Analysis
- max time kernel: 8s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 03-07-2024 13:00

Behavioral task: behavioral1
- Sample: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe
- Resource: win7-20240419-en

General
- Target: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe
- Size: 781KB
- MD5: 22734185ef6b7e63867812097af90491
- SHA1: 0d951fc18d489a15099375e2953c44cd47fd11ba
- SHA256: 889068df52de03555ce97cf810e7569358551ca89ff92ab6f96f53f7a82b8d47
- SHA512: e5bbf1deb040b20ed65cbb9ededaca57d13c355f177289647dfdaff18cf18aeccb002ad5c6ff428fa6644c60be3f0ca685076cc9ab8e084e5e41a7d3477de472
- SSDEEP: 24576:Dsth3qgzXd4o8Yfpq1161DRutrS9eAM85V0981:D6NqSuo8ep4S1MKeAh5u981
Malware Config

Extracted: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/

Extracted: cybergate 2.6
- Server: maske.no-ip.biz:81
- ***MUTEX***
- enable_keylogger: true
- enable_message_box: false
- ftp_directory: ./logs/
- ftp_interval: 30
- injected_process: explorer.exe
- install_dir: spynet
- install_file: server.exe
- install_flag: true
- keylogger_enable_ftp: false
- message_box_caption: texto da mensagem
- message_box_title: título da mensagem
- password: abcd1234
- regkey_hkcu: HKCU
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (process: server.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: server.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" (process: server.exe)
UAC bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: server.exe)
Windows security bypass
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: server.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: server.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: server.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: server.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: server.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: server.exe)
Adds policy Run key to start application 2 TTPs 4 IoCs
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Key created \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Policies = "C:\\Windows\\system32\\spynet\\server.exe" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
Executes dropped EXE 2 IoCs
- pid 1816: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe
- pid 2940: server.exe

Loads dropped DLL 3 IoCs
- pid 2052: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe
- pid 1816: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe
- pid 1816: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe
Yara rule matched: upx (all resources below matched rule upx)
- behavioral1/memory/2052-0-0x0000000000400000-0x000000000046A000-memory.dmp
- behavioral1/memory/2052-4-0x0000000001D90000-0x0000000002E1E000-memory.dmp
- behavioral1/memory/2052-6-0x0000000001D90000-0x0000000002E1E000-memory.dmp
- behavioral1/memory/2052-8-0x0000000001D90000-0x0000000002E1E000-memory.dmp
- behavioral1/memory/2052-3-0x0000000001D90000-0x0000000002E1E000-memory.dmp
- behavioral1/memory/2052-25-0x0000000001D90000-0x0000000002E1E000-memory.dmp
- behavioral1/memory/2052-27-0x0000000001D90000-0x0000000002E1E000-memory.dmp
- behavioral1/memory/2052-24-0x0000000001D90000-0x0000000002E1E000-memory.dmp
- behavioral1/memory/2052-7-0x0000000001D90000-0x0000000002E1E000-memory.dmp
- behavioral1/memory/2052-5-0x0000000001D90000-0x0000000002E1E000-memory.dmp
- behavioral1/memory/2052-31-0x0000000024010000-0x0000000024072000-memory.dmp
- behavioral1/files/0x00350000000141aa-586.dat
- behavioral1/memory/1816-632-0x0000000000400000-0x000000000046A000-memory.dmp
- behavioral1/memory/2052-939-0x0000000001D90000-0x0000000002E1E000-memory.dmp
- behavioral1/memory/2052-935-0x0000000000400000-0x000000000046A000-memory.dmp
- behavioral1/memory/2940-960-0x0000000000400000-0x000000000046A000-memory.dmp
- behavioral1/memory/2940-1002-0x0000000000400000-0x000000000046A000-memory.dmp
Windows security modification
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: server.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: server.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: server.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (process: server.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" (process: server.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" (process: server.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" (process: server.exe)
Adds Run key to start application 2 TTPs 1 IoCs
- Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\HKCU = "C:\\Windows\\system32\\spynet\\server.exe" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
Checks whether UAC is enabled
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: server.exe)
Drops file in System32 directory 4 IoCs
- File created C:\Windows\SysWOW64\spynet\server.exe (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\spynet\server.exe (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\spynet\server.exe (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- File opened for modification C:\Windows\SysWOW64\spynet\ (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)

Drops file in Windows directory 1 IoCs
- File opened for modification C:\Windows\SYSTEM.INI (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 2 IoCs
- pid 2052: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe
- pid 2052: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
- pid 1816: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 2052, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 1816, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Token: SeDebugPrivilege (pid 1816, process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)

Suspicious use of FindShellTrayWindow 1 IoCs
- pid 2052: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 64 IoCs
(every entry below has pid 2052 and process 22734185ef6b7e63867812097af90491_JaffaCakes118.exe as the writer)
- PID 2052 wrote to memory of 1112 (procid_target 19)
- PID 2052 wrote to memory of 1172 (procid_target 20)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1760 (procid_target 23)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
- PID 2052 wrote to memory of 1212 (procid_target 21)
System policy modification 1 TTPs 2 IoCs
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 22734185ef6b7e63867812097af90491_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: server.exe)
Processes
- C:\Windows\system32\taskhost.exe
  command line: "taskhost.exe"
  PID: 1112
- C:\Windows\system32\Dwm.exe
  command line: "C:\Windows\system32\Dwm.exe"
  PID: 1172
- C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 1212
  - C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe"
    PID: 2052
    signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Adds policy Run key to start application
    - Loads dropped DLL
    - Windows security modification
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\explorer.exe
      command line: explorer.exe
      PID: 1032
    - C:\Program Files\Internet Explorer\iexplore.exe
      command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 1744
    - C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\22734185ef6b7e63867812097af90491_JaffaCakes118.exe"
      PID: 1816
      signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\spynet\server.exe
        command line: "C:\Windows\system32\spynet\server.exe"
        PID: 2940
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - System policy modification
- C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 1760
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (2)
  - Create or Modify System Process (1)
    - Windows Service (1)
- Privilege Escalation
  - Abuse Elevation Control Mechanism (1)
    - Bypass User Account Control (1)
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (2)
  - Create or Modify System Process (1)
    - Windows Service (1)
Downloads