Analysis
max time kernel: 125s
max time network: 113s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14/08/2024, 17:25
Static task: static1
Behavioral task: behavioral1
  Sample: 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
  Resource: win7-20240708-en
Behavioral task: behavioral2
  Sample: 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
  Resource: win10v2004-20240802-en
General
Target: 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Size: 689KB
MD5: 96faee621b3bd4b492fd7fe7656cab47
SHA1: ae86bcc70b10e6f5486c6582a3a052ce1bb0a26c
SHA256: 3db3bdab9b5bb686e68c2c4697b3c24be21ea3d9584da3c171211aefd5a59751
SHA512: 92a426b7c1477156bfe21dc9d169abe692736b5a648c9dee6c270c7cd7766bf0b96fc2c610785b6296002f175a7a9130b2c007f86b255707c043c5d3a8167b94
SSDEEP: 12288:4aA8GifKcqKCoVxug3YC5fva3I/zLmt6is6jgCLpcres/NSWW24H6t:4aA8GifKc1CoVUufi3I/zCt7jFarfEjQ
Malware Config
Extracted
Family: sality
C2:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service (3 TTPs, 3 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
Executes dropped EXE (3 IoCs)
pid | Process
2192 | svchost.exe
4708 | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
996 | svchost.exe
Loads dropped DLL (6 IoCs)
pid | Process
4708 | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
4708 | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
4708 | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
4708 | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
4708 | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
4708 | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
resource | yara_rule
behavioral2/memory/4708-NN-0x0000000002220000-0x00000000032AE000-memory.dmp | upx
(38 memory dumps matched the upx rule, all covering the same region 0x0000000002220000-0x00000000032AE000 of pid 4708; NN takes the values 16, 14, 17, 18, 20, 23, 27, 24, 28, 19, 54, 60, 156, 157, 158, 160, 161, 163, 164, 167, 169, 170, 172, 175, 178, 180, 181, 183, 186, 188, 190, 197, 199, 200, 201, 203, 205, 207)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process (every row: 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe)
File opened (read-only) | \??\N:
File opened (read-only) | \??\Q:
File opened (read-only) | \??\Y:
File opened (read-only) | \??\G:
File opened (read-only) | \??\J:
File opened (read-only) | \??\L:
File opened (read-only) | \??\E:
File opened (read-only) | \??\V:
File opened (read-only) | \??\T:
File opened (read-only) | \??\U:
File opened (read-only) | \??\X:
File opened (read-only) | \??\Z:
File opened (read-only) | \??\I:
File opened (read-only) | \??\M:
File opened (read-only) | \??\O:
File opened (read-only) | \??\R:
File opened (read-only) | \??\S:
File opened (read-only) | \??\W:
File opened (read-only) | \??\H:
File opened (read-only) | \??\K:
File opened (read-only) | \??\P:
Drops autorun.inf file (1 TTPs, 2 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Drops file in Program Files directory (36 IoCs)
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE | svchost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7zG.exe | svchost.exe
File opened for modification | C:\Program Files\dotnet\dotnet.exe | svchost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | svchost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome.exe | svchost.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe | svchost.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\Uninstall.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe | svchost.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe | svchost.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe | svchost.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe | svchost.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
File opened for modification | C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe | svchost.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe | svchost.exe
File opened for modification | C:\Program Files\7-Zip\7z.exe | svchost.exe
Drops file in Windows directory (2 IoCs)
description | ioc | Process
File created | C:\Windows\svchost.exe | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
File opened for modification | C:\Windows\SYSTEM.INI | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Modifies registry class (64 IoCs)
description | ioc | Process (every row: 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe)
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\VersionIndependentProgID
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\ProxyStubClsid32
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\TypeLib\Version = "1.0"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\UnityWebPlayer.UnityWebPlayer.1
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\ = "_DUnityWebPlayerAXEvents"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\HELPDIR
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\MiscStatus\1
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\0
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\TypeLib\Version = "1.0"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\UnityWebPlayer.UnityWebPlayer\CLSID
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\TypeLib\ = "{75A564FE-95D1-41a9-B1D9-10D1E3CB502B}"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\TypeLib
