Malware Analysis Report

2024-11-16 13:14

Sample ID 240625-zgcfna1hqg
Target 0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118
SHA256 bf0ba638e0d04ee95923ac4f8ef1b465914fae2a9af4b15dcc902dd334239d04
Tags
sality backdoor evasion trojan upx
score
10/10


Analysis Overview

score
10/10

SHA256

bf0ba638e0d04ee95923ac4f8ef1b465914fae2a9af4b15dcc902dd334239d04

Threat Level: Known bad

The file 0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

Modifies firewall policy service

UAC bypass

Sality

Loads dropped DLL

Deletes itself

Executes dropped EXE

UPX packed file

Windows security modification

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2024-06-25 20:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 20:40

Reported

2024-06-25 20:43

Platform

win7-20240508-en

Max time kernel

14s

Max time network

118s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (28 identical rows)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A (20 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A (21 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2424 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\system32\taskhost.exe
PID 2424 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\system32\Dwm.exe
PID 2424 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 2424 wrote to memory of 1560 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\System32\hccjfr.exe
PID 2424 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 2424 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe (4 identical rows)
PID 2896 wrote to memory of 1100 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\system32\taskhost.exe (2 identical rows)
PID 2896 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\system32\Dwm.exe (2 identical rows)
PID 2896 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\Explorer.EXE (2 identical rows)
PID 2896 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe C:\Windows\system32\DllHost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\System32\hccjfr.exe

"C:\Windows\System32\hccjfr.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

memory/2424-0-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2424-1-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2424-3-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2424-4-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2424-7-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2424-23-0x0000000003160000-0x0000000003162000-memory.dmp

memory/2424-22-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2424-5-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2424-25-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2424-26-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2424-6-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2424-27-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2424-24-0x0000000003160000-0x0000000003162000-memory.dmp

memory/2424-21-0x00000000040D0000-0x00000000040D1000-memory.dmp

memory/2424-19-0x00000000040D0000-0x00000000040D1000-memory.dmp

memory/2424-18-0x0000000003160000-0x0000000003162000-memory.dmp

memory/1100-8-0x0000000002070000-0x0000000002072000-memory.dmp

memory/2424-28-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2424-29-0x0000000001F50000-0x0000000002FDE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 0f7450e7497d1318dfbe4a85e2534612
SHA1 c1c8d7e44f6f274fc581f7f8f4816d41e79acba8
SHA256 bf0ba638e0d04ee95923ac4f8ef1b465914fae2a9af4b15dcc902dd334239d04
SHA512 ac4fba6001485dd8e4acd7ceddeef2702831edbd5f59cbfed73badb0f85aadf30695dc88221b7e6c1b637ea0cb48df72851e47fd4c1e70180afbd21ee04dcfdb

memory/2896-61-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

memory/2896-62-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

memory/2896-74-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

memory/2896-75-0x00000000002B0000-0x00000000002B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0F762896_Rar\Au_.exe

MD5 c36e02b8b4b8895f83b505445354e72f
SHA1 30d1a2e8a1f97f585727fc1d7b8cd4a59b379f0c
SHA256 8051bf33b481ad52a4515d6c03c5782f663f855a0ff35dafb30efd1bec3b166b
SHA512 0f6d91ddb93ab81507ef1789faf99b5f3fd3914c57ab1a84593364e04fdcc631eb6eb2cc53afdc519862326bd8f5b9ae1272af4c92e20cfa35a30b0b72cb398d

memory/2896-73-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/2896-79-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

memory/2896-80-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

memory/2896-81-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

memory/2896-60-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

memory/2896-59-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

memory/2896-56-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

memory/2896-58-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 575904e2581895e163186461cc33ab5a
SHA1 4af59d866bf75a732ea2c0e73843fb64a16ee42c
SHA256 dd289f879f54ec275735346871b9c902c2232acec5fdaee9cc2cfe173e77a1c8
SHA512 a353fa9230e564731d58ea671b079e384c2d7bfabbb9c68181a0edcfb7d4e24ae20b055a16232c0c3db24cc694fe171742b37c8eed7d6abc14248de76c4028be

memory/2424-55-0x0000000001F50000-0x0000000002FDE000-memory.dmp

memory/2896-54-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2424-53-0x0000000000400000-0x0000000000451000-memory.dmp

memory/2896-83-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

memory/2896-82-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

memory/2896-84-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

memory/2896-86-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsd3C47.tmp\InstallOptions.dll

