Analysis
- max time kernel: 140s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2024 06:22
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe
  - Resource: win7-20240508-en
- Behavioral task: behavioral2
  - Sample: 1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe
  - Resource: win10v2004-20240508-en
General
- Target: 1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe
- Size: 89KB
- MD5: 1918a56e59c6fc0ef416c70d12a41066
- SHA1: ab0ce8ca2dc1f2ff513184d6b125db2a0bdd996e
- SHA256: 3a69b8f8242cfdbfb8821b227bedfc06cd6ed0241a21ff22299ebeb46fdcdaf6
- SHA512: 798be97f94fada43c5c438205de5dcf570d682906856a5fc0591546263c1af45a368c16ee8bf2ad977b8f8edc5fa5b81c83191f3768acf25d4a303f1ee1a9dcd
- SSDEEP: 1536:fzmGHl33AypA361pAN445Lslg1oTWlyrkR6WaUCyzwIG70XRCylYUXn0+rj:f6GHlnAZkpAN445Lslg1oEy4RXaUCmwE
Malware Config
Extracted
- metasploit: encoder/call4_dword_xor
Signatures
- MetaSploit
  Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
- Modifies firewall policy service (3 TTPs, 8 IoCs)
  Processes: uninstall_.exe

  | description | ioc | process |
  | --- | --- | --- |
  | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile | uninstall_.exe |
  | Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" | uninstall_.exe |
  | Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" | uninstall_.exe |
  | Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" | uninstall_.exe |
  | Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | uninstall_.exe |
  | Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | uninstall_.exe |
  | Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | uninstall_.exe |
  | Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | uninstall_.exe |
- Windows security bypass (4 IoCs)
  Processes: uninstall_.exe

  | description | ioc | process |
  | --- | --- | --- |
  | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | uninstall_.exe |
  | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | uninstall_.exe |
  | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | uninstall_.exe |
  | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | uninstall_.exe |
- Modifies Windows Firewall (2 TTPs, 7 IoCs)
  Processes: netsh.exe

  | pid | process |
  | --- | --- |
  | 2504 | netsh.exe |
  | 2804 | netsh.exe |
  | 2632 | netsh.exe |
  | 2660 | netsh.exe |
  | 2532 | netsh.exe |
  | 2560 | netsh.exe |
  | 2652 | netsh.exe |
- Deletes itself (1 IoCs)
  Processes: uninstall_.exe

  | pid | process |
  | --- | --- |
  | 1816 | uninstall_.exe |
- Executes dropped EXE (1 IoCs)
  Processes: uninstall_.exe

  | pid | process |
  | --- | --- |
  | 1816 | uninstall_.exe |
- Loads dropped DLL (3 IoCs)
  Processes: uninstall_.exe

  | pid | process |
  | --- | --- |
  | 1816 | uninstall_.exe |
  | 1816 | uninstall_.exe |
  | 1816 | uninstall_.exe |
- Windows security modification (4 IoCs)
  Processes: uninstall_.exe

  | description | ioc | process |
  | --- | --- | --- |
  | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | uninstall_.exe |
  | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | uninstall_.exe |
  | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | uninstall_.exe |
  | Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | uninstall_.exe |
- Drops file in System32 directory (1 IoCs)
  Processes: uninstall_.exe

  | description | ioc | process |
  | --- | --- | --- |
  | File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat | uninstall_.exe |
- Drops file in Windows directory (2 IoCs)
  Processes: 1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe

  | description | ioc | process |
  | --- | --- | --- |
  | File opened for modification | C:\Windows\Fonts\uninstall_.exe | 1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe |
  | File created | C:\Windows\Fonts\uninstall_.exe | 1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe |
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Event Triggered Execution: Netsh Helper DLL (1 TTPs, 21 IoCs)
  Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
  Processes: netsh.exe

  | description | ioc | process |
  | --- | --- | --- |
  | Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
  | Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe |
- Modifies data under HKEY_USERS (64 IoCs)
  Processes: uninstall_.exe, netsh.exe
- Suspicious use of AdjustPrivilegeToken (11 IoCs)
  Processes: 1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe, uninstall_.exe

