Analysis
max time kernel: 98s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-06-2024 07:13
Behavioral task behavioral1
Sample: 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
Resource: win7-20240221-en
Behavioral task behavioral2
Sample: 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
Resource: win10v2004-20240226-en
The signatures and process data below are from behavioral2, the Windows 10 run (the memory dumps are labelled behavioral2/ and the platform above is windows10-2004_x64).
General
Target: 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
Size: 667KB
MD5: 193ea6da81b5c7dd4ab6f8d75edacbad
SHA1: b7b8efc05cbd82a238230bd0ae424487b0e43df6
SHA256: 300edf71749edacda3c092d9eb778673c9d7b1c49e215e3ea36ac22f80f74b07
SHA512: 847c2feca8d9af6f35e93e13b549b1170e05ceb2d475a8496a0df586b8df1dd955ab3f230ad100c734834887256c09349a80a4b2ec34955919ec4b7846cac75a
SSDEEP: 12288:WbMqmnEEb4E9F/ATyGv4XKGQi2lJLm1Giizl6oAlpxElrW1A:WI9EEb4Ev/ATEXKGVnGTzpA1Ec1A
Malware Config
Signatures
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
Modifies security service (2 TTPs, 1 IoC)
Processes: bohost.exe
  Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "3"  [bohost.exe]
wscsvc is the Windows Security Center service. Start = 3 is SERVICE_DEMAND_START (manual), so after this write the service no longer starts automatically at boot; the default for wscsvc is 2 (automatic).
Modifies visibility of hidden/system files in Explorer (2 TTPs, 2 IoCs)
Processes: DV245F.exe, ceaseum.exe
  Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [DV245F.exe]
  Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"  [ceaseum.exe]
ShowSuperHidden = 0 keeps files carrying the hidden+system attributes ("protected operating system files") out of Explorer listings, even if the user has enabled "show hidden files".
ModiLoader Second Stage (10 IoCs)
yara rule modiloader_stage2 matched on:
  behavioral2/memory/4796-0-0x0000000000400000-0x000000000041F000-memory.dmp
  behavioral2/memory/4796-6-0x0000000000400000-0x000000000041F000-memory.dmp
  behavioral2/memory/532-9-0x0000000000400000-0x00000000004CF000-memory.dmp
  behavioral2/memory/532-7-0x0000000000400000-0x00000000004CF000-memory.dmp
  behavioral2/memory/532-8-0x0000000000400000-0x00000000004CF000-memory.dmp
  behavioral2/memory/532-21-0x0000000000400000-0x00000000004CF000-memory.dmp
  C:\Users\Admin\aohost.exe
  behavioral2/memory/2340-40-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral2/memory/2340-50-0x0000000000400000-0x000000000041E000-memory.dmp
  behavioral2/memory/532-190-0x0000000000400000-0x00000000004CF000-memory.dmp
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 2 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
Processes: explorer.exe, explorer.exe
  Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components  [explorer.exe]
  Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Active Setup\Installed Components  [explorer.exe]
Both hits are key creations by explorer.exe, not value writes by any of the dropped executables, and no StubPath value is recorded. explorer.exe processes Active Setup during normal shell start-up, so this signature alone does not establish persistence on this run; the Run key writes recorded further down are the persistence evidence.
Disables taskbar notifications via registry modification
No IoC is listed under this signature; the only matching registry write in this report is the HideSCAHealth policy value recorded under "System policy modification" further down.
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: DV245F.exe, 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
  Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  [DV245F.exe]
  Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation  [193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe]
Executes dropped EXE (8 IoCs)
  1864 DV245F.exe
  2340 aohost.exe
  4680 ceaseum.exe
  4472 aohost.exe
  4104 bohost.exe
  1300 dohost.exe
  3588 bohost.exe
  4952 bohost.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
No process or file IoC is listed for this signature.

