Analysis
max time kernel: 94s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-07-2024 15:40
Static task: static1
Behavioral task: behavioral1
Sample: 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Size: 188KB
MD5: 22e3ba427f72b889c04192665811db26
SHA1: dfc3194e1ee99a8709f8a1cecec9859362e38aaa
SHA256: 06a7e14ac643090406c115d729ebf9a6749b195eab695f61077f52a6db5b469e
SHA512: fa64ab9f4c19bdfd6eaa91539a1f3a20a7aa30e50e7745b11263c144fb02203f6fac59d8b60b451300ffa0823dc424f63e4dce4ec7c424bc1817e9424c2233f2
SSDEEP: 3072:p3s1aEReBKD2SEKPWUDF7Wq6vYcOhbXmgHxguyQDwB/jVmqD+dXipNtzY8Bp0LPI:NsFOBUDF7CgcabXBh3DC/aipNta7xE5L
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Aqzzzz.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | Aqzzzz.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | Aqzzzz.exe
UAC bypass 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Aqzzzz.exe
Windows security bypass 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Aqzzzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Aqzzzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Aqzzzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Aqzzzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Aqzzzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Aqzzzz.exe
Executes dropped EXE 2 IoCs
pid | Process
5100 | Aqzzzz.exe
1676 | Aqzzzz.exe
resource | yara_rule
behavioral2/memory/4804-1-0x0000000002240000-0x00000000032CE000-memory.dmp | upx
behavioral2/memory/4804-3-0x0000000002240000-0x00000000032CE000-memory.dmp | upx
behavioral2/memory/4804-6-0x0000000002240000-0x00000000032CE000-memory.dmp | upx
behavioral2/memory/4804-13-0x0000000002240000-0x00000000032CE000-memory.dmp | upx
behavioral2/memory/4804-10-0x0000000002240000-0x00000000032CE000-memory.dmp | upx
behavioral2/memory/4804-7-0x0000000002240000-0x00000000032CE000-memory.dmp | upx
behavioral2/memory/4804-4-0x0000000002240000-0x00000000032CE000-memory.dmp | upx
behavioral2/memory/4804-5-0x0000000002240000-0x00000000032CE000-memory.dmp | upx
behavioral2/memory/4804-23-0x0000000002240000-0x00000000032CE000-memory.dmp | upx
behavioral2/memory/5100-44-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
behavioral2/memory/5100-43-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
behavioral2/memory/5100-46-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
behavioral2/memory/5100-47-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
behavioral2/memory/5100-62-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
behavioral2/memory/5100-45-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
behavioral2/memory/5100-42-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
behavioral2/memory/5100-41-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
behavioral2/memory/5100-40-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
behavioral2/memory/5100-37-0x00000000021B0000-0x000000000323E000-memory.dmp | upx
Windows security modification 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Aqzzzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Aqzzzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Aqzzzz.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | Aqzzzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Aqzzzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Aqzzzz.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Aqzzzz.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Aqzzzz = "C:\\Users\\Admin\\AppData\\Roaming\\Aqzzzz.exe" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Checks whether UAC is enabled 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Aqzzzz.exe
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 4804 set thread context of 3528 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 81
PID 5100 set thread context of 1676 | 5100 | Aqzzzz.exe | 83
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Modifies Internet Explorer settings 15 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{AA4274EA-3952-11EF-BCA5-527CD1CC5F27} = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "426183146" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | IEXPLORE.EXE
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
3528 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
3528 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
5100 | Aqzzzz.exe
5100 | Aqzzzz.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
(this identical row is repeated 64 times in the report)
Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1744 | IEXPLORE.EXE
Suspicious use of SetWindowsHookEx 6 IoCs
pid | Process
1744 | IEXPLORE.EXE
1744 | IEXPLORE.EXE
636 | IEXPLORE.EXE
636 | IEXPLORE.EXE
636 | IEXPLORE.EXE
636 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 59 IoCs
description | pid | Process | procid_target
PID 4804 wrote to memory of 800 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 9
PID 4804 wrote to memory of 804 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 10
PID 4804 wrote to memory of 380 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 13
PID 4804 wrote to memory of 2548 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 42
PID 4804 wrote to memory of 2580 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 43
PID 4804 wrote to memory of 2680 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 46
PID 4804 wrote to memory of 3540 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 56
PID 4804 wrote to memory of 3676 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 57
PID 4804 wrote to memory of 3848 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 58
PID 4804 wrote to memory of 3944 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 59
