Analysis Overview
SHA256
bf0ba638e0d04ee95923ac4f8ef1b465914fae2a9af4b15dcc902dd334239d04
Threat Level: Known bad
The file 0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Windows security bypass
Modifies firewall policy service
UAC bypass
Sality
Loads dropped DLL
Deletes itself
Executes dropped EXE
UPX packed file
Windows security modification
Checks whether UAC is enabled
Enumerates connected drives
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
NSIS installer
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-25 20:40
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-25 20:40
Reported
2024-06-25 20:43
Platform
win7-20240508-en
Max time kernel
14s
Max time network
118s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\hccjfr.exe
"C:\Windows\System32\hccjfr.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
Network
Files
memory/2424-0-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2424-1-0x0000000001F50000-0x0000000002FDE000-memory.dmp
memory/2424-3-0x0000000001F50000-0x0000000002FDE000-memory.dmp
memory/2424-4-0x0000000001F50000-0x0000000002FDE000-memory.dmp
memory/2424-7-0x0000000001F50000-0x0000000002FDE000-memory.dmp
memory/2424-23-0x0000000003160000-0x0000000003162000-memory.dmp
memory/2424-22-0x0000000001F50000-0x0000000002FDE000-memory.dmp
memory/2424-5-0x0000000001F50000-0x0000000002FDE000-memory.dmp
memory/2424-25-0x0000000001F50000-0x0000000002FDE000-memory.dmp
memory/2424-26-0x0000000001F50000-0x0000000002FDE000-memory.dmp
memory/2424-6-0x0000000001F50000-0x0000000002FDE000-memory.dmp
memory/2424-27-0x0000000001F50000-0x0000000002FDE000-memory.dmp
memory/2424-24-0x0000000003160000-0x0000000003162000-memory.dmp
memory/2424-21-0x00000000040D0000-0x00000000040D1000-memory.dmp
memory/2424-19-0x00000000040D0000-0x00000000040D1000-memory.dmp
memory/2424-18-0x0000000003160000-0x0000000003162000-memory.dmp
memory/1100-8-0x0000000002070000-0x0000000002072000-memory.dmp
memory/2424-28-0x0000000001F50000-0x0000000002FDE000-memory.dmp
memory/2424-29-0x0000000001F50000-0x0000000002FDE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 0f7450e7497d1318dfbe4a85e2534612 |
| SHA1 | c1c8d7e44f6f274fc581f7f8f4816d41e79acba8 |
| SHA256 | bf0ba638e0d04ee95923ac4f8ef1b465914fae2a9af4b15dcc902dd334239d04 |
| SHA512 | ac4fba6001485dd8e4acd7ceddeef2702831edbd5f59cbfed73badb0f85aadf30695dc88221b7e6c1b637ea0cb48df72851e47fd4c1e70180afbd21ee04dcfdb |
memory/2896-61-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
memory/2896-62-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
memory/2896-74-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
memory/2896-75-0x00000000002B0000-0x00000000002B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0F762896_Rar\Au_.exe
| MD5 | c36e02b8b4b8895f83b505445354e72f |
| SHA1 | 30d1a2e8a1f97f585727fc1d7b8cd4a59b379f0c |
| SHA256 | 8051bf33b481ad52a4515d6c03c5782f663f855a0ff35dafb30efd1bec3b166b |
| SHA512 | 0f6d91ddb93ab81507ef1789faf99b5f3fd3914c57ab1a84593364e04fdcc631eb6eb2cc53afdc519862326bd8f5b9ae1272af4c92e20cfa35a30b0b72cb398d |
memory/2896-73-0x00000000002C0000-0x00000000002C1000-memory.dmp
memory/2896-79-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
memory/2896-80-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
memory/2896-81-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
memory/2896-60-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
memory/2896-59-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
memory/2896-56-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
memory/2896-58-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
C:\Windows\SYSTEM.INI
| MD5 | 575904e2581895e163186461cc33ab5a |
| SHA1 | 4af59d866bf75a732ea2c0e73843fb64a16ee42c |
| SHA256 | dd289f879f54ec275735346871b9c902c2232acec5fdaee9cc2cfe173e77a1c8 |
| SHA512 | a353fa9230e564731d58ea671b079e384c2d7bfabbb9c68181a0edcfb7d4e24ae20b055a16232c0c3db24cc694fe171742b37c8eed7d6abc14248de76c4028be |
