Malware Analysis Report

2025-01-03 08:21

Sample ID 240706-fygl6awfjr
Target 275e4fb802670ac45647885f0cff516b_JaffaCakes118
SHA256 720c224ea9fa4ba58d5d35dbe67fc6f3e2e084361a926fcca92e41bdc04760af
Tags
metasploit backdoor evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

720c224ea9fa4ba58d5d35dbe67fc6f3e2e084361a926fcca92e41bdc04760af

Threat Level: Known bad

The file 275e4fb802670ac45647885f0cff516b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

metasploit backdoor evasion persistence privilege_escalation trojan

Modifies firewall policy service

MetaSploit

Windows security bypass

Modifies Windows Firewall

Executes dropped EXE

Windows security modification

Deletes itself

Drops file in System32 directory

Drops file in Windows directory

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-06 05:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-06 05:16

Reported

2024-07-06 05:19

Platform

win7-20240704-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\Fonts\unwise_.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" C:\Windows\Fonts\unwise_.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\Fonts\unwise_.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\Fonts\unwise_.exe N/A
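The two tables above record the registry writes that matter most for triage: unwise_.exe turns the firewall off for both profiles, switches off "Don't allow exceptions" so its own netsh allow rules will be honoured, and sets the Security Center override/notify flags so neither the missing firewall nor the missing antivirus is reported to the user. The following is an added example, not part of the sandbox's output or tooling: a small parser for rows in this report's "Description Indicator Process Target" layout that pulls out the defence-impairing writes and labels them. The row regexes assume the layout shown on this page (value name as the last path component, data in double quotes, process path without spaces); the rule table and the ATT&CK mapping are mine, and the sample rows are copied from the tables above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Rows copied verbatim from the behavioral1 "Modifies firewall policy service"
# and "Windows security bypass" tables of this report (not constructed).
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\Fonts\unwise_.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" C:\Windows\Fonts\unwise_.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\Fonts\unwise_.exe N/A
""".strip().splitlines()

# Row layout assumed from this report: value name is the last path component,
# data is double-quoted, process path contains no spaces.
SET_VALUE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>[^"]*)" (?P<proc>\S+) (?P<target>\S+)$')
KEY_CREATED = re.compile(r'^Key created (?P<path>.+) (?P<proc>\S+) (?P<target>\S+)$')

# value name (lower case) -> (data that impairs the defence, description, ATT&CK sub-technique)
FIREWALL_RULES = {
    "enablefirewall": ("0", "Windows Firewall turned off", "T1562.004"),
    "donotallowexceptions": ("0", "'Don't allow exceptions' turned off, so allow rules take effect", "T1562.004"),
    "disablenotifications": ("1", "firewall blocked-program notifications suppressed", "T1562.004"),
}
SECURITY_CENTER_RULES = {
    "antivirusdisablenotify": ("1", "Security Center antivirus alerts suppressed", "T1562.001"),
    "antivirusoverride": ("1", "Security Center told antivirus is handled by another product", "T1562.001"),
    "firewalldisablenotify": ("1", "Security Center firewall alerts suppressed", "T1562.001"),
    "firewalloverride": ("1", "Security Center told the firewall is handled by another product", "T1562.001"),
}


@dataclass(frozen=True)
class Finding:
    process: str
    scope: str        # DomainProfile, StandardProfile, PublicProfile or Security Center
    value: str
    description: str
    technique: str


def parse_row(line: str) -> Optional[dict]:
    """Parse one indicator row into a registry event, or None for non-registry rows."""
    m = SET_VALUE.match(line)
    if m:
        return {"op": "set", **m.groupdict()}
    m = KEY_CREATED.match(line)
    if m:
        return {"op": "create", "data": None, **m.groupdict()}
    return None  # file, token, memory and all-N/A rows are not registry events


def _scope(key: str) -> Optional[str]:
    k = key.lower() + "\\"
    if "\\security center\\" in k:
        return "Security Center"
    for profile in ("DomainProfile", "StandardProfile", "PublicProfile"):
        if "\\firewallpolicy\\" + profile.lower() + "\\" in k:
            return profile
    return None


def classify(rows: Iterable[str]) -> list:
    """Return a Finding for every 'Set value' row that weakens the firewall or Security Center."""
    findings = []
    for line in rows:
        ev = parse_row(line)
        if ev is None or ev["op"] != "set":
            continue
        key, _, name = ev["path"].rpartition("\\")
        scope = _scope(key)
        if scope is None:
            continue
        rules = SECURITY_CENTER_RULES if scope == "Security Center" else FIREWALL_RULES
        rule = rules.get(name.lower())
        if rule and ev["data"] == rule[0]:
            findings.append(Finding(ev["proc"], scope, name, rule[1], rule[2]))
    return findings


if __name__ == "__main__":
    for f in classify(SAMPLE_ROWS):
        print(f"{f.technique} {f.scope:16} {f.value:24} {f.description}  <- {f.process}")
```

The classifier only fires when the written data is the weakening value, so a row that sets EnableFirewall back to "1" is not reported; the same rule table can be pointed at Sysmon event 13 (RegistryEvent, value set) data on a live host, since the path and data fields carry the same information.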

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\unwise_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\unwise_.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\Fonts\unwise_.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\Fonts\unwise_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\unwise_.exe C:\Users\Admin\AppData\Local\Temp\275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Fonts\unwise_.exe C:\Users\Admin\AppData\Local\Temp\275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Fonts\unwise_.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\Fonts\unwise_.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server = "65534" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer = "65534" C:\Windows\Fonts\unwise_.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Fonts\unwise_.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Fonts\unwise_.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Fonts\unwise_.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\SysWOW64\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\Fonts\unwise_.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies." C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0" C:\Windows\SysWOW64\netsh.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\Fonts\unwise_.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation" C:\Windows\SysWOW64\netsh.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe N/A
Token: 33 N/A C:\Windows\Fonts\unwise_.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Fonts\unwise_.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Fonts\unwise_.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Fonts\unwise_.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Fonts\unwise_.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Fonts\unwise_.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Fonts\unwise_.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Fonts\unwise_.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Fonts\unwise_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1908 wrote to memory of 2104 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2104 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2104 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2104 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2652 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2652 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2652 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2652 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2784 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2784 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2784 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2784 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2700 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2700 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2700 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2700 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2776 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2776 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2776 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2776 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2136 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2136 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2136 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2136 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2788 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2788 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2788 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 1908 wrote to memory of 2788 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe"

C:\Windows\Fonts\unwise_.exe

"C:\Windows\Fonts\unwise_.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 445 NB

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 139 NB

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 1013 BS

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 9999 PORT1

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 9991 PORT2

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Windows\Fonts\unwise_.exe" workstation ENABLE ALL

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set allowedprogram "C:\Windows\Fonts\unwise_.exe" workstation ENABLE ALL
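The seven netsh invocations above use the legacy "netsh firewall" context (the one that predates "netsh advfirewall") to open TCP 445, 139, 1013, 9999 and 9991 inbound and to allow unwise_.exe through the firewall under the innocuous rule name "workstation". Note that the command lines name System32\netsh.exe while the process table records SysWOW64\netsh.exe: unwise_.exe is a 32-bit process (its registry writes land under Wow6432Node), so the WOW64 file system redirector silently substitutes the 32-bit netsh. The block below is an added example, not code from the sandbox or from the sample: it parses legacy "netsh firewall" command lines, accepting both the positional form seen here and the key=value form the same context also accepts, and lists the ports and programs that end up exposed. The positional argument order is taken from the built-in netsh help for these two commands; the sample command lines are copied from the Processes section above.

```python
import ntpath
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Command lines copied verbatim from the behavioral1 Processes section of this report.
SAMPLE_COMMANDS = [
    r'"C:\Windows\System32\netsh.exe" firewall set portopening TCP 445 NB',
    r'"C:\Windows\System32\netsh.exe" firewall set portopening TCP 139 NB',
    r'"C:\Windows\System32\netsh.exe" firewall set portopening TCP 1013 BS',
    r'"C:\Windows\System32\netsh.exe" firewall set portopening TCP 9999 PORT1',
    r'"C:\Windows\System32\netsh.exe" firewall set portopening TCP 9991 PORT2',
    r'"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Windows\Fonts\unwise_.exe" workstation ENABLE ALL',
    r'"C:\Windows\System32\netsh.exe" firewall set allowedprogram "C:\Windows\Fonts\unwise_.exe" workstation ENABLE ALL',
]

# Positional argument order of the legacy "netsh firewall" commands; the same
# arguments may also be given as key=value in any order.
PORTOPENING_FIELDS = ("protocol", "port", "name", "mode", "scope", "addresses", "profile")
ALLOWEDPROGRAM_FIELDS = ("program", "name", "mode", "scope", "addresses", "profile")


@dataclass(frozen=True)
class FirewallChange:
    action: str              # e.g. "set portopening", "add allowedprogram"
    protocol: Optional[str]  # TCP / UDP / ALL for portopening, else None
    port: Optional[int]
    program: Optional[str]   # full path for allowedprogram, else None
    name: str                # display name of the rule
    mode: str                # ENABLE (default) or DISABLE
    scope: str               # ALL (default), SUBNET or CUSTOM


def _fields(tokens: List[str], order) -> dict:
    """Map netsh arguments (positional or key=value) onto named fields."""
    out, pos = {}, 0
    for tok in tokens:
        if "=" in tok:
            key, _, val = tok.partition("=")
            out[key.lower()] = val
        else:
            if pos >= len(order):
                raise ValueError(f"unexpected argument {tok!r}")
            out[order[pos]] = tok
            pos += 1
    return out


def parse_netsh(cmdline: str) -> Optional[FirewallChange]:
    """Return the change a legacy 'netsh firewall' command line makes, or None if it is not one."""
    # posix=False keeps Windows backslashes intact; quotes stay on the token and are stripped here.
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if len(toks) < 4 or ntpath.basename(toks[0]).lower() != "netsh.exe":
        return None
    if toks[1].lower() != "firewall":
        return None  # advfirewall, interface, ... are out of scope for this parser
    verb, obj, args = toks[2].lower(), toks[3].lower(), toks[4:]
    if verb not in ("add", "set"):
        return None
    if obj == "portopening":
        f = _fields(args, PORTOPENING_FIELDS)
        return FirewallChange(f"{verb} {obj}", f["protocol"].upper(), int(f["port"]), None,
                              f.get("name", ""), f.get("mode", "ENABLE").upper(),
                              f.get("scope", "ALL").upper())
    if obj == "allowedprogram":
        f = _fields(args, ALLOWEDPROGRAM_FIELDS)
        return FirewallChange(f"{verb} {obj}", None, None, f["program"],
                              f.get("name", ""), f.get("mode", "ENABLE").upper(),
                              f.get("scope", "ALL").upper())
    return None


def exposed_ports(changes) -> list:
    """Sorted (protocol, port) pairs opened inbound by ENABLE-mode portopening commands."""
    return sorted({(c.protocol, c.port) for c in changes if c and c.port and c.mode == "ENABLE"})


def allowed_programs(changes) -> list:
    """Sorted program paths granted an inbound exception."""
    return sorted({c.program for c in changes if c and c.program and c.mode == "ENABLE"})


if __name__ == "__main__":
    parsed = [parse_netsh(c) for c in SAMPLE_COMMANDS]
    print("ports opened:", exposed_ports(parsed))
    print("programs allowed:", allowed_programs(parsed))
```

TCP 445 and 139 being opened inbound is the detail worth a second look: together with the SeBackupPrivilege and SeSecurityPrivilege adjustments reported above it suggests the backdoor expects to be reached over SMB as well as on its own ports, so a host that has run this sample should be treated as reachable on all five ports until the firewall policy is restored from a known-good baseline.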

Network

Country Destination Domain Proto
US 8.8.8.8:53 cx10man.weedns.com udp
US 8.8.8.8:53 fx010413.whyI.org udp
US 8.8.8.8:53 gynoman.weedns.com udp
US 8.8.8.8:53 g.0x20.biz udp
US 104.251.223.162:3305 g.0x20.biz tcp
US 8.8.8.8:53 c010x1.co.cc udp
KR 175.126.123.219:3305 c010x1.co.cc tcp
US 8.8.8.8:53 commgr.co.cc udp
KR 175.126.123.219:3305 commgr.co.cc tcp
US 8.8.8.8:53 telephone.dd.blueline.be udp
US 8.8.8.8:53 phonewire.dd.blueline.be udp
US 8.8.8.8:53 phonelogin.dd.blueline.be udp
US 8.8.8.8:53 ufospace.etowns.net udp
LT 93.115.28.104:3305 ufospace.etowns.net tcp
US 8.8.8.8:53 theforums.bbsindex.com udp
US 3.94.41.167:3305 theforums.bbsindex.com tcp
US 8.8.8.8:53 cx10man.weedns.com udp
US 8.8.8.8:53 fx010413.whyI.org udp
US 8.8.8.8:53 gynoman.weedns.com udp
US 8.8.8.8:53 g.0x20.biz udp
US 104.251.223.162:3308 g.0x20.biz tcp
US 8.8.8.8:53 c010x1.co.cc udp
KR 175.126.123.219:3308 c010x1.co.cc tcp
US 8.8.8.8:53 commgr.co.cc udp
KR 175.126.123.219:3308 commgr.co.cc tcp
US 8.8.8.8:53 telephone.dd.blueline.be udp
US 8.8.8.8:53 phonewire.dd.blueline.be udp
US 8.8.8.8:53 phonelogin.dd.blueline.be udp
US 8.8.8.8:53 ufospace.etowns.net udp
LT 93.115.28.104:3308 ufospace.etowns.net tcp
US 8.8.8.8:53 theforums.bbsindex.com udp
US 34.205.242.146:3308 theforums.bbsindex.com tcp
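The network table interleaves the DNS lookups (all to 8.8.8.8:53 over UDP) with the TCP connections that followed them, and shows two passes over the same hard-coded domain list, first on port 3305 and then on port 3308. Several names are only ever looked up and never connected to, which is what stale or sinkholed dynamic-DNS names look like from inside a sandbox. The block below is an added example, not sandbox output, that parses rows in this table's layout, separates the resolved-and-contacted domains from the lookup-only ones, groups domains by the address they resolved to, and emits a flat ip:port list. The row regex assumes the five-column layout shown above; the sample rows are copied from the table.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List

# Rows copied verbatim from the behavioral1 Network table of this report.
SAMPLE_NETWORK = """
US 8.8.8.8:53 cx10man.weedns.com udp
US 8.8.8.8:53 fx010413.whyI.org udp
US 8.8.8.8:53 gynoman.weedns.com udp
US 8.8.8.8:53 g.0x20.biz udp
US 104.251.223.162:3305 g.0x20.biz tcp
US 8.8.8.8:53 c010x1.co.cc udp
KR 175.126.123.219:3305 c010x1.co.cc tcp
US 8.8.8.8:53 commgr.co.cc udp
KR 175.126.123.219:3305 commgr.co.cc tcp
US 8.8.8.8:53 telephone.dd.blueline.be udp
US 8.8.8.8:53 phonewire.dd.blueline.be udp
US 8.8.8.8:53 phonelogin.dd.blueline.be udp
US 8.8.8.8:53 ufospace.etowns.net udp
LT 93.115.28.104:3305 ufospace.etowns.net tcp
US 8.8.8.8:53 theforums.bbsindex.com udp
US 3.94.41.167:3305 theforums.bbsindex.com tcp
US 104.251.223.162:3308 g.0x20.biz tcp
KR 175.126.123.219:3308 c010x1.co.cc tcp
KR 175.126.123.219:3308 commgr.co.cc tcp
LT 93.115.28.104:3308 ufospace.etowns.net tcp
US 34.205.242.146:3308 theforums.bbsindex.com tcp
""".strip().splitlines()

# Layout assumed from this report: country, ip:port, domain, protocol.
ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) (?P<domain>\S+) (?P<proto>tcp|udp)$")


@dataclass(frozen=True)
class NetEvent:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_network(rows: Iterable[str]) -> List[NetEvent]:
    """Parse network-table rows; lines that do not fit the layout are skipped."""
    events = []
    for line in rows:
        m = ROW.match(line.strip())
        if m:
            events.append(NetEvent(m["cc"], m["ip"], int(m["port"]), m["domain"].lower(), m["proto"]))
    return events


def summarize(events: List[NetEvent]) -> dict:
    """Separate DNS lookups from the TCP connections that followed them."""
    dns = [e for e in events if e.proto == "udp" and e.port == 53]
    looked_up = {e.domain for e in dns}
    contacted, by_ip = defaultdict(set), defaultdict(set)
    for e in events:
        if e.proto == "tcp":
            contacted[e.domain].add((e.ip, e.port))
            by_ip[e.ip].add(e.domain)
    return {
        "dns_servers": sorted({e.ip for e in dns}),
        # looked up but never connected to: likely dead or sinkholed names
        "dns_only": sorted(looked_up - set(contacted)),
        "contacted": {d: sorted(v) for d, v in sorted(contacted.items())},
        "by_ip": {ip: sorted(v) for ip, v in sorted(by_ip.items())},
        "c2_ports": sorted({p for v in contacted.values() for _, p in v}),
    }


def iocs(summary: dict) -> List[str]:
    """Flat 'ip:port domain' lines, one per observed C2 endpoint, for a blocklist."""
    return [f"{ip}:{port} {d}" for d, eps in summary["contacted"].items() for ip, port in eps]


if __name__ == "__main__":
    s = summarize(parse_network(SAMPLE_NETWORK))
    print("C2 ports:", s["c2_ports"])
    print("lookup-only names:", ", ".join(s["dns_only"]))
    print("\n".join(iocs(s)))
```

Two points the grouping makes visible: c010x1.co.cc and commgr.co.cc resolve to the same host (175.126.123.219), and theforums.bbsindex.com resolved to a different address on the second pass, so a blocklist built from this report should carry the domain names as well as the addresses, and the detection that generalises best is "outbound TCP to 3305 or 3308 from a process in C:\Windows\Fonts".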

Files

memory/1316-1-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/1316-0-0x0000000000400000-0x00000000008E6000-memory.dmp

C:\Windows\Fonts\unwise_.exe

MD5 275e4fb802670ac45647885f0cff516b
SHA1 6a787ff47b390bd869ec3705941ec099d5e128ed
SHA256 720c224ea9fa4ba58d5d35dbe67fc6f3e2e084361a926fcca92e41bdc04760af
SHA512 e0e6448243cda05e0a4a1d868f29a0d7947bd8945dc88ac5aa9f8645f31b8b9374af59318fa6cca76ab7cc07d4cf5ba0101e98a15aebfdcbfb7863143a077e7c

memory/1908-5-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/1908-7-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/1316-8-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/1908-9-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/1908-11-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/1908-12-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/1908-15-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/1908-18-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/1908-20-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/1908-21-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/1908-23-0x0000000000400000-0x00000000008E6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-06 05:16

Reported

2024-07-06 05:19

Platform

win10v2004-20240704-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe"

Signatures

MetaSploit

trojan backdoor metasploit

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Windows\Fonts\unwise_.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall = "0" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions = "0" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications = "1" C:\Windows\Fonts\unwise_.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Windows\Fonts\unwise_.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\Fonts\unwise_.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\unwise_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\unwise_.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\Fonts\unwise_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\unwise_.exe C:\Users\Admin\AppData\Local\Temp\275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Fonts\unwise_.exe C:\Users\Admin\AppData\Local\Temp\275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\Fonts\unwise_.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPer1_0Server = "65534" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer = "65534" C:\Windows\Fonts\unwise_.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\Fonts\unwise_.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Fonts\unwise_.exe N/A
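The four Security Center values in the two tables above are one set of overrides reported twice: a value of 1 in AntiVirusOverride, FirewallOverride and the two DisableNotify values tells Security Center that protection is managed elsewhere and silences the missing-antivirus and missing-firewall warnings. The Netsh Helper DLL signature, by contrast, records only reads (Key opened, Key queried, Key value enumerated) of HKLM\SOFTWARE\WOW6432Node\Microsoft\NetSh, all by netsh.exe, which loads its helper DLLs from that key at every start; nothing in the report writes a value there, so on this evidence the signature is a side effect of the firewall commands rather than a registered helper. The Python below is an added example, not part of the report or of any sandbox vendor's code: it parses rows in the report's own row layout and separates writes that change security posture from read-only noise. The rows are copied from the tables above except one marked CONSTRUCTED, which shows what a genuine helper-DLL registration would look like; the categories, the 16-connection threshold and the ATT&CK mapping (T1562.001, T1546.007) are my additions.

```python
"""Classify registry events from a sandbox report into defence-evasion findings.

Added example; not part of the report or of any sandbox vendor's code. The
rows in SAMPLE_ROWS are copied from the report's registry signature tables
except where marked CONSTRUCTED. The rule set and ATT&CK mapping are mine.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Windows\Fonts\unwise_.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Windows\Fonts\unwise_.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Windows\Fonts\unwise_.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Windows\Fonts\unwise_.exe N/A',
    r'Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A',
    r'Key value enumerated \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh C:\Windows\SysWOW64\netsh.exe N/A',
    r'Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\Fonts\unwise_.exe N/A',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MaxConnectionsPerServer = "65534" C:\Windows\Fonts\unwise_.exe N/A',
    r'Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\Fonts\unwise_.exe N/A',
    # CONSTRUCTED, not observed in the report: a value written under the NetSh
    # key is what real helper-DLL persistence would produce.
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh\helper = "C:\Users\Public\helper.dll" C:\Windows\Fonts\unwise_.exe N/A',
]

# Row layout used by the report: <operation> <key path>[ = "<value>"] <process> <target>
ROW_RE = re.compile(
    r'^(?P<op>Set value \(\w+\)|Key queried|Key opened|Key value enumerated|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.*?)'
    r'(?:\s+=\s+"(?P<value>[^"]*)")?'
    r'\s+(?P<process>[A-Za-z]:\\\S+)\s+(?P<target>\S+)$'
)

WRITE_OPS = ("Set value", "Key created")
SECURITY_CENTER_OVERRIDES = {
    "AntiVirusDisableNotify", "AntiVirusOverride",
    "FirewallDisableNotify", "FirewallOverride",
}
NETSH_KEY_RE = re.compile(r"\\microsoft\\netsh(?:\\|$)")
WININET_LIMITS = {"MaxConnectionsPerServer", "MaxConnectionsPer1_0Server"}


@dataclass
class RegEvent:
    op: str
    path: str
    value: Optional[str]
    process: str


@dataclass
class Finding:
    category: str
    severity: str            # high / low / info
    technique: Optional[str]  # ATT&CK sub-technique, my mapping
    event: RegEvent


def parse_row(row: str) -> Optional[RegEvent]:
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    return RegEvent(m["op"], m["path"], m["value"], m["process"])


def classify(ev: RegEvent) -> Optional[Finding]:
    is_write = ev.op.startswith(WRITE_OPS)
    lower = ev.path.lower()
    leaf = ev.path.rstrip("\\").rsplit("\\", 1)[-1]
    # Security Center overrides: "1" claims AV/firewall state is handled
    # elsewhere and suppresses the missing-protection warnings.
    if (is_write and "\\microsoft\\security center\\" in lower
            and leaf in SECURITY_CENTER_OVERRIDES and ev.value == "1"):
        return Finding("security_center_override", "high", "T1562.001", ev)
    # netsh.exe reads HKLM\SOFTWARE\Microsoft\NetSh at every start to find its
    # helper DLLs; only a WRITE there registers a new helper (persistence).
    if NETSH_KEY_RE.search(lower):
        if is_write:
            return Finding("netsh_helper_dll_registration", "high", "T1546.007", ev)
        return Finding("netsh_helper_list_read", "info", None, ev)
    # WinINet per-server connection cap raised far above its default (threshold is mine).
    if is_write and leaf in WININET_LIMITS and ev.value and ev.value.isdigit() and int(ev.value) > 16:
        return Finding("wininet_connection_limit_raised", "low", None, ev)
    return None


def analyze(rows):
    findings = []
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            continue
        f = classify(ev)
        if f is not None:
            findings.append(f)
    return findings


def summarize(findings):
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    found = analyze(SAMPLE_ROWS)
    for f in found:
        print(f"{f.severity:5} {f.category:32} {f.technique or '-':10} {f.event.path}")
    print(summarize(found))
```

Run against the tables above, the only high-severity findings are the four Security Center writes; every NetSh row comes out as read-only noise, and the one high-severity NetSh finding is the constructed write, which is the event to look for before treating the helper-DLL signature as persistence.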

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe N/A
Token: 33 N/A C:\Windows\Fonts\unwise_.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Fonts\unwise_.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Fonts\unwise_.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Fonts\unwise_.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Fonts\unwise_.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Fonts\unwise_.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Fonts\unwise_.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Fonts\unwise_.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Fonts\unwise_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4980 wrote to memory of 2240 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 2240 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 2240 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 376 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 376 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 376 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 3380 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 3380 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 3380 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 4108 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 4108 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 4108 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 3256 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 3256 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 3256 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 4132 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 4132 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 4132 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 1140 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 1140 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe
PID 4980 wrote to memory of 1140 N/A C:\Windows\Fonts\unwise_.exe C:\Windows\SysWOW64\netsh.exe

Processes

C:\Users\Admin\AppData\Local\Temp\275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\275e4fb802670ac45647885f0cff516b_JaffaCakes118.exe"

C:\Windows\Fonts\unwise_.exe

"C:\Windows\Fonts\unwise_.exe"

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 445 NB

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 139 NB

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 1013 BS

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 9999 PORT1

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set portopening TCP 9991 PORT2

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Windows\Fonts\unwise_.exe" workstation ENABLE ALL

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\System32\netsh.exe" firewall set allowedprogram "C:\Windows\Fonts\unwise_.exe" workstation ENABLE ALL
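The seven netsh invocations use the deprecated netsh firewall context, which netsh.exe still accepts: five set portopening calls open inbound TCP 445 and 139 (SMB and NetBIOS session, both named NB) plus TCP 1013, 9999 and 9991, and the add/set allowedprogram pair exempts the dropped C:\Windows\Fonts\unwise_.exe for all connections (scope ALL). The process image is C:\Windows\SysWOW64\netsh.exe while the command line names System32: the 32-bit dropper reaches netsh through WOW64 file-system redirection, so a command-line hunt should not require the SysWOW64 path. The Python below is an added example and not part of the report: it decodes the legacy positional syntax (protocol, port, name, mode, scope, addresses, profile for portopening; program, name, mode, scope, addresses, profile for allowedprogram) and turns each call into a finding. The command lines are copied from the process list above except the last, which is constructed as a benign control; the categories, severities and the T1562.004 mapping are mine.

```python
"""Decode legacy "netsh firewall" command lines into firewall changes.

Added example; not part of the report or of any vendor tool. The command
lines in SAMPLE_CMDLINES are copied from the report's process tree, except
the last one, which is CONSTRUCTED to show a netsh call that is ignored.
"""
import shlex
from dataclasses import dataclass
from typing import Optional

SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\netsh.exe" firewall set portopening TCP 445 NB',
    r'"C:\Windows\System32\netsh.exe" firewall set portopening TCP 139 NB',
    r'"C:\Windows\System32\netsh.exe" firewall set portopening TCP 1013 BS',
    r'"C:\Windows\System32\netsh.exe" firewall set portopening TCP 9999 PORT1',
    r'"C:\Windows\System32\netsh.exe" firewall set portopening TCP 9991 PORT2',
    r'"C:\Windows\System32\netsh.exe" firewall add allowedprogram "C:\Windows\Fonts\unwise_.exe" workstation ENABLE ALL',
    r'"C:\Windows\System32\netsh.exe" firewall set allowedprogram "C:\Windows\Fonts\unwise_.exe" workstation ENABLE ALL',
    r'"C:\Windows\System32\netsh.exe" interface ip show config',  # CONSTRUCTED, benign control
]

# Positional parameter order of the legacy "netsh firewall" context; the same
# names may also be supplied as name=value pairs.
PARAM_ORDER = {
    "portopening": ("protocol", "port", "name", "mode", "scope", "addresses", "profile"),
    "allowedprogram": ("program", "name", "mode", "scope", "addresses", "profile"),
}
SMB_PORTS = {139, 445}


@dataclass
class FirewallChange:
    verb: str      # add / set / delete
    obj: str       # portopening / allowedprogram
    params: dict


@dataclass
class Finding:
    category: str
    severity: str
    technique: str   # ATT&CK sub-technique, my mapping
    detail: str
    cmdline: str


def _tokens(cmdline):
    # posix=False leaves Windows backslashes alone; quotes are stripped by hand.
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def parse_netsh(cmdline) -> Optional[FirewallChange]:
    """Return the firewall change a command line makes, or None for other netsh use."""
    toks = _tokens(cmdline)
    if len(toks) < 4 or not toks[0].lower().endswith("netsh.exe") or toks[1].lower() != "firewall":
        return None
    verb, obj, args = toks[2].lower(), toks[3].lower(), toks[4:]
    order = PARAM_ORDER.get(obj)
    if order is None:
        return None
    params, pos = {}, 0
    for arg in args:
        key, sep, val = arg.partition("=")
        if sep and key.lower() in order:
            params[key.lower()] = val
        elif pos < len(order):
            params[order[pos]] = arg
            pos += 1
    params.setdefault("mode", "ENABLE")   # netsh default when mode is omitted
    return FirewallChange(verb, obj, params)


def assess(change: FirewallChange, cmdline: str) -> Finding:
    p = change.params
    if change.obj == "portopening":
        port = int(p["port"])
        smb = port in SMB_PORTS
        return Finding("smb_port_opened" if smb else "inbound_port_opened",
                       "high" if smb else "medium", "T1562.004",
                       f'{p.get("protocol", "?")} {port} as "{p.get("name", "")}" scope={p.get("scope", "ALL")}',
                       cmdline)
    return Finding("program_exempted", "high", "T1562.004",
                   f'{p.get("program", "?")} as "{p.get("name", "")}" scope={p.get("scope", "ALL")}',
                   cmdline)


def _enabled_changes(cmdlines):
    # DISABLE closes a port or removes an exemption, so it is not flagged here.
    for cmd in cmdlines:
        ch = parse_netsh(cmd)
        if ch is not None and ch.params["mode"].upper() == "ENABLE":
            yield ch, cmd


def analyze(cmdlines):
    return [assess(ch, cmd) for ch, cmd in _enabled_changes(cmdlines)]


def opened_ports(cmdlines):
    return sorted({int(ch.params["port"]) for ch, _ in _enabled_changes(cmdlines)
                   if ch.obj == "portopening"})


def exempted_programs(cmdlines):
    return {ch.params["program"] for ch, _ in _enabled_changes(cmdlines)
            if ch.obj == "allowedprogram"}


if __name__ == "__main__":
    for f in analyze(SAMPLE_CMDLINES):
        print(f"{f.severity:6} {f.category:20} {f.technique} {f.detail}")
    print("ports:", opened_ports(SAMPLE_CMDLINES))
    print("programs:", exempted_programs(SAMPLE_CMDLINES))
```

On a host where this ran, the names and ports the parser extracts (NB, BS, PORT1, PORT2, the five ports and the Fonts path) are what to look for in the output of netsh advfirewall firewall show rule name=all before reverting the firewall.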

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 cx10man.weedns.com udp
US 8.8.8.8:53 fx010413.whyI.org udp
US 8.8.8.8:53 gynoman.weedns.com udp
US 8.8.8.8:53 g.0x20.biz udp
US 104.251.223.162:3305 g.0x20.biz tcp
US 8.8.8.8:53 c010x1.co.cc udp
KR 175.126.123.219:3305 c010x1.co.cc tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 commgr.co.cc udp
KR 175.126.123.219:3305 commgr.co.cc tcp
US 8.8.8.8:53 telephone.dd.blueline.be udp
US 8.8.8.8:53 phonewire.dd.blueline.be udp
US 8.8.8.8:53 phonelogin.dd.blueline.be udp
US 8.8.8.8:53 ufospace.etowns.net udp
US 172.98.192.35:3305 ufospace.etowns.net tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 theforums.bbsindex.com udp
US 34.205.242.146:3305 theforums.bbsindex.com tcp
US 8.8.8.8:53 cx10man.weedns.com udp
US 8.8.8.8:53 fx010413.whyI.org udp
US 8.8.8.8:53 gynoman.weedns.com udp
US 8.8.8.8:53 g.0x20.biz udp
US 104.251.223.162:3308 g.0x20.biz tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 c010x1.co.cc udp
KR 175.126.123.219:3308 c010x1.co.cc tcp
US 8.8.8.8:53 commgr.co.cc udp
KR 175.126.123.219:3308 commgr.co.cc tcp
US 8.8.8.8:53 telephone.dd.blueline.be udp
US 8.8.8.8:53 phonewire.dd.blueline.be udp
US 8.8.8.8:53 phonelogin.dd.blueline.be udp
US 8.8.8.8:53 ufospace.etowns.net udp
LT 93.115.28.104:3308 ufospace.etowns.net tcp
US 8.8.8.8:53 theforums.bbsindex.com udp
US 3.140.13.188:3308 theforums.bbsindex.com tcp
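The network table shows one routine run twice: the sample resolves the same list of names and opens TCP connections to some of them, first on port 3305 and then on port 3308. Six names (the two weedns.com hosts, fx010413.whyI.org and the three dd.blueline.be hosts) get a lookup but no connection; c010x1.co.cc and commgr.co.cc resolve to the same 175.126.123.219; ufospace.etowns.net and theforums.bbsindex.com come back with a different address on the second pass. The in-addr.arpa rows are reverse lookups and belong in their own bucket when indicators are extracted. The Python below is an added example, not part of the report: it parses rows in the report's own column order (country, destination, domain, proto), pairs lookups with the connections that followed them, decodes reverse-lookup names back to addresses, and emits a deduplicated indicator list. The embedded rows are a subset of the table above; the bucket names are mine.

```python
"""Turn a sandbox Network table into deduplicated indicators.

Added example; not part of the report or of any vendor tool. SAMPLE_TABLE is
a subset of the report's Network rows in their original column order.
"""
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_TABLE = """\
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 cx10man.weedns.com udp
US 8.8.8.8:53 g.0x20.biz udp
US 104.251.223.162:3305 g.0x20.biz tcp
US 8.8.8.8:53 c010x1.co.cc udp
KR 175.126.123.219:3305 c010x1.co.cc tcp
US 8.8.8.8:53 commgr.co.cc udp
KR 175.126.123.219:3305 commgr.co.cc tcp
US 8.8.8.8:53 telephone.dd.blueline.be udp
US 8.8.8.8:53 ufospace.etowns.net udp
US 172.98.192.35:3305 ufospace.etowns.net tcp
US 8.8.8.8:53 g.0x20.biz udp
US 104.251.223.162:3308 g.0x20.biz tcp
KR 175.126.123.219:3308 c010x1.co.cc tcp
US 8.8.8.8:53 ufospace.etowns.net udp
LT 93.115.28.104:3308 ufospace.etowns.net tcp
"""


@dataclass(frozen=True)
class NetEvent:
    country: str
    ip: str
    port: int
    domain: str
    proto: str


def parse_rows(text):
    """Parse 'country ip:port domain proto' rows; lines that do not fit are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or ":" not in parts[1]:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        events.append(NetEvent(country, ip, int(port), domain, proto.lower()))
    return events


def reverse_name_to_ip(name):
    """'134.32.126.40.in-addr.arpa' -> '40.126.32.134'; None for ordinary names."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def summarize(events):
    lookups = {e.domain for e in events if e.proto == "udp" and e.port == 53}
    tcp = [e for e in events if e.proto == "tcp"]
    connected = {e.domain for e in tcp}
    ip_to_domains, domain_to_ips = defaultdict(set), defaultdict(set)
    for e in tcp:
        ip_to_domains[e.ip].add(e.domain)
        domain_to_ips[e.domain].add(e.ip)
    reverse = {n: reverse_name_to_ip(n) for n in lookups}
    return {
        # (domain, ip, port) triples actually connected to: the C2 candidates
        "endpoints": sorted({(e.domain, e.ip, e.port) for e in tcp}),
        "ports": sorted({e.port for e in tcp}),
        # names the sample asked for but never connected to (reverse names excluded)
        "lookups_without_connection": sorted(
            n for n in lookups if n not in connected and reverse[n] is None),
        "reverse_lookups": sorted(ip for ip in reverse.values() if ip),
        # one address fronting several names, and one name moving between addresses
        "shared_ips": {ip: sorted(d) for ip, d in ip_to_domains.items() if len(d) > 1},
        "multi_ip_domains": {d: sorted(ips) for d, ips in domain_to_ips.items() if len(ips) > 1},
    }


def ioc_lines(summary):
    """Flat, deduplicated indicator list for a blocklist or hunt query."""
    domains = {d for d, _, _ in summary["endpoints"]} | set(summary["lookups_without_connection"])
    lines = {f"domain:{d}" for d in domains}
    lines |= {f"ip:{ip}:{port}" for _, ip, port in summary["endpoints"]}
    return sorted(lines)


if __name__ == "__main__":
    s = summarize(parse_rows(SAMPLE_TABLE))
    for key, value in s.items():
        print(f"{key}: {value}")
    print("\n".join(ioc_lines(s)))
```

Keeping the never-connected names in the indicator list is deliberate: a name that did not resolve during this detonation can still be the one that resolves in a later one, and the shared-address and moving-address buckets are what to check when deciding whether to block by name or by address.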

Files

memory/4648-0-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/4648-1-0x00000000024F0000-0x00000000024F2000-memory.dmp

C:\Windows\Fonts\unwise_.exe

MD5 275e4fb802670ac45647885f0cff516b
SHA1 6a787ff47b390bd869ec3705941ec099d5e128ed
SHA256 720c224ea9fa4ba58d5d35dbe67fc6f3e2e084361a926fcca92e41bdc04760af
SHA512 e0e6448243cda05e0a4a1d868f29a0d7947bd8945dc88ac5aa9f8645f31b8b9374af59318fa6cca76ab7cc07d4cf5ba0101e98a15aebfdcbfb7863143a077e7c

memory/4980-6-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/4980-7-0x0000000000C20000-0x0000000000C22000-memory.dmp

memory/4648-8-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/4980-9-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/4980-11-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/4980-12-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/4980-13-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/4980-16-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/4980-18-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/4980-21-0x0000000000400000-0x00000000008E6000-memory.dmp

memory/4980-22-0x0000000000400000-0x00000000008E6000-memory.dmp