PID 4804 wrote to memory of 4012 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 60
PID 4804 wrote to memory of 660 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 61
PID 4804 wrote to memory of 4072 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 62
PID 4804 wrote to memory of 2152 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 64
PID 4804 wrote to memory of 4604 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 75
PID 4804 wrote to memory of 3528 | 4804 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 81 (row repeated 8 times)
PID 3528 wrote to memory of 5100 | 3528 | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe | 82 (row repeated 3 times)
PID 5100 wrote to memory of 800 | 5100 | Aqzzzz.exe | 9
PID 5100 wrote to memory of 804 | 5100 | Aqzzzz.exe | 10
PID 5100 wrote to memory of 380 | 5100 | Aqzzzz.exe | 13
PID 5100 wrote to memory of 2548 | 5100 | Aqzzzz.exe | 42
PID 5100 wrote to memory of 2580 | 5100 | Aqzzzz.exe | 43
PID 5100 wrote to memory of 2680 | 5100 | Aqzzzz.exe | 46
PID 5100 wrote to memory of 3540 | 5100 | Aqzzzz.exe | 56
PID 5100 wrote to memory of 3676 | 5100 | Aqzzzz.exe | 57
PID 5100 wrote to memory of 3848 | 5100 | Aqzzzz.exe | 58
PID 5100 wrote to memory of 3944 | 5100 | Aqzzzz.exe | 59
PID 5100 wrote to memory of 4012 | 5100 | Aqzzzz.exe | 60
PID 5100 wrote to memory of 660 | 5100 | Aqzzzz.exe | 61
PID 5100 wrote to memory of 4072 | 5100 | Aqzzzz.exe | 62
PID 5100 wrote to memory of 2152 | 5100 | Aqzzzz.exe | 64
PID 5100 wrote to memory of 4604 | 5100 | Aqzzzz.exe | 75
PID 5100 wrote to memory of 1676 | 5100 | Aqzzzz.exe | 83 (row repeated 8 times)
PID 1676 wrote to memory of 1624 | 1676 | Aqzzzz.exe | 84 (row repeated 3 times)
PID 1624 wrote to memory of 1744 | 1624 | iexplore.exe | 85 (row repeated 2 times)
PID 1744 wrote to memory of 636 | 1744 | IEXPLORE.EXE | 86 (row repeated 3 times)
PID 1676 wrote to memory of 636 | 1676 | Aqzzzz.exe | 86 (row repeated 2 times)
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 22e3ba427f72b889c04192665811db26_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Aqzzzz.exe
Processes
- C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID:800
- C:\Windows\system32\fontdrvhost.exe  cmd: "fontdrvhost.exe"  PID:804
- C:\Windows\system32\dwm.exe  cmd: "dwm.exe"  PID:380
- C:\Windows\system32\sihost.exe  cmd: sihost.exe  PID:2548
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2580
- C:\Windows\system32\taskhostw.exe  cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2680
- C:\Windows\Explorer.EXE  cmd: C:\Windows\Explorer.EXE  PID:3540
  - C:\Users\Admin\AppData\Local\Temp\22e3ba427f72b889c04192665811db26_JaffaCakes118.exe  cmd: "C:\Users\Admin\AppData\Local\Temp\22e3ba427f72b889c04192665811db26_JaffaCakes118.exe"  PID:4804
    signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Windows security modification; Checks whether UAC is enabled; Suspicious use of SetThreadContext; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\22e3ba427f72b889c04192665811db26_JaffaCakes118.exe  cmd: C:\Users\Admin\AppData\Local\Temp\22e3ba427f72b889c04192665811db26_JaffaCakes118.exe  PID:3528
      signatures: Adds Run key to start application; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Aqzzzz.exe  cmd: "C:\Users\Admin\AppData\Roaming\Aqzzzz.exe"  PID:5100
        signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
        - C:\Users\Admin\AppData\Roaming\Aqzzzz.exe  cmd: C:\Users\Admin\AppData\Roaming\Aqzzzz.exe  PID:1676
          signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
          - C:\Program Files (x86)\Internet Explorer\iexplore.exe  cmd: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"  PID:1624
            signatures: Suspicious use of WriteProcessMemory
            - C:\Program Files\Internet Explorer\IEXPLORE.EXE  cmd: "C:\Program Files\Internet Explorer\IEXPLORE.EXE"  PID:1744
              signatures: Modifies Internet Explorer settings; Suspicious use of FindShellTrayWindow; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
              - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  cmd: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1744 CREDAT:17410 /prefetch:2  PID:636
                signatures: Modifies Internet Explorer settings; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe  cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3676
- C:\Windows\system32\DllHost.exe  cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3848
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3944
- C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4012
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:660
- C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4072
- C:\Windows\System32\RuntimeBroker.exe  cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:2152
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:4604
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1): Windows Service (1)
Downloads
Filesize: 188KB
MD5: 22e3ba427f72b889c04192665811db26
SHA1: dfc3194e1ee99a8709f8a1cecec9859362e38aaa
SHA256: 06a7e14ac643090406c115d729ebf9a6749b195eab695f61077f52a6db5b469e
SHA512: fa64ab9f4c19bdfd6eaa91539a1f3a20a7aa30e50e7745b11263c144fb02203f6fac59d8b60b451300ffa0823dc424f63e4dce4ec7c424bc1817e9424c2233f2

Filesize: 257B
MD5: d4b7d3741fa803ea351a0956f8ba0e5b
SHA1: 261ae3421caa15b2b2397481e1aff4fe49ae7397
SHA256: 23f85275856f56de3361a1684e100fe6fa5f04a32a042efdd47c1dbbc4090ed0
SHA512: cc224fa9de469e6806ea2fd428e1874b7fe901028878049c40861a2b0dc007fdeb78820a2fcbfe583f211a5edcc5833234cc3d135e93fd3924c6322939016b66