Analysis
max time kernel: 20s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-07-2024 11:14

Behavioral task: behavioral1
Sample: 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Resource: win10v2004-20240709-en

General
Target: 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Size: 777KB
MD5: 571fd53c9573642e3397c1bc7913be59
SHA1: 09e4a0d7d252a82ab449873ef14e64abd9c3e5c4
SHA256: 143cf25d7afbe29915bb43fd9cdfe4ffe90054ad29ecd646a8770b612ea30ade
SHA512: 9c2f181d6ad80ad1c9b7337ea23c20b1ab21eeef618ed32919590fe989cb47d5b0fac4507489f8e950236534f70aea71ad9074768e536213306f5245930f895e
SSDEEP: 24576:WqeOs7C840n9lpG1Rtb938KZtf/1ZkHhWv:WqeOhL0nDEXxt9

Malware Config
Extracted
Family: sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/

Signatures

Ammyy Admin
Remote admin tool with various capabilities.

AmmyyAdmin payload 5 IoCs
resource | yara_rule
behavioral2/memory/1492-0-0x0000000000400000-0x00000000004C8000-memory.dmp | family_ammyyadmin
behavioral2/memory/1772-33-0x0000000000400000-0x00000000004C8000-memory.dmp | family_ammyyadmin
behavioral2/memory/1844-36-0x0000000000400000-0x00000000004C8000-memory.dmp | family_ammyyadmin
behavioral2/memory/1492-34-0x0000000000400000-0x00000000004C8000-memory.dmp | family_ammyyadmin
behavioral2/memory/1844-15-0x0000000000400000-0x00000000004C8000-memory.dmp | family_ammyyadmin

FlawedAmmyy RAT
Remote-access trojan based on leaked code for the Ammyy remote admin software.

Modifies firewall policy service 3 TTPs 9 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe

Windows security modification
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UpdatesDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\UacDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\AntiVirusDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc\FirewallDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 4 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
File opened (read-only) | \??\G: | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
File opened (read-only) | \??\H: | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
File opened (read-only) | \??\I: | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe

Modifies data under HKEY_USERS 25 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Ammyy\Admin | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\1364026700 = "35" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-101443598 = "0400687474703A2F2F3138342E3137332E3233382E3134302F6C6F676F2E67696600687474703A2F2F35302E32332E3234362E3138312F6C6F676F2E67696600687474703A2F2F3138342E3137332E3233382E3134302F6C6F676F2E67696600687474703A2F2F3231362E31322E3231392E35382F6C6F676F2E676966" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\1313304901 = "1D871A696EEE8AC56F63CE2EBB23BA3471EF18EB1AA3AB551FF3A8B9F9C54AE9431FACFD2B3D2E7A746A1A9876DCFBDD7893F06B7D08BBD7EEB6BC659DA39F212059974A104C0E2FD36C5C5FA138C2A156496BA865106B76FF46E58563580A15F9928C36BA1D4CA04C4CBEC667525967886DE75CC2A91418D983CFE25BC2E3CC" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-1465470298 = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-50721799 = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-1465470298 = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-50721799 = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-1516192097 = "126" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\1313304901 = "1D871A696EEE8AC56F63CE2EBB23BA3471EF18EB1AA3AB551FF3A8B9F9C54AE9431FACFD2B3D2E7A746A1A9876DCFBDD7893F06B7D08BBD7EEB6BC659DA39F212059974A104C0E2FD36C5C5FA138C2A156496BA865106B76FF46E58563580A15F9928C36BA1D4CA04C4CBEC667525967886DE75CC2A91418D983CFE25BC2E3CC" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\1414748499 = "164" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-1516192097 = "126" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\1414748499 = "164" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr = 537d567366087c69585c401452537286d5924b86b26b | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\1364026700 = "35" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425\-101443598 = "0400687474703A2F2F3138342E3137332E3233382E3134302F6C6F676F2E67696600687474703A2F2F35302E32332E3234362E3138312F6C6F676F2E67696600687474703A2F2F3138342E3137332E3233382E3134302F6C6F676F2E67696600687474703A2F2F3231362E31322E3231392E35382F6C6F676F2E676966" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Ammyy | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Aoqcbk\1460008425 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Ammyy\Admin\hr3 = 53ed35e66d40c5156c95a0beba15505981c233471cad43cfd2c50f1243de9f0d6fa431528e994f5a1f0febfe6dee498a196adf6fb57b24c38f7cede3303f2818b0063755 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | Process
1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
1844 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
1844 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe (this identical entry is repeated 64 times in the report)

