1c9fccf7955654c4f890ce64b33833d22258035f82131e26dc6fd3f4c7ef9df9

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3aec816eed6ce0553e21084d0f5d216a_JaffaCakes118.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	3aec816eed6ce0553e21084d0f5d216a_JaffaCakes118.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	3aec816eed6ce0553e21084d0f5d216a_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4064	2680	WerFault.exe	82

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2716	schtasks.exe
1980	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2716	2680	3aec816eed6ce0553e21084d0f5d216a_JaffaCakes118.exe	84
PID 2680 wrote to memory of 2716	2680	3aec816eed6ce0553e21084d0f5d216a_JaffaCakes118.exe	84
PID 2680 wrote to memory of 2716	2680	3aec816eed6ce0553e21084d0f5d216a_JaffaCakes118.exe	84
PID 2680 wrote to memory of 1980	2680	3aec816eed6ce0553e21084d0f5d216a_JaffaCakes118.exe	85
PID 2680 wrote to memory of 1980	2680	3aec816eed6ce0553e21084d0f5d216a_JaffaCakes118.exe	85
PID 2680 wrote to memory of 1980	2680	3aec816eed6ce0553e21084d0f5d216a_JaffaCakes118.exe	85

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	3aec816eed6ce0553e21084d0f5d216a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\3aec816eed6ce0553e21084d0f5d216a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3aec816eed6ce0553e21084d0f5d216a_JaffaCakes118.exe"
1⤵
- UAC bypass
- Windows security bypass
- Windows security modification
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2680
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn alg /tr C:\Users\Admin\AppData\Roaming\sys\alg.exe /sc onlogon /ru "NT AUTHORITY\SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2716
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /create /tn store /tr C:\Users\Admin\AppData\Roaming\sys\store.exe /sc onlogon /ru "NT AUTHORITY\SYSTEM"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 1864
  2⤵
  - Program crash
  PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2680 -ip 2680
1⤵
PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry