Malware Analysis Report

2024-11-16 13:15

Sample ID 240625-3jmk7azhnb
Target 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118
SHA256 7435733affd75e2537138433aa382f7e1d3bb8c2dad4971d8893d29c4b1ba89c
Tags sality backdoor evasion trojan upx
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

7435733affd75e2537138433aa382f7e1d3bb8c2dad4971d8893d29c4b1ba89c

Threat Level: Known bad

The file 0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Windows security bypass

Sality

Modifies firewall policy service

Executes dropped EXE

Loads dropped DLL

UPX packed file

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 23:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 23:32

Reported

2024-06-25 23:35

Platform

win7-20231129-en

Max time kernel

29s

Max time network

120s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 2372 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 2372 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 2372 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 2372 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 2372 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 2372 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 2372 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 2372 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 2372 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 2372 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 2372 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 2372 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 2372 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 2820 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2A8A.tmp
PID 2820 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2A8A.tmp
PID 2820 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2A8A.tmp
PID 2820 wrote to memory of 2204 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2A8A.tmp
PID 2204 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2A8A.tmp C:\Windows\Explorer.EXE
PID 2204 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2A8A.tmp C:\Windows\Explorer.EXE
PID 2204 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2A8A.tmp C:\Windows\Explorer.EXE
PID 2204 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2A8A.tmp C:\Windows\system32\taskhost.exe
PID 2204 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2A8A.tmp C:\Windows\system32\Dwm.exe
PID 2204 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2A8A.tmp C:\Windows\Explorer.EXE
PID 2204 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2A8A.tmp C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 2204 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\2A8A.tmp C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 2204 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2A8A.tmp C:\Windows\Explorer.EXE
PID 2204 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2A8A.tmp C:\Windows\Explorer.EXE
PID 2204 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2A8A.tmp C:\Windows\Explorer.EXE
PID 2820 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2DE5.tmp
PID 2820 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2DE5.tmp
PID 2820 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2DE5.tmp
PID 2820 wrote to memory of 2768 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\2DE5.tmp
PID 2768 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2DE5.tmp C:\Windows\Explorer.EXE
PID 2768 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2DE5.tmp C:\Windows\Explorer.EXE
PID 2768 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2DE5.tmp C:\Windows\Explorer.EXE
PID 2768 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\2DE5.tmp C:\Windows\system32\taskhost.exe
PID 2768 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\2DE5.tmp C:\Windows\system32\Dwm.exe
PID 2768 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2DE5.tmp C:\Windows\Explorer.EXE
PID 2768 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2DE5.tmp C:\Windows\Explorer.EXE
PID 2768 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2DE5.tmp C:\Windows\Explorer.EXE
PID 2768 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\2DE5.tmp C:\Windows\Explorer.EXE
PID 2820 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 2820 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 2820 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2820 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 2820 wrote to memory of 1296 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 2820 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2A8A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2DE5.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\2A8A.tmp

C:\Users\Admin\AppData\Local\Temp\2A8A.tmp

C:\Users\Admin\AppData\Local\Temp\2DE5.tmp

C:\Users\Admin\AppData\Local\Temp\2DE5.tmp

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\2A8A.tmp

MD5 ef5ae3f1fb47449f7040a5140a9b20de
SHA1 d5573febcf6faeddf4afcce3e35f66c14ac0f4d5
SHA256 9761fb628c7dfbea690ea820fafb3a000f891cc97f20e11fdc39a70e87595d94
SHA512 ab27b3c8f74173ed24b74082eb1309f163a9e813a13dbc79d7b82811241ac31c0ed16479e2f9ef13e51ef3ecd8f849ddc7c6b25f5ff916f7d19c0028907a93bf

C:\Windows\SYSTEM.INI

MD5 c9c32376a614a18b4a14aa2a36c421eb
SHA1 416088ea4a318af733b058f0f6c6396534092705
SHA256 ff113065d49e78a73b026ae90d35f70cedaed1895ad83f865697d765366a388a
SHA512 597f2dbd5dd010bbd0ebea4dbbd0e7c347c0ec4aed3193d76cb335f405cfa8ca709d889613850b8ad74f09b0ca2787f9a286170ddab529092e7ff41fff4b2d86

