Analysis
max time kernel: 29s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-07-2024 16:49
Static task: static1
Behavioral task: behavioral1 | Sample: 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | Resource: win7-20240708-en
Behavioral task: behavioral2 | Sample: 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | Resource: win10v2004-20240709-en
Behavioral task: behavioral3 | Sample: $PLUGINSDIR/InstallOptions.dll | Resource: win7-20240705-en
Behavioral task: behavioral4 | Sample: $PLUGINSDIR/InstallOptions.dll | Resource: win10v2004-20240709-en
General
Target: 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Size: 205KB
MD5: 46adca4a892dc48862ba393d45d27745
SHA1: 2bb1fb8c9f907fdfaea108f5cec438a416c83a6e
SHA256: 2466475118603cf9ac0f193d48a9971783b8911a50238c55894909d2e09cce75
SHA512: 5fe136a3de59093670a838099ddb4e548afc69cfe61ec3c255c3a78088f06cae073de2b1e0fce829855a972a7149cf8a913d583ad001d918ee85f772384cdd85
SSDEEP: 6144:ltZ9O0jcNFPwWW3V4gCrV8g88YMG9YccWpL80fj:7OacNFIFatrg9YccWpD
Malware Config
Extracted configuration
Family: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
Signatures
Modifies firewall policy service (3 TTPs, 6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Au_.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Executes dropped EXE (1 IoC)
pid | Process
3340 | Au_.exe
resource | yara_rule
behavioral2/memory/1272-1-0x00000000023C0000-0x000000000347A000-memory.dmp | upx
behavioral2/memory/1272-3-0x00000000023C0000-0x000000000347A000-memory.dmp | upx
behavioral2/memory/1272-5-0x00000000023C0000-0x000000000347A000-memory.dmp | upx
behavioral2/memory/1272-8-0x00000000023C0000-0x000000000347A000-memory.dmp | upx
behavioral2/memory/1272-19-0x00000000023C0000-0x000000000347A000-memory.dmp | upx
behavioral2/memory/1272-21-0x00000000023C0000-0x000000000347A000-memory.dmp | upx
behavioral2/memory/1272-17-0x00000000023C0000-0x000000000347A000-memory.dmp | upx
behavioral2/memory/1272-7-0x00000000023C0000-0x000000000347A000-memory.dmp | upx
behavioral2/memory/1272-6-0x00000000023C0000-0x000000000347A000-memory.dmp | upx
behavioral2/memory/1272-11-0x00000000023C0000-0x000000000347A000-memory.dmp | upx
behavioral2/memory/1272-4-0x00000000023C0000-0x000000000347A000-memory.dmp | upx
behavioral2/memory/1272-37-0x00000000023C0000-0x000000000347A000-memory.dmp | upx
behavioral2/memory/3340-55-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-65-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-74-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-60-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-59-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-61-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-57-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-70-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-63-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-58-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-69-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-76-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-77-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-78-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-80-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-79-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-82-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-83-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-84-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-86-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-87-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-89-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-92-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-94-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-96-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-99-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
behavioral2/memory/3340-132-0x0000000004AC0000-0x0000000005B7A000-memory.dmp | upx
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | Au_.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Au_.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 10 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | Au_.exe
File opened (read-only) | \??\H: | Au_.exe
File opened (read-only) | \??\J: | Au_.exe
