-51-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1224-12-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1224-33-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1224-39-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1224-8-0x0000000000400000-0x0000000000470000-memory.dmp
memory/1224-48-0x0000000000400000-0x0000000000470000-memory.dmp
-
Memory dumps (Filesize 468KB each):
memory/2440-14-0x0000000000400000-0x0000000000475000-memory.dmp
memory/2440-2-0x0000000000400000-0x0000000000475000-memory.dmp
memory/2440-5-0x0000000000400000-0x0000000000475000-memory.dmp