C:\bsay.pif

MD5 4e2e92e9e3e37dc04bce1a78e9ee0ed5
SHA1 66babeb9c5125a92f6f350c172f4c80154aaaa0d
SHA256 c4f61809851de476aeb7d8fb062ec71124a28059200b2c33156fc56eb194fd01
SHA512 a7f8e6da6644f30583a45a3c8cf32c9babb6e3cdb672ed96dc5410a5739151318d77daacf2676639c82e0a83a270e7f040773370188a611509749f10154041a7

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 23:32

Reported

2024-06-25 23:35

Platform

win10v2004-20240508-en

Max time kernel

29s

Max time network

129s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 828 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 3492 wrote to memory of 3188 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\598A.tmp
PID 3188 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp C:\Windows\Explorer.EXE
PID 3188 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp C:\Windows\system32\fontdrvhost.exe
PID 3188 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp C:\Windows\system32\fontdrvhost.exe
PID 3188 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp C:\Windows\system32\dwm.exe
PID 3188 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp C:\Windows\system32\sihost.exe
PID 3188 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp C:\Windows\system32\svchost.exe
PID 3188 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp C:\Windows\system32\taskhostw.exe
PID 3188 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp C:\Windows\system32\svchost.exe
PID 3188 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp C:\Windows\system32\DllHost.exe
PID 3188 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3188 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp C:\Windows\System32\RuntimeBroker.exe
PID 3188 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3188 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp C:\Windows\System32\RuntimeBroker.exe
PID 3188 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3188 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp C:\Windows\System32\RuntimeBroker.exe
PID 3188 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\598A.tmp C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe
PID 3492 wrote to memory of 2516 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\5CA8.tmp
PID 2516 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp C:\Windows\Explorer.EXE
PID 2516 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp C:\Windows\system32\fontdrvhost.exe
PID 2516 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp C:\Windows\system32\fontdrvhost.exe
PID 2516 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp C:\Windows\system32\dwm.exe
PID 2516 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp C:\Windows\system32\sihost.exe
PID 2516 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp C:\Windows\system32\svchost.exe
PID 2516 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp C:\Windows\system32\taskhostw.exe
PID 2516 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp C:\Windows\system32\svchost.exe
PID 2516 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp C:\Windows\system32\DllHost.exe
PID 2516 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2516 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp C:\Windows\System32\RuntimeBroker.exe
PID 2516 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2516 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp C:\Windows\System32\RuntimeBroker.exe
PID 2516 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2516 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\5CA8.tmp C:\Windows\System32\RuntimeBroker.exe
PID 3492 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\598A.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5CA8.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0fef8b3ffe91ac29278c24d111ace7a2_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\598A.tmp

C:\Users\Admin\AppData\Local\Temp\598A.tmp

C:\Users\Admin\AppData\Local\Temp\5CA8.tmp

C:\Users\Admin\AppData\Local\Temp\5CA8.tmp

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\598A.tmp

MD5 ef5ae3f1fb47449f7040a5140a9b20de
SHA1 d5573febcf6faeddf4afcce3e35f66c14ac0f4d5
SHA256 9761fb628c7dfbea690ea820fafb3a000f891cc97f20e11fdc39a70e87595d94
SHA512 ab27b3c8f74173ed24b74082eb1309f163a9e813a13dbc79d7b82811241ac31c0ed16479e2f9ef13e51ef3ecd8f849ddc7c6b25f5ff916f7d19c0028907a93bf

C:\Windows\SYSTEM.INI

MD5 714943c6644b0cbaa4cacb6dde6ab581
SHA1 1a166ef9a0cad0d919605547a9ec91e12897e071
SHA256 4acf9893b00d23463511710b2a0c42f4690378e5a247b8b9f6fbfe2fb1efffff
SHA512 0213b27008c0ea0056e29fa81c3dfbe184bf7f63dba852da3b93a3c1b757782d16190d7ece6fb7eebf7a8d913356fb07d9544ff83567179004629f87a6fb3ef6