File opened (read-only) | \??\K: | Au_.exe
File opened (read-only) | \??\O: | Au_.exe
File opened (read-only) | \??\E: | Au_.exe
File opened (read-only) | \??\I: | Au_.exe
File opened (read-only) | \??\L: | Au_.exe
File opened (read-only) | \??\M: | Au_.exe
File opened (read-only) | \??\N: | Au_.exe
Drops file in Program Files directory (3 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files\7-Zip\7z.exe | Au_.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | Au_.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | Au_.exe
Drops file in Windows directory (3 IoCs)
description | ioc | Process
File created | C:\Windows\e5784df | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
File opened for modification | C:\Windows\SYSTEM.INI | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
File created | C:\Windows\e57b41d | Au_.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
NSIS installer (2 IoCs)
resource | yara_rule
behavioral2/files/0x000800000002346e-48.dat | nsis_installer_1
behavioral2/files/0x0007000000023470-32.dat | nsis_installer_1
Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
3340 | Au_.exe
3340 | Au_.exe
3340 | Au_.exe
3340 | Au_.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
(the report lists this identical row 64 times)
Suspicious use of WriteProcessMemory (57 IoCs)
description | pid | Process | procid_target
PID 1272 wrote to memory of 772 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 8
PID 1272 wrote to memory of 780 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 9
PID 1272 wrote to memory of 336 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 13
PID 1272 wrote to memory of 2604 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 44
PID 1272 wrote to memory of 2628 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 45
PID 1272 wrote to memory of 2776 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 48
PID 1272 wrote to memory of 3580 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 56
PID 1272 wrote to memory of 3700 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 57
PID 1272 wrote to memory of 3888 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 58
PID 1272 wrote to memory of 3980 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 59
PID 1272 wrote to memory of 4044 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 60
PID 1272 wrote to memory of 664 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 61
PID 1272 wrote to memory of 4152 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 62
PID 1272 wrote to memory of 3536 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 75
PID 1272 wrote to memory of 4776 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 76
PID 1272 wrote to memory of 652 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 80
PID 1272 wrote to memory of 4120 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 81
PID 1272 wrote to memory of 2124 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 83
PID 1272 wrote to memory of 3340 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 85
PID 1272 wrote to memory of 3340 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 85
PID 1272 wrote to memory of 3340 | 1272 | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | 85
PID 3340 wrote to memory of 772 | 3340 | Au_.exe | 8
PID 3340 wrote to memory of 780 | 3340 | Au_.exe | 9
PID 3340 wrote to memory of 336 | 3340 | Au_.exe | 13
PID 3340 wrote to memory of 2604 | 3340 | Au_.exe | 44
PID 3340 wrote to memory of 2628 | 3340 | Au_.exe | 45
PID 3340 wrote to memory of 2776 | 3340 | Au_.exe | 48
PID 3340 wrote to memory of 3580 | 3340 | Au_.exe | 56
PID 3340 wrote to memory of 3700 | 3340 | Au_.exe | 57
PID 3340 wrote to memory of 3888 | 3340 | Au_.exe | 58
PID 3340 wrote to memory of 3980 | 3340 | Au_.exe | 59
PID 3340 wrote to memory of 4044 | 3340 | Au_.exe | 60
PID 3340 wrote to memory of 664 | 3340 | Au_.exe | 61
PID 3340 wrote to memory of 4152 | 3340 | Au_.exe | 62
PID 3340 wrote to memory of 3536 | 3340 | Au_.exe | 75
PID 3340 wrote to memory of 4776 | 3340 | Au_.exe | 76
PID 3340 wrote to memory of 652 | 3340 | Au_.exe | 80
PID 3340 wrote to memory of 4032 | 3340 | Au_.exe | 84
PID 3340 wrote to memory of 4972 | 3340 | Au_.exe | 86