memory/2424-55-0x0000000001F50000-0x0000000002FDE000-memory.dmp
memory/2896-54-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2424-53-0x0000000000400000-0x0000000000451000-memory.dmp
memory/2896-83-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
memory/2896-82-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
memory/2896-84-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
memory/2896-86-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsd3C47.tmp\InstallOptions.dll
| MD5 | 0dc0cc7a6d9db685bf05a7e5f3ea4781 |
| SHA1 | 5d8b6268eeec9d8d904bc9d988a4b588b392213f |
| SHA256 | 8e287326f1cdd5ef2dcd7a72537c68cbe4299ceb1f820707c5820f3aa6d8206c |
| SHA512 | 814dd17ebb434f4a3356f716c783ab7f569f9ee34ce5274fa50392526925f044798f8006198ac7afe3d1c2ca83a2ca8c472ca53fec5f12bbfbbe0707abacd6b0 |
C:\Users\Admin\AppData\Local\Temp\nsd3C47.tmp\UninCfg.ini
| MD5 | 950606fd8b26dba64b423298fdeea295 |
| SHA1 | 8310ca44bdf2a26c210e4578ccab522b329b3c1b |
| SHA256 | 2b8cc43d1408c40258c180998084a92255751c13979b629f64616c04721af6b4 |
| SHA512 | c6d9e774a63e98a4a744e2373beba5f2dd398e86596de06f9957225b064f26da975436aebccd73051438191baef0470e3e14614098726373ca68a29dbcde9033 |
memory/2896-243-0x0000000001DA0000-0x0000000002E2E000-memory.dmp
memory/2896-250-0x00000000002B0000-0x00000000002B2000-memory.dmp
C:\jrhrp.exe
| MD5 | f188d2e6a6d9aacff03995dd19ac349b |
| SHA1 | b77c3a912795e4de10cf7a399b04850a07f16133 |
| SHA256 | 529066e77aa4fa099d5ff45d0738a0da1de7d30a8aa2c4d8dc60c66e58adc348 |
| SHA512 | 5952315d03f9d3c623b620b63b50f40b1d2f56f07a5f8748a38b2cdff41ca2106171695c6a29b5366147411dcb873bab5d5305ed24182b1bf9220363c74f5be3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-25 20:40
Reported
2024-06-25 20:43
Platform
win10v2004-20240508-en
Max time kernel
94s
Max time network
95s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
Sality
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SYSTEM.INI | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe | N/A |
Processes
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0f7450e7497d1318dfbe4a85e2534612_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
Files
memory/3216-0-0x0000000000400000-0x0000000000451000-memory.dmp
memory/3216-7-0x0000000002260000-0x00000000032EE000-memory.dmp
memory/3216-3-0x0000000002260000-0x00000000032EE000-memory.dmp
memory/3216-11-0x0000000002230000-0x0000000002232000-memory.dmp
memory/3216-12-0x0000000002230000-0x0000000002232000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
| MD5 | 0f7450e7497d1318dfbe4a85e2534612 |
| SHA1 | c1c8d7e44f6f274fc581f7f8f4816d41e79acba8 |
| SHA256 | bf0ba638e0d04ee95923ac4f8ef1b465914fae2a9af4b15dcc902dd334239d04 |
| SHA512 | ac4fba6001485dd8e4acd7ceddeef2702831edbd5f59cbfed73badb0f85aadf30695dc88221b7e6c1b637ea0cb48df72851e47fd4c1e70180afbd21ee04dcfdb |
memory/2340-30-0x0000000000400000-0x0000000000451000-memory.dmp
memory/3216-26-0x0000000002260000-0x00000000032EE000-memory.dmp
memory/3216-31-0x0000000000400000-0x0000000000451000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\0E573DE4_Rar\Au_.exe
| MD5 | c36e02b8b4b8895f83b505445354e72f |
| SHA1 | 30d1a2e8a1f97f585727fc1d7b8cd4a59b379f0c |
| SHA256 | 8051bf33b481ad52a4515d6c03c5782f663f855a0ff35dafb30efd1bec3b166b |
| SHA512 | 0f6d91ddb93ab81507ef1789faf99b5f3fd3914c57ab1a84593364e04fdcc631eb6eb2cc53afdc519862326bd8f5b9ae1272af4c92e20cfa35a30b0b72cb398d |
memory/2340-36-0x0000000000400000-0x0000000000451000-memory.dmp
memory/3216-22-0x0000000002230000-0x0000000002232000-memory.dmp
memory/3216-10-0x0000000002260000-0x00000000032EE000-memory.dmp
memory/3216-6-0x0000000002260000-0x00000000032EE000-memory.dmp
memory/3216-5-0x0000000002260000-0x00000000032EE000-memory.dmp
memory/3216-9-0x0000000002240000-0x0000000002241000-memory.dmp
memory/3216-8-0x0000000002230000-0x0000000002232000-memory.dmp
memory/3216-1-0x0000000002260000-0x00000000032EE000-memory.dmp