MD5 0dc0cc7a6d9db685bf05a7e5f3ea4781
SHA1 5d8b6268eeec9d8d904bc9d988a4b588b392213f
SHA256 8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c
SHA512 814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0

C:\Users\Admin\AppData\Local\Temp\nsd3C47.tmp\UninCfg.ini

MD5 950606fd8b26dba64b423298fdeea295
SHA1 8310ca44bdf2a26c210e4578ccab522b329b3c1b
SHA256 2b8cc43d1408c40258c180998084a92255751c13979b629f64616c04721af6b4
SHA512 c6d9e774a63e98a4a744e2373beba5f2dd398e86596de06f9957225b064f26da975436aebccd73051438191baef0470e3e14614098726373ca68a29dbcde9033

memory/2896-243-0x0000000001DA0000-0x0000000002E2E000-memory.dmp

memory/2896-250-0x00000000002B0000-0x00000000002B2000-memory.dmp

C:\jrhrp.exe

MD5 f188d2e6a6d9aacff03995dd19ac349b
SHA1 b77c3a912795e4de10cf7a399b04850a07f16133
SHA256 529066e77aa4fa099d5ff45d0738a0da1de7d30a8aa2c4d8dc60c66e58adc348
SHA512 5952315d03f9d3c623b620b63b50f40b1d2f56f07a5f8748a38b2cdff41ca2106171695c6a29b5366147411dcb873bab5d5305ed24182b1bf9220363c74f5be3

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 20:40

Reported

2024-06-25 20:43

Platform

win10v2004-20240508-en

Max time kernel

94s

Max time network

95s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (7 identical rows)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A (54 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3216 wrote to memory of 776 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 3216 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\system32\fontdrvhost.exe
PID 3216 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\system32\dwm.exe
PID 3216 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\system32\sihost.exe
PID 3216 wrote to memory of 2716 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 3216 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\system32\taskhostw.exe
PID 3216 wrote to memory of 3508 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\Explorer.EXE
PID 3216 wrote to memory of 3668 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\system32\svchost.exe
PID 3216 wrote to memory of 3864 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\system32\DllHost.exe
PID 3216 wrote to memory of 3956 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 3216 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 3216 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 3216 wrote to memory of 3920 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 3216 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 3216 wrote to memory of 4836 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Windows\System32\RuntimeBroker.exe
PID 3216 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 3216 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 3216 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/3216-0-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3216-7-0x0000000002260000-0x00000000032EE000-memory.dmp

memory/3216-3-0x0000000002260000-0x00000000032EE000-memory.dmp

memory/3216-11-0x0000000002230000-0x0000000002232000-memory.dmp

memory/3216-12-0x0000000002230000-0x0000000002232000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 0f7450e7497d1318dfbe4a85e2534612
SHA1 c1c8d7e44f6f274fc581f7f8f4816d41e79acba8
SHA256 bf0ba638e0d04ee95923ac4f8ef1b465914fae2a9af4b15dcc902dd334239d04
SHA512 ac4fba6001485dd8e4acd7ceddeef2702831edbd5f59cbfed73badb0f85aadf30695dc88221b7e6c1b637ea0cb48df72851e47fd4c1e70180afbd21ee04dcfdb

memory/2340-30-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3216-26-0x0000000002260000-0x00000000032EE000-memory.dmp

memory/3216-31-0x0000000000400000-0x0000000000451000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0E573DE4_Rar\Au_.exe

MD5 c36e02b8b4b8895f83b505445354e72f
SHA1 30d1a2e8a1f97f585727fc1d7b8cd4a59b379f0c
SHA256 8051bf33b481ad52a4515d6c03c5782f663f855a0ff35dafb30efd1bec3b166b
SHA512 0f6d91ddb93ab81507ef1789faf99b5f3fd3914c57ab1a84593364e04fdcc631eb6eb2cc53afdc519862326bd8f5b9ae1272af4c92e20cfa35a30b0b72cb398d

memory/2340-36-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3216-22-0x0000000002230000-0x0000000002232000-memory.dmp

memory/3216-10-0x0000000002260000-0x00000000032EE000-memory.dmp

memory/3216-6-0x0000000002260000-0x00000000032EE000-memory.dmp

memory/3216-5-0x0000000002260000-0x00000000032EE000-memory.dmp

memory/3216-9-0x0000000002240000-0x0000000002241000-memory.dmp

memory/3216-8-0x0000000002230000-0x0000000002232000-memory.dmp

memory/3216-1-0x0000000002260000-0x00000000032EE000-memory.dmp