sality | 99ff73151898cc42c19763f0d47466b427ffceeec44c91839928de46c05687f3

Analysis

max time kernel
25s
max time network
85s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
12/07/2024, 09:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Size

216KB
MD5

3cc83805387c96c629e92882e5880fa9
SHA1

34e0a3a0b9570becf84ea9e60d2c584145f0fff1
SHA256

99ff73151898cc42c19763f0d47466b427ffceeec44c91839928de46c05687f3
SHA512

e6ff8e1b8ca061561ead97944ad185654ccb12a88e8a08ebc4b3b8515146153e6fae1e596dff7375cb40195b67b8d13aa6a42b81ea6e6ae28ff46ed78a674078
SSDEEP

3072:iagmvJfdXVCki7Ga4xFJjNvQYFG9+ceI/4Q6BczP+5rQF8IVSY93NiUL9hpE9:ifCdlKN4xFEY/ceI/04206JdURY9

Score

10^/10

sality backdoor evasion persistence trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

http://klkjwre77638dfqwieuoi888.info/

Signatures

Modifies firewall policy service 3 TTPs 6 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	winlogon.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Windows security bypass 2 TTPs 12 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe

Disables RegEdit via registry modification 12 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	winlogon.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0"	lsass.exe

Disables Task Manager via registry modification
evasion

Disables cmd.exe use via registry modification 6 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0"	services.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0"	lsass.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0"	inetinfo.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0"	smss.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0"	winlogon.exe

Deletes itself 1 IoCs

pid	Process
2588	winlogon.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif	smss.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif	smss.exe

Executes dropped EXE 5 IoCs

pid	Process
2216	smss.exe
2588	winlogon.exe
1056	services.exe
1672	lsass.exe
2572	inetinfo.exe

Loads dropped DLL 10 IoCs

pid	Process
2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
2216	smss.exe
2216	smss.exe
2216	smss.exe
2216	smss.exe
2216	smss.exe
2216	smss.exe
2216	smss.exe
2216	smss.exe

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2468-1-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-11-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-6-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-3-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-9-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-4-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-10-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-8-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-7-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-5-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-42-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-43-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-44-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-55-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-108-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-115-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-117-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-157-0x00000000027A0000-0x000000000382E000-memory.dmp	upx
behavioral1/memory/2468-256-0x00000000027A0000-0x000000000382E000-memory.dmp	upx

Windows security modification 2 TTPs 14 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1"	winlogon.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	winlogon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\""	inetinfo.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	inetinfo.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\""	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\""	winlogon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\""	services.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\""	lsass.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\""	lsass.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\""	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\3D Animation.scr	smss.exe
File opened for modification	C:\Windows\SysWOW64\3D Animation.scr	smss.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\norBtok.exe	lsass.exe
File opened for modification	C:\Windows\INF\norBtok.exe	inetinfo.exe
File opened for modification	C:\Windows\SYSTEM.INI	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
File created	C:\Windows\INF\norBtok.exe	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
File opened for modification	C:\Windows\INF\norBtok.exe	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
File opened for modification	C:\Windows\INF\norBtok.exe	smss.exe
File opened for modification	C:\Windows\INF\norBtok.exe	winlogon.exe
File opened for modification	C:\Windows\INF\norBtok.exe	services.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
2588	winlogon.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe
Token: SeDebugPrivilege	2588	winlogon.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
2216	smss.exe
2588	winlogon.exe
1056	services.exe
1672	lsass.exe
2572	inetinfo.exe

Suspicious use of WriteProcessMemory 57 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 1120	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	18
PID 2468 wrote to memory of 1188	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	19
PID 2468 wrote to memory of 1252	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	20
PID 2468 wrote to memory of 1464	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	22
PID 2468 wrote to memory of 2868	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	29
PID 2468 wrote to memory of 2868	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	29
PID 2468 wrote to memory of 2868	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	29
PID 2468 wrote to memory of 2868	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	29
PID 2468 wrote to memory of 2216	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2216	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2216	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2216	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	31
PID 2216 wrote to memory of 2588	2216	smss.exe	32
PID 2216 wrote to memory of 2588	2216	smss.exe	32
PID 2216 wrote to memory of 2588	2216	smss.exe	32
PID 2216 wrote to memory of 2588	2216	smss.exe	32
PID 2216 wrote to memory of 1628	2216	smss.exe	33
PID 2216 wrote to memory of 1628	2216	smss.exe	33
PID 2216 wrote to memory of 1628	2216	smss.exe	33
PID 2216 wrote to memory of 1628	2216	smss.exe	33
PID 2216 wrote to memory of 1472	2216	smss.exe	35
PID 2216 wrote to memory of 1472	2216	smss.exe	35
PID 2216 wrote to memory of 1472	2216	smss.exe	35
PID 2216 wrote to memory of 1472	2216	smss.exe	35
PID 2216 wrote to memory of 1056	2216	smss.exe	37
PID 2216 wrote to memory of 1056	2216	smss.exe	37
PID 2216 wrote to memory of 1056	2216	smss.exe	37
PID 2216 wrote to memory of 1056	2216	smss.exe	37
PID 2468 wrote to memory of 1120	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	18
PID 2468 wrote to memory of 1188	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	19
PID 2468 wrote to memory of 1252	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	20
PID 2468 wrote to memory of 1464	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	22
PID 2468 wrote to memory of 2216	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2216	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	31
PID 2468 wrote to memory of 2588	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	32
PID 2468 wrote to memory of 2588	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	32
PID 2468 wrote to memory of 1472	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	35
PID 2468 wrote to memory of 1472	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	35
PID 2468 wrote to memory of 684	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	36
PID 2468 wrote to memory of 1056	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	37
PID 2468 wrote to memory of 1056	2468	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe	37
PID 2216 wrote to memory of 1672	2216	smss.exe	38
PID 2216 wrote to memory of 1672	2216	smss.exe	38
PID 2216 wrote to memory of 1672	2216	smss.exe	38
PID 2216 wrote to memory of 1672	2216	smss.exe	38
PID 2216 wrote to memory of 2572	2216	smss.exe	39
PID 2216 wrote to memory of 2572	2216	smss.exe	39
PID 2216 wrote to memory of 2572	2216	smss.exe	39
PID 2216 wrote to memory of 2572	2216	smss.exe	39
PID 2588 wrote to memory of 1120	2588	winlogon.exe	18
PID 2588 wrote to memory of 1188	2588	winlogon.exe	19
PID 2588 wrote to memory of 1252	2588	winlogon.exe	20
PID 2588 wrote to memory of 1464	2588	winlogon.exe	22
PID 2588 wrote to memory of 1672	2588	winlogon.exe	38
PID 2588 wrote to memory of 1672	2588	winlogon.exe	38
PID 2588 wrote to memory of 2572	2588	winlogon.exe	39
PID 2588 wrote to memory of 2572	2588	winlogon.exe	39

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	winlogon.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1120

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1188

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1252
- C:\Users\Admin\AppData\Local\Temp\3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe"
  2⤵
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Disables cmd.exe use via registry modification
  - Loads dropped DLL
  - Windows security modification
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2468
- - C:\Windows\SysWOW64\explorer.exe
    explorer.exe
    3⤵
    PID:2868
- - C:\Users\Admin\AppData\Local\smss.exe
    C:\Users\Admin\AppData\Local\smss.exe
    3⤵
    - Disables RegEdit via registry modification
    - Disables cmd.exe use via registry modification
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Users\Admin\AppData\Local\winlogon.exe
      C:\Users\Admin\AppData\Local\winlogon.exe
      4⤵
      Modifies firewall policy service
      UAC bypass
      Windows security bypass
      Disables RegEdit via registry modification
      Disables cmd.exe use via registry modification
      Deletes itself
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Checks whether UAC is enabled
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2588
  - - C:\Windows\SysWOW64\at.exe
      at /delete /y
      4⤵
      PID:1628
  - - C:\Windows\SysWOW64\at.exe
      at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\A.kotnorB.com"
      4⤵
      PID:1472
  - - C:\Users\Admin\AppData\Local\services.exe
      C:\Users\Admin\AppData\Local\services.exe
      4⤵
      Disables RegEdit via registry modification
      Disables cmd.exe use via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1056
  - - C:\Users\Admin\AppData\Local\lsass.exe
      C:\Users\Admin\AppData\Local\lsass.exe
      4⤵
      Disables RegEdit via registry modification
      Disables cmd.exe use via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:1672
  - - C:\Users\Admin\AppData\Local\inetinfo.exe
      C:\Users\Admin\AppData\Local\inetinfo.exe
      4⤵
      Disables RegEdit via registry modification
      Disables cmd.exe use via registry modification
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:2572

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-802403634741366992-169002876918887047711498465701440507459-10876470621599000661"
1⤵
PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCACHE\ALL USERS\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.exe

Filesize
213KB

MD5
e389d09f2632e6ff05c1836ff1ce2bfe

SHA1
4cb7c8c19dd09bc48dcbedfcc008c657cac0051d

SHA256
7e3cbe7bc06a87d57ab3085077115c1e785c1ad560c90e67ea4e1c9055668000

SHA512
3c1f472b318148b8d5e27662c339641618bcec244f774b3ab641a124dd610aa40d01a0d16ad31de54767a23ad688b791ace28eec4e0e75c166133fa0695c94e5

Download Submit
C:\MSOCACHE\ALL USERS\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.1MB

MD5
39eff72e4c7cf5a31130341c266410a7

SHA1
1cd2d4ff76696f919094f7c2cc87d7835a495918

SHA256
4e9f34b729a366a9a0c7c097bfd47624591bae3835643beb14ad156ed71040e7

SHA512
68b6014b94265057069602742717049555cd382b6bafc58ae1e0da5844017bdd946ccee365be12cc7e2c8b432c12bf931635b8f01de7309ea6364eccc51b429b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9790.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar97D2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\smss.exe

Filesize
216KB

MD5
3cc83805387c96c629e92882e5880fa9

SHA1
34e0a3a0b9570becf84ea9e60d2c584145f0fff1

SHA256
99ff73151898cc42c19763f0d47466b427ffceeec44c91839928de46c05687f3

SHA512
e6ff8e1b8ca061561ead97944ad185654ccb12a88e8a08ebc4b3b8515146153e6fae1e596dff7375cb40195b67b8d13aa6a42b81ea6e6ae28ff46ed78a674078

Download Submit
C:\Windows\SYSTEM.INI

Filesize
257B

MD5
a2f5645bbacf939d377bbfb22044b6b8

SHA1
eb6a5e60858bdcf65ec34fbb190f0345809b89ce

SHA256
b45aac479bfbda21ab9327e1a94e17c0eeea3acf2fe079fedda7c5a09edc2a5d

SHA512
e979bde394ffe9945830b849e1f49324fd94934ff32a90d195225d5e01207dffd7e201a68fc01fc6258d7ce5b8734882e5d3f48341232f1dc9bab3cab66700fe

Download Submit
memory/1056-123-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/1120-12-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/1672-212-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2216-54-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2216-211-0x0000000003EF0000-0x0000000003F27000-memory.dmp

Filesize
220KB

Download
memory/2216-210-0x0000000003EF0000-0x0000000003F27000-memory.dmp

Filesize
220KB

Download
memory/2216-161-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2216-121-0x00000000028A0000-0x00000000028D7000-memory.dmp

Filesize
220KB

Download
memory/2216-254-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2216-85-0x00000000028A0000-0x00000000028D7000-memory.dmp

Filesize
220KB

Download
memory/2216-86-0x00000000028A0000-0x00000000028D7000-memory.dmp

Filesize
220KB

Download
memory/2468-55-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-41-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/2468-43-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-44-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-5-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-53-0x0000000005DF0000-0x0000000005E27000-memory.dmp

Filesize
220KB

Download
memory/2468-52-0x0000000005DF0000-0x0000000005E27000-memory.dmp

Filesize
220KB

Download
memory/2468-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2468-1-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-7-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-8-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-108-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-115-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-10-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-117-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-26-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/2468-158-0x0000000003BA0000-0x0000000003BA2000-memory.dmp

Filesize
8KB

Download
memory/2468-42-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-11-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-157-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-153-0x0000000003BB0000-0x0000000003BB1000-memory.dmp

Filesize
4KB

Download
memory/2468-24-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2468-4-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-20-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/2468-6-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-21-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/2468-255-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2468-256-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-9-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2468-3-0x00000000027A0000-0x000000000382E000-memory.dmp

Filesize
16.6MB

Download
memory/2572-221-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2572-401-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2588-167-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2588-87-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download