Analysis

max time kernel: 122s
max time network: 120s
platform: windows7_x64
resource: win7-20240705-en
resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted: 15-07-2024 08:30

Static task: static1
Behavioral task: behavioral1
  Sample: 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
  Resource: win7-20240705-en
General

Target: 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Size: 744KB
MD5: 4900842bba4e74fb20c432aeb289acee
SHA1: c0faed52a4dbf94583959d552a7c0a65900a5468
SHA256: 9d9a649a9bd1ab1a03920628aa9a3d0c0811766ad6d0c3e8f406370eb918c0c0
SHA512: 70e6b9167572547ce552c49e00e851417783907da245aee38c421f811fe55b2c890bbeb147512e8d8bba44db87b1c3ea645d70a6a0309aabb69cc8233559daf6
SSDEEP: 12288:Yz+hvz7spbME8rgLGUbx3YgYU+1ImJ9j5rZeeMMlxE+ge8rWjr3NnGii6YT37lHm:i+hvXwME8rbUbF9t+1dQMcWns6YflH5Q
Malware Config

Extracted family: sality
Extracted URLs:
  http://89.119.67.154/testo5/
  http://kukutrustnet777.info/home.gif
  http://kukutrustnet888.info/home.gif
  http://kukutrustnet987.info/home.gif
  http://www.klkjwre9fqwieluoi.info/
  http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Executes dropped EXE (1 IoCs)
pid | Process
2312 | rnsetup0.exe

Loads dropped DLL (11 IoCs)
pid | Process
3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
2848 | WerFault.exe
2848 | WerFault.exe
2848 | WerFault.exe
2848 | WerFault.exe
2848 | WerFault.exe
2848 | WerFault.exe
2848 | WerFault.exe
Yara rule match: upx
resource | yara_rule
behavioral1/memory/3040-11-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-9-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-7-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-12-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-10-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-8-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-41-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-40-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-42-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-45-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-46-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-48-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-74-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-73-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-77-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-93-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-124-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-125-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-127-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-131-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
behavioral1/memory/3040-160-0x0000000001E10000-0x0000000002E9E000-memory.dmp | upx
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\H: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\K: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\M: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\U: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\T: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\X: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\Y: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\Z: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\E: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\N: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\Q: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\S: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\O: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\P: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\R: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\V: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\G: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\I: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\J: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\L: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened (read-only) | \??\W: | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe

Drops file in Program Files directory (5 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe

