metasploit | 3a69b8f8242cfdbfb8821b227bedfc06cd6ed0241a21ff22299ebeb46fdcdaf6

Analysis

max time kernel
140s
max time network
142s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28-06-2024 06:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe
Size

89KB
MD5

1918a56e59c6fc0ef416c70d12a41066
SHA1

ab0ce8ca2dc1f2ff513184d6b125db2a0bdd996e
SHA256

3a69b8f8242cfdbfb8821b227bedfc06cd6ed0241a21ff22299ebeb46fdcdaf6
SHA512

798be97f94fada43c5c438205de5dcf570d682906856a5fc0591546263c1af45a368c16ee8bf2ad977b8f8edc5fa5b81c83191f3768acf25d4a303f1ee1a9dcd
SSDEEP

1536:fzmGHl33AypA361pAN445Lslg1oTWlyrkR6WaUCyzwIG70XRCylYUXn0+rj:f6GHlnAZkpAN445Lslg1oEy4RXaUCmwE

Score

10^/10

metasploit backdoor evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

metasploit

Version

encoder/call4_dword_xor

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit

Modifies firewall policy service 3 TTPs 8 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

uninstall_.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile	uninstall_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0"	uninstall_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0"	uninstall_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1"	uninstall_.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	uninstall_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	uninstall_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	uninstall_.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	uninstall_.exe

Windows security bypass 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

uninstall_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	uninstall_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	uninstall_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	uninstall_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	uninstall_.exe

Modifies Windows Firewall 2 TTPs 7 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

2504 netsh.exe
2804 netsh.exe
2632 netsh.exe
2660 netsh.exe
2532 netsh.exe
2560 netsh.exe
2652 netsh.exe
Deletes itself 1 IoCs

Processes:

uninstall_.exe

pid process

1816 uninstall_.exe
Executes dropped EXE 1 IoCs

Processes:

uninstall_.exe

pid process

1816 uninstall_.exe
Loads dropped DLL 3 IoCs

Processes:

uninstall_.exe

pid process

1816 uninstall_.exe
1816 uninstall_.exe
1816 uninstall_.exe

pid	process
2504	netsh.exe
2804	netsh.exe
2632	netsh.exe
2660	netsh.exe
2532	netsh.exe
2560	netsh.exe
2652	netsh.exe

pid	process
1816	uninstall_.exe

pid	process
1816	uninstall_.exe

pid	process
1816	uninstall_.exe
1816	uninstall_.exe
1816	uninstall_.exe

Windows security modification 2 TTPs 4 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

uninstall_.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	uninstall_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	uninstall_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	uninstall_.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	uninstall_.exe

Drops file in System32 directory 1 IoCs

Processes:

uninstall_.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat uninstall_.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat	uninstall_.exe

Drops file in Windows directory 2 IoCs

Processes:

1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\Fonts\uninstall_.exe	1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe
File created	C:\Windows\Fonts\uninstall_.exe	1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

uninstall_.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	uninstall_.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0"	uninstall_.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	uninstall_.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer = "65534"	uninstall_.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	uninstall_.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	uninstall_.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings	uninstall_.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	uninstall_.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server = "65534"	uninstall_.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	uninstall_.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exeuninstall_.exe

description	pid	process
Token: 33	2432	1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2432	1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe
Token: 33	1816	uninstall_.exe
Token: SeIncBasePriorityPrivilege	1816	uninstall_.exe
Token: SeBackupPrivilege	1816	uninstall_.exe
Token: SeSecurityPrivilege	1816	uninstall_.exe
Token: SeSecurityPrivilege	1816	uninstall_.exe
Token: SeBackupPrivilege	1816	uninstall_.exe
Token: SeSecurityPrivilege	1816	uninstall_.exe
Token: SeBackupPrivilege	1816	uninstall_.exe
Token: SeSecurityPrivilege	1816	uninstall_.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

uninstall_.exe

description	pid	process	target process
PID 1816 wrote to memory of 2660	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2660	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2660	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2660	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2660	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2660	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2660	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2632	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2632	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2632	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2632	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2632	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2632	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2632	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2804	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2804	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2804	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2804	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2804	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2804	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2804	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2532	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2532	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2532	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2532	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2532	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2532	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2532	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2652	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2652	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2652	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2652	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2652	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2652	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2652	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2560	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2560	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2560	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2560	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2560	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2560	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2560	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2504	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2504	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2504	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2504	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2504	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2504	1816	uninstall_.exe	netsh.exe
PID 1816 wrote to memory of 2504	1816	uninstall_.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2432

