Analysis
max time kernel: 148s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 06/09/2024, 00:39
Static task: static1
Behavioral task: behavioral1
Sample: ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Resource: win7-20240903-en
General
Target: ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Size: 708KB
MD5: ce42c9afbbb6128df70fbd97f154f492
SHA1: efef2e72d8dfcdf90a9a3bdaf52c4b00321df087
SHA256: cafa42623d5c4e9d132d8f945b055a032e3530832a496de6a5795974413c1449
SHA512: 4d213540e3925b71f24bfbb371f905bc7aec23e74e8b291cccfa95a770859610211a2feea63119c306dacdbb0c6ae05e2879fc0818ffb5416a05ec4884de0d0c
SSDEEP: 12288:XPzvd/Y6FBe6ikWAehJuqTHZT5FQBlVREeKNvXYX49IM5:fzvdQee6ikWAAuqVTHQBlViNfYX4L5
Malware Config
Extracted family: sality
URLs:
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Sality is a file infector, so the submitted executable is an infected host program rather than a standalone dropper. In this run the host behaves as an installer stub (it drops an MSI and hands it to msiexec.exe, see the process tree), while the firewall, UAC and Security Center registry changes and the SYSTEM.INI write by PID 2648 are the part of the activity attributable to the Sality payload. Treat the URLs above as download/check-in indicators for network detection; none of the traffic itself is shown on this page.
Signatures

Modifies firewall policy service    3 TTPs    3 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Net effect: the Windows Firewall standard profile is switched off, exception rules remain allowed, and the "firewall is off" notification is suppressed so the user is not told.

UAC bypass (EnableLUA set to 0)    1 IoC
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Note: EnableLUA = 0 disables UAC outright rather than bypassing a single prompt, and it only takes effect after the next reboot; writing this policy value requires the sample to already be running with administrative rights.

Windows security bypass (Security Center overrides)    6 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Note: the paths sit under Wow6432Node because the sample is a 32-bit process on an x64 image and WOW64 registry redirection applies to HKLM\SOFTWARE. The *Override values tell Security Center to stop tracking that component; the *DisableNotify values silence its warnings.

Executes dropped EXE    2 IoCs
pid | process
1232 | 01593.tmp
2720 | Setup.exe

Loads dropped DLL    2 IoCs
pid | process
1404 | MsiExec.exe
1404 | MsiExec.exe

YARA rule match: upx    7 IoCs
resource | yara_rule
behavioral1/memory/2648-3-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2648-4-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2648-5-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2648-6-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2648-7-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2648-8-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
behavioral1/memory/2648-11-0x0000000001EA0000-0x0000000002F2E000-memory.dmp | upx
All seven hits are dumps of the same 0x108E000-byte (about 16.5 MiB) region of PID 2648 taken at different points in the run, so this is one UPX-style region observed repeatedly, not seven distinct packed modules.

Windows security modification    7 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe

Checks whether UAC is enabled    1 IoC
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
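Triage helper, added here as an example and not part of the sandbox report or of any sandbox tooling: it parses registry rows in the "description ioc process" format the tables above use and flags the values that impair host defenses, mapping each to an ATT&CK technique. The embedded rows are copied from this report; the per-value technique assignment (which Security Center values are counted as "Disable or Modify Tools" versus "Disable or Modify System Firewall") and the regex row grammar are this example's own assumptions, not the sandbox's mapping.

```python
"""Flag defense-impairing registry writes in sandbox IOC rows (added example)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed input: registry rows copied from this report's signature tables,
# one IOC per line, in the sandbox's "description ioc process" row format.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
"""

# Value name -> (data that impairs the defence, ATT&CK id, technique name).
# The per-value assignment is this example's own choice (assumption), not the sandbox's mapping.
IMPAIRING = {
    "EnableFirewall":         ("0", "T1562.004", "Disable or Modify System Firewall"),
    "DoNotAllowExceptions":   ("0", "T1562.004", "Disable or Modify System Firewall"),
    "DisableNotifications":   ("1", "T1562.004", "Disable or Modify System Firewall"),
    "EnableLUA":              ("0", "T1548.002", "Bypass User Account Control"),
    "AntiVirusOverride":      ("1", "T1562.001", "Disable or Modify Tools"),
    "AntiVirusDisableNotify": ("1", "T1562.001", "Disable or Modify Tools"),
    "FirewallOverride":       ("1", "T1562.001", "Disable or Modify Tools"),
    "FirewallDisableNotify":  ("1", "T1562.001", "Disable or Modify Tools"),
    "UpdatesDisableNotify":   ("1", "T1562.001", "Disable or Modify Tools"),
    "UacDisableNotify":       ("1", "T1562.001", "Disable or Modify Tools"),
}

# Row grammar (assumed from the report's layout): description, key path (may contain
# spaces, e.g. "Security Center"), optional = "data", then the writing process image.
ROW_RE = re.compile(
    r'^(?P<desc>Set value \((?P<kind>\w+)\)|Key created)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<data>[^"]*)")?'
    r'\s+(?P<process>\S+)$'
)


@dataclass(frozen=True)
class RegEvent:
    action: str            # "Set value" or "Key created"
    path: str              # full path; for Set value the last element is the value name
    data: Optional[str]    # None for Key created rows
    process: str

    @property
    def value_name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]


def parse_rows(text: str) -> list:
    """Parse sandbox registry IOC rows; raise on a row the grammar does not cover."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        action = "Key created" if m.group("desc") == "Key created" else "Set value"
        events.append(RegEvent(action, m.group("path"), m.group("data"), m.group("process")))
    return events


def flag_defense_impairment(events) -> list:
    """Return (value_name, data, technique_id, technique_name, process) for each
    Set value event whose data equals the impairing setting listed in IMPAIRING."""
    findings = []
    for ev in events:
        if ev.action != "Set value":
            continue
        rule = IMPAIRING.get(ev.value_name)
        if rule is not None and ev.data == rule[0]:
            findings.append((ev.value_name, ev.data, rule[1], rule[2], ev.process))
    return findings


def summarize_by_technique(findings) -> dict:
    """Count findings per ATT&CK technique id, e.g. {'T1562.004': 3, ...}."""
    return dict(Counter(f[2] for f in findings))


def firewall_silently_disabled(findings) -> bool:
    """True when the firewall is turned off AND its off-state notification is
    suppressed: the combination that hides the change from the logged-on user."""
    names = {f[0] for f in findings}
    return {"EnableFirewall", "DisableNotifications"} <= names


if __name__ == "__main__":
    found = flag_defense_impairment(parse_rows(SAMPLE_ROWS))
    for name, data, tid, tname, proc in found:
        print(f"{tid} {tname}: {name} = {data} by {proc}")
    print("per technique:", summarize_by_technique(found))
    print("firewall silently disabled:", firewall_silently_disabled(found))
```

The Key created row is parsed but never flagged, since only a value write with known impairing data is a finding; a row with EnableLUA = "1" parses the same way and produces nothing, which keeps the check usable on rows from benign installers.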
Enumerates connected drives    3 TTPs    46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: | msiexec.exe
The 46 rows are these 23 drive letters, each opened twice; C:, D: and F: are not listed. Both msiexec.exe instances (PID 2804 and PID 2568) carry this signature in the process tree, which accounts for the duplication. This is the Windows Installer probing for volumes, not the sample walking drives itself.
Drops file in Windows directory    11 IoCs
description | ioc | process
File opened for modification | C:\Windows\SYSTEM.INI | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
File created | C:\Windows\Installer\f7714a9.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\f7714a9.msi | msiexec.exe
File created | C:\Windows\Installer\f7714ac.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\f7714ac.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1555.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1566.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
The SYSTEM.INI write is the only file change here made by the sample process itself; the C:\Windows\Installer entries are the Windows Installer service's package cache and temporary files, and the setupapi logs are written by the driver installer.
Enumerates physical storage devices    1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery    1 TTPs    5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msiexec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 01593.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Setup.exe
Every process in the chain opens this key, including the Windows Installer components, so on its own it is weak evidence of deliberate geolocation by the sample.
Modifies data under HKEY_USERS    43 IoCs
description | ioc | process
Key created (42 keys, all by DrvInst.exe):
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs
\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates
\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs
\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates
\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs
\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | DrvInst.exe
The LanguageList data is UTF-16LE for the multi-string "en-US", "en". All 43 entries come from DrvInst.exe, which runs under the .DEFAULT profile: the SystemCertificates and WinTrust keys are the empty per-profile certificate-store layout that gets created the first time a process opens the system stores under that hive, and the keys are created, not populated. Nothing here is written by the sample, so this signature adds noise rather than evidence against it.
Suspicious behavior: EnumeratesProcesses    3 IoCs
pid | process
2648 | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
2568 | msiexec.exe
2568 | msiexec.exe
Suspicious use of AdjustPrivilegeToken    61 IoCs
description | pid | process
Token (31 events) | 2804 | msiexec.exe: SeShutdownPrivilege (2), SeIncreaseQuotaPrivilege (2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
Token (17 events) | 2568 | msiexec.exe: SeRestorePrivilege (8), SeTakeOwnershipPrivilege (7), SeSecurityPrivilege, SeBackupPrivilege
Token (3 events) | 272 | vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
Token (10 events) | 3020 | DrvInst.exe: SeRestorePrivilege (7), SeLoadDriverPrivilege (3)
None of these events come from the sample process (PID 2648). The sweep of every privilege by the msiexec.exe client (PID 2804) is the Windows Installer's routine behaviour when it starts an install, and the backup/restore privileges on the service, vssvc.exe and DrvInst.exe match package caching and snapshot handling.
Suspicious use of FindShellTrayWindow    2 IoCs
pid | process
2804 | msiexec.exe
2804 | msiexec.exe
Suspicious use of WriteProcessMemory    28 IoCs
description | pid | process | procid_target
PID 2648 wrote to memory of 2804 (7 events) | 2648 | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe | 30
PID 2568 wrote to memory of 1404 (7 events) | 2568 | msiexec.exe | 35
PID 1404 wrote to memory of 1232 (7 events) | 1404 | MsiExec.exe | 36
PID 1232 wrote to memory of 2720 (7 events) | 1232 | 01593.tmp | 37
Each writer/target pair is a parent writing into a child it has just created (the pairs match the parent/child edges of the process tree below, and each pair produces the same seven writes), which is the ordinary process-creation pattern rather than injection into an unrelated process. procid_target is the sandbox's ordinal for the target process, not its PID.
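Lineage helper, added as an example that is not part of the sandbox report or of any sandbox tooling: it parses WriteProcessMemory rows in the "PID <writer> wrote to memory of <target> <writer> <image> <ordinal>" form used above, de-duplicates the repeated writes, and reconstructs each root-to-leaf chain. The rows and the PID-to-image lookup are copied from this report (with one repeated row kept to show de-duplication); the row grammar is this example's own assumption about the sandbox's output.

```python
"""Rebuild process lineage from sandbox WriteProcessMemory rows (added example)."""
import re
from collections import Counter, defaultdict

# Constructed input: rows in the report's row format. The report repeats each
# writer/target pair seven times; one repeat is kept here so the de-duplication
# in build_tree is exercised.
WPM_ROWS = """
PID 2648 wrote to memory of 2804 2648 ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe 30
PID 2648 wrote to memory of 2804 2648 ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe 30
PID 2568 wrote to memory of 1404 2568 msiexec.exe 35
PID 1404 wrote to memory of 1232 1404 MsiExec.exe 36
PID 1232 wrote to memory of 2720 1232 01593.tmp 37
"""

# PID -> image name, taken from this report's process tree (constructed lookup).
PROCESS_NAMES = {
    2648: "ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe",
    2804: "msiexec.exe",
    2568: "msiexec.exe",
    1404: "MsiExec.exe",
    1232: "01593.tmp",
    2720: "Setup.exe",
}

# Assumed row grammar: "PID <writer> wrote to memory of <target> <writer> <image> <ordinal>".
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(text):
    """Return one (writer_pid, target_pid, writer_image, target_ordinal) per row."""
    edges = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        writer, target, writer_again, image, ordinal = m.groups()
        if writer != writer_again:
            raise ValueError(f"writer pid mismatch in row: {line!r}")
        edges.append((int(writer), int(target), image, int(ordinal)))
    return edges


def edge_counts(edges):
    """How many write events each (writer, target) pair produced."""
    return Counter((w, t) for w, t, _, _ in edges)


def build_tree(edges):
    """writer pid -> ordered list of distinct target pids it wrote into."""
    children = defaultdict(list)
    for w, t, _, _ in edges:
        if t not in children[w]:
            children[w].append(t)
    return dict(children)


def roots(edges):
    """Writers that nobody wrote into: the top of each lineage."""
    writers = {w for w, _, _, _ in edges}
    targets = {t for _, t, _, _ in edges}
    return sorted(writers - targets)


def chains(edges, names):
    """Every root-to-leaf path rendered as 'image(pid) -> image(pid) -> ...'."""
    tree = build_tree(edges)
    out = []

    def walk(pid, path):
        path = path + [f"{names.get(pid, '?')}({pid})"]
        kids = tree.get(pid, [])
        if not kids:
            out.append(" -> ".join(path))
        for kid in kids:
            walk(kid, path)

    for root in roots(edges):
        walk(root, [])
    return out


if __name__ == "__main__":
    e = parse_wpm(WPM_ROWS)
    for c in chains(e, PROCESS_NAMES):
        print(c)
    print("write counts:", dict(edge_counts(e)))
```

The output has two roots, 2568 and 2648, because the link between the msiexec.exe client started by the sample and the Windows Installer service instance is an RPC hand-off, not a memory write, so it is invisible to this signature; the service chain that ends in C:\Setup.exe has to be tied back to the sample through the dropped MSIF9CA.tmp package instead.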
System policy modification    1 TTPs    1 IoCs
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Users\Admin\AppData\Local\Temp\ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe    PID 2648
  command line: "C:\Users\Admin\AppData\Local\Temp\ce42c9afbbb6128df70fbd97f154f492_JaffaCakes118.exe"
  - Modifies firewall policy service
  - UAC bypass
  - Windows security bypass
  - Windows security modification
  - Checks whether UAC is enabled
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - System policy modification

    C:\Windows\SysWOW64\msiexec.exe    PID 2804    (child of 2648)
      command line: msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSIF9CA.tmp
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe    PID 2568
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe    PID 1404    (child of 2568)
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding F8B65E918EDCFC468517DCA500293052
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\01593.tmp    PID 1232    (child of 1404)
          command line: C:\Users\Admin\AppData\Local\Temp\01593.tmp
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Setup.exe    PID 2720    (child of 1232)
              command line: "C:\Setup.exe"
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe    PID 272
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\DrvInst.exe    PID 3020
  command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003A4" "0000000000000390"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken

Reading the tree: the two msiexec.exe roots are linked through the Windows Installer service rather than by process creation. The 32-bit client launched by the sample (PID 2804) submits the dropped package MSIF9CA.tmp to the service instance msiexec.exe /V (PID 2568); the service runs the package's custom actions in a 32-bit custom action server (MsiExec.exe -Embedding, PID 1404), which launches the extracted 01593.tmp, which in turn starts C:\Setup.exe. Everything from PID 2568 downward is therefore the installer payload carried by the infected host, reached indirectly from the sample. vssvc.exe and the DrvInst.exe invocation for the STORAGE\VolumeSnapshot device are consistent with the installer taking a volume snapshot (a restore point) before the install and are not driven by the sample directly. The registry changes, the SYSTEM.INI write and the UPX-matching memory region under PID 2648 are the observations attributable to the sample itself.
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Create or Modify System Process (1): Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1): Bypass User Account Control (1)
  Impair Defenses (4): Disable or Modify System Firewall (1), Disable or Modify Tools (3)
  Modify Registry (5)
Downloads

Filesize: 280KB
MD5: a394877a49ea1be45553fd1cdd17ce22
SHA1: 2d895b9ea8a2eb7f828cc0e76db1899a36f9d131
SHA256: 79ceac666e87c82a059f523c2106a09f28a5b2f907a317768b502efdf841738f
SHA512: ee44f9c53e7c49fbe1f112daa10439c6b65bbdc09a8bae91a498c5d54e2758485bb9cc01fb4b3bd896e52c47cfd83b38775cbfff190dfaebbccb925aec04073c

Filesize: 382KB
MD5: 6586651cc7b6588de7bdd38ead464f22
SHA1: 27d21f935f7940939fe91d03a52298c2606d948e
SHA256: 140c23fabef89e7d8797639694303a1ea0aee3f0aa8ee633c4e83464baec0721
SHA512: 54c0d67237ea11b385d9353728a7acf9f5a25024ffad11e90d0a28d44da2d677313f3d1cf8433cdafc790dbba49e1a88d59d6bc685bc8eef087a0c480eb8ef6b

Filesize: 558KB
MD5: 172e2462b13b295a1688701956ddc878
SHA1: c1909f4798759a9b758d28fbba7318f97bff5e14
SHA256: ea0afd35436e7624c6c3748a88c9cdf014a9e315ebd3473ff4e07eb74b5980e5
SHA512: 8a4d8a80f58e0999f855ac4af6de255d3aeb900b9de02f4380575c93b566396c5f2021661b83c53e4a1bfd99041257dc05f5c6322c5022d71e08701bedbcdf58

Filesize: 493KB
MD5: cad102efafbb6ffd628c34def67677bb
SHA1: 73bd6bec972d891ff9aa8876064295530e134ccc
SHA256: 8914dc5c489b0911a072d590ab44981d05264502adbba43cf935f32e9262d11c
SHA512: 1e2d03d333ec2a5ea4bb8e4bd0781906f34e5a9a7fd208d0d72c87cb958abff10e9bbb91d57e8a2cd513564b98408afec2a2698ed5c07b793fd81acafbaaf987

The page does not name these four artifacts; match them against the dropped files in the process tree (MSIF9CA.tmp, 01593.tmp, C:\Setup.exe, the cached f7714a9.msi) by size and hash before treating any of them as a Sality indicator, since the installer components may be legitimate host files.