Analysis
max time kernel
124s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags
arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted
27/07/2024, 09:55
Static task
static1
Behavioral task
behavioral1
Sample
77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Resource
win7-20240708-en
General
Target
77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Size
738KB
MD5
77c0e09dbf9560e1d6d3f7ed1c95ce6c
SHA1
d578ed64e92f6b7e8504353c9018718e5c29feba
SHA256
a591148247381051970f0cc5f74d71da2dc2bfe84e1d3d24c5fd83947349d954
SHA512
e9d621e92abf3225eb604e666fb67ef1def60c847cf9e0b0d3e1f5080a5c6e5265e9b8d8875d31ee5f0a3b9183a6f7179a159af4d2aa995cf5a13241f5e5be79
SSDEEP
12288:5BS9eZX9w2/8UcH03a5atfXrDhQkMEkf13pXSpAjRbAbfidNuvW5pYLhRqfs1gY:DSkZ+a8UcHJ5IrDh8E+5pCCjhArbQyLn
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Loads dropped DLL 3 IoCs
pid | Process
2668 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe (this row is listed 3 times in the report)
Memory regions matching the upx yara rule
resource | yara_rule
behavioral1/memory/2668-N-0x00000000007E0000-0x000000000186E000-memory.dmp | upx
(one entry per memory snapshot N, for N = 4 to 11, 13, 36 to 40, 42 to 44, 46, 49, 51, 52, 67, 68, 71, 74, 75, 76, 83, 98; all 29 entries cover the same 0x00000000007E0000-0x000000000186E000 region of PID 2668)
Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Enumerates connected drives 3 TTPs 20 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\X:, \??\Y:, \??\Z: (one entry per drive letter, 20 in total) | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Drops file in Program Files directory 5 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid | Process
2668 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe (this row is listed 13 times in the report)
Suspicious use of AdjustPrivilegeToken 28 IoCs
description | pid | Process
Token: SeDebugPrivilege | 2668 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe (this row is listed 28 times in the report)
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
2668 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe (this row is listed 3 times in the report)
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
2668 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe (this row is listed 3 times in the report)
Suspicious use of WriteProcessMemory 52 IoCs
description | pid | Process | procid_target
PID 2668 wrote to memory of 1104 | 2668 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 19
PID 2668 wrote to memory of 1168 | 2668 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 20
PID 2668 wrote to memory of 1232 | 2668 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 21
PID 2668 wrote to memory of 864 | 2668 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 23
(the report repeats these four rows in rotation, 52 entries in total)
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Processes
C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1104
C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1168
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1232
    C:\Users\Admin\AppData\Local\Temp\77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe" | PID:2668
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Loads dropped DLL
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - System policy modification
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:864
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
    Abuse Elevation Control Mechanism 1
        Bypass User Account Control 1
    Create or Modify System Process 1
        Windows Service 1
Defense Evasion
    Abuse Elevation Control Mechanism 1
        Bypass User Account Control 1
    Impair Defenses 4
        Disable or Modify System Firewall 1
        Disable or Modify Tools 3
    Modify Registry 5
Downloads
Filesize 100KB
MD5 a4738300abbc2e3176385b9d8ee4424d
SHA1 488ab0302168570a902c5e44bc18e9bf6a8152ef
SHA256 11f82a413554ce558daa864a4d36affd862f1fffcb9b8436e7755024e9d3a5e7
SHA512 c6280124f8bfbade8be0024224db344ebf6845d3cedf31de5aeaa3f188833ef6b2ccdfdfc328524c32e1f3a495a6c209df8315d7aee79d7cda941c91901222a2

Filesize 92KB
MD5 63ad88df5036ac12e85f630112977800
SHA1 6ba524432828ee3e75f8d5a98f72c5e63f87fd8c
SHA256 988ef5f461d9aa63d4151f8a1624a850b82c5340d862f1cc26e3fc4c70ea6396
SHA512 bbc87476989f50991f48d6a9ef125ee4f858bbaad5bdfc3e9c2649657ae4d5a40a782a52832e582cb27ecbfb0e7333af1fbe99d248643dfd3baea9102899a0a9

Filesize 92KB
MD5 a39eb399c8fb6117ef4911a5d549b4af
SHA1 e00d7891a90a7059eea775eea517a7fb57a5b529
SHA256 541ab7ef638a46f48071e7f73f06494aadd3805760074b09fdffbdc2c56d6a4f
SHA512 d5de5891ea9dae2f43ceff1d4f0218726a1493dad51281f773eb2c6cc88d1bfbceb0b41f1bd3816b9ebe28804b50aee5c3547ec7faf1940a71f96299a9943a51

Filesize 92KB
MD5 2d09f02fdb72c558d31814f73fa90aad
SHA1 04ccc47884bd2ea7afae868d3118c80b1fb68b06
SHA256 694d760d3aac4eaeb7c9793d7c25e44ca65f846e25518f8bad24d22eafb55d8d
SHA512 85dabd0119e4d7a4cc3993cda6fc1783b19ded12272f171d070e7b3c5e206c83ef2e3849f2a231c00c78921dd5c3615eb9488782b43eb56e9cb18e862ed294bb