yara rule upx (19 IoCs)
The packer rule upx matched on these memory regions (PIDs 532, 4472, 4104, 3588 and 4952, all at image base 0x400000):
  behavioral2/memory/532-1-0x0000000000400000-0x00000000004CF000-memory.dmp
  behavioral2/memory/532-2-0x0000000000400000-0x00000000004CF000-memory.dmp
  behavioral2/memory/532-5-0x0000000000400000-0x00000000004CF000-memory.dmp
  behavioral2/memory/532-9-0x0000000000400000-0x00000000004CF000-memory.dmp
  behavioral2/memory/532-7-0x0000000000400000-0x00000000004CF000-memory.dmp
  behavioral2/memory/532-8-0x0000000000400000-0x00000000004CF000-memory.dmp
  behavioral2/memory/532-21-0x0000000000400000-0x00000000004CF000-memory.dmp
  behavioral2/memory/4472-47-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral2/memory/4472-46-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral2/memory/4472-52-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral2/memory/4472-56-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral2/memory/4472-68-0x0000000000400000-0x0000000000427000-memory.dmp
  behavioral2/memory/4104-69-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral2/memory/3588-79-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral2/memory/4104-93-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral2/memory/4952-156-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral2/memory/532-190-0x0000000000400000-0x00000000004CF000-memory.dmp
  behavioral2/memory/4104-192-0x0000000000400000-0x0000000000452000-memory.dmp
  behavioral2/memory/4104-265-0x0000000000400000-0x0000000000452000-memory.dmp
Adds Run key to start application (2 TTPs, 41 IoCs)
Processes: ceaseum.exe, DV245F.exe, bohost.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ceaseum = "C:\\Users\\Admin\\ceaseum.exe /<switch>"
    written 40 times, each time with a different single-letter switch, in this order:
    /S /A /l /N /f /E /j /B /Z /z /W /H /d /L /k /x /r /G /T /F /g /h /u /a /P /v /o /U /e /s /t /K /J /M /R /i /X /O /w /Q
    all written by ceaseum.exe except /P, which was written by DV245F.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\B17.exe = "C:\\Program Files (x86)\\LP\\7EB8\\B17.exe"  [bohost.exe]
    (recorded between the /M and /R ceaseum writes)
The ceaseum value is overwritten on every write, so only one command line survives on disk; the last write recorded in this report is "C:\\Users\\Admin\\ceaseum.exe /Q". A detection keyed on one particular switch would miss this; match on the value name and image path instead.
Enumerates connected drives (3 TTPs, 4 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: explorer.exe, explorer.exe
  File opened (read-only) \??\D:  [explorer.exe]
  File opened (read-only) \??\F:  [explorer.exe]
  File opened (read-only) \??\D:  [explorer.exe]
  File opened (read-only) \??\F:  [explorer.exe]
Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes: aohost.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum  [aohost.exe]
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0  [aohost.exe]
Suspicious use of SetThreadContext (2 IoCs)
Processes: 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe, aohost.exe
  PID 4796 set thread context of 532  (193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe -> 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe)
  PID 2340 set thread context of 4472  (aohost.exe -> aohost.exe)
In both cases a process starts a second instance of its own image and then resets that instance's thread context; together with the WriteProcessMemory entries for the same pairs further down, this is the suspended-child / process-hollowing pattern. The children are where the payload is visible: the modiloader_stage2 rule hits PID 532, and the upx rule hits PIDs 532 and 4472, so those are the memory dumps to unpack.
Drops file in Program Files directory (3 IoCs)
Processes: bohost.exe
  File created C:\Program Files (x86)\LP\7EB8\B17.exe  [bohost.exe]
  File opened for modification C:\Program Files (x86)\LP\7EB8\1D81.tmp  [bohost.exe]
  File opened for modification C:\Program Files (x86)\LP\7EB8\B17.exe  [bohost.exe]
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 36 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: explorer.exe
All 36 hits are by explorer.exe under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\, nine per device instance, for these four instances:
  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000
  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
For each instance: the device key itself opened, its FriendlyName value queried, and these seven property keys opened:
  Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A
  Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A
  Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C
  Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006
  Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009
  Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A
  Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004
The report records no write by any of the sample's processes into explorer.exe, so these reads are more plausibly the shell enumerating drives than sandbox detection by the sample; the aohost.exe Disk\Enum query above is the one drive lookup attributable to a dropped executable.
