Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
126s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
11/08/2024, 23:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe
Resource
win7-20240708-en
windows7-x64
17 signatures
150 seconds
General
-
Target
8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe
-
Size
100KB
-
MD5
8c5aba2468c0407e10d685178b8a9955
-
SHA1
a62dc986113da484bc29ff3d706438d1d84c8783
-
SHA256
45a388fcd3232331aa629fd23a5657162336a79b3a9c5c0af345b9a95d56c826
-
SHA512
664d9592b6d6537518121777366e3d411edbfe719c4999ea9bbfed3cc780f9b0395da388e4289e94efa2523a0fb9ff30979460ad4d24882e7496a2e5d331e4c0
-
SSDEEP
3072:p8rYUCvj0RDw7R34Q3tyIMgQrjC7RBOaZN59:MYWK5OP0Gabj
Malware Config
Extracted
Family
sality
C2
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
-
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe -
resource yara_rule behavioral1/memory/2808-4-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-8-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-25-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-7-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-9-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-6-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-5-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-3-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-10-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-28-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-29-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-30-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-32-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-31-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-34-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-35-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-37-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-38-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-41-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-59-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-61-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-63-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-65-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-66-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx behavioral1/memory/2808-68-0x0000000001D60000-0x0000000002DEE000-memory.dmp upx -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe -
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\P: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\Q: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\V: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\X: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\Y: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\R: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\T: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\Z: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\H: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\I: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\K: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\L: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\N: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\E: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\G: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\M: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\J: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\O: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\S: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\U: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened (read-only) \??\W: 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe -
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification C:\autorun.inf 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened for modification F:\autorun.inf 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe -
Drops file in Program Files directory 5 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7z.exe 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zFM.exe 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\7zG.exe 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe File opened for modification C:\PROGRAM FILES\7-ZIP\Uninstall.exe 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe -
Drops file in Windows directory 1 IoCs
description ioc Process File opened for modification C:\Windows\SYSTEM.INI 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
pid Process 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 28 IoCs
description pid Process Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe Token: SeDebugPrivilege 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe -
Suspicious use of WriteProcessMemory 52 IoCs
description pid Process procid_target PID 2808 wrote to memory of 1108 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 19 PID 2808 wrote to memory of 1172 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 20 PID 2808 wrote to memory of 1220 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 21 PID 2808 wrote to memory of 1920 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 25 PID 2808 wrote to memory of 1108 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 19 PID 2808 wrote to memory of 1172 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 20 PID 2808 wrote to memory of 1220 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 21 PID 2808 wrote to memory of 1920 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 25 PID 2808 wrote to memory of 1108 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 19 PID 2808 wrote to memory of 1172 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 20 PID 2808 wrote to memory of 1220 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 21 PID 2808 wrote to memory of 1920 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 25 PID 2808 wrote to memory of 1108 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 19 PID 2808 wrote to memory of 1172 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 20 PID 2808 wrote to memory of 1220 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 21 PID 2808 wrote to memory of 1920 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 25 PID 2808 wrote to memory of 1108 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 19 PID 2808 wrote to memory of 1172 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 20 PID 2808 wrote to memory of 1220 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 21 PID 2808 wrote to memory of 1920 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 25 PID 2808 wrote to memory of 1108 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 19 PID 2808 wrote to memory of 1172 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 20 PID 2808 wrote to memory of 1220 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 21 PID 2808 wrote to memory of 1920 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 25 PID 2808 wrote to memory of 1108 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 19 PID 2808 wrote to memory of 1172 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 20 PID 2808 wrote to memory of 1220 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 21 PID 2808 wrote to memory of 1920 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 25 PID 2808 wrote to memory of 1108 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 19 PID 2808 wrote to memory of 1172 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 20 PID 2808 wrote to memory of 1220 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 21 PID 2808 wrote to memory of 1920 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 25 PID 2808 wrote to memory of 1108 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 19 PID 2808 wrote to memory of 1172 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 20 PID 2808 wrote to memory of 1220 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 21 PID 2808 wrote to memory of 1920 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 25 PID 2808 wrote to memory of 1108 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 19 PID 2808 wrote to memory of 1172 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 20 PID 2808 wrote to memory of 1220 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 21 PID 2808 wrote to memory of 1920 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 25 PID 2808 wrote to memory of 1108 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 19 PID 2808 wrote to memory of 1172 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 20 PID 2808 wrote to memory of 1220 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 21 PID 2808 wrote to memory of 1920 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 25 PID 2808 wrote to memory of 1108 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 19 PID 2808 wrote to memory of 1172 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 20 PID 2808 wrote to memory of 1220 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 21 PID 2808 wrote to memory of 1920 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 25 PID 2808 wrote to memory of 1108 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 19 PID 2808 wrote to memory of 1172 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 20 PID 2808 wrote to memory of 1220 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 21 PID 2808 wrote to memory of 1920 2808 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe 25 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵PID:1108
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵PID:1172
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:1220
-
C:\Users\Admin\AppData\Local\Temp\8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\8c5aba2468c0407e10d685178b8a9955_JaffaCakes118.exe"2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2808
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:1920
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
1Windows Service
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
4Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
5Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
100KB
MD51b61a91ca23731fa9d990c5fd26bcb51
SHA19edc1069ccabc8e47335c0b051f19d902be989e8
SHA2568df49a6509cfb3341ca5db4c4135f0252e64afbdce1e8ed5cab4165040fb533f
SHA512fc7a4213fcec19e4f0bb849e11c9ac135dad458a80069f07ba474e1e9f3a2a07d7f43e1d17eb5d6e931c6d22a537d71b011701cf0c79f09b5fef40fffb6e7838