Malware Analysis Report

2024-11-16 13:15

Sample ID 240625-kxmh8stbql
Target 0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118
SHA256 775fbb95f0fbffbe8e8ba8add37ce1dec23661270054deff27f4b97a98c9c1bb
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

775fbb95f0fbffbe8e8ba8add37ce1dec23661270054deff27f4b97a98c9c1bb

Threat Level: Known bad

The file 0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

UAC bypass

Modifies firewall policy service

Sality

Windows security bypass

UPX packed file

Windows security modification

Enumerates connected drives

Checks whether UAC is enabled

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 08:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 08:58

Reported

2024-06-25 09:01

Platform

win7-20240508-en

Max time kernel

123s

Max time network

118s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1672 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 1672 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1672 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 1672 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 1672 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1672 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 1672 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1672 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 1672 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1672 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 1672 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1672 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 1672 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1672 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 1672 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1672 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 1672 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1672 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 1672 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1672 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 1672 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1672 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 1672 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1672 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 1672 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 1672 wrote to memory of 1108 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 1672 wrote to memory of 1180 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 1672 wrote to memory of 1224 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\Explorer.EXE

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe"

Network

N/A

Files

memory/1672-0-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1672-6-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-9-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-3-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-1-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-4-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-8-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-7-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-5-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-24-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/1672-23-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/1672-22-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-19-0x00000000005D0000-0x00000000005D1000-memory.dmp

memory/1672-18-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/1108-11-0x00000000002A0000-0x00000000002A2000-memory.dmp

memory/1672-25-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/1672-10-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-26-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-27-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-28-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-29-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-30-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-32-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-33-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-34-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-37-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-49-0x0000000002E40000-0x0000000002E42000-memory.dmp

memory/1672-48-0x00000000049C0000-0x00000000049C1000-memory.dmp

memory/1672-47-0x0000000002E40000-0x0000000002E42000-memory.dmp

memory/1672-51-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-52-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-54-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-55-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-59-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-60-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-62-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-64-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-65-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-68-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-69-0x0000000001D20000-0x0000000002DAE000-memory.dmp

memory/1672-82-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/1672-102-0x0000000002E40000-0x0000000002E42000-memory.dmp

F:\hpgktp.exe

MD5 c7e19a1a23dc8d7e9e3bfeff9eeb438f
SHA1 764beef76b33b50614e0c81521f135637941ca04
SHA256 973b26441192628c1ce889690ba6ef068129df79169241225fabd1091ee72eca
SHA512 746982d242952afe376d69d91a5d9393caf387796a90c0fc5c9a25dd36fb1ce5cb0636a127647881c4d40efabcddbd70b34a114d5168620d0d1b0126a46a2ca2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 08:58

Reported

2024-06-25 09:01

Platform

win10v2004-20240508-en

Max time kernel

122s

Max time network

52s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 2028 wrote to memory of 796 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 2028 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\dwm.exe
PID 2028 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\sihost.exe
PID 2028 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\taskhostw.exe
PID 2028 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2028 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 2028 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 2028 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 2028 wrote to memory of 4012 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 2028 wrote to memory of 1048 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 2028 wrote to memory of 3700 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 2028 wrote to memory of 880 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 2028 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0d76c3158ea2843a1fdf05857c6a7ec4_JaffaCakes118.exe"

Network

Files

F:\lffqx.pif

MD5 5a01cf303f691efb2b82bda5a9e73784
SHA1 e112e2c9492ed9b6d7f2b8697dad400761c46d81
SHA256 f356e7efd62347fa94ca0cf5aba56945d54907870d10a4fe138ce0f3cba7bf65
SHA512 b5b4781f98aa69588bb20662a9e10549681d13da9cf3b1bf870b743034bb95437025eb3ebd9bff5fad5f5e0940193407fe223f898a7fc331146bc411004704b7