PID 3340 wrote to memory of 772 | 3340 | Au_.exe | 8
PID 3340 wrote to memory of 780 | 3340 | Au_.exe | 9
PID 3340 wrote to memory of 336 | 3340 | Au_.exe | 13
PID 3340 wrote to memory of 2604 | 3340 | Au_.exe | 44
PID 3340 wrote to memory of 2628 | 3340 | Au_.exe | 45
PID 3340 wrote to memory of 2776 | 3340 | Au_.exe | 48
PID 3340 wrote to memory of 3580 | 3340 | Au_.exe | 56
PID 3340 wrote to memory of 3700 | 3340 | Au_.exe | 57
PID 3340 wrote to memory of 3888 | 3340 | Au_.exe | 58
PID 3340 wrote to memory of 3980 | 3340 | Au_.exe | 59
PID 3340 wrote to memory of 4044 | 3340 | Au_.exe | 60
PID 3340 wrote to memory of 664 | 3340 | Au_.exe | 61
PID 3340 wrote to memory of 4152 | 3340 | Au_.exe | 62
PID 3340 wrote to memory of 3536 | 3340 | Au_.exe | 75
PID 3340 wrote to memory of 4776 | 3340 | Au_.exe | 76
PID 3340 wrote to memory of 652 | 3340 | Au_.exe | 80
PID 3340 wrote to memory of 4032 | 3340 | Au_.exe | 84
PID 3340 wrote to memory of 4972 | 3340 | Au_.exe | 86
System policy modification (1 TTP, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Au_.exe
Processes
(indented entries are children of the entry above them; each line gives PID, image path and command line)
PID 772 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
PID 780 | C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe"
PID 336 | C:\Windows\system32\dwm.exe | "dwm.exe"
PID 2604 | C:\Windows\system32\sihost.exe | sihost.exe
PID 2628 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2776 | C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3580 | C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
  PID 1272 | C:\Users\Admin\AppData\Local\Temp\46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\46adca4a892dc48862ba393d45d27745_JaffaCakes118.exe"
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID 3340 | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | "C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Checks whether UAC is enabled
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - System policy modification
PID 3700 | C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3888 | C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 3980 | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 4044 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 664 | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 4152 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 3536 | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 4776 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 652 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
PID 4120 | C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
PID 2124 | C:\Windows\system32\BackgroundTaskHost.exe | "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
PID 4032 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4972 | C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
(number in parentheses is the count of matched signatures)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (5)
Downloads
Filesize: 133KB
MD5: 2051a9e046a3960a56283448f8e0938f
SHA1: 24e09f7dcbff832c61698eab56dec42ba6f173e2
SHA256: 9b938cc81d62e435b3f244faec359e57dec68a6ab7c2661c6b86184902ebb6ec
SHA512: eedd8468941fc7793861d56df6307922e405ea6653397f7a20199d310755ed1bbc914099c020bf7ed65530972d3f33f5a0b0e2563c604af699bfb483b4627788

Filesize: 205KB
MD5: 46adca4a892dc48862ba393d45d27745
SHA1: 2bb1fb8c9f907fdfaea108f5cec438a416c83a6e
SHA256: 2466475118603cf9ac0f193d48a9971783b8911a50238c55894909d2e09cce75
SHA512: 5fe136a3de59093670a838099ddb4e548afc69cfe61ec3c255c3a78088f06cae073de2b1e0fce829855a972a7149cf8a913d583ad001d918ee85f772384cdd85

Filesize: 257B
MD5: 1a542f1b7de83e06c76cfd5e93989023
SHA1: df5f95fd17097903d084cbdd144a173d4b8d201f
SHA256: 96fcd0fd0efb2ced29312b0045aa8587fa4c346a3b4db131b3f5dff3d1670431
SHA512: c5d6109a08d1bc043c4eb9af1e4b6cd0d182ada8e2af91aa61cc55f24ada253619fd455d98ea10df6f4fbb11a4f1846fad563bacc60c482aec0ed59617a0d430

Filesize: 97KB
MD5: 5ac550f1ec815a3a48042653cfc2b037
SHA1: 93f96c0f426b044adb1881de148904b2b6e2c1c9
SHA256: 625afa2aaf6244c8a28669c5056df014b1807f2b83298dcba14196ad75a8f515
SHA512: 0b5c0513292fc231181f51bcd15f42514270b1b42c1398161217010857ea49e6b8bf4242bf9ba9697f8a316087432211c507bd60c29c927daf739062a06a5fd9