Malware Analysis Report

2024-09-11 12:17

Sample ID 240617-3ts6qayhkf
Target ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118
SHA256 55819061820b24c4e0f6845d20e02d872993bc88821be47fd5d1543297266a07
Tags
sality backdoor evasion trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

55819061820b24c4e0f6845d20e02d872993bc88821be47fd5d1543297266a07

Threat Level: Known bad

The file ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies firewall policy service

Sality

Windows security bypass

UAC bypass

Executes dropped EXE

Windows security modification

UPX packed file

Enumerates connected drives

Checks whether UAC is enabled

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

System policy modification

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-17 23:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 23:48

Reported

2024-06-17 23:51

Platform

win7-20240508-en

Max time kernel

122s

Max time network

149s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\svchost.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\svchost.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (31 identical rows)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" C:\Windows\svchost.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\svchost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File created C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S4_22 = "1059695906" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S2_24 = "3889186066" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S4_30 = "3787749306" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_15 = "4164244369" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_18 = "3974049279" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_26 = "3005291579" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S2_35 = "2271548562" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S2_52 = "552484441" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S2_16 = "1161134918" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S2_29 = "2372996024" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S2_39 = "3635578722" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_39 = "3652317580" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_49 = "1473328314" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_20 = "2541850709" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_45 = "3550861758" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S2_5 = "2778771304" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_8 = "3010704065" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S4_21 = "3939914703" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S2_51 = "3432701184" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S4_27 = "3838471105" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_32 = "2338865225" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_60 = "1738307629" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_3 = "4260979152" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_4 = "1410191389" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_17 = "2559280298" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_21 = "1513940894" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S4_39 = "3635583909" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_41 = "2153391202" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_50 = "2034505759" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_51 = "3449397664" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S4_61 = "400312519" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S4_65 = "1764339219" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_17 = "2115347458" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S4_35 = "2271557209" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S4_53 = "1967226415" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_43 = "137961784" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S2_45 = "3534136432" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_55 = "1918201984" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_58 = "467752679" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S2_10 = "1262576541" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_58 = "3629359254" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\1460008425\-1465470298 = "0" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_12 = "2966119081" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S2_22 = "1059697325" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_24 = "3872601569" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_36 = "3669747077" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_48 = "3566131142" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_53 = "1950487558" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S4_12 = "4092080100" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S4_34 = "856808710" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\1460008425\1364026700 = "35" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S2_3 = "4244254259" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_28 = "941535037" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_64 = "3575565756" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_15 = "4058075636" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S4_49 = "603199715" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_51 = "2934229835" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S3_44 = "2135961709" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S4_50 = "2017948214" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S2_62 = "1815052719" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S1_20 = "2694291522" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S4_51 = "3432696713" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S2_4 = "1364030153" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Aoqcbk\S2_7 = "1313303640" C:\Windows\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A (31 identical rows)
Token: SeDebugPrivilege N/A C:\Windows\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1740 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\taskhost.exe (12 identical rows)
PID 1740 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\Dwm.exe (12 identical rows)
PID 1740 wrote to memory of 1236 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\Explorer.EXE (12 identical rows)
PID 1740 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 2652 wrote to memory of 1108 N/A C:\Windows\svchost.exe C:\Windows\system32\taskhost.exe
PID 2652 wrote to memory of 1176 N/A C:\Windows\svchost.exe C:\Windows\system32\Dwm.exe
PID 2652 wrote to memory of 1236 N/A C:\Windows\svchost.exe C:\Windows\Explorer.EXE
PID 2652 wrote to memory of 2232 N/A C:\Windows\svchost.exe C:\Windows\system32\DllHost.exe
PID 2652 wrote to memory of 1740 N/A C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe
PID 2652 wrote to memory of 2672 N/A C:\Windows\svchost.exe C:\Windows\svchost.exe (4 identical rows)

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\svchost.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe"

C:\Windows\svchost.exe

C:\Windows\svchost.exe

C:\Windows\svchost.exe

C:\Windows\svchost.exe Win7

Network

Country Destination Domain Proto
US 8.8.8.8:53 kk.whsjms.cn udp
US 8.8.8.8:53 kk.whsjms.cn udp
US 8.8.8.8:53 kk.whsjms.cn udp
US 8.8.8.8:53 kk.whsjms.cn udp
US 8.8.8.8:53 kk.whsjms.cn udp
US 8.8.8.8:53 kk.whsjms.cn udp

Files

memory/1740-0-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/1740-6-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/1108-13-0x0000000001FB0000-0x0000000001FB2000-memory.dmp

memory/1740-3-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/1740-25-0x0000000000200000-0x0000000000201000-memory.dmp

memory/1740-7-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/1740-8-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/1740-10-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/1740-9-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/2652-30-0x0000000001ED0000-0x0000000002F5E000-memory.dmp

memory/2652-35-0x0000000001ED0000-0x0000000002F5E000-memory.dmp

memory/2652-39-0x0000000001ED0000-0x0000000002F5E000-memory.dmp

memory/2652-50-0x0000000001ED0000-0x0000000002F5E000-memory.dmp

memory/2652-38-0x0000000001ED0000-0x0000000002F5E000-memory.dmp

memory/2652-40-0x0000000001ED0000-0x0000000002F5E000-memory.dmp

memory/2652-37-0x0000000001ED0000-0x0000000002F5E000-memory.dmp

memory/1740-49-0x0000000000590000-0x0000000000592000-memory.dmp

memory/2652-36-0x0000000001ED0000-0x0000000002F5E000-memory.dmp

memory/2652-33-0x0000000001ED0000-0x0000000002F5E000-memory.dmp

memory/2652-34-0x0000000001ED0000-0x0000000002F5E000-memory.dmp

memory/2652-32-0x0000000001ED0000-0x0000000002F5E000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 c872bd1c702cc93480c03ea324b1b3e1
SHA1 8d2bd9b7e07c188107824baba6e9792567789cdb
SHA256 5c54b89a1087d7857cb3fabccef495c08d03474c7f6b54ae43ef01ca49b16e0c
SHA512 dcfad0b26693f3cb3c0fd0d8298dd262bb6051e9d11513c2b2fcb85f393d270f3e2b0f65420690663075c2f3b4fbf4f1b92dea6d68a4330983f4574d6ca790c8

memory/1740-26-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1740-5-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/2652-29-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/1740-4-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

C:\Windows\svchost.exe

MD5 ba2bbf9c7809297a2ee1baba58c55e81
SHA1 b62317610a8d1f33cb566f40efbf0fd35954d5c8
SHA256 55819061820b24c4e0f6845d20e02d872993bc88821be47fd5d1543297266a07
SHA512 87dcf3494c094bcb2d527dd0d4fd170dd580f9ba36fbb7196deaab7629faf2c646aa69ad8278758d9d291528d468e2287f4f1ba1a86ec1d43f83bc17eb8fe54e

memory/2652-56-0x0000000003D70000-0x0000000003E41000-memory.dmp

memory/2672-66-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/1740-64-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/1740-65-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/2672-63-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/2652-61-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/1740-27-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1740-23-0x0000000000200000-0x0000000000201000-memory.dmp

memory/1740-22-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/1740-12-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/1740-67-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/1740-69-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/1740-68-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/1740-71-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/1740-72-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/1740-73-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/1740-75-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/1740-77-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/1740-90-0x0000000001DE0000-0x0000000002E6E000-memory.dmp

memory/1740-95-0x00000000001F0000-0x00000000001F2000-memory.dmp

F:\qrnnnm.exe

MD5 34b150400d5a08c9a82c786659d31b96
SHA1 6bbdfa7703acf20e3048b9236b2b35640c2ea69a
SHA256 dc3c00cb7f1406b7f572b050dc121ed55424a9911c9c081a0b7b1fa100e3bab1
SHA512 87a3ec717f36610abc82106a5cdf7bcfe69d2f3416b1ada9c294212899a64794ea379fdbe3dca850395459bc3f0ba3e17b52b0c5a71d1f844cfb2fdc2c0f1fd9

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 23:48

Reported

2024-06-17 23:51

Platform

win10v2004-20240508-en

Max time kernel

122s

Max time network

133s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\svchost.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\svchost.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" C:\Windows\svchost.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A
N/A N/A C:\Windows\svchost.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Windows\svchost.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\Windows\svchost.exe C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425 C:\Windows\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Aoqcbk C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\1414748499 = "124" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-1465470298 = "0" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-1516192097 = "397" C:\Windows\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk[...] C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline = "0" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-50721799 = "0" C:\Windows\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\1364026700 = "35" C:\Windows\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\1313304901 = "06A8BB1AD2BF41C19C957B4CFBEDFF1EF2E3DBE4DA4CD047EAD75E66990059CCABC859A6F25DCE12C46ACFD1231BE43A44AD47CB2CB3B9B6631773B6B0B554211CAC18062A3268B25D9944460116DE02E91BDD350C12D825D2A50CC8D8C43714ED90C6C665B92D768DAC66752F17E51E8C3DDE8BAFA8C6BE3B1DD99913135E28" C:\Windows\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4000 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 4000 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 4000 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\dwm.exe
PID 4000 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 4000 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\sihost.exe
PID 4000 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\taskhostw.exe
PID 4000 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4000 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 4000 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 4000 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4000 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4000 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4000 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4000 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4000 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4000 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1116 wrote to memory of 2348 N/A C:\Windows\svchost.exe C:\Windows\svchost.exe
PID 1116 wrote to memory of 2348 N/A C:\Windows\svchost.exe C:\Windows\svchost.exe
PID 1116 wrote to memory of 2348 N/A C:\Windows\svchost.exe C:\Windows\svchost.exe
PID 1116 wrote to memory of 4784 N/A C:\Windows\svchost.exe C:\Windows\svchost.exe
PID 1116 wrote to memory of 4784 N/A C:\Windows\svchost.exe C:\Windows\svchost.exe
PID 1116 wrote to memory of 4784 N/A C:\Windows\svchost.exe C:\Windows\svchost.exe
PID 4000 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 4000 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 4000 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\dwm.exe
PID 4000 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 4000 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\sihost.exe
PID 4000 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\taskhostw.exe
PID 4000 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4000 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 4000 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 4000 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4000 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4000 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4000 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4000 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4000 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4000 wrote to memory of 836 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\backgroundTaskHost.exe
PID 4000 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4000 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4000 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 4000 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 4000 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\dwm.exe
PID 4000 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 4000 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\sihost.exe
PID 4000 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\taskhostw.exe
PID 4000 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 4000 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 4000 wrote to memory of 3780 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 4000 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 4000 wrote to memory of 3936 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4000 wrote to memory of 4016 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 4000 wrote to memory of 3408 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4000 wrote to memory of 3624 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 4000 wrote to memory of 3116 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4000 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4000 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 4000 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 4000 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 4000 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\dwm.exe
PID 4000 wrote to memory of 2568 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 4000 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\sihost.exe
PID 4000 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\system32\taskhostw.exe
PID 4000 wrote to memory of 3388 N/A C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\svchost.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\ba2bbf9c7809297a2ee1baba58c55e81_JaffaCakes118.exe"

