Analysis
- max time kernel: 33s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12/07/2024, 09:14

Tasks
- Static task: static1
- Behavioral task: behavioral1, Sample: 3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe, Resource: win7-20240704-en

The task list above names only the Windows 7 task (behavioral1); the results on this page come from the Windows 10 run (platform windows10-2004_x64, and the memory-dump names under the UPX rule below are prefixed behavioral2).
General
- Target: 3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
- Size: 216KB
- MD5: 3cc83805387c96c629e92882e5880fa9
- SHA1: 34e0a3a0b9570becf84ea9e60d2c584145f0fff1
- SHA256: 99ff73151898cc42c19763f0d47466b427ffceeec44c91839928de46c05687f3
- SHA512: e6ff8e1b8ca061561ead97944ad185654ccb12a88e8a08ebc4b3b8515146153e6fae1e596dff7375cb40195b67b8d13aa6a42b81ea6e6ae28ff46ed78a674078
- SSDEEP: 3072:iagmvJfdXVCki7Ga4xFJjNvQYFG9+ceI/4Q6BczP+5rQF8IVSY93NiUL9hpE9:ifCdlKN4xFEY/ceI/04206JdURY9
Malware Config
Extracted family: sality
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
- http://klkjwre77638dfqwieuoi888.info/
Signatures
(In the lists below "the sample" is 3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe, PID 1260.)

Modifies firewall policy service (3 TTPs, 6 IoCs)
Key: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- EnableFirewall = "0" (int), written by the sample and by winlogon.exe
- DoNotAllowExceptions = "0" (int), written by the sample and by winlogon.exe
- DisableNotifications = "1" (int), written by the sample and by winlogon.exe
UAC bypass (2 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- EnableLUA = "0" (int), written by the sample and by winlogon.exe
These are the same two writes that "Checks whether UAC is enabled" and "System policy modification" report further down: one registry write is counted under three signatures. EnableLUA = 0 only takes effect after a reboot, so UAC stayed in force for the rest of this run.
Windows security bypass (12 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Written by the sample and again by winlogon.exe (6 writes each):
- AntiVirusOverride = "1" (int)
- AntiVirusDisableNotify = "1" (int)
- FirewallOverride = "1" (int)
- FirewallDisableNotify = "1" (int)
- UpdatesDisableNotify = "1" (int)
- UacDisableNotify = "1" (int)
The WOW6432Node path shows that the 32-bit writer was redirected by the WOW64 registry redirector; the native 64-bit Security Center key is not written, so on this x64 host the 64-bit Security Center service would not see these values.
Disables RegEdit via registry modification (12 IoCs)
Key: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
- DisableRegistryTools (int): each of services.exe, lsass.exe, the sample, smss.exe, winlogon.exe and inetinfo.exe writes the value to both "1" and "0" (two IoCs per process)
The list does not give write order, so the final state of the value is unknown; treat any write of "1" to this value by a process that is not a policy engine as the detection event.
Disables Task Manager via registry modification
Disables cmd.exe use via registry modification (6 IoCs)
Key: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system
- DisableCMD = "0" (int), written by services.exe, lsass.exe, inetinfo.exe, the sample, smss.exe and winlogon.exe
All six writes set the value to "0", which is the default (cmd.exe allowed); the signature fires on any write to DisableCMD, so this is not evidence that cmd.exe was blocked in this run. A write of "1" (block cmd.exe and batch files) or "2" (block the interactive prompt only) would be.
Deletes itself (1 IoC)
- PID 1440 winlogon.exe
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif (smss.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Empty.pif (smss.exe)
Executes dropped EXE (5 IoCs)
- PID 1988 smss.exe
- PID 1440 winlogon.exe
- PID 5096 services.exe
- PID 1544 lsass.exe
- PID 2660 inetinfo.exe
All five run from C:\Users\Admin\AppData\Local\ (see the process tree) under the names of Windows system binaries; the image path, not the image name, is what separates them from the real ones.
UPX packed file (31 IoCs, yara rule upx)
- behavioral2/memory/1260-{1,3,4,7,8,9,11,12,14,17,23,24,33,34,35,36,38,92,93,114,115,124,135,136,152,153}-0x0000000002B90000-0x0000000003C1E000-memory.dmp (26 dumps of the sample, PID 1260)
- behavioral2/memory/1440-{171,173,184,185,186}-0x0000000003520000-0x00000000045AE000-memory.dmp (5 dumps of winlogon.exe, PID 1440)
All hits are on memory dumps, and both regions are the same size (0x108E000 bytes), consistent with the dropped winlogon.exe carrying the same packed image as the sample.
Windows security modification (14 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
- AntiVirusOverride = "1", AntiVirusDisableNotify = "1", FirewallOverride = "1", FirewallDisableNotify = "1", UpdatesDisableNotify = "1", UacDisableNotify = "1" (int), each written by the sample and by winlogon.exe (12 IoCs)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (the sample)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc (winlogon.exe)
Adds Run key to start application (2 TTPs, 12 IoCs)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Bron-Spizaetus = "\"C:\\Windows\\INF\\norBtok.exe\"", written by the sample, smss.exe, inetinfo.exe, lsass.exe, winlogon.exe and services.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Tok-Cirrhatus = "\"C:\\Users\\Admin\\AppData\\Local\\smss.exe\"", written by the sample, smss.exe, inetinfo.exe, lsass.exe, winlogon.exe and services.exe
Two autostarts: one machine-wide (HKLM Run, reached through WOW6432Node because the writer is 32-bit; Explorer still processes that key at logon) and one per-user (HKU Run). The value names Bron-Spizaetus and Tok-Cirrhatus, the file name norBtok.exe and the scheduled job A.kotnorB.com in the process tree are the markers of the Brontok worm family, which the config extractor does not name (only the Sality configuration was extracted).
Checks whether UAC is enabled (2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", written by the sample and by winlogon.exe
Drops file in System32 directory (2 IoCs)
- File created: C:\Windows\SysWOW64\3D Animation.scr (smss.exe)
- File opened for modification: C:\Windows\SysWOW64\3D Animation.scr (smss.exe)

Drops file in Program Files directory (3 IoCs)
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7z.exe (the sample)
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7zFM.exe (the sample)
- File opened for modification: C:\PROGRAM FILES\7-ZIP\7zG.exe (the sample)
These are existing executables opened for writing rather than new files; together with the extracted Sality configuration this is consistent with Sality's executable infection, so other .exe files on an infected host should be treated as suspect.

Drops file in Windows directory (8 IoCs)
- File opened for modification: C:\Windows\SYSTEM.INI (the sample)
- File created: C:\Windows\INF\norBtok.exe (the sample)
- File opened for modification: C:\Windows\INF\norBtok.exe (the sample, inetinfo.exe, smss.exe, winlogon.exe, services.exe, lsass.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
- Key created: \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings (explorer.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
- PID 1260 the sample (4 entries)
- PID 1440 winlogon.exe (4 entries)
Suspicious use of AdjustPrivilegeToken (64 IoCs; list truncated at 64)
- Token: SeDebugPrivilege, PID 1260 (the sample); all 64 entries are this same event
SeDebugPrivilege is what lets PID 1260 open the system and shell processes it writes into under "Suspicious use of WriteProcessMemory" below; a non-debugger enabling it is a detection in its own right.
Suspicious use of SetWindowsHookEx (6 IoCs)
- PID 1260 the sample, PID 1988 smss.exe, PID 1440 winlogon.exe, PID 5096 services.exe, PID 1544 lsass.exe, PID 2660 inetinfo.exe
Suspicious use of WriteProcessMemory (64 IoCs; list truncated at 64)
Entries are given as target PID, target image (from the process tree) and procid_target (the sandbox's process index).
Source PID 1260 (the sample), two passes over the pre-existing session processes:
- both passes: 764 fontdrvhost.exe (8), 772 fontdrvhost.exe (9), 316 dwm.exe (13), 2564 sihost.exe (44), 2596 svchost.exe (45), 2820 taskhostw.exe (48), 3476 Explorer.EXE (56), 3588 svchost.exe (57), 3772 DllHost.exe (58), 3868 StartMenuExperienceHost.exe (59), 3972 RuntimeBroker.exe (60), 4072 SearchApp.exe (61), 3904 RuntimeBroker.exe (62), 1944 RuntimeBroker.exe (64), 2088 TextInputHost.exe (75), 4180 backgroundTaskHost.exe (80), 2980 backgroundTaskHost.exe (81)
- first pass additionally 3216 BackgroundTaskHost.exe (83), then 1780 explorer.exe (86) three times
- second pass additionally 3928 RuntimeBroker.exe (84), 3272 RuntimeBroker.exe (85), 2216 DllHost.exe (87), then 1988 smss.exe (88) three times
Source PID 1988 (smss.exe), three writes into each of its own children:
- 1440 winlogon.exe (89), 5064 at.exe (90), 3804 at.exe (92), 5096 services.exe (93), 1544 lsass.exe (95), 2660 inetinfo.exe (96)
Source PID 1440 (winlogon.exe):
- 764 fontdrvhost.exe (8), 772 fontdrvhost.exe (9)
The three writes into each newly spawned child are normally just process creation as the sandbox sees it; the writes into the pre-existing system and shell processes (every user-session process the sandbox lists) are the injection signal.
System policy modification (1 TTPs, 2 IoCs)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0", written by the sample and by winlogon.exe
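The registry writes reported under the signatures above are the kind of event a detection has to normalise before it can match them: the same value can arrive through a WOW6432Node path, a specific ControlSetNNN or a per-user SID prefix, and a write of the default (DisableCMD = "0") must not fire. The Python below is an added example written for this page, not code from the sandbox or from the sample: it parses event lines constructed from this report's IoCs (the one-line-per-event layout is an assumption of the example), normalises the key paths and applies a small tamper-rule table, so the DisableCMD = "0" and DoNotAllowExceptions = "0" writes pass while the firewall, UAC, Security Center and DisableRegistryTools = "1" writes are flagged.

```python
"""Registry-tamper detection over 'Set value' / 'Key created' event lines.

Added example, not part of the sandbox report. SAMPLE_EVENTS is constructed
from the IoCs listed in this report (one distinct write per line); the
one-line-per-event layout is an assumption of this example, not a real
Sysmon or sandbox export format.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" winlogon.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" winlogon.exe
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc winlogon.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" services.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "0" lsass.exe
Set value (int) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableCMD = "0" smss.exe
"""

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "([^"]*)" (\S+)$')
KEY_RE = re.compile(r"^Key created (.+) (\S+)$")
SID_PREFIX = re.compile(r"^\\registry\\user\\s-1-5-(?:\d+-)*\d+(?:_classes)?\\")

POLICIES = "software\\microsoft\\windows\\currentversion\\policies\\system"
FW_PROFILE = "hklm\\system\\currentcontrolset\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile"
SECURITY_CENTER = "hklm\\software\\microsoft\\security center"

# (normalized key, value name) -> (data values that weaken the control, label).
# Only weakening data is listed: writing the default (DisableCMD = "0") is not
# flagged, which is why this report's six DisableCMD = "0" IoCs are not
# evidence that cmd.exe was blocked. The table is this example's own.
TAMPER_RULES = {
    (FW_PROFILE, "enablefirewall"): ({"0"}, "Windows Firewall turned off"),
    (FW_PROFILE, "disablenotifications"): ({"1"}, "firewall notifications suppressed"),
    ("hklm\\" + POLICIES, "enablelua"): ({"0"}, "UAC disabled (effective after reboot)"),
    (SECURITY_CENTER, "antivirusoverride"): ({"1"}, "Security Center AV status overridden"),
    (SECURITY_CENTER, "antivirusdisablenotify"): ({"1"}, "Security Center AV alerts suppressed"),
    (SECURITY_CENTER, "firewalloverride"): ({"1"}, "Security Center firewall status overridden"),
    (SECURITY_CENTER, "firewalldisablenotify"): ({"1"}, "Security Center firewall alerts suppressed"),
    (SECURITY_CENTER, "updatesdisablenotify"): ({"1"}, "Security Center update alerts suppressed"),
    (SECURITY_CENTER, "uacdisablenotify"): ({"1"}, "Security Center UAC alerts suppressed"),
    ("hku\\" + POLICIES, "disableregistrytools"): ({"1", "2"}, "regedit blocked for the user"),
    ("hku\\" + POLICIES, "disablecmd"): ({"1", "2"}, "cmd.exe blocked for the user"),
    ("hku\\" + POLICIES, "disabletaskmgr"): ({"1"}, "Task Manager blocked for the user"),
}


@dataclass(frozen=True)
class RegEvent:
    op: str        # "set" or "create"
    key: str       # normalized key path
    name: str      # value name, lower-case ("" for key creation)
    data: str      # data as written ("" for key creation)
    process: str


@dataclass(frozen=True)
class Finding:
    process: str
    key: str
    name: str
    data: str
    reason: str


def normalize_key(key: str) -> str:
    """Collapse HKLM/HKU, the WOW6432Node redirect and ControlSetNNN so that
    one rule matches however the write was reported."""
    k = key.lower()
    k = SID_PREFIX.sub("hku\\\\", k)
    k = k.replace("\\registry\\machine\\", "hklm\\", 1)
    k = k.replace("\\wow6432node\\", "\\")
    k = re.sub(r"\\controlset\d{3}\\", "\\\\currentcontrolset\\\\", k)
    return k


def parse_events(text: str) -> list[RegEvent]:
    events = []
    for line in text.strip().splitlines():
        m = SET_RE.match(line)
        if m:
            _kind, path, data, proc = m.groups()
            key, _, name = path.rpartition("\\")
            events.append(RegEvent("set", normalize_key(key), name.lower(), data, proc))
            continue
        m = KEY_RE.match(line)
        if m:
            path, proc = m.groups()
            events.append(RegEvent("create", normalize_key(path), "", "", proc))
    return events


def detect_tampering(events: list[RegEvent]) -> list[Finding]:
    findings = []
    for ev in events:
        if ev.op == "create":
            # Windows itself maintains Security Center; a key created there by
            # anything else is worth a look (tune by writing process in production).
            if ev.key.startswith(SECURITY_CENTER + "\\"):
                findings.append(Finding(ev.process, ev.key, "", "", "key created under Security Center"))
            continue
        rule = TAMPER_RULES.get((ev.key, ev.name))
        if rule and ev.data in rule[0]:
            findings.append(Finding(ev.process, ev.key, ev.name, ev.data, rule[1]))
    return findings


def tamper_by_process(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.process for f in findings))


if __name__ == "__main__":
    for f in detect_tampering(parse_events(SAMPLE_EVENTS)):
        print(f"{f.process}: {f.reason} ({f.key}\\{f.name} = {f.data!r})")
```

Running it prints seven findings (two for the sample, four for winlogon.exe, one for services.exe) and nothing for the DisableCMD, DoNotAllowExceptions or DisableRegistryTools = "0" writes; the same rule table works unchanged on Sysmon Event ID 12/13 TargetObject paths once they are lower-cased and normalised the same way.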
Processes

- C:\Windows\system32\fontdrvhost.exe, cmd: "fontdrvhost.exe", PID 764
- C:\Windows\system32\fontdrvhost.exe, cmd: "fontdrvhost.exe", PID 772
- C:\Windows\system32\dwm.exe, cmd: "dwm.exe", PID 316
- C:\Windows\system32\sihost.exe, cmd: sihost.exe, PID 2564
- C:\Windows\system32\svchost.exe, cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, PID 2596
- C:\Windows\system32\taskhostw.exe, cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}, PID 2820
- C:\Windows\Explorer.EXE, cmd: C:\Windows\Explorer.EXE, PID 3476
  - C:\Users\Admin\AppData\Local\Temp\3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe, cmd: "C:\Users\Admin\AppData\Local\Temp\3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe", PID 1260
    Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Disables RegEdit via registry modification; Disables cmd.exe use via registry modification; Windows security modification; Adds Run key to start application; Checks whether UAC is enabled; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Windows\SysWOW64\explorer.exe, cmd: explorer.exe, PID 1780
      Signatures: Modifies registry class
    - C:\Users\Admin\AppData\Local\smss.exe, cmd: C:\Users\Admin\AppData\Local\smss.exe, PID 1988
      Signatures: Disables RegEdit via registry modification; Disables cmd.exe use via registry modification; Drops startup file; Executes dropped EXE; Adds Run key to start application; Drops file in System32 directory; Drops file in Windows directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\winlogon.exe, cmd: C:\Users\Admin\AppData\Local\winlogon.exe, PID 1440
        Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Disables RegEdit via registry modification; Disables cmd.exe use via registry modification; Deletes itself; Executes dropped EXE; Windows security modification; Adds Run key to start application; Checks whether UAC is enabled; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory; System policy modification
      - C:\Windows\SysWOW64\at.exe, cmd: at /delete /y, PID 5064
      - C:\Windows\SysWOW64\at.exe, cmd: at 17:08 /every:M,T,W,Th,F,S,Su "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\A.kotnorB.com", PID 3804
      - C:\Users\Admin\AppData\Local\services.exe, cmd: C:\Users\Admin\AppData\Local\services.exe, PID 5096
        Signatures: Disables RegEdit via registry modification; Disables cmd.exe use via registry modification; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Local\lsass.exe, cmd: C:\Users\Admin\AppData\Local\lsass.exe, PID 1544
        Signatures: Disables RegEdit via registry modification; Disables cmd.exe use via registry modification; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious use of SetWindowsHookEx
      - C:\Users\Admin\AppData\Local\inetinfo.exe, cmd: C:\Users\Admin\AppData\Local\inetinfo.exe, PID 2660
        Signatures: Disables RegEdit via registry modification; Disables cmd.exe use via registry modification; Executes dropped EXE; Adds Run key to start application; Drops file in Windows directory; Suspicious use of SetWindowsHookEx
- C:\Windows\system32\svchost.exe, cmd: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc, PID 3588
- C:\Windows\system32\DllHost.exe, cmd: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, PID 3772
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe, cmd: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca, PID 3868
- C:\Windows\System32\RuntimeBroker.exe, cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 3972
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe, cmd: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca, PID 4072
- C:\Windows\System32\RuntimeBroker.exe, cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 3904
- C:\Windows\System32\RuntimeBroker.exe, cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 1944
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe, cmd: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca, PID 2088
- C:\Windows\system32\backgroundTaskHost.exe, cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca, PID 4180
- C:\Windows\system32\backgroundTaskHost.exe, cmd: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca, PID 2980
- C:\Windows\system32\BackgroundTaskHost.exe, cmd: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider, PID 3216
- C:\Windows\System32\RuntimeBroker.exe, cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 3928
- C:\Windows\System32\RuntimeBroker.exe, cmd: C:\Windows\System32\RuntimeBroker.exe -Embedding, PID 3272
- C:\Windows\system32\DllHost.exe, cmd: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}, PID 2216
- C:\Windows\system32\DllHost.exe, cmd: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}, PID 2052

Notes on the tree: the five dropped executables run from C:\Users\Admin\AppData\Local\ under the names of binaries that Windows keeps in C:\Windows\System32 (inetinfo.exe, the IIS binary, in System32\inetsrv), so image path rather than image name is the thing to check. The two at.exe invocations first delete every existing at job (at /delete /y) and then schedule A.kotnorB.com for 17:08 every day of the week; at.exe is deprecated on Windows 8 and later and refuses to create jobs, so this persistence path most likely did nothing on this Windows 10 run, while it would succeed on the Windows 7 task. The Run keys, the Startup-folder Empty.pif and the at job are three separate autostarts, and Scheduled Task/Job is absent from the ATT&CK matrix below.
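Two host-side checks fall out of the tree above and the WriteProcessMemory list: an image named smss.exe, winlogon.exe, services.exe, lsass.exe or inetinfo.exe that is not running from its Windows directory is masquerading, and a process that writes into many pre-existing processes (rather than into children it has just spawned) is injecting. The Python below is an added example for this page, not sandbox or sample code; PROCESSES and WRITE_EVENTS are constructed from the tree and the IoC list on this page (WRITE_EVENTS copies the report's own line wording), while EXPECTED_DIRS and the fan-out threshold are this example's own assumptions.

```python
"""Masquerading and cross-process-write triage over a sandbox process list.

Added example, not part of the sandbox report. PROCESSES and WRITE_EVENTS are
constructed from this report's process tree and WriteProcessMemory IoCs;
EXPECTED_DIRS and the fan-out threshold are assumptions of the example.
"""
from __future__ import annotations

import re
from collections import defaultdict

SYSTEM32 = r"c:\windows\system32"

# Directories Windows installs these binaries in (lower-case). An image with
# one of these names running from anywhere else is masquerading.
EXPECTED_DIRS = {
    "smss.exe": {SYSTEM32},
    "winlogon.exe": {SYSTEM32},
    "services.exe": {SYSTEM32},
    "lsass.exe": {SYSTEM32},
    "svchost.exe": {SYSTEM32, r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
    "inetinfo.exe": {SYSTEM32 + r"\inetsrv"},  # IIS
}

# pid -> (image path, parent pid). Parents come from the tree's nesting;
# None for pre-existing session processes whose parent the tree does not show.
PROCESSES = {
    764: (r"C:\Windows\system32\fontdrvhost.exe", None),
    772: (r"C:\Windows\system32\fontdrvhost.exe", None),
    316: (r"C:\Windows\system32\dwm.exe", None),
    2564: (r"C:\Windows\system32\sihost.exe", None),
    3476: (r"C:\Windows\Explorer.EXE", None),
    3588: (r"C:\Windows\system32\svchost.exe", None),
    1260: (r"C:\Users\Admin\AppData\Local\Temp\3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe", 3476),
    1780: (r"C:\Windows\SysWOW64\explorer.exe", 1260),
    1988: (r"C:\Users\Admin\AppData\Local\smss.exe", 1260),
    1440: (r"C:\Users\Admin\AppData\Local\winlogon.exe", 1988),
    5064: (r"C:\Windows\SysWOW64\at.exe", 1988),
    3804: (r"C:\Windows\SysWOW64\at.exe", 1988),
    5096: (r"C:\Users\Admin\AppData\Local\services.exe", 1988),
    1544: (r"C:\Users\Admin\AppData\Local\lsass.exe", 1988),
    2660: (r"C:\Users\Admin\AppData\Local\inetinfo.exe", 1988),
}

# A subset of the report's WriteProcessMemory entries, one per line.
WRITE_EVENTS = """\
PID 1260 wrote to memory of 764 1260 3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe 8
PID 1260 wrote to memory of 772 1260 3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe 9
PID 1260 wrote to memory of 316 1260 3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe 13
PID 1260 wrote to memory of 2564 1260 3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe 44
PID 1260 wrote to memory of 3476 1260 3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe 56
PID 1260 wrote to memory of 3588 1260 3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe 57
PID 1260 wrote to memory of 1780 1260 3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe 86
PID 1260 wrote to memory of 1988 1260 3cc83805387c96c629e92882e5880fa9_JaffaCakes118.exe 88
PID 1988 wrote to memory of 1440 1988 smss.exe 89
PID 1988 wrote to memory of 5064 1988 smss.exe 90
PID 1988 wrote to memory of 3804 1988 smss.exe 92
PID 1988 wrote to memory of 5096 1988 smss.exe 93
PID 1988 wrote to memory of 1544 1988 smss.exe 95
PID 1988 wrote to memory of 2660 1988 smss.exe 96
PID 1440 wrote to memory of 764 1440 winlogon.exe 8
PID 1440 wrote to memory of 772 1440 winlogon.exe 9
"""

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")


def parse_writes(text: str) -> list[tuple[int, int]]:
    """Return (source pid, target pid) edges from report-style lines."""
    edges = []
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
    return edges


def find_masquerading(processes: dict) -> list[tuple[int, str, str]]:
    """Processes whose image name is a known system binary but whose directory
    is not one Windows installs it in."""
    hits = []
    for pid, (path, _parent) in processes.items():
        directory, _, name = path.lower().rpartition("\\")
        expected = EXPECTED_DIRS.get(name)
        if expected is not None and directory not in expected:
            hits.append((pid, name, path))
    return sorted(hits)


def find_injection_sources(processes: dict, edges: list, threshold: int = 5) -> dict[int, list[int]]:
    """Sources that write into at least `threshold` distinct pre-existing
    processes, or into any process running from System32. Writes into a
    source's own children are discounted: creating a process writes into it."""
    targets = defaultdict(set)
    for src, dst in edges:
        if processes.get(dst, (None, None))[1] == src:
            continue
        targets[src].add(dst)
    flagged = {}
    for src, dsts in targets.items():
        hits_system = any(
            processes.get(d, ("", None))[0].lower().startswith(SYSTEM32 + "\\") for d in dsts
        )
        if len(dsts) >= threshold or hits_system:
            flagged[src] = sorted(dsts)
    return flagged


if __name__ == "__main__":
    for pid, name, path in find_masquerading(PROCESSES):
        print(f"masquerading: pid {pid} {name} at {path}")
    for src, dsts in find_injection_sources(PROCESSES, parse_writes(WRITE_EVENTS)).items():
        print(f"injection: pid {src} wrote into {dsts}")
```

On this input the five AppData\Local copies are reported as masquerading, PID 1260 is flagged for writing into six pre-existing session processes and PID 1440 for writing into the two fontdrvhost.exe instances, while PID 1988 (smss.exe) is not flagged because every one of its targets is a child it spawned. With Sysmon the same logic runs over Event ID 1 (image, parent) and Event ID 8/10 (source, target) fields.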
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Downloads

- Filesize: 63KB
  MD5: 82099837e3fd7efcab34580ee3681a1b
  SHA1: e3bac4b93f39283dffbf05bb97a5b2a716c04231
  SHA256: 57acfedb4bdc586b8fb93c8209d65a675fe646d3a56ebc104dbb896b0d523f83
  SHA512: 0e347bf18cf4d471b8acc860c6574011ebcec46648b09897f583cea47373d6e9565a290a00914dd571e2f0f46c231eeb19d8a1158bbd4dc5361625fa8f3197d4
- Filesize: 216KB (the submitted sample; hashes match the General section)
  MD5: 3cc83805387c96c629e92882e5880fa9
  SHA1: 34e0a3a0b9570becf84ea9e60d2c584145f0fff1
  SHA256: 99ff73151898cc42c19763f0d47466b427ffceeec44c91839928de46c05687f3
  SHA512: e6ff8e1b8ca061561ead97944ad185654ccb12a88e8a08ebc4b3b8515146153e6fae1e596dff7375cb40195b67b8d13aa6a42b81ea6e6ae28ff46ed78a674078
- Filesize: 257B
  MD5: 0dca22a36af98ebc430fbbbc7f637b83
  SHA1: 15a3b0a4bf8952fe950454f7ba58a6415a3429ee
  SHA256: 99954a5d70773418477104ab6209b40c47a4fee450726fcbd402cffdf5358218
  SHA512: fb30428e27bd8e58d16215d97f1b3037994a1f4e8e06717b0a75edd579a03157b103a2db1bd3eec5e41789059f5ffc81b3f057dd171f9410ad6dcab4ba860314