Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
122s -
max time network
49s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
20/06/2024, 08:33 UTC
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe
Resource
win7-20231129-en
windows7-x64
16 signatures
150 seconds
General
-
Target
0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe
-
Size
100KB
-
MD5
0461883e6e2c3ff8795c042dfaae7ae9
-
SHA1
811e50f926d6d5a0a5fa0aba498835f01fc6d410
-
SHA256
32bcfbafc087bd71c5087c447facbda8d98bc780a701bffc36170b40382f13a9
-
SHA512
f87d42152b930b388a7fbcc903b488ffbe356b7b4ef988306b242cb920f2112843bc4292a3876d23ecbe493902b3a6989dc6142721b123efd19b8d33fc63301d
-
SSDEEP
1536:UkB2FcIuvmp/8Mkdr5tuQ06FJ4x3YbxDEHI1pWqAk1Im:UPc1Opc8q8uDxWhk1I
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe -
resource yara_rule behavioral2/memory/3000-7-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-3-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-5-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-11-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-6-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-1-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-15-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-14-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-13-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-16-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-17-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-18-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-19-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-20-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-22-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-23-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-24-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-26-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-28-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-29-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-31-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-33-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-36-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-38-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-40-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-41-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-43-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-44-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-52-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-53-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-55-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-56-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-57-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-58-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-60-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-64-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-65-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-66-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-68-0x00000000020F0000-0x000000000317E000-memory.dmp upx behavioral2/memory/3000-70-0x00000000020F0000-0x000000000317E000-memory.dmp upx -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\R: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\X: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\Y: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\Z: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\H: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\J: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\O: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\K: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\L: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\Q: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\V: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\W: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\E: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\G: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\T: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\P: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\S: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\U: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\I: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\M: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened (read-only) \??\N: 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened for modification F:\autorun.inf 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe -
Drops file in Program Files directory 12 IoCs
description ioc Process File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid Process 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe Token: SeDebugPrivilege 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3000 wrote to memory of 772 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 8 PID 3000 wrote to memory of 776 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 9 PID 3000 wrote to memory of 336 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 13 PID 3000 wrote to memory of 1080 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 50 PID 3000 wrote to memory of 2476 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 51 PID 3000 wrote to memory of 3108 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 52 PID 3000 wrote to memory of 3424 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 56 PID 3000 wrote to memory of 3568 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 57 PID 3000 wrote to memory of 3776 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 58 PID 3000 wrote to memory of 3924 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 59 PID 3000 wrote to memory of 3984 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 60 PID 3000 wrote to memory of 4076 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 61 PID 3000 wrote to memory of 4168 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 62 PID 3000 wrote to memory of 4468 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 64 PID 3000 wrote to memory of 4052 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 75 PID 3000 wrote to memory of 1816 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 80 PID 3000 wrote to memory of 772 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 8 PID 3000 wrote to memory of 776 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 9 PID 3000 wrote to memory of 336 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 13 PID 3000 wrote to memory of 1080 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 50 PID 3000 wrote to memory of 2476 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 51 PID 3000 wrote to memory of 3108 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 52 PID 3000 wrote to memory of 3424 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 56 PID 3000 wrote to memory of 3568 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 57 PID 3000 wrote to memory of 3776 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 58 PID 3000 wrote to memory of 3924 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 59 PID 3000 wrote to memory of 3984 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 60 PID 3000 wrote to memory of 4076 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 61 PID 3000 wrote to memory of 4168 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 62 PID 3000 wrote to memory of 4468 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 64 PID 3000 wrote to memory of 4052 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 75 PID 3000 wrote to memory of 2812 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 83 PID 3000 wrote to memory of 4548 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 84 PID 3000 wrote to memory of 772 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 8 PID 3000 wrote to memory of 776 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 9 PID 3000 wrote to memory of 336 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 13 PID 3000 wrote to memory of 1080 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 50 PID 3000 wrote to memory of 2476 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 51 PID 3000 wrote to memory of 3108 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 52 PID 3000 wrote to memory of 3424 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 56 PID 3000 wrote to memory of 3568 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 57 PID 3000 wrote to memory of 3776 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 58 PID 3000 wrote to memory of 3924 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 59 PID 3000 wrote to memory of 3984 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 60 PID 3000 wrote to memory of 4076 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 61 PID 3000 wrote to memory of 4168 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 62 PID 3000 wrote to memory of 4468 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 64 PID 3000 wrote to memory of 4052 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 75 PID 3000 wrote to memory of 2812 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 83 PID 3000 wrote to memory of 4548 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 84 PID 3000 wrote to memory of 772 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 8 PID 3000 wrote to memory of 776 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 9 PID 3000 wrote to memory of 336 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 13 PID 3000 wrote to memory of 1080 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 50 PID 3000 wrote to memory of 2476 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 51 PID 3000 wrote to memory of 3108 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 52 PID 3000 wrote to memory of 3424 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 56 PID 3000 wrote to memory of 3568 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 57 PID 3000 wrote to memory of 3776 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 58 PID 3000 wrote to memory of 3924 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 59 PID 3000 wrote to memory of 3984 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 60 PID 3000 wrote to memory of 4076 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 61 PID 3000 wrote to memory of 4168 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 62 PID 3000 wrote to memory of 4468 3000 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe 64 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:772
-
C:\Windows\system32\fontdrvhost.exe"fontdrvhost.exe"1⤵PID:776
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:336
-
C:\Windows\system32\sihost.exesihost.exe1⤵PID:1080
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2476
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵PID:3108
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3424
-
C:\Users\Admin\AppData\Local\Temp\0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0461883e6e2c3ff8795c042dfaae7ae9_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3000
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3568
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3776
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3924
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3984
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:4076
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4168
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4468
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca1⤵PID:4052
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:1816
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:2812
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:4548
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD534740cd5e43a13b61dffd970d8fc1e19
SHA1d0aedc2b29fb778248af6a5abdf48f73ec11ea13
SHA25674552d4ab904c4a44c8d5c2559c325130ac2fe73fed8fe7d434c2bb7c9740daa
SHA5126c809ba2ca2d8a65cae53c301755841d974280639e79269cacc7f58541027198b7cdf8d3c785cd366d8c203a2aa9f9ebdc3810ee9e814541b8551771c518cdc1