Suspicious use of FindShellTrayWindow 1 IoCs
pid | Process
1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs
pid | Process
1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 39 IoCs
description | pid | Process | procid_target
PID 1492 wrote to memory of 768 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 8
PID 1492 wrote to memory of 772 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 9
PID 1492 wrote to memory of 64 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 13
PID 1492 wrote to memory of 2668 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 44
PID 1492 wrote to memory of 2688 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 45
PID 1492 wrote to memory of 2776 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 47
PID 1492 wrote to memory of 3528 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 56
PID 1492 wrote to memory of 3660 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 57
PID 1492 wrote to memory of 3852 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 58
PID 1492 wrote to memory of 4024 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 59
PID 1492 wrote to memory of 4088 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 60
PID 1492 wrote to memory of 764 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 61
PID 1492 wrote to memory of 1976 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 62
PID 1492 wrote to memory of 3972 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 64
PID 1492 wrote to memory of 1228 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 76
PID 1492 wrote to memory of 4752 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 81
PID 1492 wrote to memory of 2296 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 82
PID 1492 wrote to memory of 5104 | 1492 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 84
PID 1844 wrote to memory of 1772 | 1844 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 86
PID 1844 wrote to memory of 1772 | 1844 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 86
PID 1844 wrote to memory of 1772 | 1844 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 86
PID 1772 wrote to memory of 768 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 8
PID 1772 wrote to memory of 772 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 9
PID 1772 wrote to memory of 64 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 13
PID 1772 wrote to memory of 2668 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 44
PID 1772 wrote to memory of 2688 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 45
PID 1772 wrote to memory of 2776 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 47
PID 1772 wrote to memory of 3528 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 56
PID 1772 wrote to memory of 3660 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 57
PID 1772 wrote to memory of 3852 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 58
PID 1772 wrote to memory of 4024 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 59
PID 1772 wrote to memory of 4088 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 60
PID 1772 wrote to memory of 764 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 61
PID 1772 wrote to memory of 1976 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 62
PID 1772 wrote to memory of 3972 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 64
PID 1772 wrote to memory of 1228 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 76
PID 1772 wrote to memory of 4752 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 81
PID 1772 wrote to memory of 1572 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 87
PID 1772 wrote to memory of 1472 | 1772 | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | 88

System policy modification 1 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe
Processes
-
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | depth 1 | PID:768
-
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | depth 1 | PID:772
-
C:\Windows\system32\dwm.exe | "dwm.exe" | depth 1 | PID:64
-
C:\Windows\system32\sihost.exe | sihost.exe | depth 1 | PID:2668
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | depth 1 | PID:2688
-
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | depth 1 | PID:2776
-
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | depth 1 | PID:3528
-
C:\Users\Admin\AppData\Local\Temp\571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe" | depth 2
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1492
-
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | depth 1 | PID:3660
-
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | depth 1 | PID:3852
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | depth 1 | PID:4024
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:4088
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | depth 1 | PID:764
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:1976
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:3972
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | depth 1 | PID:1228
-
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | depth 1 | PID:4752
-
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | depth 1 | PID:2296
-
C:\Windows\system32\BackgroundTaskHost.exe | "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider | depth 1 | PID:5104
-
C:\Users\Admin\AppData\Local\Temp\571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe" -service -lunch | depth 1
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1844
-
C:\Users\Admin\AppData\Local\Temp\571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\571fd53c9573642e3397c1bc7913be59_JaffaCakes118.exe" | depth 2
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1772
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:1572
-
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | depth 1 | PID:1472
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Create or Modify System Process 1
  - Windows Service 1
Defense Evasion
- Abuse Elevation Control Mechanism 1
  - Bypass User Account Control 1
- Impair Defenses 4
  - Disable or Modify System Firewall 1
  - Disable or Modify Tools 3
- Modify Registry 5
Downloads
-
Filesize 22B
MD5 44347afe93f02f070c405dae6022c8cc
SHA1 1085378f398c9f52e92dff0a61a19a58c0ffd3d7
SHA256 6431143faa8534c6ad92181b15f0b94099b1a254d0292f86c4a49a169c5db825
SHA512 1a6991854201ba42cc2c93c46a98817d7447e67ee739f46a090e512c573930ca1ca246620e54dced712b991c1ddc7e7fb295f02e864a897841bb3a3d24590426
-
Filesize 68B
MD5 a521b07177e22f0268aa30969d09c718
SHA1 589fe1e5e0c837157dba38ce198dc2b47f2e248e
SHA256 8eecfed05a9d41a3a7ae5748016ce2a4292b4950b128fc9e8c8ac2ce36a6d65b
SHA512 ae9e7573eac13c24eb6f06a3095167be8764da4f53ad3094609bc65d8e3413e8c1c88c366fbb4fee4bec1554d44e048f7d689de7370ddde95e6bf33a6bc2f2c7
-
Filesize 269B
MD5 097a18ed7b31114c7ef39ef06eff02f0
SHA1 276bb5fc8ab72ed3a447dd57be668ace8f75a7c1
SHA256 985b458559939244b777d09d71d6192a13f693b88b046ca904012603a5582812
SHA512 168ef05ddb434dd4003748c7cd6ea9ed5c8280506de4473c3b193fffc314b469e85e2474f919f189c9b7ffb16aa741d75900341a9802dae175ad185e1fea3e96
-
Filesize 257B
MD5 f18b9b22a8be7df2c32ff53adfdb03db
SHA1 335750181ee0cf31dc4d01bc66e36ff23825ee98
SHA256 b6eb15e2d35bf8840d1880bcf658d032d7d6ebc27191d18aede931c93da7bc4f
SHA512 12ed2e35b15211f07ef684fa4e89dbd3935bb0932bf9705ab2977b9b62b61b6ceaf3290915094d69370e1d36e5c02032512de44446f8243808096e4b86eb4083
-
Filesize 100KB
MD5 a19359b995042e5c85dfd1747c4ed339
SHA1 fccce37d37a487b434cbdf18eb8fab05e1b66429
SHA256 a9b80d6ea729dbb6538cfce007617bfe7015d1c82971f56c07f0acae503d525a
SHA512 11e46f1aca7ef33fc8306f17b26181b44ff87cd98835c0dae16f83f7d58cee8fc14908eb687c0cbc006bab751f1c4b441004e92f690a937be74bdd74fad9562f