Analysis
max time kernel: 126s
max time network: 120s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64 arch:x86 image:win7-20240611-en locale:en-us os:windows7-x64 system
submitted: 26-06-2024 01:18
Static task: static1
Behavioral task: behavioral1
Sample: 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Size: 100KB
MD5: 103a2ef3f8da36367ef946eebaab8160
SHA1: e35a4bdbcf2ce08ed929ff7043fdd14554145140
SHA256: b2013c245cd29a58cb65dee4fd13a454d80e0f1b8f41fd0a7db87260c901587f
SHA512: 90aad37025b8df7e17e81724b65175da7f887a50c661293e050607fa5d9388743bc1c5c827fcaebf99ccb174b6d4a7181a586d218717dd12b1274378f8a67c95
SSDEEP: 1536:ifQKjysh2tbudmQL+T8DTmJomykRoQNZ/yyBB4YwMF6NTSN8tlFOyp3wuA6u:ibyztZecoHiCkB4YFF6Jy8trp3TA/
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
UAC bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Windows security bypass
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
YARA rule match: upx
Windows security modification
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Checks whether UAC is enabled
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | process
File opened (read-only) | \??\G: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\K: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\T: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\U: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\X: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\Y: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\E: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\L: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\O: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\W: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\I: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\N: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\P: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\S: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\Z: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\H: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\J: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\M: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\Q: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\R: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened (read-only) | \??\V: | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
description | ioc | process
File opened for modification | C:\autorun.inf | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Drops file in Program Files directory 5 IoCs
Processes:
description | ioc | process
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Drops file in Windows directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
pid | process
1080 | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 32 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1080 | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 40 IoCs
Processes:
description | pid | process | target process
PID 1080 wrote to memory of 1232 | 1080 | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe | taskhost.exe
PID 1080 wrote to memory of 1316 | 1080 | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe | Dwm.exe
PID 1080 wrote to memory of 1364 | 1080 | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe | Explorer.EXE
PID 1080 wrote to memory of 1256 | 1080 | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe | DllHost.exe
System policy modification 1 TTPs 1 IoCs
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
Processes
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID:1232
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID:1316
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID:1364
  - C:\Users\Admin\AppData\Local\Temp\103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\103a2ef3f8da36367ef946eebaab8160_JaffaCakes118.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID:1080
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID:1256
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
Filesize: 100KB
MD5: a19facecdd85ca871c8f8e3772f0457b
SHA1: ae98705c8c59e76dd3638648edf4ca21acb659a9
SHA256: 2a65be386de22bf10f092dc914e0f702492e098f7b56d2acc1369c8ca6bcb58a
SHA512: a103b6c12a6fce0dba1997d5a87fe9c2c9f9ffbf90cd4781707ec5bd7da19e02294457570376372dabd8da6b4b347410930c93971a61ba5ee44350f80186223a