Analysis

max time kernel: 122s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-07-2024 09:55

Static task: static1
Behavioral task: behavioral1
Sample: 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Resource: win7-20240708-en
General

Target: 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Size: 738KB
MD5: 77c0e09dbf9560e1d6d3f7ed1c95ce6c
SHA1: d578ed64e92f6b7e8504353c9018718e5c29feba
SHA256: a591148247381051970f0cc5f74d71da2dc2bfe84e1d3d24c5fd83947349d954
SHA512: e9d621e92abf3225eb604e666fb67ef1def60c847cf9e0b0d3e1f5080a5c6e5265e9b8d8875d31ee5f0a3b9183a6f7179a159af4d2aa995cf5a13241f5e5be79
SSDEEP: 12288:5BS9eZX9w2/8UcH03a5atfXrDhQkMEkf13pXSpAjRbAbfidNuvW5pYLhRqfs1gY:DSkZ+a8UcHJ5IrDh8E+5pCCjhArbQyLn
Malware Config

Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
UAC bypass 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Windows security bypass 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Loads dropped DLL 5 IoCs
pid | Process
3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
YARA rule match: upx
resource | yara_rule
behavioral2/memory/3168-<N>-0x0000000000A10000-0x0000000001A9E000-memory.dmp, for N = 4, 2, 6, 27, 12, 26, 5, 33, 32, 34, 35, 36, 37, 39, 38, 41, 42, 43, 45, 46, 48, 51, 54, 57, 58, 60, 63, 64, 72, 74, 76, 77, 79, 81, 84, 87, 88 | upx
Windows security modification 7 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Checks whether UAC is enabled 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Q: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\T: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\G: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\N: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\I: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\K: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\R: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\X: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\E: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\H: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\O: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\P: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\S: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\W: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\J: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\M: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\V: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\Y: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\Z: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\L: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened (read-only) | \??\U: | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Suspicious use of SendNotifyMessage 3 IoCs
pid | Process
3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 3168 wrote to memory of 796 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 9
PID 3168 wrote to memory of 804 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 10
PID 3168 wrote to memory of 1020 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 13
PID 3168 wrote to memory of 2640 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 44
PID 3168 wrote to memory of 2676 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 45
PID 3168 wrote to memory of 2848 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 47
PID 3168 wrote to memory of 3580 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 56
PID 3168 wrote to memory of 3712 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 57
PID 3168 wrote to memory of 3912 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 58
PID 3168 wrote to memory of 4008 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 59
PID 3168 wrote to memory of 4076 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 60
PID 3168 wrote to memory of 2820 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 61
PID 3168 wrote to memory of 4196 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 62
PID 3168 wrote to memory of 4900 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 64
PID 3168 wrote to memory of 1612 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 76
PID 3168 wrote to memory of 4468 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 81
PID 3168 wrote to memory of 2336 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 82
PID 3168 wrote to memory of 244 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 85
PID 3168 wrote to memory of 4688 | 3168 | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe | 86
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
Processes
(indentation shows tree depth; the sample is the only process at depth 2)

PID 796    C:\Windows\system32\fontdrvhost.exe
           cmdline: "fontdrvhost.exe"
PID 804    C:\Windows\system32\fontdrvhost.exe
           cmdline: "fontdrvhost.exe"
PID 1020   C:\Windows\system32\dwm.exe
           cmdline: "dwm.exe"
PID 2640   C:\Windows\system32\sihost.exe
           cmdline: sihost.exe
PID 2676   C:\Windows\system32\svchost.exe
           cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
PID 2848   C:\Windows\system32\taskhostw.exe
           cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
PID 3580   C:\Windows\Explorer.EXE
           cmdline: C:\Windows\Explorer.EXE
    PID 3168   C:\Users\Admin\AppData\Local\Temp\77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe
               cmdline: "C:\Users\Admin\AppData\Local\Temp\77c0e09dbf9560e1d6d3f7ed1c95ce6c_JaffaCakes118.exe"
               signatures:
               - Modifies firewall policy service
               - UAC bypass
               - Windows security bypass
               - Loads dropped DLL
               - Windows security modification
               - Checks whether UAC is enabled
               - Enumerates connected drives
               - Drops autorun.inf file
               - Drops file in Program Files directory
               - Drops file in Windows directory
               - System Location Discovery: System Language Discovery
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of AdjustPrivilegeToken
               - Suspicious use of FindShellTrayWindow
               - Suspicious use of SendNotifyMessage
               - Suspicious use of WriteProcessMemory
               - System policy modification
PID 3712   C:\Windows\system32\svchost.exe
           cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
PID 3912   C:\Windows\system32\DllHost.exe
           cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
PID 4008   C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
           cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
PID 4076   C:\Windows\System32\RuntimeBroker.exe
           cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 2820   C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
           cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
PID 4196   C:\Windows\System32\RuntimeBroker.exe
           cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4900   C:\Windows\System32\RuntimeBroker.exe
           cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 1612   C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
           cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
PID 4468   C:\Windows\system32\backgroundTaskHost.exe
           cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
PID 2336   C:\Windows\system32\backgroundTaskHost.exe
           cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
PID 244    C:\Windows\System32\RuntimeBroker.exe
           cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4688   C:\Windows\System32\RuntimeBroker.exe
           cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
PID 4956   C:\Windows\system32\BackgroundTransferHost.exe
           cmdline: "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Network
MITRE ATT&CK Enterprise v15

Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads