Malware Analysis Report

2024-11-16 13:15

Sample ID 240625-jfwvxazenm
Target 0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118
SHA256 2366171a8e7b66e7525c67ccaf473e506e3624f67dd90d61aa1feb46f2761d3e
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

2366171a8e7b66e7525c67ccaf473e506e3624f67dd90d61aa1feb46f2761d3e

Threat Level: Known bad

The file 0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Modifies visibility of hidden/system files in Explorer

Modifies firewall policy service

Sality

Modifies visibility of file extensions in Explorer

Windows security bypass

UAC bypass

UPX packed file

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 07:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 07:37

Reported

2024-06-25 07:39

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES (X86)\ADOBE\ACROBAT READER DC\READER\ACRORD32.EXE C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1948 wrote to memory of 772 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 1948 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 1948 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\system32\dwm.exe
PID 1948 wrote to memory of 2528 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\system32\sihost.exe
PID 1948 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 1948 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\system32\taskhostw.exe
PID 1948 wrote to memory of 3360 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1948 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 1948 wrote to memory of 3844 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 1948 wrote to memory of 3940 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1948 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 1948 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1948 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 1948 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 1948 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1948 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\system32\backgroundTaskHost.exe
PID 1948 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe C:\Windows\system32\backgroundTaskHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca

C:\Windows\system32\backgroundTaskHost.exe

"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca

C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 203.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

memory/1948-0-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1948-6-0x0000000002270000-0x00000000032FE000-memory.dmp

memory/1948-1-0x0000000002270000-0x00000000032FE000-memory.dmp

memory/1948-5-0x0000000002270000-0x00000000032FE000-memory.dmp

memory/1948-7-0x0000000002270000-0x00000000032FE000-memory.dmp

memory/1948-13-0x0000000002270000-0x00000000032FE000-memory.dmp

memory/1948-15-0x0000000000A30000-0x0000000000A32000-memory.dmp

memory/1948-14-0x0000000000A30000-0x0000000000A32000-memory.dmp

memory/1948-3-0x0000000002270000-0x00000000032FE000-memory.dmp

memory/1948-9-0x0000000000A40000-0x0000000000A41000-memory.dmp

memory/1948-8-0x0000000000A30000-0x0000000000A32000-memory.dmp

C:\autorun.inf

MD5 163e20cbccefcdd42f46e43a94173c46
SHA1 4c7b5048e8608e2a75799e00ecf1bbb4773279ae
SHA256 7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e
SHA512 e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

C:\zPharaoh.exe

MD5 905f9f0746ed6da1ed642aacca71a2a6
SHA1 09bb775f470237322a8c7cf14fc8d40c8e5508c4
SHA256 8ce2b1db33b0aac0bca176788d185a649df4e7a55e1770d5289ba283532b31e1
SHA512 2fde8751480973df7125465d0623a935ffe8cdb4bb77d1441e2ee5366062ce4ca1d0edaa9c23d8e4c9225336505e18116fd94dd693957f9363865e0da0e08039

F:\zPharaoh.exe

MD5 366ea936320d92d2b95671aaeea9eadd
SHA1 4b30ecdafeceb399e663991542f1ea2f4e1a11c2
SHA256 228ca0cd1ac4c595c8e6659362c665426f8d4aa067c90a15669f166a48474613
SHA512 f4f5c20b78f7f001da937c8112c0359a526c3c72acc6f38ed610c7d4c34db4f38db3cf3beca5100e320a35454c2df2ae2917db9a2ca0fd29feed2733113b0911

memory/1948-46-0x0000000002270000-0x00000000032FE000-memory.dmp

memory/1948-51-0x0000000000400000-0x000000000042A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 07:37

Reported

2024-06-25 07:39

Platform

win7-20231129-en

Max time kernel

121s

Max time network

122s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened for modification C:\Documents and Settings\Admin\Local Settings\Application Data\Microsoft\CD Burning\autorun.inf C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\OFFICE14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\OFFICE14\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\OFFICE14\OUTLOOK.EXE C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\OFFICE14\EXCEL.EXE C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\OFFICE14\GROOVE.EXE C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\OFFICE14\INFOPATH.EXE C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\OFFICE14\MSACCESS.EXE C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\OFFICE14\MSPUB.EXE C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0d3a935edaa43b3ef9c6c92b7c516a0b_JaffaCakes118.exe"

Network

N/A

Files

memory/2012-0-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2012-1-0x0000000001D70000-0x0000000002DFE000-memory.dmp

memory/2012-25-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2012-24-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2012-7-0x0000000001D70000-0x0000000002DFE000-memory.dmp

memory/2012-20-0x0000000000600000-0x0000000000601000-memory.dmp

memory/2012-6-0x0000000001D70000-0x0000000002DFE000-memory.dmp

memory/2012-5-0x0000000001D70000-0x0000000002DFE000-memory.dmp

memory/2012-17-0x0000000000600000-0x0000000000601000-memory.dmp

memory/2012-16-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/1288-8-0x0000000001F90000-0x0000000001F92000-memory.dmp

memory/2012-4-0x0000000001D70000-0x0000000002DFE000-memory.dmp

memory/2012-3-0x0000000001D70000-0x0000000002DFE000-memory.dmp

memory/2012-28-0x0000000001D70000-0x0000000002DFE000-memory.dmp

memory/2012-27-0x0000000001D70000-0x0000000002DFE000-memory.dmp

memory/2012-26-0x0000000001D70000-0x0000000002DFE000-memory.dmp

C:\autorun.inf

MD5 163e20cbccefcdd42f46e43a94173c46
SHA1 4c7b5048e8608e2a75799e00ecf1bbb4773279ae
SHA256 7780bee9df142a17e0457f3dcb2788b50fc2792370089335597d33719126fb7e
SHA512 e5ac0ff6b087857799ab70f68067c9dc73eeb93ccfcad87047052380b95ade3e6eb2a7d01a0f850d548a39f4b1ebb60e299d603dbe25c31b9a3585b34a0c65a8

C:\zPharaoh.exe

MD5 84b163f78631c841981d3bd4a2951fa4
SHA1 c427ebe6ca24a31435df204a0a909ba250097622
SHA256 8c9c55b8c9d03b3e7b8597bfb5c6978619ec1339937dbe379137106fe3ea18ea
SHA512 224cb03a69104321fd7f86840e02f6dbda79dc2d7c7329dafa13600d0c5604fbf0e9efe240cf049145e7cc1d395ae2e5e50ee9fc39f7079f0f5c188c39aa7dc8

F:\zPharaoh.exe

MD5 e815127d82c1fe9aed8adfb9711739d7
SHA1 3e5c8bb0a582016d688e81ec55db10187bb55261
SHA256 5132190303582416d437738eb0502026bd07e2f5557e83458f3e72cd524a64df
SHA512 b3fd5c73d1e561870282048945e7e2a177b3742b9be4e470866fb8d5f3386df000767f5bc229c4eb831761375e4c09ca9083fdfdcd995d517d36a9460505e47f

memory/2012-75-0x0000000001D70000-0x0000000002DFE000-memory.dmp

memory/2012-74-0x0000000000400000-0x000000000042A000-memory.dmp