Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 33s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/08/2024, 17:57

Static task: static1
Behavioral task: behavioral1
Sample: a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Resource: win7-20240708-en

General
Target: a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Size: 160KB
MD5: a7a4c1133f7187188998358c0605b6e9
SHA1: 05ff07e6c973d9ec58878f75214ee8524a368536
SHA256: 5cf52b1715e4dcaa4c318b81782c4aecea23194bef94ffd52fa5b2cfc3856de2
SHA512: b15fc5a21f1aaff689369d1f596136531badb38561e11da35dbaf96dabd07a64eabd40aa49388df52b430782a777d4d0127ac45d80cd53a987a05d627b605066
SSDEEP: 3072:WGCdrsmpcReL9T7b4w152d2kylpqw5K6I79kjt:WblsmxLuw1Ad2pgw5Kf9kp
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures

Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | coayov.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | coayov.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | coayov.exe

Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | coayov.exe

UAC bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | coayov.exe

Windows security bypass
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | coayov.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | coayov.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | coayov.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | coayov.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | coayov.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | coayov.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe

Deletes itself 1 IoCs
pid | Process
2548 | coayov.exe

Executes dropped EXE 1 IoCs
pid | Process
2548 | coayov.exe

UPX packed file 38 IoCs
resource | yara_rule
behavioral2/memory/3012-N-0x0000000002CA0000-0x0000000003D2E000-memory.dmp, for N in 1, 3, 4, 5, 6, 7, 17, 18, 19, 49, 50, 53 | upx
behavioral2/memory/2548-N-0x0000000003220000-0x00000000042AE000-memory.dmp, for N in 69, 70, 71, 72, 73, 76, 79, 80, 81, 82, 83, 84, 85, 86, 88, 89, 90, 94, 95, 96, 99, 100, 104, 105, 107, 109 | upx

Windows security modification
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | coayov.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | coayov.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | coayov.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | coayov.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | coayov.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | coayov.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | coayov.exe

Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coayov = "C:\\Users\\Admin\\coayov.exe" | coayov.exe

Checks whether UAC is enabled
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | coayov.exe
Enumerates connected drives 3 TTPs 8 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | coayov.exe
File opened (read-only) | \??\M: | coayov.exe
File opened (read-only) | \??\E: | coayov.exe
File opened (read-only) | \??\G: | coayov.exe
File opened (read-only) | \??\H: | coayov.exe
File opened (read-only) | \??\I: | coayov.exe
File opened (read-only) | \??\J: | coayov.exe
File opened (read-only) | \??\K: | coayov.exe

Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | coayov.exe
Suspicious behavior: EnumeratesProcesses 40 IoCs
pid | Process
3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe (2 entries)
2548 | coayov.exe (the remaining 38 entries)

Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe (all 64 entries)

Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
2548 | coayov.exe

Suspicious use of WriteProcessMemory 56 IoCs
description | pid | Process | procid_target
PID 3012 wrote to memory of 780 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 8
PID 3012 wrote to memory of 788 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 9
PID 3012 wrote to memory of 336 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 13
PID 3012 wrote to memory of 2656 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 44
PID 3012 wrote to memory of 2672 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 45
PID 3012 wrote to memory of 2928 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 52
PID 3012 wrote to memory of 3312 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 55
PID 3012 wrote to memory of 3568 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 57
PID 3012 wrote to memory of 3740 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 58
PID 3012 wrote to memory of 3840 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 59
PID 3012 wrote to memory of 3900 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 60
PID 3012 wrote to memory of 3984 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 61
PID 3012 wrote to memory of 4100 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 62
PID 3012 wrote to memory of 4668 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 75
PID 3012 wrote to memory of 2428 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 76
PID 3012 wrote to memory of 4380 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 81
PID 3012 wrote to memory of 4088 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 82
PID 3012 wrote to memory of 2548 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 86
PID 3012 wrote to memory of 2548 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 86
PID 3012 wrote to memory of 2548 | 3012 | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe | 86
PID 2548 wrote to memory of 780 | 2548 | coayov.exe | 8
PID 2548 wrote to memory of 788 | 2548 | coayov.exe | 9
PID 2548 wrote to memory of 336 | 2548 | coayov.exe | 13
PID 2548 wrote to memory of 2656 | 2548 | coayov.exe | 44
PID 2548 wrote to memory of 2672 | 2548 | coayov.exe | 45
PID 2548 wrote to memory of 2928 | 2548 | coayov.exe | 52
PID 2548 wrote to memory of 3312 | 2548 | coayov.exe | 55
PID 2548 wrote to memory of 3568 | 2548 | coayov.exe | 57
PID 2548 wrote to memory of 3740 | 2548 | coayov.exe | 58
PID 2548 wrote to memory of 3840 | 2548 | coayov.exe | 59
PID 2548 wrote to memory of 3900 | 2548 | coayov.exe | 60
PID 2548 wrote to memory of 3984 | 2548 | coayov.exe | 61
PID 2548 wrote to memory of 4100 | 2548 | coayov.exe | 62
PID 2548 wrote to memory of 4668 | 2548 | coayov.exe | 75
PID 2548 wrote to memory of 2428 | 2548 | coayov.exe | 76
PID 2548 wrote to memory of 4380 | 2548 | coayov.exe | 81
PID 2548 wrote to memory of 4068 | 2548 | coayov.exe | 85
PID 2548 wrote to memory of 2028 | 2548 | coayov.exe | 87
(each of the 18 coayov.exe rows appears twice in the report, giving 36 entries; with the 20 rows for PID 3012 that makes the 56 IoCs)

System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | coayov.exe
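The registry rows above are the core of this report: both the dropper and coayov.exe turn the firewall off (EnableFirewall, DoNotAllowExceptions), silence Security Center (the *Override and *DisableNotify values under WOW6432Node, i.e. the 32-bit view of the key) and set EnableLUA to 0. The following Python is an added example, not part of the tria.ge report: it parses "Set value" rows in the format printed above and maps them to the report's signature names and to the ATT&CK techniques named in its matrix. The sample rows are copied from the tables above; the rule table, the technique IDs (the report prints only technique names) and all function names are this example's own, and the final check is a heuristic that flags a process only when it hits all three defence-impairment locations.

```python
"""Map tria.ge "Set value" registry IoC rows onto the signature names this report
uses and onto ATT&CK techniques.  Added example, not part of the report: the
sample rows are copied from the report's IoC tables, everything else (rule
table, technique IDs, function names) is this example's own."""
import re
from collections import defaultdict

DROPPER = "a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe"

# Constructed subset of the report's rows, one per line, in the report's own format.
SAMPLE_IOCS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" coayov.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" coayov.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" coayov.exe
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\coayov = "C:\\Users\\Admin\\coayov.exe" coayov.exe
Set value (int) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" coayov.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language coayov.exe
"""

# 'Set value (<type>) <path> = "<value>" <process>'; the path may contain spaces
# ("Security Center"), so it is matched lazily up to the ' = "' separator.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<kind>int|str)\) (?P<path>.+?) = "(?P<value>.*)" (?P<process>\S+)$')

# (signature name as the report prints it, ATT&CK technique, value-name pattern,
#  values that trigger the rule; None means any value).  Technique IDs are the
# ATT&CK v15 IDs for the technique names in the report's matrix (this example's
# addition).  The report raises three signatures on the single EnableLUA write
# (UAC bypass, Checks whether UAC is enabled, System policy modification); the
# table keeps one.
RULES = [
    ("Modifies firewall policy service", "T1562.004 Disable or Modify System Firewall",
     re.compile(r"\\FirewallPolicy\\\w+Profile\\(EnableFirewall|DoNotAllowExceptions)$", re.I), {"0"}),
    ("Modifies firewall policy service", "T1562.004 Disable or Modify System Firewall",
     re.compile(r"\\FirewallPolicy\\\w+Profile\\DisableNotifications$", re.I), {"1"}),
    ("Windows security modification", "T1562.001 Disable or Modify Tools",
     re.compile(r"\\Security Center\\(AntiVirus|Firewall|Updates|Uac)(Override|DisableNotify)$", re.I), {"1"}),
    ("UAC bypass", "T1548.002 Bypass User Account Control",
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I), {"0"}),
    ("Adds Run key to start application", "T1547.001 Registry Run Keys / Startup Folder",
     re.compile(r"\\CurrentVersion\\Run\\[^\\]+$", re.I), None),
    ("Modifies visibility of hidden/system files in Explorer", "T1564.001 Hidden Files and Directories",
     re.compile(r"\\Explorer\\Advanced\\ShowSuperHidden$", re.I), {"0"}),
]

# Signatures that together mean "firewall off, Security Center muted, UAC off".
IMPAIRMENT = ("Modifies firewall policy service", "Windows security modification", "UAC bypass")


def parse_set_value(line):
    """Fields of one 'Set value' row (kind, path, value, process), or None for other row types."""
    m = SET_VALUE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(record):
    """Every (signature, technique) pair a parsed row matches."""
    return [(sig, tech) for sig, tech, pattern, trigger in RULES
            if pattern.search(record["path"]) and (trigger is None or record["value"] in trigger)]


def summarize(text):
    """signature -> set of process names that triggered it."""
    hits = defaultdict(set)
    for line in text.splitlines():
        record = parse_set_value(line)
        if record is None:
            continue
        for sig, _technique in classify(record):
            hits[sig].add(record["process"])
    return dict(hits)


def defence_impairing_processes(summary):
    """Processes seen in all three IMPAIRMENT signatures (heuristic, this example's own)."""
    return set.intersection(*[summary.get(sig, set()) for sig in IMPAIRMENT])


if __name__ == "__main__":
    summary = summarize(SAMPLE_IOCS)
    for sig, procs in sorted(summary.items()):
        print(f"{sig}: {', '.join(sorted(procs))}")
    print("firewall + Security Center + UAC disabled by:", sorted(defence_impairing_processes(summary)))
```

On the sample subset only coayov.exe reaches all three impairment rules, because the dropper's EnableLUA row was left out of SAMPLE_IOCS; on the full tables above both processes would. Rows of other types ("Key opened", "Key created", "File opened") are skipped by the parser rather than misclassified.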
Processes
- C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:780
- C:\Windows\system32\fontdrvhost.exe  "fontdrvhost.exe"  PID:788
- C:\Windows\system32\dwm.exe  "dwm.exe"  PID:336
- C:\Windows\system32\sihost.exe  sihost.exe  PID:2656
- C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc  PID:2672
- C:\Windows\system32\taskhostw.exe  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}  PID:2928
- C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  PID:3312
  - C:\Users\Admin\AppData\Local\Temp\a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe  "C:\Users\Admin\AppData\Local\Temp\a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe"  PID:3012
    signatures:
      - Modifies firewall policy service
      - UAC bypass
      - Windows security bypass
      - Checks computer location settings
      - Windows security modification
      - Checks whether UAC is enabled
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
    - C:\Users\Admin\coayov.exe  "C:\Users\Admin\coayov.exe"  PID:2548
      signatures:
        - Modifies firewall policy service
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Windows security bypass
        - Deletes itself
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Enumerates connected drives
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
- C:\Windows\system32\svchost.exe  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc  PID:3568
- C:\Windows\system32\DllHost.exe  C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}  PID:3740
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca  PID:3840
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:3900
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca  PID:3984
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4100
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe  "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca  PID:4668
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:2428
- C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca  PID:4380
- C:\Windows\system32\backgroundTaskHost.exe  "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca  PID:4088
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:4068
- C:\Windows\System32\RuntimeBroker.exe  C:\Windows\System32\RuntimeBroker.exe -Embedding  PID:2028
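The process list gives the images behind the target PIDs in the WriteProcessMemory table: the dropper (PID 3012) and coayov.exe (PID 2548) write into every other process of the desktop session (fontdrvhost, dwm, Explorer, the RuntimeBroker and backgroundTaskHost instances), not only into the child the dropper itself spawned. The Python below is an added example and not part of the tria.ge report; it separates those two cases, because a parent writing into a child it has just created is routinely logged by sandboxes, while writes into processes the writer never created are the injection signal. The PID-to-image table and the parent/child relation are constructed from the process list above, the sample rows are a subset of the report's table, and the function names are this example's own.

```python
"""Triage "Suspicious use of WriteProcessMemory" rows: split writes into a process
the writer spawned from writes into unrelated session processes.  Added example,
not part of the tria.ge report; the lookup tables and sample rows are constructed
from the report's process list and IoC table, the function names are this
example's own."""
import re
from collections import defaultdict

# Row format as the report prints it:
# "PID <src> wrote to memory of <dst> <pid> <image> <target index>"
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<target_idx>\d+)")

# PID -> image, taken from the process list above (constructed lookup table).
PROCESS_IMAGES = {
    780: "fontdrvhost.exe", 788: "fontdrvhost.exe", 336: "dwm.exe", 2656: "sihost.exe",
    2672: "svchost.exe", 2928: "taskhostw.exe", 3312: "Explorer.EXE", 3568: "svchost.exe",
    3740: "DllHost.exe", 3840: "StartMenuExperienceHost.exe", 3900: "RuntimeBroker.exe",
    3984: "SearchApp.exe", 4100: "RuntimeBroker.exe", 4668: "TextInputHost.exe",
    2428: "RuntimeBroker.exe", 4380: "backgroundTaskHost.exe", 4088: "backgroundTaskHost.exe",
    4068: "RuntimeBroker.exe", 2028: "RuntimeBroker.exe",
    3012: "a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe", 2548: "coayov.exe",
}

# Parent -> children as the process tree shows it (the dropper spawned coayov.exe).
CHILDREN = {3012: {2548}}

# Constructed subset of the report's 56 rows.
SAMPLE_ROWS = """
PID 3012 wrote to memory of 780 3012 a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe 8
PID 3012 wrote to memory of 336 3012 a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe 13
PID 3012 wrote to memory of 3312 3012 a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe 55
PID 3012 wrote to memory of 2548 3012 a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe 86
PID 3012 wrote to memory of 2548 3012 a7a4c1133f7187188998358c0605b6e9_JaffaCakes118.exe 86
PID 2548 wrote to memory of 780 2548 coayov.exe 8
PID 2548 wrote to memory of 3312 2548 coayov.exe 55
PID 2548 wrote to memory of 4068 2548 coayov.exe 85
"""


def parse_rows(text):
    """(source PID, target PID) for every line that matches the report's row format."""
    events = []
    for line in text.splitlines():
        m = WPM_RE.search(line)
        if m:
            events.append((int(m["src"]), int(m["dst"])))
    return events


def fan_out(events):
    """source PID -> set of distinct target PIDs (duplicate rows collapse)."""
    targets = defaultdict(set)
    for src, dst in events:
        targets[src].add(dst)
    return dict(targets)


def foreign_targets(events, children=CHILDREN):
    """source PID -> sorted target PIDs that the source did not spawn."""
    return {src: sorted(t for t in dsts if t not in children.get(src, set()))
            for src, dsts in fan_out(events).items()}


def report(events, images=PROCESS_IMAGES):
    """One line per writer naming the unrelated images it wrote into."""
    lines = []
    for src, dsts in sorted(foreign_targets(events).items()):
        names = sorted({images.get(t, f"pid {t}") for t in dsts})
        lines.append(f"{src} ({images.get(src, '?')}) wrote into {len(dsts)} unrelated "
                     f"processes: {', '.join(names)}")
    return lines


if __name__ == "__main__":
    for line in report(parse_rows(SAMPLE_ROWS)):
        print(line)
```

The dropper's three identical rows for PID 2548 collapse to one target and are then dropped as its own child, so what remains for 3012 is the write into dwm.exe, fontdrvhost.exe and Explorer.EXE; for coayov.exe nothing is filtered, since it spawned no process in the tree.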
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Hide Artifacts (1): Hidden Files and Directories (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (7)
Downloads

Filesize: 160KB
MD5: 49e3d9489e3f8be5ff3aabeb756b24bc
SHA1: 6adcad8b2535208bdd8e0eed190ecb9b5f95a5a7
SHA256: 74e022375f30e89623f656306a48e6729938e634f55b5de74019da990cc591e3
SHA512: 4b423bc41665c12b071f85fb80b1ad3fa239aa1b079d3331d84722d06a3d5cff513518b398c10c2cc5bb2feb75f86355036e7e8fa04070f0d6b58359e0d8cb19

Filesize: 257B
MD5: 32934d4f2619d0e501b998c4f9889448
SHA1: 3933cb14cf0e42a9381531ed12e75d0f102fffd3
SHA256: 1e816e332a9fe19d2cb65810d033f70c8e948dc0c1ad40a0b2e61b9348251b49
SHA512: a08be45fe41574a1017f637133c6f757d0cdd27b2cffa50c9ba6d9832cc155fe4e32ec5b97c2b52fed50c15ae2345abb72c37d1ae02ea31199131e60e6dffd02

Filesize: 100KB
MD5: 4114a5f72fa5b33317fe23a50900addd
SHA1: 22b84f309d055b4ffab65a477c9b7bd11ed6bde0
SHA256: 2874ecb9047c728c1d72cf78737d02cb604ba8158b69df44433334863445248e
SHA512: 9faacf4d279a26eeee11a34bb1b9d6b14783930169b95a03ce8139b062e0a8ac0088aa00aabac83b298196841c80ff73bdbf9a1be3049bcd6710b0a8572203bd