Drops file in Windows directory (1 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2848 | 2312 | WerFault.exe | 30
Suspicious behavior: EnumeratesProcesses (12 IoCs)
pid | Process
3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2848 | WerFault.exe
Suspicious use of AdjustPrivilegeToken (25 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Token: SeDebugPrivilege | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 3040 wrote to memory of 1112 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 19
PID 3040 wrote to memory of 1172 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 20
PID 3040 wrote to memory of 1260 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 21
PID 3040 wrote to memory of 820 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 25
PID 3040 wrote to memory of 2312 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 30
PID 3040 wrote to memory of 2312 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 30
PID 3040 wrote to memory of 2312 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 30
PID 3040 wrote to memory of 2312 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 30
PID 3040 wrote to memory of 2312 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 30
PID 3040 wrote to memory of 2312 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 30
PID 3040 wrote to memory of 2312 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 30
PID 2312 wrote to memory of 2848 | 2312 | rnsetup0.exe | 32
PID 2312 wrote to memory of 2848 | 2312 | rnsetup0.exe | 32
PID 2312 wrote to memory of 2848 | 2312 | rnsetup0.exe | 32
PID 2312 wrote to memory of 2848 | 2312 | rnsetup0.exe | 32
PID 3040 wrote to memory of 1112 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 19
PID 3040 wrote to memory of 1172 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 20
PID 3040 wrote to memory of 1260 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 21
PID 3040 wrote to memory of 820 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 25
PID 3040 wrote to memory of 2312 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 30
PID 3040 wrote to memory of 2312 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 30
PID 3040 wrote to memory of 1624 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 31
PID 3040 wrote to memory of 2848 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 32
PID 3040 wrote to memory of 2848 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 32
PID 3040 wrote to memory of 1112 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 19
PID 3040 wrote to memory of 1172 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 20
PID 3040 wrote to memory of 1260 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 21
PID 3040 wrote to memory of 820 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 25
PID 3040 wrote to memory of 1112 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 19
PID 3040 wrote to memory of 1172 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 20
PID 3040 wrote to memory of 1260 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 21
PID 3040 wrote to memory of 820 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 25
PID 3040 wrote to memory of 1112 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 19
PID 3040 wrote to memory of 1172 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 20
PID 3040 wrote to memory of 1260 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 21
PID 3040 wrote to memory of 820 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 25
PID 3040 wrote to memory of 1112 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 19
PID 3040 wrote to memory of 1172 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 20
PID 3040 wrote to memory of 1260 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 21
PID 3040 wrote to memory of 820 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 25
PID 3040 wrote to memory of 1112 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 19
PID 3040 wrote to memory of 1172 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 20
PID 3040 wrote to memory of 1260 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 21
PID 3040 wrote to memory of 820 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 25
PID 3040 wrote to memory of 1112 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 19
PID 3040 wrote to memory of 1172 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 20
PID 3040 wrote to memory of 1260 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 21
PID 3040 wrote to memory of 820 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 25
PID 3040 wrote to memory of 1112 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 19
PID 3040 wrote to memory of 1172 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 20
PID 3040 wrote to memory of 1260 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 21
PID 3040 wrote to memory of 820 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 25
PID 3040 wrote to memory of 1112 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 19
PID 3040 wrote to memory of 1172 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 20
PID 3040 wrote to memory of 1260 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 21
PID 3040 wrote to memory of 820 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 25
PID 3040 wrote to memory of 1112 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 19
PID 3040 wrote to memory of 1172 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 20
PID 3040 wrote to memory of 1260 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 21
PID 3040 wrote to memory of 820 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 25
PID 3040 wrote to memory of 1112 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 19
PID 3040 wrote to memory of 1172 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 20
PID 3040 wrote to memory of 1260 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 21
PID 3040 wrote to memory of 820 | 3040 | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe | 25
System policy modification (1 TTPs, 1 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe
Processes

C:\Windows\system32\taskhost.exe  ("taskhost.exe")  PID:1112

C:\Windows\system32\Dwm.exe  ("C:\Windows\system32\Dwm.exe")  PID:1172

C:\Windows\Explorer.EXE  (C:\Windows\Explorer.EXE)  PID:1260
  C:\Users\Admin\AppData\Local\Temp\4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe  ("C:\Users\Admin\AppData\Local\Temp\4900842bba4e74fb20c432aeb289acee_JaffaCakes118.exe")  PID:3040
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Users\Admin\AppData\Local\Temp\rnsetup0.exe  ("C:\Users\Admin\AppData\Local\Temp\rnsetup0.exe")  PID:2312
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe  (C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 1020)  PID:2848
        - Loads dropped DLL
        - Program crash
        - Suspicious behavior: GetForegroundWindowSpam

C:\Windows\system32\DllHost.exe  (C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683})  PID:820

C:\Windows\system32\DllHost.exe  (C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF})  PID:1624
Network

MITRE ATT&CK Enterprise v15

Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)

Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 70KB
MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1: 1723be06719828dda65ad804298d0431f6aff976
SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize: 181KB
MD5: 4ea6026cf93ec6338144661bf1202cd1
SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize: 100KB
MD5: a1144c99f9eaa7e388f0690463d53e06
SHA1: c153eb266f49e8567e5e135cc259a2276ac9a5c6
SHA256: 3145857202cf52cbe8c89d8bd32e61da3dd791ec51c5b18b59772992f0277905
SHA512: dda9304222358883a050aacd1ed84ae346affe415489a0932c3702b75379938fa171de2ef434e9e7087e929eaa75b5dad44fc811819420c6e56ecf45c3c55426

Filesize: 568KB
MD5: a7cf259561f5dcc717e4b028f99cbfb8
SHA1: 38f6948f53f2d08e80912f4ff3c313a61a59a2bf
SHA256: f6b2dab01ad619fd3bb79bf559233685ee2fdb2041d74e7803378a2306bc99c1
SHA512: 71530900ee55a429f135d361855e72a7e1cae2d47262c4b7258e13f3602ff5ef5ece76f0c7fc116bc212d14afe1df342c9ff6227802b5c28d4846cdb28815e75