Enumerates processes with tasklist (1 TTPs, 2 IoCs)
Processes: tasklist.exe, tasklist.exe
  4584 tasklist.exe  (launched via cmd.exe 808, a child of DV245F.exe)
  1628 tasklist.exe  (launched via cmd.exe 4944, a child of 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe 532)
Modifies registry class (20 IoCs)
Processes: explorer.exe, explorer.exe, StartMenuExperienceHost.exe
Paths are under \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes unless stated; counts in brackets.
  Key created CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\  [explorer.exe, 2]
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  [explorer.exe, 2]
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\  [explorer.exe, 2]
  Key created Local Settings  [explorer.exe, 2]
  Key created Local Settings\Software\Microsoft\Windows\Shell  [explorer.exe, 2]
  Key created Local Settings\Software\Microsoft\Windows\Shell\BagMRU  [explorer.exe, 2]
  Set value (data) Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots  [explorer.exe, 2]
  Set value (data) Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff  [explorer.exe, 2]
  Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{F4E20596-D349-4CE4-BC8F-763250D97F11}  [explorer.exe, 1]
  Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{6D5046A0-E163-4FE3-BC93-3849D5FC5887}  [explorer.exe, 1]
  Set value (data) Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHo = 6801000088020000  [explorer.exe, 1]
  Key created Local Settings\MuiCache  [StartMenuExperienceHost.exe, 1]
All of these are shell-bag, CLSID instance and AppModel keys written by the shell and the Start menu host, not by any of the dropped executables.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: DV245F.exe, ceaseum.exe, aohost.exe, bohost.exe
Hits per process (all 64 entries are pid/process pairs):
  1864 DV245F.exe   4
  4680 ceaseum.exe  46
  4472 aohost.exe   2
  4104 bohost.exe   12
ceaseum.exe, the process that also writes into the two tasklist.exe instances, is by far the heaviest process enumerator.
Suspicious use of AdjustPrivilegeToken (47 IoCs)
Processes: tasklist.exe, msiexec.exe, explorer.exe, tasklist.exe, explorer.exe
  Token: SeDebugPrivilege  4584 tasklist.exe  [1]
  Token: SeSecurityPrivilege  2860 msiexec.exe  [1]
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege  2348 explorer.exe  [34, as 17 alternating pairs]
  Token: SeDebugPrivilege  1628 tasklist.exe  [1]
  Token: SeShutdownPrivilege / SeCreatePagefilePrivilege  4300 explorer.exe  [10, as 5 alternating pairs]
The two SeDebugPrivilege entries belong to the tasklist.exe runs, which enable it to enumerate other users' processes. msiexec.exe (2860) appears nowhere else in this report. The explorer.exe entries are routine for the shell.
Suspicious use of FindShellTrayWindow (24 IoCs)
Processes: explorer.exe, explorer.exe
  2348 explorer.exe  [17]
  4300 explorer.exe  [7]
Suspicious use of SendNotifyMessage (20 IoCs)
Processes: explorer.exe, explorer.exe
  2348 explorer.exe  [11]
  4300 explorer.exe  [9]
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes: 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe, DV245F.exe, ceaseum.exe, dohost.exe, StartMenuExperienceHost.exe
  532 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
  1864 DV245F.exe
  4680 ceaseum.exe
  1300 dohost.exe
  3428 StartMenuExperienceHost.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe (4796 and 532), DV245F.exe, cmd.exe (808 and 4944), ceaseum.exe, aohost.exe, bohost.exe
Distinct writer -> target pairs, in order of first appearance, with the number of recorded writes in brackets:
  4796 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe -> 532 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe  [9]
  532 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe -> 1864 DV245F.exe  [3]
  532 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe -> 2340 aohost.exe  [3]
  1864 DV245F.exe -> 4680 ceaseum.exe  [3]
  1864 DV245F.exe -> 808 cmd.exe  [3]
  808 cmd.exe -> 4584 tasklist.exe  [3]
  4680 ceaseum.exe -> 4584 tasklist.exe  [12, in several bursts]
  2340 aohost.exe -> 4472 aohost.exe  [9]
  532 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe -> 4104 bohost.exe  [3]
  532 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe -> 1300 dohost.exe  [3]
  4104 bohost.exe -> 3588 bohost.exe  [3]
  4104 bohost.exe -> 4952 bohost.exe  [3]
  532 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe -> 4944 cmd.exe  [3]
  4944 cmd.exe -> 1628 tasklist.exe  [3]
  4680 ceaseum.exe -> 1628 tasklist.exe  [1]
The two same-image pairs with nine writes each (4796 -> 532 and 2340 -> 4472) are the same pairs listed under SetThreadContext. Every other pair follows the launch chain (sample -> DV245F.exe / aohost.exe / bohost.exe / dohost.exe / cmd.exe, DV245F.exe -> ceaseum.exe / cmd.exe, cmd.exe -> tasklist.exe) except the writes by ceaseum.exe (4680) into tasklist.exe 4584 and 1628, which were created by cmd.exe, not by ceaseum.exe; those are cross-process writes into a process the writer did not spawn and deserve a closer look.
