Analysis
- max time kernel: 29s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 25-06-2024 23:32

Static task: static1
Behavioral task: behavioral1
- Sample: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Resource: win7-20231129-en
General
- Target: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Size: 569KB
- MD5: 0fef8b3ffe91ac29278c24d111ace7a2
- SHA1: db04a427ea8edbd11d3989a4ac7832fd013b9baa
- SHA256: 7435733affd75e2537138433aa382f7e1d3bb8c2dad4971d8893d29c4b1ba89c
- SHA512: 4e3c82df09307c91c1d41bfae835128bccbeabccb5bb9546805c3ca74077eb6f74c8850a995ff574daf9cc7f7e61e37022ab2c4edd7479f8728bae1142ed412a
- SSDEEP: 12288:J/IwFd+4DG5zP8dxslXI7DVqySi7P4PIXgB+OG8FG:ZG5zPqMXIPVq0j47wO
Malware Config
Extracted
- Family: sality
- C2 URLs:
  - http://89.119.67.154/testo5/
  - http://kukutrustnet777.info/home.gif
  - http://kukutrustnet888.info/home.gif
  - http://kukutrustnet987.info/home.gif
  - http://www.klkjwre9fqwieluoi.info/
  - http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
Processes: 2A8A.tmp, 2DE5.tmp, 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 2DE5.tmp
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 2DE5.tmp
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 2DE5.tmp
UAC bypass
Processes: 2A8A.tmp, 2DE5.tmp, 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2DE5.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Windows security bypass
Processes: 2A8A.tmp, 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe, 2DE5.tmp
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2DE5.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2DE5.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2DE5.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2DE5.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2DE5.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2DE5.tmp
Executes dropped EXE (2 IoCs)
Processes: 2A8A.tmp, 2DE5.tmp
pid | process
- 2204 | 2A8A.tmp
- 2768 | 2DE5.tmp
Loads dropped DLL (4 IoCs)
Processes: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
pid | process
- 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
YARA rule matches (rule: upx)
resource | yara_rule
- behavioral1/memory/2204-25-0x0000000000620000-0x00000000016AE000-memory.dmp | upx
- behavioral1/memory/2204-19-0x0000000000620000-0x00000000016AE000-memory.dmp | upx
- behavioral1/memory/2204-26-0x0000000000620000-0x00000000016AE000-memory.dmp | upx
- behavioral1/memory/2204-24-0x0000000000620000-0x00000000016AE000-memory.dmp | upx
- behavioral1/memory/2204-28-0x0000000000620000-0x00000000016AE000-memory.dmp | upx
- behavioral1/memory/2204-29-0x0000000000620000-0x00000000016AE000-memory.dmp | upx
- behavioral1/memory/2204-30-0x0000000000620000-0x00000000016AE000-memory.dmp | upx
- behavioral1/memory/2204-23-0x0000000000620000-0x00000000016AE000-memory.dmp | upx
- behavioral1/memory/2204-22-0x0000000000620000-0x00000000016AE000-memory.dmp | upx
- behavioral1/memory/2204-61-0x0000000000620000-0x00000000016AE000-memory.dmp | upx
- behavioral1/memory/2768-87-0x0000000000590000-0x000000000161E000-memory.dmp | upx
- behavioral1/memory/2768-86-0x0000000000590000-0x000000000161E000-memory.dmp | upx
- behavioral1/memory/2768-93-0x0000000000590000-0x000000000161E000-memory.dmp | upx
- behavioral1/memory/2768-89-0x0000000000590000-0x000000000161E000-memory.dmp | upx
- behavioral1/memory/2768-88-0x0000000000590000-0x000000000161E000-memory.dmp | upx
- behavioral1/memory/2768-85-0x0000000000590000-0x000000000161E000-memory.dmp | upx
- behavioral1/memory/2768-80-0x0000000000590000-0x000000000161E000-memory.dmp | upx
- behavioral1/memory/2768-135-0x0000000000590000-0x000000000161E000-memory.dmp | upx
Windows security modification
Processes: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe, 2A8A.tmp, 2DE5.tmp
description | ioc | process
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2DE5.tmp
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 2DE5.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2A8A.tmp
- Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2DE5.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2DE5.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2DE5.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2DE5.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2DE5.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Checks whether UAC is enabled
Processes: 2A8A.tmp, 2DE5.tmp, 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2DE5.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 13 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
description | ioc | process
- File opened (read-only) | \??\L: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- File opened (read-only) | \??\R: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- File opened (read-only) | \??\I: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- File opened (read-only) | \??\J: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- File opened (read-only) | \??\P: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- File opened (read-only) | \??\Q: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- File opened (read-only) | \??\E: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- File opened (read-only) | \??\O: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- File opened (read-only) | \??\K: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- File opened (read-only) | \??\M: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- File opened (read-only) | \??\N: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- File opened (read-only) | \??\G: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- File opened (read-only) | \??\H: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