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\TypeLib
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\TypeLib\Version = "1.0"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\ToolboxBitmap32
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\ = "_DUnityWebPlayerAX"
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\UnityWebPlayer.UnityWebPlayer\CLSID\ = "{444785F1-DE89-4295-863A-D46C3A781394}"
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\AppID = "{F008CD3D-7044-4CD4-BE14-BF3FCCF144F9}"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\MiscStatus
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\ = "UnityWebPlayerAXLib"
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\ = "_DUnityWebPlayerAXEvents"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\UnityWebPlayer.UnityWebPlayer
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader\\UnityWebPluginAX.ocx"
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\MiscStatus\1\ = "131473"
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader\\UnityWebPluginAX.ocx"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\TypeLib
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\UnityWebPlayer.UnityWebPlayer\ = "UnityWebPlayer Control"
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\UnityWebPlayer.UnityWebPlayer.1\CLSID\ = "{444785F1-DE89-4295-863A-D46C3A781394}"
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Version\ = "1.0"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\ProxyStubClsid32
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\AppID\UnityWebPluginAX.ocx
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\VersionIndependentProgID\ = "UnityWebPlayer.UnityWebPlayer"
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\ToolboxBitmap32\ = "C:\\Users\\Admin\\AppData\\LocalLow\\Unity\\WebPlayer\\loader\\UnityWebPluginAX.ocx, 102"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Version
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\FLAGS\ = "0"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\ProxyStubClsid32
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\ = "UnityWebPlayer Control"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\TypeLib
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\ProgID\ = "UnityWebPlayer.UnityWebPlayer.1"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Programmable
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\TypeLib\Version = "1.0"
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\TypeLib\ = "{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}"
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\ = "_DUnityWebPlayerAX"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\UnityWebPlayer.UnityWebPlayer.1\CLSID
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\MiscStatus\ = "0"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\TypeLib\{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}\1.0\FLAGS
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Interface\{D10F4BFD-C3ED-44B7-BD0D-83F05E4D52D5}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\AppID\UnityWebPluginAX.ocx\AppID = "{F008CD3D-7044-4CD4-BE14-BF3FCCF144F9}"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\Control
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\ProxyStubClsid32
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Interface\{6130BEAD-7375-4DB7-8B6D-7E41303CE675}\TypeLib\ = "{75A564FE-95D1-41A9-B1D9-10D1E3CB502B}"
Set value (str) | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\WOW6432Node\CLSID\{444785F1-DE89-4295-863A-D46C3A781394}\InprocServer32\ThreadingModel = "Apartment"
Key created | \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\UnityWebPlayer.UnityWebPlayer\CurVer
Suspicious behavior: EnumeratesProcesses (26 IoCs)
pid | Process
4708 | 96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe (this identical row is listed 26 times)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeDebugPrivilege  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
(this identical entry is listed 64 times in the report, all for PID 4708)
-
Suspicious use of WriteProcessMemory 64 IoCs
description  pid  Process  procid_target
PID 1524 wrote to memory of 2192  1524  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  84
PID 1524 wrote to memory of 2192  1524  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  84
PID 1524 wrote to memory of 2192  1524  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  84
PID 2192 wrote to memory of 4708  2192  svchost.exe  85
PID 2192 wrote to memory of 4708  2192  svchost.exe  85
PID 2192 wrote to memory of 4708  2192  svchost.exe  85
PID 4708 wrote to memory of 748  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  8
PID 4708 wrote to memory of 760  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  9
PID 4708 wrote to memory of 64  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  13
PID 4708 wrote to memory of 2600  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  44
PID 4708 wrote to memory of 2640  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  45
PID 4708 wrote to memory of 2900  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  52
PID 4708 wrote to memory of 3552  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  56
PID 4708 wrote to memory of 3684  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  57