C:\Windows\svchost.exe

C:\Windows\svchost.exe

C:\Windows\svchost.exe

C:\Windows\svchost.exe Win7

C:\Windows\svchost.exe

C:\Windows\svchost.exe Win7

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 kk.whsjms.cn udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 kk.whsjms.cn udp
US 8.8.8.8:53 kk.whsjms.cn udp
US 8.8.8.8:53 kk.whsjms.cn udp
US 8.8.8.8:53 kk.whsjms.cn udp
US 8.8.8.8:53 kk.whsjms.cn udp

Files

memory/4000-0-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/4000-1-0x0000000002290000-0x000000000331E000-memory.dmp

C:\Windows\svchost.exe

MD5 ba2bbf9c7809297a2ee1baba58c55e81
SHA1 b62317610a8d1f33cb566f40efbf0fd35954d5c8
SHA256 55819061820b24c4e0f6845d20e02d872993bc88821be47fd5d1543297266a07
SHA512 87dcf3494c094bcb2d527dd0d4fd170dd580f9ba36fbb7196deaab7629faf2c646aa69ad8278758d9d291528d468e2287f4f1ba1a86ec1d43f83bc17eb8fe54e

memory/4000-6-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-15-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-19-0x0000000002150000-0x0000000002152000-memory.dmp

memory/4000-17-0x0000000002290000-0x000000000331E000-memory.dmp

memory/2348-25-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/4784-29-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/2348-28-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/4784-27-0x0000000000400000-0x00000000004D1000-memory.dmp

memory/1116-24-0x0000000000400000-0x00000000004D1000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 d2842e2cd63fed7f4ce7746f8f911e86
SHA1 734487ca11e2012a1b4e964537c7567a7fd3729e
SHA256 a45985257d7f56da67f876889a9d0b7ccae82eedb19883e5c93f122a125a43f5
SHA512 e78e1ec78abf54dbd142e2e635d6b9558eee7a737f822d71ef7bbe34a1d405ed6a41ee8078a7394fd96322fd6b389e96eaabdbefbd4e0a3dff7abf0753ad1bf9

memory/1116-18-0x0000000001240000-0x00000000022CE000-memory.dmp

memory/4000-16-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-13-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-7-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-8-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-14-0x0000000002150000-0x0000000002152000-memory.dmp

memory/4000-12-0x0000000002160000-0x0000000002161000-memory.dmp

memory/4000-11-0x0000000002150000-0x0000000002152000-memory.dmp

memory/4000-4-0x0000000002290000-0x000000000331E000-memory.dmp

memory/1116-30-0x0000000001240000-0x00000000022CE000-memory.dmp

memory/4000-31-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-32-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-33-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-34-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-35-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-37-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-38-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-39-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-41-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-43-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-44-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-45-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-48-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-51-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-53-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-54-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-56-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-58-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-64-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-66-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-67-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-69-0x0000000002150000-0x0000000002152000-memory.dmp

memory/4000-71-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-72-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-73-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-76-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-78-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-80-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-81-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-83-0x0000000002290000-0x000000000331E000-memory.dmp

memory/4000-86-0x0000000002290000-0x000000000331E000-memory.dmp

C:\kflf.exe

MD5 8ec844d8d81d0352a14fe342d8a0e98b
SHA1 f2496c48cf97649a982234a88e1698212fd14c0a
SHA256 dd229dc2331198ede4d171435e32b61a819f197c7af5a2ffa349eef818e0ff83
SHA512 900be890489bdec5c1ae1f67a8e8ce215aaff15507e1c21feae309a74f624434cf38973d8b593914eb45b89a4369670ba503036b643733bf7d271f5f44293b2e