Analysis
max time kernel: 140s
max time network: 110s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted: 25-06-2024 21:27
Static task: static1
Behavioral task: behavioral1
Sample: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Resource: win7-20231129-en
General
Target: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Size: 622KB
MD5: 0f96b0622e13675b9579d7e5cd12d4fc
SHA1: 72f8b00e117ac4583b35e4cedeb36e995e98aa80
SHA256: ea7d0561a0d804309f42c23761caddf11eed8f97f0bc96a1647a2f344ae5da50
SHA512: 460e3d57809c04d7165de9184fab41541c1807f46389d50593669c9dfda3b56c729f7481600e63b88909a3258ec3c7c36900add58789f719033ea1a45a51ccba
SSDEEP: 12288:QMsVpt4raifZzpwX4GPNNNbKQyXcqzEBwIx3cLBiCz43uzdU2YHD:QXVQrVZz5GIQqgjx3xkUDj
Malware Config
Extracted family: sality
C2 URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service  3 TTPs  3 IoCs
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
UAC bypass
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Windows security bypass
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Disables RegEdit via registry modification  1 IoCs
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Disables Task Manager via registry modification
Executes dropped EXE  1 IoCs
Processes: update.exe
pid | process
2772 | update.exe
Loads dropped DLL  3 IoCs
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe, update.exe
pid | process
1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
2772 | update.exe
2772 | update.exe
Processes:
resource | yara_rule
behavioral2/memory/1652-1-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-4-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-8-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-12-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-9-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-10-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-67-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-69-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-68-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-71-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-70-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-72-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-73-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-74-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-79-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-80-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-84-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-86-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-87-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-90-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-91-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-93-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-94-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-95-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-98-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-99-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
behavioral2/memory/1652-113-0x00000000024C0000-0x000000000354E000-memory.dmp | upx
Windows security modification
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Checks whether UAC is enabled
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Enumerates connected drives  3 TTPs  11 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
description | ioc | process
File opened (read-only) | \??\E: | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
File opened (read-only) | \??\I: | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
File opened (read-only) | \??\L: | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
File opened (read-only) | \??\M: | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
File opened (read-only) | \??\G: | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
File opened (read-only) | \??\H: | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
File opened (read-only) | \??\J: | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
File opened (read-only) | \??\K: | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
File opened (read-only) | \??\N: | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
File opened (read-only) | \??\O: | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
File opened (read-only) | \??\P: | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Drops file in Windows directory  3 IoCs
Processes: update.exe, 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
description | ioc | process
File opened for modification | C:\Windows\setupapi.log | update.exe
File opened for modification | \??\c:\windows\KB901105.log | update.exe
File opened for modification | C:\Windows\SYSTEM.INI | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Enumerates physical storage devices  1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses  4 IoCs
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
pid | process
1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken  64 IoCs
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
description | pid | process
Token: SeDebugPrivilege | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
(this identical entry is recorded 64 times)
Suspicious use of WriteProcessMemory  41 IoCs
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
description | pid | process | target process
PID 1652 wrote to memory of 792 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | fontdrvhost.exe
PID 1652 wrote to memory of 788 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | fontdrvhost.exe
PID 1652 wrote to memory of 384 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | dwm.exe
PID 1652 wrote to memory of 2252 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | sihost.exe
PID 1652 wrote to memory of 2632 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | svchost.exe
PID 1652 wrote to memory of 3124 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | taskhostw.exe
PID 1652 wrote to memory of 3468 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | Explorer.EXE
PID 1652 wrote to memory of 3580 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | svchost.exe
PID 1652 wrote to memory of 3760 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | DllHost.exe
PID 1652 wrote to memory of 3852 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | StartMenuExperienceHost.exe
PID 1652 wrote to memory of 3916 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | RuntimeBroker.exe
PID 1652 wrote to memory of 3996 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | SearchApp.exe
PID 1652 wrote to memory of 3624 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | RuntimeBroker.exe
PID 1652 wrote to memory of 2012 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | TextInputHost.exe
PID 1652 wrote to memory of 5048 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | RuntimeBroker.exe
PID 1652 wrote to memory of 1732 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | backgroundTaskHost.exe
PID 1652 wrote to memory of 5000 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | backgroundTaskHost.exe
PID 1652 wrote to memory of 2772 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | update.exe
PID 1652 wrote to memory of 3412 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | RuntimeBroker.exe
PID 1652 wrote to memory of 4916 | 1652 | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe | RuntimeBroker.exe
(41 entries in total; rows that repeat an earlier entry verbatim are listed once)
System policy modification  1 TTPs  1 IoCs
Processes: 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe
Processes
(indentation shows the parent/child relationship; depth 1 processes are top-level)
PID 792: C:\Windows\system32\fontdrvhost.exe  (command line: "fontdrvhost.exe")
PID 788: C:\Windows\system32\fontdrvhost.exe  (command line: "fontdrvhost.exe")
PID 384: C:\Windows\system32\dwm.exe  (command line: "dwm.exe")
PID 2252: C:\Windows\system32\sihost.exe  (command line: sihost.exe)
PID 2632: C:\Windows\system32\svchost.exe  (command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc)
PID 3124: C:\Windows\system32\taskhostw.exe  (command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E})
PID 3468: C:\Windows\Explorer.EXE  (command line: C:\Windows\Explorer.EXE)
    PID 1652: C:\Users\Admin\AppData\Local\Temp\0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\0f96b0622e13675b9579d7e5cd12d4fc_JaffaCakes118.exe")
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Loads dropped DLL
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
        PID 2772: \??\c:\e650f9aa54d44debf22778940ebb13\update\update.exe  (command line: c:\e650f9aa54d44debf22778940ebb13\update\update.exe)
            - Executes dropped EXE
            - Loads dropped DLL
            - Drops file in Windows directory
PID 3580: C:\Windows\system32\svchost.exe  (command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc)
PID 3760: C:\Windows\system32\DllHost.exe  (command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})
PID 3852: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  (command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca)
PID 3916: C:\Windows\System32\RuntimeBroker.exe  (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
PID 3996: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  (command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca)
PID 3624: C:\Windows\System32\RuntimeBroker.exe  (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
PID 2012: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  (command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca)
PID 5048: C:\Windows\System32\RuntimeBroker.exe  (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
PID 1732: C:\Windows\system32\backgroundTaskHost.exe  (command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca)
PID 5000: C:\Windows\system32\backgroundTaskHost.exe  (command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca)
PID 3412: C:\Windows\System32\RuntimeBroker.exe  (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
PID 4916: C:\Windows\System32\RuntimeBroker.exe  (command line: C:\Windows\System32\RuntimeBroker.exe -Embedding)
Network
MITRE ATT&CK Enterprise v15
(number in parentheses is the count of matched signatures)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 550KB
MD5: 36be4921687bcafbbbe2ce6a7ed2a551
SHA1: 8d7070a009fcde7c9961feb891c1116c5fc53fe0
SHA256: 6cb3dcd372892dca08a21491ee4d583d047144687c6ab80126119c4a0e921602
SHA512: 4db556d0e81c819054474e0dca0a1f415ccedeedea154ca52f887d62fdb6defc8977e211ca992cd92374fc32eb02b3f0aa3c377eecfc7d22770d260290809061