  | description | pid | process |
  | --- | --- | --- |
  | Token: 33 | 2432 | 1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe |
  | Token: SeIncBasePriorityPrivilege | 2432 | 1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe |
  | Token: 33 | 1816 | uninstall_.exe |
  | Token: SeIncBasePriorityPrivilege | 1816 | uninstall_.exe |
  | Token: SeBackupPrivilege | 1816 | uninstall_.exe |
  | Token: SeSecurityPrivilege | 1816 | uninstall_.exe |
  | Token: SeSecurityPrivilege | 1816 | uninstall_.exe |
  | Token: SeBackupPrivilege | 1816 | uninstall_.exe |
  | Token: SeSecurityPrivilege | 1816 | uninstall_.exe |
  | Token: SeBackupPrivilege | 1816 | uninstall_.exe |
  | Token: SeSecurityPrivilege | 1816 | uninstall_.exe |
- Suspicious use of WriteProcessMemory (49 IoCs)
  Processes: uninstall_.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1918a56e59c6fc0ef416c70d12a41066_JaffaCakes118.exe"
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Fonts\uninstall_.exe
  Command line: "C:\Windows\Fonts\uninstall_.exe"
  - Modifies firewall policy service
  - Windows security bypass
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Windows security modification
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" firewall set portopening TCP 445 NB
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" firewall set portopening TCP 139 NB
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" firewall set portopening TCP 1013 BS
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" firewall set portopening TCP 9999 PORT1
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" firewall set portopening TCP 9991 PORT2
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Windows\Fonts\uninstall_.exe" workstation ENABLE ALL
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Modifies data under HKEY_USERS
  - C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\System32\netsh.exe" firewall set allowedprogram "C:\Windows\Fonts\uninstall_.exe" workstation ENABLE ALL
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - Modifies data under HKEY_USERS
MITRE ATT&CK Matrix (ATT&CK v13)
- Persistence
  - Create or Modify System Process (2): Windows Service (2)
  - Event Triggered Execution (1): Netsh Helper DLL (1)
- Privilege Escalation
  - Create or Modify System Process (2): Windows Service (2)
  - Event Triggered Execution (1): Netsh Helper DLL (1)
Downloads
- C:\Windows\Fonts\uninstall_.exe
  - Filesize: 89KB
  - MD5: 1918a56e59c6fc0ef416c70d12a41066
  - SHA1: ab0ce8ca2dc1f2ff513184d6b125db2a0bdd996e
  - SHA256: 3a69b8f8242cfdbfb8821b227bedfc06cd6ed0241a21ff22299ebeb46fdcdaf6
  - SHA512: 798be97f94fada43c5c438205de5dcf570d682906856a5fc0591546263c1af45a368c16ee8bf2ad977b8f8edc5fa5b81c83191f3768acf25d4a303f1ee1a9dcd

| Memory dump | Filesize |
| --- | --- |
| memory/1816-21-0x0000000000400000-0x00000000008A7000-memory.dmp | 4.7MB |
| memory/1816-10-0x0000000000EE0000-0x0000000001387000-memory.dmp | 4.7MB |
| memory/1816-13-0x0000000000892000-0x0000000000893000-memory.dmp | 4KB |
| memory/1816-12-0x0000000000EE0000-0x0000000001387000-memory.dmp | 4.7MB |
| memory/1816-17-0x0000000000400000-0x00000000008A7000-memory.dmp | 4.7MB |
| memory/1816-16-0x0000000000EE0000-0x0000000001387000-memory.dmp | 4.7MB |
| memory/1816-15-0x0000000000400000-0x00000000008A7000-memory.dmp | 4.7MB |
| memory/1816-19-0x0000000000400000-0x00000000008A7000-memory.dmp | 4.7MB |
| memory/1816-9-0x0000000000400000-0x00000000008A7000-memory.dmp | 4.7MB |
| memory/1816-31-0x0000000000400000-0x00000000008A7000-memory.dmp | 4.7MB |
| memory/1816-29-0x0000000000400000-0x00000000008A7000-memory.dmp | 4.7MB |
| memory/1816-28-0x0000000000400000-0x00000000008A7000-memory.dmp | 4.7MB |
| memory/1816-23-0x0000000000400000-0x00000000008A7000-memory.dmp | 4.7MB |
| memory/1816-25-0x0000000000400000-0x00000000008A7000-memory.dmp | 4.7MB |
| memory/2432-1-0x0000000000020000-0x0000000000022000-memory.dmp | 8KB |
| memory/2432-14-0x0000000000400000-0x00000000008A7000-memory.dmp | 4.7MB |
| memory/2432-0-0x0000000000400000-0x00000000008A7000-memory.dmp | 4.7MB |