Analysis
max time kernel: 29s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-06-2024 23:32
Static task: static1
Behavioral task: behavioral1
Sample: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Resource: win7-20231129-en
General
Target: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Size: 569KB
MD5: 0fef8b3ffe91ac29278c24d111ace7a2
SHA1: db04a427ea8edbd11d3989a4ac7832fd013b9baa
SHA256: 7435733affd75e2537138433aa382f7e1d3bb8c2dad4971d8893d29c4b1ba89c
SHA512: 4e3c82df09307c91c1d41bfae835128bccbeabccb5bb9546805c3ca74077eb6f74c8850a995ff574daf9cc7f7e61e37022ab2c4edd7479f8728bae1142ed412a
SSDEEP: 12288:J/IwFd+4DG5zP8dxslXI7DVqySi7P4PIXgB+OG8FG:ZG5zPqMXIPVq0j47wO
Malware Config
Extracted family: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 9 IoCs)
Processes: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe, 598A.tmp, 5CA8.tmp
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe

UAC bypass
Processes: 598A.tmp, 5CA8.tmp, 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe

Windows security bypass
Processes: 598A.tmp, 5CA8.tmp, 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Executes dropped EXE (2 IoCs)
Processes: 598A.tmp, 5CA8.tmp
pid | process
3188 | 598A.tmp
2516 | 5CA8.tmp
Memory dumps matching yara rule upx
resource | yara_rule
behavioral2/memory/3188-14-0x0000000000840000-0x00000000018CE000-memory.dmp | upx
behavioral2/memory/3188-17-0x0000000000840000-0x00000000018CE000-memory.dmp | upx
behavioral2/memory/3188-19-0x0000000000840000-0x00000000018CE000-memory.dmp | upx
behavioral2/memory/3188-20-0x0000000000840000-0x00000000018CE000-memory.dmp | upx
behavioral2/memory/3188-21-0x0000000000840000-0x00000000018CE000-memory.dmp | upx
behavioral2/memory/3188-23-0x0000000000840000-0x00000000018CE000-memory.dmp | upx
behavioral2/memory/3188-41-0x0000000000840000-0x00000000018CE000-memory.dmp | upx
behavioral2/memory/2516-49-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/2516-53-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/2516-51-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/2516-54-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/2516-57-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/2516-55-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/2516-58-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/2516-65-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/2516-66-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/2516-70-0x0000000000830000-0x00000000018BE000-memory.dmp | upx
behavioral2/memory/3492-89-0x0000000005570000-0x00000000065FE000-memory.dmp | upx
behavioral2/memory/3492-84-0x0000000005570000-0x00000000065FE000-memory.dmp | upx
behavioral2/memory/3492-87-0x0000000005570000-0x00000000065FE000-memory.dmp | upx
behavioral2/memory/3492-85-0x0000000005570000-0x00000000065FE000-memory.dmp | upx
behavioral2/memory/3492-86-0x0000000005570000-0x00000000065FE000-memory.dmp | upx
Windows security modification
Processes: 598A.tmp, 5CA8.tmp, 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 5CA8.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 598A.tmp
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 5CA8.tmp