PID 4708 wrote to memory of 3876  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  58
PID 4708 wrote to memory of 4028  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  59
PID 4708 wrote to memory of 4088  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  60
PID 4708 wrote to memory of 2764  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  61
PID 4708 wrote to memory of 4100  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  62
PID 4708 wrote to memory of 4988  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  74
PID 4708 wrote to memory of 848  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  76
PID 4708 wrote to memory of 5000  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  81
PID 4708 wrote to memory of 2864  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  82
PID 4708 wrote to memory of 748  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  8
PID 4708 wrote to memory of 760  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  9
PID 4708 wrote to memory of 64  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  13
PID 4708 wrote to memory of 2600  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  44
PID 4708 wrote to memory of 2640  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  45
PID 4708 wrote to memory of 2900  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  52
PID 4708 wrote to memory of 3552  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  56
PID 4708 wrote to memory of 3684  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  57
PID 4708 wrote to memory of 3876  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  58
PID 4708 wrote to memory of 4028  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  59
PID 4708 wrote to memory of 4088  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  60
PID 4708 wrote to memory of 2764  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  61
PID 4708 wrote to memory of 4100  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  62
PID 4708 wrote to memory of 4988  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  74
PID 4708 wrote to memory of 848  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  76
PID 4708 wrote to memory of 5000  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  81
PID 4708 wrote to memory of 2864  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  82
PID 4708 wrote to memory of 4580  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  88
PID 4708 wrote to memory of 2380  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  89
PID 4708 wrote to memory of 748  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  8
PID 4708 wrote to memory of 760  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  9
PID 4708 wrote to memory of 64  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  13
PID 4708 wrote to memory of 2600  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  44
PID 4708 wrote to memory of 2640  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  45
PID 4708 wrote to memory of 2900  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  52
PID 4708 wrote to memory of 3552  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  56
PID 4708 wrote to memory of 3684  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  57
PID 4708 wrote to memory of 3876  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  58
PID 4708 wrote to memory of 4028  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  59
PID 4708 wrote to memory of 4088  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  60
PID 4708 wrote to memory of 2764  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  61
PID 4708 wrote to memory of 4100  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  62
PID 4708 wrote to memory of 4988  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  74
PID 4708 wrote to memory of 848  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  76
PID 4708 wrote to memory of 5000  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  81
PID 4708 wrote to memory of 4580  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  88
PID 4708 wrote to memory of 2380  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  89
PID 4708 wrote to memory of 748  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  8
PID 4708 wrote to memory of 760  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  9
PID 4708 wrote to memory of 64  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  13
PID 4708 wrote to memory of 2600  4708  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe  44
-
System policy modification 1 TTPs 1 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
Processes
- level 1, PID 748: C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- level 1, PID 760: C:\Windows\system32\fontdrvhost.exe
  command line: "fontdrvhost.exe"
- level 1, PID 64: C:\Windows\system32\dwm.exe
  command line: "dwm.exe"
- level 1, PID 2600: C:\Windows\system32\sihost.exe
  command line: sihost.exe
- level 1, PID 2640: C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- level 1, PID 2900: C:\Windows\system32\taskhostw.exe
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
- level 1, PID 3552: C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  - level 2, PID 1524: C:\Users\Admin\AppData\Local\Temp\96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe"
