Analysis
- max time kernel: 122s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19-08-2024 19:32
Static task: static1
Behavioral task: behavioral1
- Sample: ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
- Resource: win7-20240708-en
General
- Target: ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
- Size: 3.3MB
- MD5: ac48f4c7b48dd71e17c4a5c4701abc3a
- SHA1: 83da8910b3f61a1c96dcac4abf920b71ea6b785c
- SHA256: 97e699febb9f14fec1f29d9ea6c53a034ff18b3e742cee39fab64e5e378f3b9b
- SHA512: b5ad4c8fc3861c1e5660c67530ddcfdfda9a28cd41a448d9d2995f6dd0c192338bd59d42aaa0ca3a6575e82ab5abfb5365ff311b9efd3743ae4f5685cbb3ba96
- SSDEEP: 98304:PGDCGpKOaunZsscpNUg8z7AYsCZpbTfVLasRRgcx:PYCGpB7niscsg+7AIJV1RRtx
Malware Config
Extracted: sality
URLs:
- http://89.119.67.154/testo5/
- http://kukutrustnet777.info/home.gif
- http://kukutrustnet888.info/home.gif
- http://kukutrustnet987.info/home.gif
- http://www.klkjwre9fqwieluoi.info/
- http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
UAC bypass (signature name as listed in the process tree below; TTP/IoC counts not recorded here)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Windows security bypass (signature name as listed in the process tree below; TTP/IoC counts not recorded here)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Executes dropped EXE 1 IoCs
pid | Process
1120 | IDM1.tmp
Yara rule matches (39 memory-dump entries; the signature heading was not captured in this extract)
resource | yara_rule
behavioral2/memory/1536-N-0x00000000021C0000-0x000000000324E000-memory.dmp | upx
where N takes each of the values 3, 4, 5, 7, 10, 12, 19, 20, 21, 22, 23, 24, 25, 26, 28, 29, 31, 37, 38, 40, 42, 45, 46, 48, 49, 50, 53, 55, 56, 58, 61, 66, 68, 70, 72, 74, 75, 77, 80 (one entry per value, all matching the same upx rule over the same address range of PID 1536).
Windows security modification (signature name as listed in the process tree below; TTP/IoC counts not recorded here)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Checks whether UAC is enabled (signature name as listed in the process tree below; TTP/IoC counts not recorded here)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\G: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\H: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\I: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\J: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\K: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\L: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\M: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\N: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\O: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\P: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\Q: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\R: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\S: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\T: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\U: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\V: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\W: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\X: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\Y: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened (read-only) | \??\Z: | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened for modification | F:\autorun.inf | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Drops file in Program Files directory 11 IoCs
description | ioc | Process
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zG.exe | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\Uninstall.exe | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\AppVShNotify.exe | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\InspectorOfficeGadget.exe | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeC2RClient.exe | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\OfficeClickToRun.exe | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7z.exe | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\appvcleaner.exe | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\IntegratedOffice.exe | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\CLICKTORUN\MavInject32.exe | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
File opened for modification | C:\PROGRAM FILES\7-ZIP\7zFM.exe | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Drops file in Windows directory 1 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SYSTEM.INI | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IDM1.tmp
Suspicious behavior: EnumeratesProcesses 24 IoCs
pid | Process
1536 | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe (24 identical entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeDebugPrivilege | 1536 | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe (64 identical entries)
Suspicious use of WriteProcessMemory 64 IoCs
All 64 entries have PID 1536 (ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe) as the writing process; the entries repeat the following 20 targets, several of them more than once. procid_target is the report's process-tree index; the target process name is taken from the process tree below.
PID | wrote to memory of | procid_target | target process
1536 | 792 | 8 | fontdrvhost.exe
1536 | 800 | 9 | fontdrvhost.exe
1536 | 332 | 13 | dwm.exe
1536 | 2580 | 44 | sihost.exe
1536 | 2608 | 45 | svchost.exe (-k UnistackSvcGroup -s CDPUserSvc)
1536 | 2760 | 48 | taskhostw.exe
1536 | 3588 | 56 | Explorer.EXE
1536 | 3704 | 57 | svchost.exe (-k ClipboardSvcGroup -p -s cbdhsvc)
1536 | 3880 | 58 | DllHost.exe
1536 | 3972 | 59 | StartMenuExperienceHost.exe
1536 | 4040 | 60 | RuntimeBroker.exe
1536 | 960 | 61 | SearchApp.exe
1536 | 4192 | 62 | RuntimeBroker.exe
1536 | 1916 | 75 | TextInputHost.exe
1536 | 1364 | 76 | RuntimeBroker.exe
1536 | 1860 | 81 | backgroundTaskHost.exe
1536 | 2968 | 82 | backgroundTaskHost.exe
1536 | 1120 | 84 | IDM1.tmp
1536 | 4488 | 86 | RuntimeBroker.exe
1536 | 2040 | 87 | RuntimeBroker.exe
System policy modification 1 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
Processes
- C:\Windows\system32\fontdrvhost.exe
  cmdline: "fontdrvhost.exe"
  PID: 792
- C:\Windows\system32\fontdrvhost.exe
  cmdline: "fontdrvhost.exe"
  PID: 800
- C:\Windows\system32\dwm.exe
  cmdline: "dwm.exe"
  PID: 332
- C:\Windows\system32\sihost.exe
  cmdline: sihost.exe
  PID: 2580
- C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2608
- C:\Windows\system32\taskhostw.exe
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2760
- C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  PID: 3588
  - C:\Users\Admin\AppData\Local\Temp\ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\ac48f4c7b48dd71e17c4a5c4701abc3a_JaffaCakes118.exe"
    PID: 1536
    Signatures:
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Windows security modification
    - Checks whether UAC is enabled
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp
      cmdline: "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\IDM1.tmp" -d "C:\Users\Admin\AppData\Local\Temp\IDM_Setup_Temp\"
      PID: 1120
      Signatures:
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
- C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3704
- C:\Windows\system32\DllHost.exe
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3880
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3972
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4040
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 960
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4192
- C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
  cmdline: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
  PID: 1916
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 1364
- C:\Windows\system32\backgroundTaskHost.exe
  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
  PID: 1860
- C:\Windows\system32\backgroundTaskHost.exe
  cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
  PID: 2968
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4488
- C:\Windows\System32\RuntimeBroker.exe
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 2040
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
- Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
- Modify Registry (5)
Downloads
- Filesize: 137KB
  MD5: 30ba75437387e9abdbc72c0c94ffe47a
  SHA1: 1a077d1d010236e408945b8eedb392c33252346e
  SHA256: a9f39a8244f651ee7696fd74a7f88320c9b3d8184c10e8db1a3c014ee5562391
  SHA512: 570d015703a93ee0bb3de3c6b14ed4e6f64872558b4ffe3d7d597fca8b28795af9fd6761ba2f983e9bce04286287a5ce018f98c51f4d25db8cbdfc2bb5f04ef3
- Filesize: 100KB
  MD5: efd4a9ce5d01566be7ebc286ac55a1fd
  SHA1: 5ccb5fa6d84b01246aca8e4de04233224e44d077
  SHA256: 5a725087a44d1641dc470a983944a7e1ac6ede85e0c2151224fa27100355b8d8
  SHA512: 8e9733f90c610cb92c7a2a1efad3a2bacb6f718476f9164ee16fcd94229b240aed75c4536276dad818c8d86069a365d578296be476a481a8f2e12367b66c539a