Analysis
max time kernel: 23s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-07-2024 08:37
Behavioral task: behavioral1
Sample: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe
Resource: win7-20240704-en
General
Target: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe
Size: 179KB
MD5: 66db3eb38271283d7ee2e8c8f905ce1f
SHA1: 495984dcedea40926ccb36f9a43efc6ee1fe2794
SHA256: bbad8fd7c0a54f402994ecd8f7a25426bd17df03f984b77f50fbec87e53747c9
SHA512: 6da9799f0691d6569b16201c004e21f04251a0b238f72bd1905849bb51d4d4862d9bd302679de06b9002a6044c5c03083951c5233e1faa186c74581f905d1bd8
SSDEEP: 3072:sr85C+i1oJLdV1fP9q+jUeux0pw2irbXBOh+FewMDKkJo5:k9+iiZB30+AiWqeX
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
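The six URLs above are the only network indicators the report extracts. The Python below is an added example, not part of the sandbox report: it turns the extracted URLs into host-level indicators (the path `/testo5/` or `/home.gif` is the part an operator changes most easily, so the match is on the host) and sweeps them over a few squid-style proxy log lines. The log lines, the client addresses in them, and the rule that folds a leading `www.` onto the apex name are assumptions made for this example.

```python
"""Host-level matching of the Sality C2 URLs from the report against proxy logs.

Added example; not part of the sandbox report. SALITY_URLS is copied from the
Malware Config section, PROXY_LOG is constructed for this example.
"""
import ipaddress
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# Copied from the report's "Malware Config / Extracted / sality" section.
SALITY_URLS = [
    "http://89.119.67.154/testo5/",
    "http://kukutrustnet777.info/home.gif",
    "http://kukutrustnet888.info/home.gif",
    "http://kukutrustnet987.info/home.gif",
    "http://www.klkjwre9fqwieluoi.info/",
    "http://kukutrustnet777888.info/",
]

# Constructed squid-style access log lines: time client status bytes method url.
PROXY_LOG = [
    "1721723000.123 10.0.0.5 TCP_MISS/200 512 GET http://kukutrustnet777.info/home.gif",
    "1721723001.456 10.0.0.5 TCP_MISS/404 300 GET http://89.119.67.154/testo5/",
    "1721723002.789 10.0.0.9 TCP_MISS/200 2048 GET http://www.example.org/index.html",
    "1721723003.000 10.0.0.7 TCP_MISS/200 99 GET http://KLKJWRE9FQWIELUOI.INFO/",
    "1721723004.000 10.0.0.7 TCP_MISS/200 99 GET http://cdn.kukutrustnet987.info/x",
    "1721723005.000 10.0.0.9 TCP_MISS/200 99 GET http://kukutrustnet777.info.example.net/",
]


def c2_hosts(urls: List[str]) -> Tuple[Set[str], Set[str]]:
    """Split the config URLs into (domains, ip_literals).

    Hostnames are lower-cased and a leading "www." is folded onto the apex name
    (assumption: the operator may use either form). The match is on the host,
    never on the path, which the malware can change without touching the host.
    """
    domains: Set[str] = set()
    ips: Set[str] = set()
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        try:
            ips.add(str(ipaddress.ip_address(host)))
        except ValueError:
            domains.add(host[4:] if host.startswith("www.") else host)
    return domains, ips


def host_matches(host: str, domains: Set[str], ips: Set[str]) -> bool:
    """True for an exact IP match, or for the domain itself or any subdomain of it."""
    host = host.lower()
    if host in ips:
        return True
    # ".": "kukutrustnet777.info.example.net" must not match "kukutrustnet777.info"
    return any(host == d or host.endswith("." + d) for d in domains)


def match_proxy(lines: List[str], urls: List[str] = SALITY_URLS) -> List[Tuple[str, str]]:
    """Return (client, host) for every log line whose URL host is a C2 host."""
    domains, ips = c2_hosts(urls)
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 6:  # malformed line: skip it rather than abort the sweep
            continue
        host = urlsplit(fields[5]).hostname or ""
        if host_matches(host, domains, ips):
            hits.append((fields[1], host.lower()))
    return hits


if __name__ == "__main__":
    for client, host in match_proxy(PROXY_LOG):
        print(f"{client} contacted Sality C2 host {host}")
```

Running the block prints one line per hit; the look-alike host `kukutrustnet777.info.example.net` is not reported because the suffix test requires the dot boundary.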
Signatures
-
Detect Neshta payload  3 IoCs
yara rule family_neshta matched:
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
  behavioral2/memory/872-148-0x0000000000400000-0x000000000041B000-memory.dmp
  behavioral2/memory/872-166-0x0000000000400000-0x000000000041B000-memory.dmp
-
Modifies firewall policy service  3 TTPs  6 IoCs
Process: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe (two instances); six writes:
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"  (x2)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  (x2)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"  (x2)
-
Neshta
Neshta is a file infector: it writes a copy of itself into other executable files, so every infected program spreads it further, and the host's applications are damaged in the process.
-
UAC bypass  2 IoCs
Process: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe (two instances)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (x2)
-
Windows security bypass  12 IoCs
Process: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe (two instances)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  (x2)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (x2)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (x2)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  (x2)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  (x2)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  (x2)
-
Checks computer location settings  2 TTPs  1 IoCs
Looks up the country code configured in the registry, likely a geofence check.
Process: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation
-
Executes dropped EXE  1 IoCs
  PID 3068  66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe
-
Modifies system executable filetype association  2 TTPs  1 IoCs
Process: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
The stock data for this (Default) value is "%1" %*. With the modified value, every .exe launched through the shell is first handed to C:\Windows\svchost.com (the file dropped in the Windows directory, listed below), which then starts the requested program with its original arguments, so the infector is re-executed on every program launch. When cleaning a host, restore this value and remove svchost.com together: deleting the file while the association still points at it breaks the launch of every .exe.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Memory regions matching yara rule upx  39 IoCs
  behavioral2/memory/3068-N-0x00000000022F0000-0x000000000337E000-memory.dmp  for N in 10, 12, 13, 14, 15, 21, 22, 23, 26, 27, 30, 31, 108, 118, 119, 121, 129  (17 dumps of the same region in PID 3068)
  behavioral2/memory/872-N-0x0000000003C70000-0x0000000004CFE000-memory.dmp  for N in 141, 143, 144, 145, 146, 147, 149, 150, 151, 152, 153, 154, 155, 156, 157, 159, 160, 161, 162, 164, 211, 229  (22 dumps of the same region in PID 872)
-
Security Center registry modification  14 IoCs
Process: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe (two instances)
  Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc  (x2)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"  (x2)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"  (x2)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"  (x2)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (x2)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"  (x2)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (x2)
-
Disables UAC (EnableLUA = 0)  2 IoCs
Process: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe (two instances)
  Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  (x2)
-
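The firewall-policy, EnableLUA, Security Center and exefile IoCs above are all plain registry writes, so they can be matched from any registry-write telemetry. The Python below is an added example, not part of the report: it parses lines in the report's own `Set value (type) <path> = "<data>" <process>` shape (the first five input lines are copied from the report's IoCs, the two benign ones are constructed), normalises `\REGISTRY\MACHINE`, `WOW6432Node` and `ControlSetNNN` so a single rule matches whichever registry view the sensor logs, and flags only values whose data is actually harmful. The rule wording is the example's own.

```python
r"""Flag the defence-evasion registry writes this report lists, from registry-write telemetry.

Added example; not part of the sandbox report. Input lines use the report's own
'Set value (<type>) <path> = "<data>" <process>' shape; the first five SAMPLE_EVENTS
are copied from the report's IoCs, the last two are constructed benign controls.
"""
import re
from typing import List, Optional, Tuple

SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe',
    # constructed controls: the stock exefile handler being (re)written, and UAC being turned on
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "\"%1\" %*" setup.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" gpupdate.exe',
]

EVENT_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\.+?) = "(?P<data>.*)" (?P<proc>\S+)$')

SECURITY_CENTER_FLAGS = {
    "ANTIVIRUSOVERRIDE", "ANTIVIRUSDISABLENOTIFY", "FIREWALLOVERRIDE",
    "FIREWALLDISABLENOTIFY", "UPDATESDISABLENOTIFY", "UACDISABLENOTIFY",
}
DEFAULT_EXEFILE_COMMAND = '"%1" %*'  # stock data of HKLM\SOFTWARE\Classes\exefile\shell\open\command


def normalize(path: str) -> Tuple[str, str]:
    r"""Split a native registry path into (KEY, value name) in a canonical upper-cased form.

    A trailing backslash means the key's (Default) value. \REGISTRY\MACHINE becomes HKLM,
    \REGISTRY\USER becomes HKU, the WOW6432Node view is folded onto the native view and
    ControlSetNNN onto CurrentControlSet, so one rule matches whichever form the sensor logs.
    """
    if path.endswith("\\"):
        key, name = path[:-1], ""
    else:
        key, _, name = path.rpartition("\\")
    key = key.upper()
    key = key.replace("\\REGISTRY\\MACHINE", "HKLM", 1).replace("\\REGISTRY\\USER", "HKU", 1)
    key = key.replace("\\WOW6432NODE", "")
    key = re.sub(r"\\CONTROLSET\d{3}\\", r"\\CURRENTCONTROLSET\\", key)
    return key, name


def unescape(data: str) -> str:
    r"""Undo the \\ and \" escaping the report applies to string data."""
    return data.replace('\\"', '"').replace("\\\\", "\\")


def classify(key: str, name: str, data: str) -> Optional[str]:
    """Return a finding for a harmful write, None for anything else (including benign defaults)."""
    n = name.upper()
    if key.endswith("\\POLICIES\\SYSTEM") and n == "ENABLELUA" and data == "0":
        return "UAC disabled (EnableLUA = 0)"
    if key.endswith("\\FIREWALLPOLICY\\STANDARDPROFILE"):
        if n == "ENABLEFIREWALL" and data == "0":
            return "Windows Firewall disabled for the standard profile"
        if n == "DISABLENOTIFICATIONS" and data == "1":
            return "Firewall notifications suppressed"
        # DoNotAllowExceptions = 0 is the default (exceptions allowed): not a finding on its own
    if key.endswith("\\MICROSOFT\\SECURITY CENTER") and n in SECURITY_CENTER_FLAGS and data == "1":
        return f"Security Center {name} = 1 (AV/firewall/update/UAC state hidden or overridden)"
    if key.endswith("\\CLASSES\\EXEFILE\\SHELL\\OPEN\\COMMAND") and n == "" and data != DEFAULT_EXEFILE_COMMAND:
        return f"exefile handler hijacked: {data}"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (process, finding) for every harmful write; lines in another shape are skipped."""
    findings = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue
        key, name = normalize(m["path"])
        verdict = classify(key, name, unescape(m["data"]))
        if verdict:
            findings.append((m["proc"], verdict))
    return findings


if __name__ == "__main__":
    for proc, finding in scan(SAMPLE_EVENTS):
        print(f"{proc}: {finding}")
```

Of the seven input lines, four produce findings; `DoNotAllowExceptions = "0"` is deliberately not one of them, because it is the default and only appears in the report as part of the same write burst. The exefile rule compares the unescaped data against the stock handler rather than looking for `svchost.com` by name, so it also catches hijacks that use a different file.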
Enumerates connected drives  3 TTPs  7 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Process: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe (two instances)
  File opened (read-only)  \??\E:  (x2)
  File opened (read-only)  \??\G:
  File opened (read-only)  \??\H:
  File opened (read-only)  \??\I:
  File opened (read-only)  \??\J:
  File opened (read-only)  \??\K:
-
Drops file in Program Files directory  64 IoCs
Process: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe; every entry is File opened for modification:
  C:\PROGRA~2\INTERN~1\iexplore.exe
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~2.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE
  C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE
  C:\PROGRA~2\WINDOW~4\wmpconfig.exe
  C:\PROGRA~2\WI8A19~1\ImagingDevices.exe
  C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE
  C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe
  C:\PROGRA~2\Google\Update\DISABL~1.EXE
  C:\PROGRA~2\INTERN~1\ExtExport.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\IDENTI~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~1.EXE
  C:\PROGRA~2\WINDOW~4\setup_wm.exe
  C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe
  C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MIA062~1.EXE
  C:\PROGRA~2\WINDOW~4\wmplayer.exe
  C:\PROGRA~3\PACKAG~1\{EF5AF~1\WINDOW~1.EXE
  C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~1.EXE
  C:\PROGRA~2\MICROS~1\EDGEUP~1\13147~1.37\MICROS~4.EXE
  C:\PROGRA~2\Google\Update\1336~1.371\GOF5E2~1.EXE
  C:\PROGRA~3\PACKAG~1\{D87AE~1\WINDOW~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe
  C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\msedge.exe
  C:\PROGRA~2\MOZILL~1\UNINST~1.EXE
  C:\PROGRA~2\WINDOW~4\wmprph.exe
  C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE
  C:\PROGRA~2\Google\Update\1336~1.371\GOOGLE~3.EXE
  C:\PROGRA~2\Google\Update\1336~1.371\GO664E~1.EXE
  C:\PROGRA~2\WINDOW~4\wmlaunch.exe
  C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE
  C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\ADOBEA~1.EXE
  C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe
  C:\PROGRA~2\Google\Update\1336~1.371\GOBD5D~1.EXE
  C:\PROGRA~2\INTERN~1\ieinstal.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe
  C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE
  C:\PROGRA~2\WINDOW~4\wmpshare.exe
  C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe
  C:\PROGRA~2\INTERN~1\ielowutil.exe
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\BHO\IE_TO_~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\COOKIE~1.EXE
  C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe
  C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE
  C:\PROGRA~2\WINDOW~2\wab.exe
  C:\PROGRA~2\WINDOW~2\wabmig.exe
  C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe
-
Drops file in Windows directory  2 IoCs
Process: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe (two instances)
  File opened for modification  C:\Windows\SYSTEM.INI
  File opened for modification  C:\Windows\svchost.com
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class  1 IoCs
Process: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"
-
Suspicious behavior: EnumeratesProcesses  6 IoCs
Process: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe (two instances)
  PID 3068  (x2)
  PID 872  (x4)
-
Suspicious use of AdjustPrivilegeToken  64 IoCs
Process: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe
  Token: SeDebugPrivilege  PID 3068  (64 identical entries)
SeDebugPrivilege is what lets the process open processes it does not own for the memory writes listed under WriteProcessMemory below; a non-debugger enabling it repeatedly is worth alerting on in its own right.
-
Suspicious use of WriteProcessMemory  61 IoCs
Processes: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe, two instances: PID 872 (the submitted file) and PID 3068 (the dropped copy it launched). The 61 writes are grouped below by writer, with the number of writes to each target in brackets.
PID 872 wrote to memory of:
  3068  66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe  (x3)
  772   fontdrvhost.exe  (x2)
  776   fontdrvhost.exe  (x2)
  1012  dwm.exe  (x2)
  3024  sihost.exe  (x2)
  3052  svchost.exe  (x2)
  3160  taskhostw.exe  (x2)
  3468  Explorer.EXE  (x2)
  3632  svchost.exe  (x2)
  3828  DllHost.exe  (x2)
  3920  StartMenuExperienceHost.exe  (x2)
  3984  RuntimeBroker.exe  (x2)
  1952  SearchApp.exe  (x2)
  4232  RuntimeBroker.exe  (x2)
  4384  TextInputHost.exe  (x2)
  3672  RuntimeBroker.exe  (x2)
  2348  backgroundTaskHost.exe  (x2)
  1068  backgroundTaskHost.exe  (x1)
  1816  RuntimeBroker.exe  (x2)
  3604  RuntimeBroker.exe  (x2)
PID 3068 wrote to memory of:
  772   fontdrvhost.exe
  776   fontdrvhost.exe
  1012  dwm.exe
  3024  sihost.exe
  3052  svchost.exe
  3160  taskhostw.exe
  3468  Explorer.EXE
  3632  svchost.exe
  3828  DllHost.exe
  3920  StartMenuExperienceHost.exe
  3984  RuntimeBroker.exe
  1952  SearchApp.exe
  4232  RuntimeBroker.exe
  4384  TextInputHost.exe
  3672  RuntimeBroker.exe
  2348  backgroundTaskHost.exe
  1068  backgroundTaskHost.exe
  872   66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe  (x2)
  3660  BackgroundTaskHost.exe
  1816  RuntimeBroker.exe
-
System policy modification 1 TTPs 2 IoCs
Processes: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe, 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (process: 66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe)
Processes
- C:\Windows\system32\fontdrvhost.exe, command line: "fontdrvhost.exe", depth 1, PID 772
- C:\Windows\system32\fontdrvhost.exe, command line: "fontdrvhost.exe", depth 1, PID 776
- C:\Windows\system32\dwm.exe, command line: "dwm.exe", depth 1, PID 1012
- C:\Windows\system32\sihost.exe, command line: sihost.exe, depth 1, PID 3024
- C:\Windows\system32\svchost.exe, command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc, depth 1, PID 3052
- C:\Windows\system32\taskhostw.exe, command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}, depth 1, PID 3160
- C:\Windows\Explorer.EXE, command line: C:\Windows\Explorer.EXE, depth 1, PID 3468
  - C:\Users\Admin\AppData\Local\Temp\66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe, command line: "C:\Users\Admin\AppData\Local\Temp\66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe", depth 2, PID 872
    Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Checks computer location settings; Modifies system executable filetype association; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory; System policy modification
    - C:\Users\Admin\AppData\Local\Temp\3582-490\66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe, command line: "C:\Users\Admin\AppData\Local\Temp\3582-490\66db3eb38271283d7ee2e8c8f905ce1f_JaffaCakes118.exe", depth 3, PID 3068
      Signatures: Modifies firewall policy service; UAC bypass; Windows security bypass; Executes dropped EXE; Windows security modification; Checks whether UAC is enabled; Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory; System policy modification
- C:\Windows\system32\svchost.exe, command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc, depth 1, PID 3632
- C:\Windows\system32\DllHost.exe, command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}, depth 1, PID 3828
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe, command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca, depth 1, PID 3920
- C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding, depth 1, PID 3984
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe, command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca, depth 1, PID 1952
- C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding, depth 1, PID 4232
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe, command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca, depth 1, PID 4384
- C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding, depth 1, PID 3672
- C:\Windows\system32\backgroundTaskHost.exe, command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca, depth 1, PID 2348
- C:\Windows\system32\backgroundTaskHost.exe, command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca, depth 1, PID 1068
- C:\Windows\system32\BackgroundTaskHost.exe, command line: "C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider, depth 1, PID 3660
- C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding, depth 1, PID 1816
- C:\Windows\System32\RuntimeBroker.exe, command line: C:\Windows\System32\RuntimeBroker.exe -Embedding, depth 1, PID 3604
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Change Default File Association (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
- Event Triggered Execution (1): Change Default File Association (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (6)
Downloads