    signatures:
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - level 3, PID 2192: C:\Windows\svchost.exe
      command line: "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe"
      signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      - level 4, PID 4708: C:\Users\Admin\AppData\Local\Temp\96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\96faee621b3bd4b492fd7fe7656cab47_JaffaCakes118.exe"
        signatures:
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Executes dropped EXE
        - Loads dropped DLL
        - Windows security modification
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - System policy modification
- level 1, PID 3684: C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
- level 1, PID 3876: C:\Windows\system32\DllHost.exe
  command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
- level 1, PID 4028: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- level 1, PID 4088: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- level 1, PID 2764: C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- level 1, PID 4100: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- level 1, PID 4988: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
- level 1, PID 848: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- level 1, PID 5000: C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
- level 1, PID 2864: C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
- level 1, PID 996: C:\Windows\svchost.exe
  command line: C:\Windows\svchost.exe
  signatures:
  - Executes dropped EXE
  - Drops file in Program Files directory
- level 1, PID 4580: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- level 1, PID 2380: C:\Windows\System32\RuntimeBroker.exe
  command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
- level 1, PID 3952: C:\Windows\system32\backgroundTaskHost.exe
  command line: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Network
MITRE ATT&CK Enterprise v15
Persistence
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Component Object Model Hijacking (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Impair Defenses (4)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
-
Filesize: 1.5MB
MD5: d5d0c10c9c7878af2a20846fd6955566
SHA1: 911484ac18f3da32f0efa2880514798176e70696
SHA256: 338be9454bc89fc432f66dea12d6ed0f8396418895c7a4b6456ac17cd09ba403
SHA512: da4e219c2d0c711d96fd74d81146b5477dc82d45118adcdc30948893781debc2447af1d6cf00eceb913e442e8483f4bb065b73c3073a299190a76fcd89628133
-
Filesize: 168KB
MD5: 8848c71c4195d1f5c1c4a0190b2650d5
SHA1: ff722087919ebb2e5da5ff759401062f24f42432
SHA256: fdc509bd26642700e71ff9c0d508e2d5275581f0896b90a2408f6c67730eb702
SHA512: 3ecf9b2d0ed1c0d9b974eaae2404156885f065b97882e8f94cf46eca08092b64afe6c399e8c4c14c3ed171b4d9090d29ebffa506453897aad43f7b3443cdbbfb
-
Filesize: 653KB
MD5: ee4d4710f36f8e9f4609e564fa451eca
SHA1: 65e0197ca7fc31a8414fc12b1469a4f429a94dfb
SHA256: 7f1f5df1bcc6eeb884082d32594fc760dc7e1eec577ae78906eee1eea2801bd4
SHA512: 7bba7c1b8fdf02053dbb99210fbc891f2d9fbd035e3498bf46ef8ea98bc116453bae46ebf034689078b8b45207d165ff7473fd55305286c7efbe887909784105
-
Filesize: 15KB
MD5: 605878b664b6c4ddefd73918fc45a440
SHA1: 68328d6a9ce62a668bbe12878af26c1f1d0e3f82
SHA256: 7b3a3bf008489b61de83b94a63db4556cae5de80701a2e1ebdf9a025b3b631c4
SHA512: c83eea75288272c3fb72aca2486581127dc4875ee80165511c38d32d3cb7e553836249df79358fc5d0ec5d7aef183c888c2df03ea688d163984cdd919255da26
-
Filesize: 11KB
MD5: d0d7d2799802f7cddf8db7a2d8ae1e23
SHA1: ae8d8cfd9f1a7104036a9e8658f50f9c35c7a1c6
SHA256: 828819614dc0dbfb73f22d4c3712e6369230eab92819c5d4efe75870ee109a5a
SHA512: 2b5af0e34720eb2f5b0aa04b589b46fb4b4d344b5c5d23fdd382348b051ac9766ff80f6a2455ef66da78ba880e8ce41b23daf741033de7701ca3f17f1adde408
-
Filesize: 4KB
MD5: 13a689123cebd31c1d1862e05981beca
SHA1: 0430094a1a0f639ba9bf5831c24f1f4330762a6d
SHA256: 386933bdaf4774e88670e21abbebdeddf64b1e87b1681f85ac5b3ec1cac8dcdf
SHA512: 0663148e80f4703000bbfc8ede2bcc7cad19877585a5cc46aa13a7003377d7315d33f01c1d311d38bcf5e3782e4b361510214f09a9f6537b856c5ad9bc41fdae
-
Filesize: 10KB
MD5: 73ee934f37fc4d3dfa890ea5ec30db1d
SHA1: ede6561cb69c3b9c6dc6a05b82cbee9b48e487cd
SHA256: 23be0b6141f07696b5ac41dbf633c5f18592b5c15d39a3eb8b5ffb65c7eb6aac
SHA512: a0ee0b3ad08240ee20b154a5237471c46bcaf7f9753fca3428a48ccb9a31c05054d469dc87b96e5d44a15370ca45ae4d255db5cbc750e49aaa1fae4610c36568
-
Filesize: 1KB
MD5: 0152b4a3ba4745067a6f9a84401df3fc
SHA1: e27f8fc0972e685befb96d46239fd61e3da5941e
SHA256: 79980d00c476a8708c16ebf57b6c458b788a441e066fb954f95d91cdc4faa363
SHA512: 8797db7cf4dec84a2a290d49da18011bf2067ee058f638532101e796b328181d9c172c6fdf7b6788ac04da4acf53e0b7ee4e9a5a1f9830ccc5f9f8edcf09ec2e
-
Filesize: 35KB
MD5: 9e3c13b6556d5636b745d3e466d47467
SHA1: 2ac1c19e268c49bc508f83fe3d20f495deb3e538
SHA256: 20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8
SHA512: 5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b
-
Filesize: 100KB
MD5: 73fb2d5d673a1e63cc4f146a8347da9b
SHA1: 440f9a07eb875f3a042f50f4c85c0fb40d08a200
SHA256: 7008a74d4198320f4059f093592da210d10e29d1964ca531ce1416a6724b1574
SHA512: 1af32cdeb9225f7b417ee7afdb4aa04365e1065cf1b877c3fefd6bcb2ebdc39aae8eda9d7a7c8fd9c8fbae2261c5963f7cd3eef0b62449e1a92126641fae836e