Checks whether UAC is enabled
Processes: 598A.tmp, 5CA8.tmp, 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 6 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
description | ioc | process
File opened (read-only) | \??\G: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
File opened (read-only) | \??\H: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
File opened (read-only) | \??\I: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
File opened (read-only) | \??\J: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
File opened (read-only) | \??\K: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
File opened (read-only) | \??\E: | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
description | pid | process | target process
PID 828 set thread context of 3492 | 828 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Drops file in Windows directory (1 IoC)
Processes: 598A.tmp
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | 598A.tmp
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes: 598A.tmp, 5CA8.tmp, 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
pid | process | entries
3188 | 598A.tmp | 6
2516 | 5CA8.tmp | 6
3492 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | 4
Suspicious use of AdjustPrivilegeToken (45 IoCs)
Processes: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe, 598A.tmp, 5CA8.tmp, 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
description | pid | process | entries
Token: SeDebugPrivilege | 828 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | 1
Token: SeDebugPrivilege | 3188 | 598A.tmp | 11
Token: SeDebugPrivilege | 2516 | 5CA8.tmp | 11
Token: SeDebugPrivilege | 3492 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | 22
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
pid | process
3492 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes: 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe, 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe, 598A.tmp, 5CA8.tmp
description | pid | process | target process | entries (in report order)
PID 828 wrote to memory of 3492 | 828 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | 13
PID 3492 wrote to memory of 3188 | 3492 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | 598A.tmp | 3
PID 3188 wrote to memory of 3508 | 3188 | 598A.tmp | Explorer.EXE | 2
PID 3188 wrote to memory of 776 | 3188 | 598A.tmp | fontdrvhost.exe | 1
PID 3188 wrote to memory of 780 | 3188 | 598A.tmp | fontdrvhost.exe | 1
PID 3188 wrote to memory of 316 | 3188 | 598A.tmp | dwm.exe | 1
PID 3188 wrote to memory of 2696 | 3188 | 598A.tmp | sihost.exe | 1
PID 3188 wrote to memory of 2716 | 3188 | 598A.tmp | svchost.exe | 1
PID 3188 wrote to memory of 3028 | 3188 | 598A.tmp | taskhostw.exe | 1
PID 3188 wrote to memory of 3508 | 3188 | 598A.tmp | Explorer.EXE | 1
PID 3188 wrote to memory of 3668 | 3188 | 598A.tmp | svchost.exe | 1
PID 3188 wrote to memory of 3508 | 3188 | 598A.tmp | Explorer.EXE | 1
PID 3188 wrote to memory of 3864 | 3188 | 598A.tmp | DllHost.exe | 1
PID 3188 wrote to memory of 3956 | 3188 | 598A.tmp | StartMenuExperienceHost.exe | 1
PID 3188 wrote to memory of 4020 | 3188 | 598A.tmp | RuntimeBroker.exe | 1
PID 3188 wrote to memory of 732 | 3188 | 598A.tmp | SearchApp.exe | 1
PID 3188 wrote to memory of 3920 | 3188 | 598A.tmp | RuntimeBroker.exe | 1
PID 3188 wrote to memory of 4728 | 3188 | 598A.tmp | TextInputHost.exe | 1
PID 3188 wrote to memory of 4836 | 3188 | 598A.tmp | RuntimeBroker.exe | 1
PID 3188 wrote to memory of 3492 | 3188 | 598A.tmp | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | 2
PID 3188 wrote to memory of 3508 | 3188 | 598A.tmp | Explorer.EXE | 3
PID 3492 wrote to memory of 2516 | 3492 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | 5CA8.tmp | 3
PID 2516 wrote to memory of 3508 | 2516 | 5CA8.tmp | Explorer.EXE | 2
PID 2516 wrote to memory of 776 | 2516 | 5CA8.tmp | fontdrvhost.exe | 1
PID 2516 wrote to memory of 780 | 2516 | 5CA8.tmp | fontdrvhost.exe | 1
PID 2516 wrote to memory of 316 | 2516 | 5CA8.tmp | dwm.exe | 1
PID 2516 wrote to memory of 2696 | 2516 | 5CA8.tmp | sihost.exe | 1
PID 2516 wrote to memory of 2716 | 2516 | 5CA8.tmp | svchost.exe | 1
PID 2516 wrote to memory of 3028 | 2516 | 5CA8.tmp | taskhostw.exe | 1
PID 2516 wrote to memory of 3508 | 2516 | 5CA8.tmp | Explorer.EXE | 1
PID 2516 wrote to memory of 3668 | 2516 | 5CA8.tmp | svchost.exe | 1
PID 2516 wrote to memory of 3864 | 2516 | 5CA8.tmp | DllHost.exe | 1
PID 2516 wrote to memory of 3956 | 2516 | 5CA8.tmp | StartMenuExperienceHost.exe | 1
PID 2516 wrote to memory of 4020 | 2516 | 5CA8.tmp | RuntimeBroker.exe | 1
PID 2516 wrote to memory of 732 | 2516 | 5CA8.tmp | SearchApp.exe | 1
PID 2516 wrote to memory of 3920 | 2516 | 5CA8.tmp | RuntimeBroker.exe | 1
PID 2516 wrote to memory of 4728 | 2516 | 5CA8.tmp | TextInputHost.exe | 1
PID 2516 wrote to memory of 4836 | 2516 | 5CA8.tmp | RuntimeBroker.exe | 1
PID 2516 wrote to memory of 3508 | 2516 | 5CA8.tmp | Explorer.EXE | 4
PID 3492 wrote to memory of 776 | 3492 | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | fontdrvhost.exe | 1
System policy modification (1 TTP, 3 IoCs)
Processes: 598A.tmp, 5CA8.tmp, 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 598A.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 5CA8.tmp
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
Processes (indentation shows parent/child depth)
image | command line | pid
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:780
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:316
C:\Windows\system32\sihost.exe | sihost.exe | PID:2696
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2716
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3028
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3508
    C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe" | PID:828
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe" | PID:3492
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
            C:\Users\Admin\AppData\Local\Temp\598A.tmp | C:\Users\Admin\AppData\Local\Temp\598A.tmp | PID:3188
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Users\Admin\AppData\Local\Temp\5CA8.tmp | C:\Users\Admin\AppData\Local\Temp\5CA8.tmp | PID:2516
            - Modifies firewall policy service
            - UAC bypass
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Checks whether UAC is enabled
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3668
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3864
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3956
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4020
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:732
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3920
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4728
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4836
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Create or Modify System Process (1)
        Windows Service (1)
Defense Evasion
    Abuse Elevation Control Mechanism (1)
        Bypass User Account Control (1)
    Impair Defenses (4)
        Disable or Modify System Firewall (1)
        Disable or Modify Tools (3)
    Modify Registry (5)
Downloads

Filesize: 104KB
MD5: ef5ae3f1fb47449f7040a5140a9b20de
SHA1: d5573febcf6faeddf4afcce3e35f66c14ac0f4d5
SHA256: 9761fb628c7dfbea690ea820fafb3a000f891cc97f20e11fdc39a70e87595d94
SHA512: ab27b3c8f74173ed24b74082eb1309f163a9e813a13dbc79d7b82811241ac31c0ed16479e2f9ef13e51ef3ecd8f849ddc7c6b25f5ff916f7d19c0028907a93bf

Filesize: 257B
MD5: 714943c6644b0cbaa4cacb6dde6ab581
SHA1: 1a166ef9a0cad0d919605547a9ec91e12897e071
SHA256: 4acf9893b00d23463511710b2a0c42f4690378e5a247b8b9f6fbfe2fb1efffff
SHA512: 0213b27008c0ea0056e29fa81c3dfbe184bf7f63dba852da3b93a3c1b757782d16190d7ece6fb7eebf7a8d913356fb07d9544ff83567179004629f87a6fb3ef6