System policy modification 1 TTPs 2 IoCs
Processes: bohost.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | bohost.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\HideSCAHealth = "1" | bohost.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe" 1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe
Command line: 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe 2⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\DV245F.exe
Command line: C:\Users\Admin\DV245F.exe 3⤵
- Modifies visibility of hidden/system files in Explorer
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\ceaseum.exe
Command line: "C:\Users\Admin\ceaseum.exe" 4⤵
- Modifies visibility of hidden/system files in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del DV245F.exe 4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exe
Command line: tasklist 5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\aohost.exe
Command line: C:\Users\Admin\aohost.exe 3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\aohost.exe
Command line: aohost.exe 4⤵
- Executes dropped EXE
- Maps connected drives based on registry
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\bohost.exe
Command line: C:\Users\Admin\bohost.exe 3⤵
- Modifies security service
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Users\Admin\bohost.exe
Command line: C:\Users\Admin\bohost.exe startC:\Users\Admin\AppData\Roaming\85D9D\CC47E.exe%C:\Users\Admin\AppData\Roaming\85D9D 4⤵
- Executes dropped EXE
-
C:\Users\Admin\bohost.exe
Command line: C:\Users\Admin\bohost.exe startC:\Program Files (x86)\9D1C8\lvvm.exe%C:\Program Files (x86)\9D1C8 4⤵
- Executes dropped EXE
-
C:\Users\Admin\dohost.exe
Command line: C:\Users\Admin\dohost.exe 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c tasklist&&del 193ea6da81b5c7dd4ab6f8d75edacbad_JaffaCakes118.exe 3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\tasklist.exe
Command line: tasklist 4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4612 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8 1⤵
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V 1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\explorer.exe
Command line: explorer.exe 1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exe
Command line: explorer.exe 1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵
-
C:\Windows\explorer.exe
Command line: explorer.exe 1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 1⤵
-
C:\Windows\explorer.exe
Command line: explorer.exe 1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵
-
C:\Windows\explorer.exe
Command line: explorer.exe 1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 1⤵
-
C:\Windows\explorer.exe
Command line: explorer.exe 1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 1⤵
-
C:\Windows\explorer.exe
Command line: explorer.exe 1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 1⤵
-
C:\Windows\explorer.exe
Command line: explorer.exe 1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 1⤵
-
C:\Windows\explorer.exe
Command line: explorer.exe 1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca 1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca 1⤵
-
C:\Windows\explorer.exe
Command line: explorer.exe 1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process (1)
Windows Service (1)
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Active Setup (1)
Privilege Escalation
Create or Modify System Process (1)
Windows Service (1)
Boot or Logon Autostart Execution (2)
Registry Run Keys / Startup Folder (1)
Active Setup (1)
Defense Evasion
Modify Registry (5)
Hide Artifacts (1)
Hidden Files and Directories (1)
Downloads