C:\Windows\Fonts\uninstall_.exe
"C:\Windows\Fonts\uninstall_.exe"
1⤵
- Modifies firewall policy service
- Windows security bypass
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set portopening TCP 445 NB
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
PID:2660

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set portopening TCP 139 NB
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
PID:2632

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set portopening TCP 1013 BS
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
PID:2804

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set portopening TCP 9999 PORT1
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
PID:2532

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set portopening TCP 9991 PORT2
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
PID:2652

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Windows\Fonts\uninstall_.exe" workstation ENABLE ALL
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
PID:2560

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\System32\netsh.exe" firewall set allowedprogram "C:\Windows\Fonts\uninstall_.exe" workstation ENABLE ALL
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- Modifies data under HKEY_USERS
PID:2504

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\uninstall_.exe
Filesize
89KB

MD5
1918a56e59c6fc0ef416c70d12a41066

SHA1
ab0ce8ca2dc1f2ff513184d6b125db2a0bdd996e

SHA256
3a69b8f8242cfdbfb8821b227bedfc06cd6ed0241a21ff22299ebeb46fdcdaf6

SHA512
798be97f94fada43c5c438205de5dcf570d682906856a5fc0591546263c1af45a368c16ee8bf2ad977b8f8edc5fa5b81c83191f3768acf25d4a303f1ee1a9dcd

Download Submit
memory/1816-21-0x0000000000400000-0x00000000008A7000-memory.dmp

Filesize
4.7MB

Download
memory/1816-10-0x0000000000EE0000-0x0000000001387000-memory.dmp

Filesize
4.7MB

Download
memory/1816-13-0x0000000000892000-0x0000000000893000-memory.dmp

Filesize
4KB

Download
memory/1816-12-0x0000000000EE0000-0x0000000001387000-memory.dmp

Filesize
4.7MB

Download
memory/1816-17-0x0000000000400000-0x00000000008A7000-memory.dmp

Filesize
4.7MB

Download
memory/1816-16-0x0000000000EE0000-0x0000000001387000-memory.dmp

Filesize
4.7MB

Download
memory/1816-15-0x0000000000400000-0x00000000008A7000-memory.dmp

Filesize
4.7MB

Download
memory/1816-19-0x0000000000400000-0x00000000008A7000-memory.dmp

Filesize
4.7MB

Download
memory/1816-9-0x0000000000400000-0x00000000008A7000-memory.dmp

Filesize
4.7MB

Download
memory/1816-31-0x0000000000400000-0x00000000008A7000-memory.dmp

Filesize
4.7MB

Download
memory/1816-29-0x0000000000400000-0x00000000008A7000-memory.dmp

Filesize
4.7MB

Download
memory/1816-28-0x0000000000400000-0x00000000008A7000-memory.dmp

Filesize
4.7MB

Download
memory/1816-23-0x0000000000400000-0x00000000008A7000-memory.dmp

Filesize
4.7MB

Download
memory/1816-25-0x0000000000400000-0x00000000008A7000-memory.dmp

Filesize
4.7MB

Download
memory/2432-1-0x0000000000020000-0x0000000000022000-memory.dmp

Filesize
8KB

Download
memory/2432-14-0x0000000000400000-0x00000000008A7000-memory.dmp

Filesize
4.7MB

Download
memory/2432-0-0x0000000000400000-0x00000000008A7000-memory.dmp

Filesize
4.7MB

Download