description | pid | process | target process
- PID 2372 set thread context of 2820 | 2372 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Drops file in Windows directory (1 IoC)
Processes: 2A8A.tmp
description | ioc | process
- File opened for modification | C:\Windows\SYSTEM.INI | 2A8A.tmp
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes: 2A8A.tmp, 2DE5.tmp, 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
pid | process
- 2204 | 2A8A.tmp
- 2204 | 2A8A.tmp
- 2204 | 2A8A.tmp
- 2768 | 2DE5.tmp
- 2768 | 2DE5.tmp
- 2768 | 2DE5.tmp
- 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe, 2A8A.tmp, 2DE5.tmp, 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
description | pid | process
- Token: SeDebugPrivilege | 2372 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Token: SeDebugPrivilege | 2204 | 2A8A.tmp
- Token: SeDebugPrivilege | 2768 | 2DE5.tmp
- Token: SeDebugPrivilege | 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
- Token: SeDebugPrivilege | 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
pid | process
- 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (48 IoCs)
Processes: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe, 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe, 2A8A.tmp, 2DE5.tmp
description | pid | process | target process (consecutive identical rows collapsed, with the count in brackets)
- PID 2372 wrote to memory of 2820 | 2372 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe [14 rows]
- PID 2820 wrote to memory of 2204 | 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | 2A8A.tmp [4 rows]
- PID 2204 wrote to memory of 1340 | 2204 | 2A8A.tmp | Explorer.EXE [3 rows]
- PID 2204 wrote to memory of 1228 | 2204 | 2A8A.tmp | taskhost.exe
- PID 2204 wrote to memory of 1296 | 2204 | 2A8A.tmp | Dwm.exe
- PID 2204 wrote to memory of 1340 | 2204 | 2A8A.tmp | Explorer.EXE
- PID 2204 wrote to memory of 2820 | 2204 | 2A8A.tmp | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe [2 rows]
- PID 2204 wrote to memory of 1340 | 2204 | 2A8A.tmp | Explorer.EXE [3 rows]
- PID 2820 wrote to memory of 2768 | 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | 2DE5.tmp [4 rows]
- PID 2768 wrote to memory of 1340 | 2768 | 2DE5.tmp | Explorer.EXE [3 rows]
- PID 2768 wrote to memory of 1228 | 2768 | 2DE5.tmp | taskhost.exe
- PID 2768 wrote to memory of 1296 | 2768 | 2DE5.tmp | Dwm.exe
- PID 2768 wrote to memory of 1340 | 2768 | 2DE5.tmp | Explorer.EXE [4 rows]
- PID 2820 wrote to memory of 1228 | 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | taskhost.exe
- PID 2820 wrote to memory of 1296 | 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | Dwm.exe
- PID 2820 wrote to memory of 1340 | 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | Explorer.EXE
- PID 2820 wrote to memory of 1228 | 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | taskhost.exe
- PID 2820 wrote to memory of 1296 | 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | Dwm.exe
- PID 2820 wrote to memory of 1340 | 2820 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | Explorer.EXE
System policy modification (1 TTP, 3 IoCs)
Processes: 2A8A.tmp, 2DE5.tmp, 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
description | ioc | process
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2A8A.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2DE5.tmp
- Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Processes
- C:\Windows\system32\taskhost.exe (command line: "taskhost.exe"), PID 1228
- C:\Windows\system32\Dwm.exe (command line: "C:\Windows\system32\Dwm.exe"), PID 1296
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 1340
  - C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe"), PID 2372
    Signatures:
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe (command line: "C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe"), PID 2820
      Signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Loads dropped DLL
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\2A8A.tmp (command line: C:\Users\Admin\AppData\Local\Temp\2A8A.tmp), PID 2204
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
      - C:\Users\Admin\AppData\Local\Temp\2DE5.tmp (command line: C:\Users\Admin\AppData\Local\Temp\2DE5.tmp), PID 2768
        Signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
Network
MITRE ATT&CK Enterprise v15
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Create or Modify System Process (1): Windows Service (1)
- Defense Evasion
  - Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  - Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  - Modify Registry (5)
Downloads
- Filesize: 104KB
  - MD5: ef5ae3f1fb47449f7040a5140a9b20de
  - SHA1: d5573febcf6faeddf4afcce3e35f66c14ac0f4d5
  - SHA256: 9761fb628c7dfbea690ea820fafb3a000f891cc97f20e11fdc39a70e87595d94
  - SHA512: ab27b3c8f74173ed24b74082eb1309f163a9e813a13dbc79d7b82811241ac31c0ed16479e2f9ef13e51ef3ecd8f849ddc7c6b25f5ff916f7d19c0028907a93bf
- Filesize: 257B
  - MD5: c9c32376a614a18b4a14aa2a36c421eb
  - SHA1: 416088ea4a318af733b058f0f6c6396534092705
  - SHA256: ff113065d49e78a73b026ae90d35f70cedaed1895ad83f865697d765366a388a
  - SHA512: 597f2dbd5dd010bbd0ebea4dbbd0e7c347c0ec4aed3193d76cb335f405cfa8ca709d889613850b8ad74f09b0ca2787f9a286170ddab529092e7ff41fff4b2d86
- Filesize: 100KB
  - MD5: 4e2e92e9e3e37dc04bce1a78e9ee0ed5
  - SHA1: 66babeb9c5125a92f6f350c172f4c80154aaaa0d
  - SHA256: c4f61809851de476aeb7d8fb062ec71124a28059200b2c33156fc56eb194fd01
  - SHA512: a7f8e6da6644f30583a45a3c8cf32c9babb6e3cdb672ed96dc5410a5739151318d77daacf2676639c82e0a83a270e7f040773370188a611509749f10154041a7