Filesize: 30KB
MD5: b9b02d97007953e74caaa38497e7278a
SHA1: 3954391efec4615a597594b02ad755f539d2fa42
SHA256: e4ecf14cf98b855642505802a04be2035db6e13600112c01632e2e600c8184cc
SHA512: 78f39f6c6167ba61f52501912b3c5fa6d8c0d594be9f9a5b888b2cb4e19c1d499328fe28a90cc1457e15b14f78ce5a3591b8ed1468afb8d5e944df07a7ae2c6e

Filesize: 705KB
MD5: 2082618918f003a5d8b84a7025265e13
SHA1: a847ff56cf2de5f25bee270cba2e319b92f6ad09
SHA256: 9a6cf1f1acc4d539fde4b517f37f75df1b19d637309f3ee215944e1f9fccc552
SHA512: 3f8f2e73e7242d2edb871efe53af612497dbc7d7b3cab368880788e7675f390ea72699d2bf928e7bac88f6425b6503ff6c73720e7260ddc55ae49b642c5d5f60

Filesize: 371KB
MD5: 47222e529e7547d547d03938a1710ac8
SHA1: 17cfa7b82d389c90c63e6541d9de1863777681d9
SHA256: c56c7c105b9eff9a7e11db29483dc667f7e6a40eb1446a1e74604ae8cb978d61
SHA512: 61b58ac697702fdb270034c5ee92214d2bde7b23a829d7b975404bafa68a0c9b3959e32ccad2b5c2f04030eed73e5902921edfe9716939fda2ac5eccc10a83a9